spyware/adware/viruses help? 2 Options

[yukichan]

<!-- begin code provided by createblog.com --><br />Logfile of HijackThis v1.99.1<br />Scan saved at 10:04:15, on 2005/06/06<br />Platform: Windows XP SP2 (WinNT 5.01.2600)<br />MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)<br /><br />Running processes:<br />C:\WINDOWS\System32\smss.exe<br />C:\WINDOWS\system32\winlogon.exe<br />C:\WINDOWS\system32\services.exe<br />C:\WINDOWS\system32\lsass.exe<br />C:\WINDOWS\system32\svchost.exe<br />C:\WINDOWS\System32\svchost.exe<br />C:\WINDOWS\system32\spoolsv.exe<br />C:\WINDOWS\Explorer.exe<br />C:\WINDOWS\system32\ctfmon.exe<br />C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe<br />C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe<br />C:\Program Files\Common Files\Symantec Shared\ccApp.exe<br />C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe<br />C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe<br />C:\Program Files\HP\hpcoretech\hpcmpmgr.exe<br />C:\WINDOWS\System32\hphmon05.exe<br />C:\Program Files\Norton AntiVirus\navapsvc.exe<br />C:\Program Files\QuickTime\qttask.exe<br />C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe<br />C:\Program Files\Common Files\AOL\ACS\AOLDial.exe<br />C:\Program Files\Norton AntiVirus\SAVScan.exe<br />C:\Program Files\Common Files\Real\Update_OB\realsched.exe<br />C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe<br />C:\WINDOWS\system32\nsvsvc\nsvsvc.exe<br />C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe<br />C:\WINDOWS\system32\picsvr\picsvr.exe<br />C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe<br />C:\Program Files\webHancer\Programs\whSurvey.exe<br />C:\Program Files\webHancer\Programs\whAgent.exe<br />c:\windows\system32\photgac.exe<br />C:\Program Files\aim\aim.exe<br />C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe<br />C:\Program Files\BigFix\BigFix.exe<br />C:\WINDOWS\System32\HPZipm12.exe<br />C:\Program Files\Internet Explorer\iexplore.exe<br />C:\Program Files\Internet Explorer\IEXPLORE.EXE<br />C:\Program Files\Messenger\msmsgs.exe<br />C:\DOCUME~1\NANCYS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe<br /><br />F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe<br />N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nancy Sato\Application Data\Mozilla\Profiles\default\qnlupyzf.slt\prefs.js)<br />O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)<br />O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll<br />O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)<br />O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)<br />O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll<br />O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll<br />O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll<br />O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)<br />O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll<br />O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll<br />O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)<br />O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)<br />O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"<br />O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"<br />O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe<br />O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe<br />O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"<br />O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe<br />O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32<br />O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC<br />O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC<br />O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName<br />O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime<br />O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe<br />O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe<br />O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot<br />O4 - HKLM\..\Run: [xixzig] c:\windows\system32\xixzig.exe<br />O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe<br />O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe<br />O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe<br />O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1<br />O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer<br />O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"<br />O4 - HKLM\..\Run: [CyQbid6] C:\WINDOWS\gfywdt.exe<br />O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe<br />O4 - HKLM\..\Run: [C:\WI^#OWS\gfywdt.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\gfywdt.exe<br />O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe<br />O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe<br />O4 - HKLM\..\Run: [C:\WI3ﾔOW^#gfywdt.exC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\gfywdt.exe<br />O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u<br />O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe<br />O4 - HKLM\..\Run: [C:\WI3ﾔOW^#gfywdtNxC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\gfywdt.exe<br />O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"<br />O4 - HKLM\..\Run: [C:\WI3ﾔOWGGgfﾏNb化9:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\gfywdt.exe<br />O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"<br />O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"<br />O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"<br />O4 - HKLM\..\Run: [zeiszma] c:\windows\system32\photgac.exe<br />O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe<br />O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"<br />O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background<br />O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet<br />O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl<br />O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Nancy Sato\Application Data\rncr.exe<br />O4 - HKCU\..\Run: [Nvbde] C:\WINDOWS\system32\wυcrtupd.exe<br />O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe<br />O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe<br />O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE<br />O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html<br />O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html<br />O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html<br />O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html<br />O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html<br />O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll<br />O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll<br />O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe<br />O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe<br />O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe<br />O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll<br />O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe<br />O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe<br />O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)<br />O10 - Hijacked Internet access by WebHancer<br />O10 - Hijacked Internet access by WebHancer<br />O10 - Hijacked Internet access by WebHancer<br />O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com<br />O15 - Trusted Zone: *.media-motor.net<br />O15 - Trusted Zone: *.popuppers.com<br />O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - [url=http://help.rr.com/Foundrysdccommon/download/tgctlar.cab]http://help.rr.com/Foundrysdccommon/download/tgctlar.cab[/url]<br />O16 - DPF: {04719992-296F-4958-AA0F-FA25FFA5008B} - [url=http://www1.excite.com/ct/speedbar/x8bar1,0,2,3.cab]http://www1.excite.com/ct/speedbar/x8bar1,0,2,3.cab[/url]<br />O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [url=https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab]https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab[/url]<br />O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - [url=http://pictures02.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.7.cab]http://pictures02.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab[/url]<br />O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url=http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab]http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab[/url]<br />O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - [url=http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab]http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab[/url]<br />O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - [url=https://www-secure.symantec.com/techsupp/asa/SymAData.cab]https://www-secure.symantec.com/techsupp/asa/SymAData.cab[/url]<br />O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - [url=http://chat.msn.com/bin/msnchat45.cab]http://chat.msn.com/bin/msnchat45.cab[/url]<br />O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - [url=http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab]http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab[/url]<br />O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll<br />O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe<br />O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe<br />O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe<br />O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe<br />O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe<br />O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe<br />O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe<br />O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe<br />O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe<br />O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe<br />O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe<br />O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe<br /><!-- end code provided by createblog.com -->

