garmanma Posted June 30, 2006 Report Share Posted June 30, 2006 I updated and ran all the virus and spyware programs. I'm still getting an obnoxious Win Antivirus pop-up. My daughter also told me That a window came up wanting to install a BHO helper and she couldn't get rid of it. Any help would be helpfulThanks MarkLogfile of HijackThis v1.99.1Scan saved at 9:57:45 AM, on 6/30/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\Adelphia HSAgent\bin\tgcmd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.BINC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quietO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
Steamhead Posted June 30, 2006 Report Share Posted June 30, 2006 Hello garmanma Let's get started!First download ewido anti-spyware from HERE and save that file to your desktop.This is a 30 day trial of the programOnce you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.Once the setup is complete you will need run ewido and update the definition files.On the main screen select the icon "Update" then select the "Update now" link.Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".[*]Under "Reports"Select "Automatically generate report after every scan"Un-Select "Only if threats were found"Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:Lauch ewido-anti-spyware by double-clicking the icon on your desktop.Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".ewido will now begin the scanning process, be patient this may take a little time.Once the scan is complete do the following:If you have any infections you will prompted, then select "Apply all actions"Next select the "Reports" icon at the top.Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.I would also like for you to go to the location you saved HijackThis to and rename the file to "HJT", then scanning again and posting a fresh log. Thank You! Link to post Share on other sites
garmanma Posted June 30, 2006 Author Report Share Posted June 30, 2006 Here you go. This is my daughter's machine, i'm not sure if I'll be back on it until MondayThanksMarkwido anti-spyware - Scan Report--------------------------------------------------------- + Created at: 5:16:14 PM 6/30/2006 + Scan result: C:\WINDOWS\system32\sstqr.dll -> Adware.Virtumonde : No action taken.HKU\S-1-5-21-823518204-1292428093-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : No action taken.C:\Documents and Settings\Andrea\Local Settings\Temporary Internet Files\Content.IE5\2Z6B6PYB\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@2o7[1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : No action taken.C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Valuead : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Wade\Cookies\wade@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@zedo[1].txt -> TrackingCookie.Zedo : No action taken.::Report endLogfile of HijackThis v1.99.1Scan saved at 5:25:52 PM, on 6/30/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\Adelphia HSAgent\bin\tgcmd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\ewido anti-spyware 4.0\ewido.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.BINC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimizedO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quietO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
Steamhead Posted July 2, 2006 Report Share Posted July 2, 2006 Hmm .. I'd like to see a couple more things.STEP 1:Open HijackThis, click Config, click Misc ToolsClick "Open Uninstall Manager"Click "Save List" (generates uninstall_list.txt)Click Save, copy and paste the results in your next post.STEP 2:Please go HERE to run Panda's ActiveScanOnce you are on the Panda site click the Scan your PC buttonA new window will open...click the Check Now buttonEnter your CountryEnter your State/ProvinceEnter your e-mail address and click sendSelect either Home User or CompanyClick the big Scan Now buttonIf it wants to install an ActiveX component allow itIt will start downloading the files it requires for the scan (Note: It may take a couple of minutes)When download is complete, click on My Computer to start the scanWhen the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report Link to post Share on other sites
garmanma Posted July 3, 2006 Author Report Share Posted July 3, 2006 (edited) Here you go:Incident Status Location Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wade\Cookies\wade@atwola[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Wade\Cookies\wade@ccbill[2].txt Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt I opened Hijack This>misc. tools>open uninstall manager but when I click on "save list" it just closes the app. I've search the hard drive for "uninstall_list.text" but nothing shows up. ???MarkIt was just brought to my attention that I used "text" instead of "txt" in my search. I'll look again for it on Wed. Edited July 3, 2006 by garmanma Link to post Share on other sites
