Tech Support Guy banner
Cancel
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

VERY slow and tons of pop-up adds

1268 Views 5 Replies 5 Participants Last post by  Flrman1
J
I just started a new job but the company computer I have to use is in dier need of a clean up. I installed Spybot and got rid of 543 :eek: problems and I am going to do a virus scan with Housecall. Hopefully someone will be able to give me some assistance with what do get rid of from the Hijack this log.

Logfile of HijackThis v1.97.3
Scan saved at 6:07:12 PM, on 4/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
e:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\System32\msblast.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\Program Files\Adobe\Distillr\AcroTray.exe
C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
E:\Program Files\Microsoft Office\Office10\MSE7.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Documents and Settings\Backyard Paradise\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - c:\program files\WhistleSoftware\wselservices\whistlehelper.dll
O2 - BHO: (no name) - {4C428974-F461-D03C-42F1-7A4CFAE448F0} - C:\WINDOWS\system32\itukcirm.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: (no name) - {FFEBD446-4B0E-4DDC-2E16-67A7E5CDECAE} - C:\WINDOWS\system32\kxyzfose.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [abgggzch] C:\WINDOWS\qciusude.exe
O4 - HKLM\..\Run: [tbrnkfff] C:\WINDOWS\muyqjhdn.exe
O4 - HKLM\..\Run: [camdwbbx] C:\WINDOWS\vmcorwrv.exe
O4 - HKLM\..\Run: [lqlgzdhd] C:\WINDOWS\rhnzblps.exe
O4 - HKLM\..\Run: [BEILOVYIL] C:\WINDOWS\BEILOVYIL.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www109.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37501.3485532407
O16 - DPF: {C5F5BD70-3BC5-A328-FD4E-FCA11BDACE6E} - http://public.searchbarcash.com/cab/037/nnznqdib.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64CEFCE4-8484-42BE-8079-76F88A4A6437}: NameServer = 207.69.188.187 207.69.188.186

THANK YOU!!!
See less See more
Save
Like
Status
Not open for further replies.
1 - 1 of 6 Posts
Flrman1
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe

O4 - HKLM\..\Run: [abgggzch] C:\WINDOWS\qciusude.exe

O4 - HKLM\..\Run: [tbrnkfff] C:\WINDOWS\muyqjhdn.exe

O4 - HKLM\..\Run: [camdwbbx] C:\WINDOWS\vmcorwrv.exe

O4 - HKLM\..\Run: [lqlgzdhd] C:\WINDOWS\rhnzblps.exe

O4 - HKLM\..\Run: [BEILOVYIL] C:\WINDOWS\BEILOVYIL.exe

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www109.coolsavings.com/download/cscmv5X.cab

O16 - DPF: {C5F5BD70-3BC5-A328-FD4E-FCA11BDACE6E} - http://public.searchbarcash.com/cab/037/nnznqdib.cab

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now open the C:\Windows folder and delete these files:

av.exe
qciusude.exe
muyqjhdn.exe
vmcorwrv.exe
rhnzblps.exe
BEILOVYIL.exe

Now in the C:\Windows folder open the System32 folder and delete this file:

zzb.exe

Next navigate to the C:\Program Files folder and delete these folders:

MyWebSearch
Instant Access

Open the C:\Program Files\Common files folder and delete this folder:

CommonName

After you've done all that run Adaware and Spybot according to these directions:

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.
See less See more
Save
Like
1 - 1 of 6 Posts
Status
Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking
Top