Umm..Made a new topic as dispn0ygonekrazy requested...
For more information check http://www.createblog.com/forums/index.php...=0#entry1343361

[dispn0ygonekrazy]

all right nekochan ill will help you as soon as my internet stops being g@y alright thank you =]

[ryanoman]

Let me list some of your infections:

Vbouncer
Webhancer
WebRebates
Aurora
IST (not really sure)

[dispn0ygonekrazy]

Hi Nekochan1018,

Im Mike I'll help you clean your computer of spyware and Nail. Please follow the instructions below throughly and not missing a step so the Cleaning process will not be out in order.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

After that run CWShredder and let it clean all the files it finds.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

[yukichan]

thanks for the help!
I'm starting it now, so I'll put the logs up later..

[*mona lisa*]

Umm...mind if I use this as well?

I have a few viruses that AVG detected, but it couldn't get rid of it. I put it in quotes so it's easier to read.
Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:01:15 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\mks\Free History Eraser\HistoryEraser.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://world.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb Class - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll (file missing)
O2 - BHO: (no name) - {10AA115E-9874-17AF-147C-C424D9FA21F0} - C:\WINDOWS\ipin32.dll (file missing)
O2 - BHO: (no name) - {A6504E6D-DF84-8F54-841C-8C1D866319B2} - C:\WINDOWS\System32\zpvupmgh.dll
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\mks\Free History Eraser\HistoryEraser.exe" /stealt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5co...b?1106867032968
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: NameServer = 192.168.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Anything I can do?

[dispn0ygonekrazy]

Yes sir i can definitely help you let me make a fix for you individually as well also alright please be patient ill get to you

Alright gotnoheart sorry it took so long to get to you, im on vacation and currently still but i have time to help you =].

Please follow the instructions thoroughly and making sure you do them in order.

MooSoft <------ Download the program and run a scan for trojans. You have a trojan detected in your harddrive.

Run this online virus scan: ActiveScan - Save the results from the scan!

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install. CleanUp!

You have a CoolWebSearch infection.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Open HJT, Scan then put a check on the following files below.

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: ohb Class - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll (file missing)
O2 - BHO: (no name) - {10AA115E-9874-17AF-147C-C424D9FA21F0} - C:\WINDOWS\ipin32.dll (file missing)
O2 - BHO: (no name) - {A6504E6D-DF84-8F54-841C-8C1D866319B2} - C:\WINDOWS\System32\zpvupmgh.dll
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll (file missing)
O4 - HKLM\..\RunServices: [MSN Update] dllcon.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

Post a new HiJackThis log along with the results from ActiveScan.