Steamhead Posted July 5, 2006 Report Share Posted July 5, 2006 (edited) Hello garmanma, Happy 4th of July! You may want to print this out for reference.STEP 1:Please download ATF Cleaner by Atribune.This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.Under Main choose: Select AllClick the Empty Selected button.If you use Firefox browserClick Firefox at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browserClick Opera at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.For Technical Support, double-click the e-mail address located at the bottom of each menu.STEP 2:Please open HijackThis and check the following entries:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comClose all open windows and browsers (except for Hijackthis) and click on "Fix Checked".Please post a fresh HijackThis log with a fresh Ewido and Panda scan. Thanks! Edited July 5, 2006 by Steamhead Link to post Share on other sites
garmanma Posted July 5, 2006 Author Report Share Posted July 5, 2006 Updated July 5Logfile of HijackThis v1.99.1Scan saved at 11:54:15 AM, on 7/5/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\Adelphia HSAgent\bin\tgcmd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\ewido anti-spyware 4.0\ewido.exeC:\Program Files\MSN Messenger\MsnMsgr.ExeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.exeC:\Program Files\Yahoo!\Messenger\ymsgr_tray.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.BINC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimizedO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quietO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeWhenever I open Ewido I get an alert for Adware Virtumonde locationC:\WINDOWS\system32\sstqr.dll---------------------------------------------------------ewido anti-spyware - Scan Report--------------------------------------------------------- + Created at: 12:58:58 PM 7/5/2006 + Scan result: C:\WINDOWS\system32\sstqr.dll -> Adware.Virtumonde : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Wade\Cookies\wade@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Andrea\Cookies\andrea@zedo[1].txt -> TrackingCookie.Zedo : No action taken.::Report endI searched everywhere for uninstall_list.txt, but it is nowhere to be found. Whenever I click on "save report as" HJT closes. I wrote the list to notepad. Thank goodness my daugter can type welladaware se personaladelphia high-speed internetadobe download mgr 2.0 remove onlyadobe reader 7.05aol instant messengerastonia 3avg free editionbattle.netbest buy rhapsodycall of duty r2desktop calendar 0.42bdiabloempire earthewido antispyware 4.0hijack this 199.1itunesj2se runtime enviorment 5.0 update 4lucas arts balance of powerlucas arts x-wing vs tie fightermacromedia flash player 8msn messenger 7.0openoffice.org 2.0panda activescanquicktimerollercoaster tycoon 3security update for windows xp kb883939kb890046kb893066kb893756kb896358kb896422kb896423kb896424kb896428kb896688kb899587kb899588kb899589kb899591kb900725kb901017kb901214kb902400kb903235kb904706kb905414kb905749kb908519kb911562kb911567kb911927kb912812kb912919kb913446kb913580kb914389kb916281kb917344kb917753kb918439snood for windows version 3.52-wspybot - search & destroy 1.4spyware blaster v3.5.1spywareguard v2.2star wars galactic battlegrouns: sagathe sims 2the sims 2 family fun stuffthe sims 2 nightlifethe sims 2 open for businessthe sims 2 universityupdate for windows xp kb894391kb896727kb898461kb900485kb908531kb910437viewpoint manager remove only viewpoint media playerwindows genuine advantage v1.3.0251.0windows installer 3.1 kb893803windows media format runtimewindows xp hotfix kb873333kb873339kb885250kb885835kb885836kb886185kb887472kb887742kb888113kb888302kb890175kb890859kb891781kb893086yahoo! anti-spyyahoo! extrasyahoo! install manageryahoo! internet mailyahoo! messengeryahoo! messenger explorer baryahoo! toolbar for internet explorerzonealarmActive scan reportIncident Status Location Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andrea\Cookies\andrea@atdmt[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wade\Cookies\wade@atwola[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Wade\Cookies\wade@ccbill[2].txt Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt Link to post Share on other sites
