thestealthpenguin Posted March 8, 2008 Share Posted March 8, 2008 My main problem is that I started getting random websites poping up in internet explorer. These happen even when im using firefox. These are full websites and not just ads. They sometimes seem to have something to do with the websites your currently looking at, but not always. Hopefully I can find and get rid of whatever is causing this. Wasnt quite sure if I should paste the text or attach a file, so I did both. Thank you in advance. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:15:22 PM, on 2/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {0B1923BF-0D70-4349-B458-B48081B73314} - C:\WINDOWS\system32\iifcy.dll (file missing) O2 - BHO: (no name) - {2F161FD5-749E-4F1A-B9B6-1479EA8008DA} - C:\WINDOWS\system32\iiife.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {ABA4DC60-D928-4234-BBD4-F004ECB1B4AE} - C:\Program Files\Internet Explorer\mepovyguqC:\WINDOWS\system32\usmvt3\gyreo83122.exe.dll (file missing) O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\qomkihg.dll (file missing) O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\RunOnce: [spybotDeletingA4013] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" O4 - HKLM\..\RunOnce: [spybotDeletingC6464] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [spybotDeletingB5754] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" O4 - HKCU\..\RunOnce: [spybotDeletingD975] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Backgammon - http://download2.games.yahoo.com/games/clients/y/at1_x.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201979771398 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab O20 - Winlogon Notify: qomkihg - qomkihg.dll (file missing) O20 - Winlogon Notify: wvuutuu - wvuutuu.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe -- End of file - 6194 bytes Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 8, 2008 Administrator Share Posted March 8, 2008 Hi thestealthpenguin and welcome to Lunarsoft! Upon reviewing your log I see that you have items pending for deletion. Go ahead and restart your computer so those items will be deleted. I would also suggest renaming HijackThis into something like "HJScanner" and then please post a new log. This will allow your log to be refreshed and if any malware is looking for "hijackthis" in the running process list to try and hide itself, the renaming will reveal any hidden malware. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 8, 2008 Author Share Posted March 8, 2008 thestealthpenguin - log02 I restarted, and renamed the program to HJT.exe. Is this better? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:41:42 PM, on 3/8/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\HJT\HJT.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {0B1923BF-0D70-4349-B458-B48081B73314} - C:\WINDOWS\system32\iifcy.dll (file missing) O2 - BHO: (no name) - {2F161FD5-749E-4F1A-B9B6-1479EA8008DA} - C:\WINDOWS\system32\iiife.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {ABA4DC60-D928-4234-BBD4-F004ECB1B4AE} - C:\Program Files\Internet Explorer\mepovyguqC:\WINDOWS\system32\usmvt3\gyreo83122.exe.dll (file missing) O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\qomkihg.dll (file missing) O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Backgammon - http://download2.games.yahoo.com/games/clients/y/at1_x.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201979771398 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab O20 - Winlogon Notify: qomkihg - qomkihg.dll (file missing) O20 - Winlogon Notify: wvuutuu - wvuutuu.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe -- End of file - 5834 bytes Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 8, 2008 Administrator Share Posted March 8, 2008 You'll want to update your Sun Java and also do Windows Updates to get IE7 which has a lot of important security updates. I would also recommend scanning with AVG Anti-Spyware. I would also highly recommend uninstalling all toolbars since when they attack to Internet Explorer they attach to your Windows Explorer and that can cause issues should anything bad happen with the toolbars. Here are the items to clean out and the recommendations. Simply apply a checkmark to the items listed in HijackThis and then click "Fix". Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta. Default-color items are optional, red are known to be malicious. Created registry value R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch Changed registry value R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch Created registry value R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 Created extra registry value where only one should be R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) Enumeration of existing IE's BHO's O2 - BHO: (no name) - {0B1923BF-0D70-4349-B458-B48081B73314} - C:\WINDOWS\system32\iifcy.dll (file missing) O2 - BHO: (no name) - {2F161FD5-749E-4F1A-B9B6-1479EA8008DA} - C:\WINDOWS\system32\iiife.dll (file missing) O2 - BHO: (no name) - {ABA4DC60-D928-4234-BBD4-F004ECB1B4AE} - C:\Program Files\Internet Explorer\mepovyguqC:\WINDOWS\system32\usmvt3\gyreo83122.exe.dll (file missing) O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\qomkihg.dll (file missing) Enumeration of existing IE's toolbars O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll Downloaded Program Files item O16 - DPF: Yahoo! Backgammon - http://download2.games.yahoo.com/games/clients/y/at1_x.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys O20 - Winlogon Notify: qomkihg - qomkihg.dll (file missing) O20 - Winlogon Notify: wvuutuu - wvuutuu.dll (file missing) Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 9, 2008 Author Share Posted March 9, 2008 Well... i ran highjackthis and fixed the things you noted (still got pop up IE websites). I then updated Java and updated to IE7 (still got popups). Then I updated and ran AVG again (that is what i normally use along with AdAware, until i installed the 50 other scaners suggested on the LunarSoft PC Maitnence page), and...still getting popups. This is the last log file ran after all of that. Thanks for the help... thestealthpenguin - log 05 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:20:54 PM, on 3/9/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Grisoft\AVG7\avgcc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HJT\HJT.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Backgammon - http://download2.games.yahoo.com/games/clients/y/at1_x.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201979771398 O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe -- End of file - 5791 bytes Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 9, 2008 Author Share Posted March 9, 2008 Oh I forgot, the toolbars. I dont *want* either the netzero or yahoo toolbars. They arent 'up' or 'visable' on my browsers. Ive gone to Add/Remove Programs and removed the yahoo toolbar before, but i guess it didnt get all of it. The yahoo one was probably installed with our dsl internet. I dont know where else to look to remove it. As for Netzero, we were using that for a while, and id like to keep it as a dialup backup. I dont know how or if i can remove the toolbar without uninstalling the whole netzero program. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 9, 2008 Administrator Share Posted March 9, 2008 You said you ran AVG, but was it AVG Anti-Virus or AVG Anti-Spyware? Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 10, 2008 Author Share Posted March 10, 2008 I was using AVG Anti VIRUS. I never even realized there was a spyware version. I downloaded that, and ran a scan. It didnt find anything except a few cookies. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 10, 2008 Administrator Share Posted March 10, 2008 What websites are giving you popups? Please list them using the [code] BBCode. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 10, 2008 Author Share Posted March 10, 2008 We've gotten lots of different sites. The best I can do is to try to get a few samples over the next few days. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 14, 2008 Author Share Posted March 14, 2008 So, I tried to collect some of the websites over the last week. A lot of these get repeated, and come up again and again, so, I only listed them once. Also, once in a while, something different comes up that seems to be vaugely related to what youre searching for at the time. Hope this helps some. http://media2.mediafileshost.com/images/41...78_7155251.html http://hotjobs.yahoo.com/ http://www.leadsandfeeds.com/ http://c5.zedo.com/jsc/c5/ff2.html?n=377;c...=16;w=720;h=300 http://ww.smas***s.com/adn-02.html http://hotjobs.yahoo.com/ http://blognfl.smacchat.com/ http://www.primosearch.com/jump/?affiliate...o%20classifieds http://www.jokeroo.com/travel/travelairlines-lynxjet.php https://www.centennialgoldcards.com/dn/Pers...080310164241BPR http://www.wallst.net/ http://www.hornymatches.com/geolist18_35.php http://try.alot.com/tb/weather/weather_sea...ea-lcl-thdr-728 http://giveaway-cafe.com/?config=4298&...8450aaa:148697: https://www.accountnowvisa.com/secure/landi...