[*mona lisa*]

Latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 6:14:15 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Free History Eraser\HistoryEraser.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://world.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5co...b?1106867032968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{768B6603-931C-427F-883D-43198EDEF9FE}: NameServer = 209.226.175.15 207.236.176.28
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ActiveScan log:

Incident                      Status                        Location                                                                                                                                                                                                                                                       

Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\System32\zpvupmgh.dll                                                                                                                                                                                                                               
Virus:Trj/Agent.DD            Disinfected                  Operating system                                                                                                                                                                                                                                               
Adware:Adware/SaveNow        No disinfected                Windows Registry                                                                                                                                                                                                                                               
Adware:Adware/KeenValue      No disinfected                C:\WINDOWS\system32\drivers\etc\hosts.bho                                                                                                                                                                                                                     
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\system32\in10b6s.dll                                                                                                                                                                                                                               
Adware:Adware/PortalScan      No disinfected                Windows Registry                                                                                                                                                                                                                                               
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\system32\inneradinstall.log                                                                                                                                                                                                                         
Spyware:Spyware/TVMedia      No disinfected                C:\Documents and Settings\Owner\Application Data\tvm*.dll                                                                                                                                                                                                     
Adware:Adware/DelFinMedia    No disinfected                C:\keys.ini                                                                                                                                                                                                                                                   
Adware:Adware/SideSearch      No disinfected                C:\WINDOWS\sepsd.bin                                                                                                                                                                                                                                           
Adware:Adware/IEDriver        No disinfected                Windows Registry                                                                                                                                                                                                                                               
Adware:Adware/IPInsight      No disinfected                C:\WINDOWS\inf\alchem.in?                                                                                                                                                                                                                                     
Adware:Adware/SideFind        No disinfected                Windows Registry                                                                                                                                                                                                                                               
Spyware:Spyware/LocalNRD      No disinfected                C:\WINDOWS\inf\localNRD.inf                                                                                                                                                                                                                                   
Adware:Adware/ExactSearch    No disinfected                Windows Registry                                                                                                                                                                                                                                               
Adware:Adware/SuperSpider    No disinfected                C:\WINDOWS\msxmidi.exe                                                                                                                                                                                                                                         
Adware:Adware/P2PNetworking  No disinfected                Windows Registry                                                                                                                                                                                                                                               
Virus:Bck/Dumador.O          Disinfected                  Operating system                                                                                                                                                                                                                                               
Spyware:Spyware/TVMedia      No disinfected                C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll                                                                                                                                                                                                   
Adware:Adware/PurityScan      No disinfected                C:\Documents and Settings\Owner\Application Data\wtta.exe                                                                                                                                                                                                     
Adware:Adware/DelFinMedia    No disinfected                C:\keys.ini                                                                                                                                                                                                                                                   
Adware:Adware/MultiMPP        No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp                                                                                                                                                                                                             
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp                                                                                                                                                                                                               
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp                                                                                                                                                                                                               
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp                                                                                                                                                                                                               
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp\NavHelper\v2.0.4c\v2.0.4c.c.cab                                                                                                                                                                               
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp\NavHelper\v2.0.4c\v2.0.4c.c.cab[NHelper.dll]                                                                                                                                                                 
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp\NavHelper\v2.0.4c\v2.0.4c.c.cab[NHUninstaller.exe]                                                                                                                                                           
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp\NavHelper\v2.0.4c\v2.0.4c.c.cab[NHUpdater.exe]                                                                                                                                                               
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp\v2.0.4c.c.cab                                                                                                                                                                                                 
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp\v2.0.4c.c.cab[NHelper.dll]                                                                                                                                                                                   
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp\v2.0.4c.c.cab[NHUninstaller.exe]                                                                                                                                                                             
Adware:Adware/NavHelper      No disinfected                C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp\v2.0.4c.c.cab[NHUpdater.exe]                                                                                                                                                                                 
Adware:Adware/IPInsight      No disinfected                C:\WINDOWS\inf\alchem.inf                                                                                                                                                                                                                                     
Spyware:Spyware/LocalNRD      No disinfected                C:\WINDOWS\inf\localNrd.inf                                                                                                                                                                                                                                   
Adware:Adware/Twain-Tech      No disinfected                C:\WINDOWS\inf\twaintec.inf                                                                                                                                                                                                                                   
Adware:Adware/eZula          No disinfected                C:\WINDOWS\mmttil.exe                                                                                                                                                                                                                                         
Virus:Trj/Banker.BP          Disinfected                  C:\WINDOWS\msxmidi.exe                                                                                                                                                                                                                                         
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\sahagent-mediamotor1002.exe                                                                                                                                                                                                                         
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\sahagent-mediamotor1003.exe                                                                                                                                                                                                                         
Adware:Adware/SideSearch      No disinfected                C:\WINDOWS\sepsd.bin                                                                                                                                                                                                                                           
Adware:Adware/MyDailyHoroscopeNo disinfected                C:\WINDOWS\setup_silent_17253.exe                                                                                                                                                                                                                             
Adware:Adware/MyDailyHoroscopeNo disinfected                C:\WINDOWS\setup_silent_17304.exe                                                                                                                                                                                                                             
Adware:Adware/StatBlaster    No disinfected                C:\WINDOWS\standard.exe                                                                                                                                                                                                                                       
Adware:Adware/KeenValue      No disinfected                C:\WINDOWS\system32\drivers\etc\hosts.bho                                                                                                                                                                                                                     
Adware:Adware/nCase          No disinfected                C:\WINDOWS\system32\in10b6s.dll                                                                                                                                                                                                                               
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\system32\INNERADINSTALL.LOG                                                                                                                                                                                                                         
Adware:Adware/I-search.us    No disinfected                C:\WINDOWS\system32\isearch2.dll                                                                                                                                                                                                                               
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\lsp.to_be_deleted                                                                                                                                                                                                                         
Virus:Trj/Downloader.OA      Disinfected                  C:\WINDOWS\system32\O.BAT                                                                                                                                                                                                                                     
Adware:Adware/KeenValue      No disinfected                C:\WINDOWS\system32\setup_incred_4.exe                                                                                                                                                                                                                         
Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\system32\WAUBOO~1.EXE                                                                                                                                                                                                                               
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmlparse.dll                                                                                                                                                                                                                               
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmltok.dll                                                                                                                                                                                                                                 
Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\system32\zpvupmgh.dll                                                                                                                                                                                                                               