Steamhead Posted July 5, 2006 Report Share Posted July 5, 2006 Are you still having problems? If so can you explain to me exactly what it does please. From these logs you appear to be clean. Link to post Share on other sites
garmanma Posted July 5, 2006 Author Report Share Posted July 5, 2006 (edited) I'm at home on my computer, but I can tell you what it's doing. When I open I.E. with Ewido running, I'll get an alert about Virtumonde. No matter if I click on ignore or quaratine it will pop right back up. The only way to close the window is to turn off Ewido. Then when I turn off Ewido, the pop-ups start coming. They're for Winantivirus, a spyware scanner, and sometimes a registry cleaner. I don't even have to have I.E. opened. With my browser closed, I click to open "my documents" and I'll get pop-upsI might also add the last HJT, Ewido, and Panda scans WERE NOT run in safemode. I was in a hurry and forgotThanksMarkI just got a call from my old boss. I have a favor to do for him tomorrow, I don't know if I'll make it to my daughter's or not on Thurs. Funny, I can fix pc-controlled machines and circutboards all day long but I can't get rid of this garbage Edited July 5, 2006 by garmanma Link to post Share on other sites
Steamhead Posted July 5, 2006 Report Share Posted July 5, 2006 Hello garmanma, I see where your problem lies. I missed a line on a log, my mistake. I'll make a fix now, did you ever change HijackThis.exe to HJT.exe?? Link to post Share on other sites
garmanma Posted July 5, 2006 Author Report Share Posted July 5, 2006 Hello garmanma, I see where your problem lies. I missed a line on a log, my mistake. I'll make a fix now, did you ever change HijackThis.exe to HJT.exe?? Link to post Share on other sites
Steamhead Posted July 5, 2006 Report Share Posted July 5, 2006 (edited) Let's see if this works... Please download VundoFix.exe to your desktop.Double-click VundoFix.exe to run it.Put a check next to Run VundoFix as a task.You will receive a message saying vundofix will close and re-open in a minute or less. Click OKWhen VundoFix re-opens, click the Scan for Vundo button.Once it's done scanning, click the Remove Vundo button.You will receive a prompt asking if you want to remove the files, click YESOnce you click yes, your desktop will go blank as it starts removing Vundo.When completed, it will prompt that it will shutdown your computer, click OK.Turn your computer back on.Please post the contents of C:\vundofix.txt and a new HiJackThis log.edit:no problem! Take your time! Edited July 5, 2006 by Steamhead Link to post Share on other sites
garmanma Posted July 6, 2006 Author Report Share Posted July 6, 2006 Well, it sure does run better. I tried to rename hijackthis.exe but it says that file already exists. I searched for Hjt.exe and it shows a file HJT, ( not HJT.exe). It says the file was creates yesterday. I clicked on it and a DOS screen tries to open. Here's the reportsThanksMarkVundoFix V5.0.0Running as SYSTEMfrom c:\windows\system32\VundoFix.exeChecking Java version...Java version is 1.5.0.4Scan started at 3:09:27 PM 7/6/2006Listing files found while scanning....C:\windows\system32\pmnll.dllC:\windows\system32\llnmp.iniC:\windows\system32\llnmp.bak1C:\windows\system32\llnmp.bak2C:\windows\system32\sstqr.dll Attempting to delete C:\windows\system32\pmnll.dllC:\windows\system32\pmnll.dll Has been deleted! Attempting to delete C:\windows\system32\llnmp.iniC:\windows\system32\llnmp.ini Has been deleted! Attempting to delete C:\windows\system32\llnmp.bak1C:\windows\system32\llnmp.bak1 Has been deleted! Attempting to delete C:\windows\system32\llnmp.bak2C:\windows\system32\llnmp.bak2 Has been deleted! Attempting to delete C:\windows\system32\sstqr.dllC:\windows\system32\sstqr.dll Has been deleted!Performing Repairs to the registry.Done!Logfile of HijackThis v1.99.1Scan saved at 3:18:53 PM, on 7/6/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\Adelphia HSAgent\bin\tgcmd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.BINC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Andrea\My Documents\HJT\HijackThis.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\system32\sstqr.dll (file missing)O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dllO2 - BHO: (no name) - {4D0DA2EA-07AE-44F4-A8D2-627B3EE857E5} - C:\WINDOWS\system32\pmnll.dll (file missing)O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimizedO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quietO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