&scode=6140 http://www.ovguide.com/index.html?aff=323 http://www.coolringmobile.com/?src=BlowSearch http://www.rebateprocessortools.com/?ref=&cid=CD25092 Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 14, 2008 Administrator Share Posted March 14, 2008 Could you please go into CCleaner > Tools > Uninstall and click the Save to text file button. Then please copy and paste the contents here. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 15, 2008 Author Share Posted March 15, 2008 Here is the CCleaner uninstall list log file 7-Zip 4.42 Ad-Aware 2007 Adobe Flash Player 9 ActiveX Adobe Flash Player ActiveX Adobe Flash Player Plugin Apple Software Update AT&T Self Support Tool Audacity 1.2.6 Audio Recorder for FREE v8.2 AVG 7.5 AVG Anti-Spyware 7.5 CCleaner (remove only) Citrix Presentation Server Client Dynamic TWAIN 3.0 Foxit PDF Editor Foxit Reader FreePCB 1.2 GPL Ghostscript 8.60 GPL Ghostscript Fonts HijackThis 2.0.2 Hotfix for Windows XP (KB914440) Hoyle Board Games 2005 Java 6 Update 2 Java 6 Update 3 Java 6 Update 5 lcc-win32 version 3.2 (base system) Lizardtech Express View Browser Plug-in Malwarebytes' RogueRemover Microsoft .NET Framework 2.0 Service Pack 1 Microsoft Office Professional Edition 2003 Microsoft Streets and Trips 2001 Mozilla Firefox (2.0.0.12) NetZero Internet Notepad++ PDFCreator PrimoPDF PrimoPDF Redistribution Package Puzzle Master QuickTime RealPlayer Rhapsody Player Engine Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB936782) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB937894) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB946026) SoundCapture Spybot - Search & Destroy SpywareBlaster v3.5.1 Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB930916) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) Update for Windows XP (KB946627) Virtual Rosary WebFldrs XP Windows Defender Windows Genuine Advantage Validation Tool (KB892130) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893056 Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 15, 2008 Administrator Share Posted March 15, 2008 You'll want to uninstall: Java 6 Update 2 Java 6 Update 3 SpywareBlaster 3.5.1 (SpywareBlaster 4.0 is out now and a clean install is recommended) Are there any programs in your Add/Remove programs that you do not recognize? ctfmon is often used as malware. Please upload it to VirusTotal and then provide the link to the results. If you have not already done so, please run CWShredder and AboutBuster. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 15, 2008 Author Share Posted March 15, 2008 I uninstalled the things you recomended. Everything else in the add remove programs seems fine. I know i looked through it a while ago, and uninstalled some things, but i dont think anything was suspicious. I ran CWshredder and AboutBuster around the end of feb, when i did the whole list of scanners listed on the lunarsoft PC maitenence page. I didnt like one of those, because i think it delete a lot of normal settings on my computer, like start menu options or something. I think that was CWshredder. Anyway, I also installed the new version of Spyware Blaster and enabled it. As for the ctfmon program, I searched for it and came up with the following: C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft Office 2003\YC561403.CAB\F816_ctfmon.exe.2BBC3BB7_EE04_46E8_8476_2F99E88F4EE4 C:\WINDOWS\system32\dllcache\ctfmon.exe C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\YC561403.CAB\F816_ctfmon.exe.2BBC3BB7 _EE04_46E8_8476_2F99E88F4EE4 I uploaded the file C:\WINDOWS\system32\ctfmon.exe and got this page: http://www.virustotal.com/analisis/d762af8...f38f4fd1d8eb62b I also noticed looking in the system folders that some of my files and folders have blue text. Is that something related to one of the spyware scaners i have? I never noticed it before, seems weird. Thanks. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 15, 2008 Administrator Share Posted March 15, 2008 Blue items mean they have been compressed. That generally happens most with hotfixes and is perfectly normal. Did running AboutBuster or CWShredder find anything? Neither of the two touch any user settings. Link to comment Share on other sites More sharing options...
thestealthpenguin Posted March 15, 2008 Author Share Posted March 15, 2008 No, i dont think anything was found when i first ran those scans. I just ran them again, and nothing was found now either. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted March 19, 2008 Administrator Share Posted March 19, 2008 From your HijackThis logs there is nothing else that stands out as malware. I would suggest running Windows Update and getting fully up-to-date, installing IE7 as well. Link to comment Share on other sites More sharing options...
Recommended Posts