MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: Pop-ups, including winfixer2005  (Read 3078 times)
bill727
« on: August 07, 2005, 11:42:50 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: windows xp, service pack 2
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages: winfixer2005 and other popups



Any help getting rid of this most annoying issue would be greatly appreciated. Thanks, Bill

Logfile of HijackThis v1.99.1
Scan saved at 7:41:40 AM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\kumsiz.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\system32\F?nts\services.exe
C:\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Toolbar BHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [xsduotw] c:\windows\system32\kumsiz.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Wjxla] C:\WINDOWS\system32\F?nts\services.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\VX6STKIT.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

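The log above contains most of the patterns a remover looks for in a HijackThis log of this era: a second loader appended to the Winlogon Shell value, auto-start binaries dropped straight into %WINDIR% and re-launched with a one-letter switch, a folder name HijackThis could not print fully (F?nts, evidently meant to pass for Fonts), an unknown Winlogon Notify package, and a service with no vendor information. The script below is an added example for this thread, not code from HijackThis, from the poster or from any tool in the moderator's list; it runs those heuristics over a constructed excerpt of the posted log. Its allow-lists of Winlogon Notify packages and of Microsoft binaries that legitimately start from %WINDIR% are this example's own assumptions, kept deliberately small, and the reading of '?' as an unprintable character in a look-alike folder name is likewise an assumption.

```python
"""Heuristic triage of a HijackThis 1.99 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines modelled on the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xsduotw] c:\windows\system32\kumsiz.exe r
O4 - HKCU\..\Run: [Wjxla] C:\WINDOWS\system32\F?nts\services.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\VX6STKIT.DLL
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption: Winlogon Notify packages shipped with Windows XP / common drivers.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Assumption: Microsoft binaries that legitimately auto-start from %WINDIR%.
KNOWN_WINDIR_EXES = {"ctfmon.exe", "rundll32.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?)\s+\((\w+)\) - (.*?) - (.*)$")
# Command line -> (image path, arguments); copes with a quoted image path.
CMD_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|dll))"?(?:\s+(.*))?$', re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32, no deeper folder.
WINDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?([^\\]+)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    section: str    # HijackThis section, e.g. "O4"
    reason: str
    line: str


def _lookalike(path: str) -> bool:
    # HijackThis prints '?' for a character it cannot render, so a '?' or any
    # non-ASCII character inside a system path marks a look-alike folder.
    return "?" in path or any(ord(c) > 127 for c in path)


def _windir_basename(path: str):
    m = WINDIR_RE.match(path.strip())
    return m.group(1).lower() if m else None


def _check(line: str) -> list:
    tag = line.split(" ", 1)[0]
    if m := F2_RE.match(line):
        shell = m.group(1).strip()
        if shell.lower() != "explorer.exe":
            return [Finding("high", "F2", f"Winlogon Shell carries an extra loader: {shell}", line)]
    elif m := BHO_RE.match(line):
        name, _clsid, path = m.groups()
        if path == "(no file)":
            return [Finding("medium", tag, "orphaned browser plug-in registration", line)]
        if _lookalike(path):
            return [Finding("high", tag, "plug-in DLL in a look-alike folder", line)]
        if _windir_basename(path):
            return [Finding("medium", tag, f"plug-in DLL {name!r} dropped straight into %WINDIR%", line)]
    elif m := O4_RE.match(line):
        _hive, _key, name, command = m.groups()
        cm = CMD_RE.match(command)
        path, args = (cm.group(1), cm.group(2) or "") if cm else (command, "")
        if _lookalike(path):
            return [Finding("high", "O4", f"[{name}] starts a binary from a look-alike folder", line)]
        base = _windir_basename(path)
        if base and base not in KNOWN_WINDIR_EXES:
            if len(args) == 1:
                return [Finding("high", "O4", f"[{name}] re-launches a dropped %WINDIR% binary with one-letter switch {args!r}", line)]
            return [Finding("medium", "O4", f"[{name}] auto-starts a binary dropped straight into %WINDIR%", line)]
    elif m := O20_RE.match(line):
        pkg, _path = m.groups()
        if pkg.lower() not in KNOWN_NOTIFY:
            return [Finding("high", "O20", f"unknown Winlogon Notify package {pkg!r}: loaded by winlogon.exe as SYSTEM, also in Safe Mode", line)]
    elif m := O23_RE.match(line):
        _display, short, owner, path = m.groups()
        if owner == "Unknown owner" and _windir_basename(path):
            return [Finding("medium", "O23", f"service {short!r} with no vendor info running from %WINDIR%", line)]
    return []


def triage(log_text: str) -> list:
    """Return findings for every non-blank line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(_check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}\n            {f.line}")
```

On the sample it reports seven findings (four high, three medium) and stays silent on the AVG, Google Toolbar and ZoneAlarm entries. The "(no name)" BHO name on its own is deliberately not a trigger: Spybot's SDHelper shows up that way too, which is why the moderator's fix list leaves it alone.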
sUBs
Global Moderator
« Reply #1 on: August 07, 2005, 03:47:54 PM »

Hi and Welcome to MyTechSupport

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you have Notepad open. If you choose to do otherwise, it may lead to some confusion.

If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs.  Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

http://www.greyknight17.com/spy/Cleanup.exe - CleanUp! - Download & Install.

http://www.downloads.subratam.org/KillBox.zip - KillBox v2.0.0.175

http://www.noidea.us/easyfile/file.php?download=20050711214630636 - Nailfix - Unzip to a new folder

http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443 - FindIt's.zip

http://www.sysinternals.com/Files/Process*xplorerNt.zip - Process Explorer

http://download.ewido.net/ewido-setup.exe - Ewido Security Suite - Install it & update its database here > http://www.ewido.net/en/download/updates/

http://www.atribune.org/downloads/l2mfix.exe - L2mfix

UNPLUG YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & locate an entry that looks similar to this...

O4 - HKLM\..\Run: [xsduotw] c:\windows\system32\kumsiz.exe r

The name might be different, but it resides in the system32 folder & has the letter "r" at the end. Take note of the filename & location.

Run Process Explorer and locate name of the file you've just identified in the list of Processes.
Select the process and click Process > Suspend
Leave Process Explorer running with the process suspended


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =  

When doing the fix, you shall be viewing these instructions from Notepad.
Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy

name of the file you've just identified
C:\WINDOWS\Nail.exe
C:\WINDOWS\ttext.dll
C:\WINDOWS\ttupt.exe
c:\windows\system32\kumsiz.exe
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\system32\F?nts\services.exe
C:\WINDOWS\system32\VX6STKIT.DLL
c:\windows\SvcProc.exe


Launch KillBox.exe
Go to the File menu, and choose 'Paste from Clipboard'  * this feature does not work on older versions of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
 Select/tick the following:
 Delete on Reboot
 End Explorer Shell While Killing File
 Unregister dll Before deleting * if it's not grayed out
 Click the RED X button.
 Click Yes at the 'Delete on Reboot' prompt.
 Click Yes at the 'Pending Operations prompt'.

* If you receive a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe from http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe. Then try Killbox again.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
Shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:

Ezula
Spyware Killer    
>>rogueware with a dubious history

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPEN WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [xsduotw] c:\windows\system32\kumsiz.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Wjxla] C:\WINDOWS\system32\F?nts\services.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\VX6STKIT.DLL  



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options>View tab.
 Enable the option for 'Show hidden files and folders'
bill727
« Reply #2 on: August 07, 2005, 06:49:17 PM »

I followed all the items as you laid them out, the only problems were:

there was no "kumsiz.exe r" or similar file with that "r" to suspend

and

the Panda online scan didn't give me any of the options you listed; it only allowed me to scan, not disinfect.

Here are the logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:44 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Toolbar BHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Online scan
Incident                       Status           Location
Adware:adware/bookedspace      No disinfected   C:\WINDOWS\cfgmgr52.ini
Adware:adware/ezula            No disinfected   C:\WINDOWS\woinstall.exe
Adware:adware/searchrelevancy  No disinfected   C:\PROGRAM FILES\SearchRelevant
Adware:adware/wupd             No disinfected   Windows Registry
Hacktool:Hacktool/Processor    No disinfected   C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware:Adware/ILookup          No disinfected   C:\Hijackthis\backups\backup-20050805-210214-897.inf
Adware:Adware/Look2Me          No disinfected   C:\Hijackthis\l2mfix\backup.zip[chpbk32.dll]
Adware:Adware/Look2Me          No disinfected   C:\Hijackthis\l2mfix\backup.zip[VX6STKIT.DLL]
Adware:Adware/Look2Me          No disinfected   C:\Hijackthis\l2mfix\backup.zip[wlnsrv.dll]
Hacktool:Hacktool/Processor    No disinfected   C:\Hijackthis\l2mfix\Process.exe
Hacktool:Hacktool/Processor    No disinfected   C:\Hijackthis\l2mfix.exe[Process.exe]
Adware:Adware/SearchRelevancy  No disinfected   C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/BTGrab           No disinfected   C:\WINDOWS\inf\btgrab.inf
Adware:Adware/PurityScan       No disinfected   C:\WINDOWS\system32\Shex.exe
Adware:Adware/SAHAgent         No disinfected   C:\WINDOWS\system32\xmltok.dll
Adware:Adware/Imibar           No disinfected   C:\WINDOWS\ttext.dll

--------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:34:27 PM, 8/7/2005
 + Report-Checksum:      E95A48D5

 + Scan result:

   HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp -> Spyware.BigWebPortal : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp\ffffaaa -> Spyware.BigWebPortal : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp\iiii -> Spyware.BigWebPortal : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp\kkkk -> Spyware.BigWebPortal : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp\pppp -> Spyware.BigWebPortal : Cleaned with backup
   HKU\S-1-5-21-682003330-1425521274-839522115-1004\Software\share_bwp\ssss -> Spyware.BigWebPortal : Cleaned with backup
   [208] C:\WINDOWS\system32\VX6STKIT.DLL -> Spyware.Look2Me : Error during cleaning
   [628] C:\WINDOWS\system32\chpbk32.dll -> Spyware.Look2Me : Error during cleaning
   [704] C:\WINDOWS\system32\chpbk32.dll -> Spyware.Look2Me : Error during cleaning
   C:\Documents and Settings\All Users\Application Data\SecTaskMan\cfgmgr52.dll.q_2CFF005_q -> Spyware.BookedSpace : Cleaned with backup
   C:\Hijackthis\backups\backup-20050804-222949-196.dll -> Spyware.Look2Me : Cleaned with backup
   C:\Hijackthis\backups\backup-20050807-125604-740.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\Program Files\eZula -> Adware.eZula : Cleaned with backup
   C:\Program Files\SearchRelevant\SearchRelevant.dll -> Spyware.Relevance : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
   C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\WINDOWS\qaxmrg.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
   C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\dovx_xx0c.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\dwstyle.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\dwvx_xx11.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\ezPopStub.exe -> Adware.eZula : Cleaned with backup
   C:\WINDOWS\system32\gimf32.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\hyetcfg.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\ib50_32.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\jbsh400.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\kkdcan.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\kodsw.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\lsfhyu.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\system32\lsfil13n.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\movbvm50.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\pfisdecd.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\ppintui.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\rasutils.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\rcgsvc.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\rknd.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\ukiplat.dll -> Spyware.Look2Me : Cleaned with backup
   C:\WINDOWS\system32\viothr.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\system32\winenc32.dll -> TrojanSpy.Globar.d : Cleaned with backup

L2Mfix 1.03a
 
Running From:
C:\Hijackthis\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Hijackthis\l2mfix
System Rebooted!
 
Running From:
C:\Hijackthis\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1240 'explorer.exe'
Killing PID 1240 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1596 'rundll32.exe'
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\chpbk32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\chpbk32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VX6STKIT.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\VX6STKIT.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnsrv.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wlnsrv.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\chpbk32.dll  
Successfully Deleted: C:\WINDOWS\system32\chpbk32.dll
deleting: C:\WINDOWS\system32\chpbk32.dll  
Successfully Deleted: C:\WINDOWS\system32\chpbk32.dll
deleting: C:\WINDOWS\system32\VX6STKIT.DLL  
Successfully Deleted: C:\WINDOWS\system32\VX6STKIT.DLL
deleting: C:\WINDOWS\system32\VX6STKIT.DLL  
Successfully Deleted: C:\WINDOWS\system32\VX6STKIT.DLL
deleting: C:\WINDOWS\system32\wlnsrv.dll  
Successfully Deleted: C:\WINDOWS\system32\wlnsrv.dll
deleting: C:\WINDOWS\system32\wlnsrv.dll  
Successfully Deleted: C:\WINDOWS\system32\wlnsrv.dll
 
 
Zipping up files for submission:
  adding: chpbk32.dll (188 bytes security) (deflated 48%)
  adding: VX6STKIT.DLL (188 bytes security) (deflated 48%)
  adding: wlnsrv.dll (188 bytes security) (deflated 48%)
  adding: clear.reg (188 bytes security) (deflated 52%)
  adding: echo.reg (188 bytes security) (deflated 5%)
  adding: direct.txt (188 bytes security) (stored 0%)
  adding: lo2.txt (188 bytes security) (deflated 78%)
  adding: readme.txt (188 bytes security) (deflated 49%)
  adding: report.txt (188 bytes security) (deflated 63%)
  adding: report2.txt (188 bytes security) (deflated 63%)
  adding: test.txt (188 bytes security) (deflated 72%)
  adding: test2.txt (188 bytes security) (deflated 33%)
  adding: test3.txt (188 bytes security) (deflated 33%)
  adding: test5.txt (188 bytes security) (deflated 33%)
  adding: xfind.txt (188 bytes security) (deflated 69%)
  adding: backregs/6FA0A9B0-DB65-4222-919E-49CA3A498F38.reg (188 bytes security) (deflated 70%)
  adding: backregs/915A422D-296C-4CE2-9DE9-F14783F1AF38.reg (188 bytes security) (deflated 70%)
  adding: backregs/98C5FBEB-EAA1-45D9-BB30-7817DB26FF47.reg (188 bytes security) (deflated 70%)
  adding: backregs/B0C7CF5B-BB08-4FD9-8EB5-808A276DD852.reg (188 bytes security) (deflated 70%)
  adding: backregs/shell.reg (188 bytes security) (deflated 74%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: chpbk32.dll  
deleting local copy: chpbk32.dll  
deleting local copy: VX6STKIT.DLL  
deleting local copy: VX6STKIT.DLL  
deleting local copy: wlnsrv.dll  
deleting local copy: wlnsrv.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\chpbk32.dll
C:\WINDOWS\system32\chpbk32.dll
C:\WINDOWS\system32\VX6STKIT.DLL
C:\WINDOWS\system32\VX6STKIT.DLL
C:\WINDOWS\system32\wlnsrv.dll
C:\WINDOWS\system32\wlnsrv.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B0C7CF5B-BB08-4FD9-8EB5-808A276DD852}"=-
"{6FA0A9B0-DB65-4222-919E-49CA3A498F38}"=-
"{915A422D-296C-4CE2-9DE9-F14783F1AF38}"=-
"{98C5FBEB-EAA1-45D9-BB30-7817DB26FF47}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B0C7CF5B-BB08-4FD9-8EB5-808A276DD852}]
[-HKEY_CLASSES_ROOT\CLSID\{6FA0A9B0-DB65-4222-919E-49CA3A498F38}]
[-HKEY_CLASSES_ROOT\CLSID\{915A422D-296C-4CE2-9DE9-F14783F1AF38}]
[-HKEY_CLASSES_ROOT\CLSID\{98C5FBEB-EAA1-45D9-BB30-7817DB26FF47}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 08/07/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

sUBs
Global Moderator
« Reply #3 on: August 07, 2005, 07:43:00 PM »

Please save the following instructions in Notepad. I have customised my instructions on the assumption that you have Notepad 'on'. It may lead to some confusion should you choose to do otherwise.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

From the L2MFix folder, double-click L2mfix.bat
Select option #4 - Merge Winlogon Notify Defaults - by typing 4
Type E to exit the program.

You may delete the L2MFix folder after that


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Close all programs & browsers. Have HijackThis fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate & delete this folder:

C:\PROGRAM FILES\SearchRelevant

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

When doing the fix, you shall be viewing these instructions from Notepad.
Copy the filename/s listed below.
Select/Highlight all the filenames & then click on Notepad's Edit menu & select Copy
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\woinstall.exe
    C:\WINDOWS\inf\btgrab.inf
    C:\WINDOWS\system32\Shex.exe
    C:\WINDOWS\system32\xmltok.dll
    C:\WINDOWS\ttext.dll

Launch KillBox.exe
Go to the File menu, and choose 'Paste from Clipboard' * this feature does not work on older versions of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
Delete on Reboot
End Explorer Shell While Killing File
Unregister dll Before deleting
* if it's not grayed out
Click the RED X button.
Click Yes at the 'Delete on Reboot' prompt.
Click Yes at the 'Pending Operations prompt'.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Upon reboot, run CleanUp! using the settings outlined earlier

Post a fresh Hijackthis log in your next reply

Let me know how the machine behaves now.


bill727
« Reply #4 on: August 07, 2005, 08:09:00 PM »

Everything seems to be running much better now; as of this point, I haven't had a single pop-up. Your help has been very much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:06:36 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Toolbar BHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


sUBs
Global Moderator
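Added example (Python; not part of the thread, of HijackThis or of L2MFix): a small parser for HijackThis entry lines that diffs a "before" and "after" scan, confirms that the entries the helper asked to have fixed are gone from the fresh log, and lists the entries a helper reads first. The sample logs are constructed in the HJT v1.99 format from entries that appear in this thread; the line regex and the "review" heuristics are my assumptions, not HijackThis's own rules.

```python
import re
from dataclasses import dataclass

# Entry line: "<section code> - <rest>", e.g. "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True, order=True)
class Entry:
    code: str   # section code: R1, O2, O4, O16, O23, ...
    body: str   # everything after the code, verbatim
    clsid: str  # upper-cased CLSID when the entry carries one, else ""

    def line(self) -> str:
        return f"{self.code} - {self.body}"

def parse_log(text: str) -> list[Entry]:
    """Keep entry lines only; the header and 'Running processes' paths are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            c = CLSID_RE.search(m["rest"])
            entries.append(Entry(m["code"], m["rest"], c.group(0).upper() if c else ""))
    return entries

def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) entries between two scans of the same machine."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)

def still_present(fix_list: str, after: str) -> list[str]:
    """Entries the helper asked to have fixed that survive in the fresh log."""
    wanted = {e.line() for e in parse_log(fix_list)}
    return sorted(wanted & {e.line() for e in parse_log(after)})

def review_flags(log: str) -> list[str]:
    """Entries a helper reads first: unnamed BHOs and search-URL overrides (assumed
    heuristics). Prompts for review, not verdicts: Spybot's SDHelper is an unnamed BHO."""
    return [e.line() for e in parse_log(log)
            if (e.code == "O2" and e.body.startswith("BHO: (no name)"))
            or (e.code in ("R0", "R1") and "Search" in e.body)]

# Constructed sample logs in HJT v1.99 format; entries are modelled on the thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""
# The two entries the helper asked HijackThis to fix, pasted as given in the reply.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\Anti-Spyware\AnonAntiSpyware.exe /BOOT
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *[e.line() for e in removed], sep="\n  ")
    print("added:", *[e.line() for e in added], sep="\n  ")
    print("fix-list entries still present:", still_present(FIX_LIST, AFTER))
    print("review:", *review_flags(AFTER), sep="\n  ")
```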
« Reply #5 on: August 07, 2005, 08:31:15 PM »

Your system is clean.

Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

Clear & reset System Restore's cache
click Start >> Run - type SYSDM.CPL & press Enter
Select the System Restore Tab
Tick on the checkbox - Turn off System Restore on all drives
Click Apply
Then untick the same checkbox & click OK


Make your Internet Explorer more secure -  This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine.  This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish).  If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over.  I am very serious about this and see it happen almost every day with my clients.  Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls


Visit Microsoft's Windows Update Site Frequently - It is important that you visit windowsupdate.com regularly.  This will ensure your computer always has the latest available security updates installed.  If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.  This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.  You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware,  & Hijackers from Your Computer


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly.  Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.



Here are some additional utilities that will further enhance your safety

IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system.  It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc.  Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.


Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program!  (AOL, Yahoo, ICQ, IRC, MSN)


Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.


Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.


CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more.  Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


Winpatrol -  Download and install the free version of Winpatrol.
A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

teej813
« Reply #6 on: August 18, 2005, 02:29:47 PM »

Hi!

I registered just to tell you how helpful your reply is. We're fighting the same program on one of our users' PCs.  Any idea how WinFixer gets installed?  Are there known freeware programs that WinFixer is bundled with, or must our user have installed it purposefully?

Thanks for any info.


tj

sUBs
Global Moderator
« Reply #7 on: August 18, 2005, 05:35:03 PM »

Since it does not have an entry in the Add/Remove Programs section, it'll be fair to assume that it's not bundleware. It's most likely a drive-by infection primarily caused by weak security settings on the browser's part.

It's nice to know that this thread has been helpful to more than one user. Thanks for letting me know.

teej813
« Reply #8 on: August 19, 2005, 07:55:50 PM »

Gotcha.  Ok, thanks!

I've bookmarked the forum and will post from time to time.  Thanks for your efforts!



tj