Steamhead Posted July 7, 2006 Report Share Posted July 7, 2006 Hello garmanma, Let's finish this up!STEP 1:We need to run ATF Cleaner again.Double-click ATF-Cleaner.exe to run the program.Under Main choose: Select AllClick the Empty Selected button.If you use Firefox browserClick Firefox at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browserClick Opera at the top and choose: Select AllClick the Empty Selected button.NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.For Technical Support, double-click the e-mail address located at the bottom of each menu.STEP 2:Please run another ewido scan and another panda scan. We're almost done!! Post the logs of all the scans along with one more HJT log. Thanks!NOTE: Please rename HijackThis.exe to something like HJT01.exe or something similar. As long as it's not HijackThis.exe, it'll work! Thanks. If you still have propblems renameing it just continue on anyway, Link to post Share on other sites
garmanma Posted July 8, 2006 Author Report Share Posted July 8, 2006 Renamed hijackthis.exe to HJT.exe. Ran ATF. Using I.E. browser right now . I cleared cookies, history and temp. files in Internet Options. I noticed Edwido still detects virtumonde. I'm not getting any pop-ups and the machine is running quicker and more crisp. A funny thing about Panda activescan. When the scan window opened up I couldn't get the window to maximize. The maximize button was greyed out, I couldn't drag the edges, and the control, shift, and x keys didn't work. I feel like such a dumbf**sHere are the reportsLogfile of HijackThis v1.99.1Scan saved at 12:59:57 PM, on 7/8/2006Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ewido anti-spyware 4.0\guard.exeC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\Adelphia HSAgent\bin\tgcmd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\devldr32.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.exeC:\Program Files\OpenOffice.org 2.0\program\soffice.BINC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Documents and Settings\Andrea\My Documents\HJT\HijackThis.exeR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\system32\sstqr.dll (file missing)O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dllO2 - BHO: (no name) - {4D0DA2EA-07AE-44F4-A8D2-627B3EE857E5} - C:\WINDOWS\system32\pmnll.dll (file missing)O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimizedO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quietO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe---------------------------------------------------------ewido anti-spyware - Scan Report--------------------------------------------------------- + Created at: 12:29:09 PM 7/8/2006 + Scan result: C:\VundoFix Backups\sstqr.dll -> Adware.Virtumonde : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.C:\Documents and Settings\Wade\Cookies\wade@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.::Report endIncident Status Location Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wade\Cookies\wade@atwola[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Wade\Cookies\wade@ccbill[2].txt Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt Link to post Share on other sites
Steamhead Posted July 10, 2006 Report Share Posted July 10, 2006 Hello garmanma.Some final clean-up steps.... You may want to print this out for reference.STEP 1:Please open HJT and scan your computer. Place a check next to the following entries:O2 - BHO: (no name) - {06C7CAB4-39AC-499F-BCD2-D487DAC7A73C} - C:\WINDOWS\system32\sstqr.dll (file missing)O2 - BHO: (no name) - {4D0DA2EA-07AE-44F4-A8D2-627B3EE857E5} - C:\WINDOWS\system32\pmnll.dll (file missing)Please close all open windows and click on fix checked.aanndd.....WE'RE DONE!!!You are clean! If you are still having issues please tell me, if not please refer to this prevention speech for tips on how not to get infected again! btw.. Panda scan is suppoused to do that, it's not suppoused to be maximized. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.SpywareBlaster - Great prevention tool to keep nasties from installing on your system.SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein Link to post Share on other sites
garmanma Posted July 10, 2006 Author Report Share Posted July 10, 2006 I would like to express my thanks. Mainly to you, Steamhead. You were a GREAT help, but also to everybody on the boards that go out of their way to help people. I'm sure there's a lot of other things you could be doing than helping someone. I appreciate it very much. Link to post Share on other sites
Steamhead Posted July 11, 2006 Report Share Posted July 11, 2006 Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic. Link to post Share on other sites
Recommended Posts