Tech Support Guy banner
Cancel
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

VERY slow and tons of pop-up adds

1265 Views 5 Replies 5 Participants Last post by  Flrman1
J
I just started a new job but the company computer I have to use is in dier need of a clean up. I installed Spybot and got rid of 543 :eek: problems and I am going to do a virus scan with Housecall. Hopefully someone will be able to give me some assistance with what do get rid of from the Hijack this log.

Logfile of HijackThis v1.97.3
Scan saved at 6:07:12 PM, on 4/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
e:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\System32\msblast.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
E:\Program Files\Adobe\Distillr\AcroTray.exe
C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
E:\Program Files\Microsoft Office\Office10\MSE7.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Documents and Settings\Backyard Paradise\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - c:\program files\WhistleSoftware\wselservices\whistlehelper.dll
O2 - BHO: (no name) - {4C428974-F461-D03C-42F1-7A4CFAE448F0} - C:\WINDOWS\system32\itukcirm.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: (no name) - {FFEBD446-4B0E-4DDC-2E16-67A7E5CDECAE} - C:\WINDOWS\system32\kxyzfose.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [abgggzch] C:\WINDOWS\qciusude.exe
O4 - HKLM\..\Run: [tbrnkfff] C:\WINDOWS\muyqjhdn.exe
O4 - HKLM\..\Run: [camdwbbx] C:\WINDOWS\vmcorwrv.exe
O4 - HKLM\..\Run: [lqlgzdhd] C:\WINDOWS\rhnzblps.exe
O4 - HKLM\..\Run: [BEILOVYIL] C:\WINDOWS\BEILOVYIL.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www109.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37501.3485532407
O16 - DPF: {C5F5BD70-3BC5-A328-FD4E-FCA11BDACE6E} - http://public.searchbarcash.com/cab/037/nnznqdib.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64CEFCE4-8484-42BE-8079-76F88A4A6437}: NameServer = 207.69.188.187 207.69.188.186

THANK YOU!!!
See less See more
Save
Like
Status
Not open for further replies.
1 - 2 of 6 Posts
J
Ok...I ran Spybot again, I got and ran the newest Hijack This and got rid of all you had listed, I ran the MSblast, and ran the Housecall virus scan...I tried one of the other virus scan sites but the computer started going haywire so I gave up for the day.
Here's the newest Hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 11:18:20 AM, on 4/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
e:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\qciusude.exe
C:\WINDOWS\vmcorwrv.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
E:\Program Files\Adobe\Distillr\AcroTray.exe
C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
C:\WINDOWS\System32\cidaemon.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [abgggzch] C:\WINDOWS\qciusude.exe
O4 - HKLM\..\Run: [tbrnkfff] C:\WINDOWS\muyqjhdn.exe
O4 - HKLM\..\Run: [camdwbbx] C:\WINDOWS\vmcorwrv.exe
O4 - HKLM\..\Run: [lqlgzdhd] C:\WINDOWS\rhnzblps.exe
O4 - HKLM\..\Run: [BEILOVYIL] C:\WINDOWS\BEILOVYIL.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ Error</TI] c:\WINDOWS\System32\ Error
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\WINDOWS\System32\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Backyard Paradise\Application Data\DownloadPlus.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www109.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37501.3485532407
O16 - DPF: {C5F5BD70-3BC5-A328-FD4E-FCA11BDACE6E} - http://public.searchbarcash.com/cab/037/nnznqdib.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64CEFCE4-8484-42BE-8079-76F88A4A6437}: NameServer = 207.217.126.81 207.217.77.82

Thank you!!!
See less See more
Save
Like
1 - 2 of 6 Posts
Status
Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Off Topic Lounge Thread Games & Discussion Networking
Top