[dispn0ygonekrazy]

Hi gotnoheart we still have a few problems to solve but we'll get there

OK now open HJT, Scan and put a check on the following files below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll (file missing)


O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\HistoryEraser.exe" /stealt

After placing a check on the files click on Fix Checked

Also run CleanUp! the file you downloaded earlier and run then scan.

Restart your computer and post a fresh HJT Log.

[*mona lisa*]

Hi there. =)
Thanks for all your help last time.

HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:21 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://world.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106867032968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{768B6603-931C-427F-883D-43198EDEF9FE}: NameServer = 209.226.175.15 207.236.176.28
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

There's also that virus that was detected called Java/Openstream. Heard of it? I'm guessing it has to do with the Java Runtime program that came along with Limewire. Although I rarely use it anymore, I don't want to delete the whole thing.

[dispn0ygonekrazy]

Aiight buddy we almost done here ok,

Open HJT and scan, put a check on the following files below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://world.yahoo.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O14 - IERESET.INF: START_PAGE_URL=http://world.yahoo.co
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{768B6603-931C-427F-883D-43198EDEF9FE}: NameServer = 209.226.175.15 207.236.176.28

then click on Fix Checked.

Now run Spybot S&D and update then scan. If you dont have the program please download it from my signature.

Restart and Post a new HJT log and tell me how your system is running. :)

[Paradox of Life]

What is up with you and fixing computers?

[dispn0ygonekrazy]

becuzzz its my hobby =] i like helping people XD

[*mona lisa*]

O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca

Are you sure I should delete this one because Sympatico is my Internet Service Provider. I didn't just in case.

New log:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Messenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106867032968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F4F027A-E0DC-49DE-AC21-C6FC196AAE80}: Domain = sympatico.ca
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[ryanoman]

Do you know what OmniPass is?

O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

[*mona lisa*]

Do you know what OmniPass is?

O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

Me or dispn0ygonecrazy?

I think it's for password management. My dad's a computer programmer so I thought it was one of his programs. I left it alone.

[ryanoman]

Yeah... it's for password management. Nevermind.

[dispn0ygonekrazy]

lol yeah ryanamo thats why i didnt include it =] umm yeah gotnoheart dont delete the 017 i added there I'm glad you left it there lol. But other than that your log is clean dude good job.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
• More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

[*mona lisa*]

Yay, thankyouuu.

I have most of those programs anyway. =)

So you can't do anything about the Java/Openstream virus?

[dispn0ygonekrazy]

Alright lets try this, Download Ewido Security Suite from its website, just google it, install and update the definitions but dont run it yet.

Clear your temporary internet files and folders and run MooSoft, if you dont have it Download it from my Signature.

Reboot in Safe Mode and run Ewido Security Suite and restart your computer and tell me how it is.