casino palazza, nasty sex etc

Hi I'm so glad I found this forum. I purschased Spy Killer before realising it is scumware and I had no idea how to reach other people with knowledge of the virus/trojan etc. I think in my particular case I have a virus which affects my online searches and causes pop-ups (and unders). My home page changes between coolsearch and some res:// prefix. I've tried following tips to rename the start page in the IE/All section of the registry but each time the browser is closed/opened, it resets to the bad page. Also several adult links are dumped in my favourites. An shortcut icon that points to IE (usually teensex or something) is left on my desktop. When leaving IE open for a while, a few adult websites will open every few minutes. I don't know if this is related but I also used to get the "messenger" pop-ups until I turned off the messenger service.

I have downloaded and used AdAware and now HiJackthis. Below are the contents of the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:18:32, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\System32\services\msxmidi.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\uvucivz.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\internet optimizer\sim\msbb.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Kontiki\bin\kontiki.exe
C:\WINDOWS\System32\NDrv.exe
C:\Documents and Settings\nickroman\Application Data\etrr.exe
C:\WINDOWS\System32\wapicc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=137837
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [otdimadru] C:\WINDOWS\System32\uvucivz.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\program files\internet optimizer\sim\msbb.exe
O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapicc.exe
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: bet365 Poker (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - http://www.cameup.com/download2/ToolBand.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46

 

Hi ndmonkey

Download cwshredder here Close all browser windows and click on the fix/next button.

Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to Step 2 below.


Spybot S&D
The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp
folder. It's a good idea to do that regularly.

Run HJT again and pls. post a FRESH log. Thanks.

 

Hi Marianna

Thanks for helping so much, it has now stopped with the static browser and no popups just yet. I ran CW Shredder and Ad-Aware not SpyBot but it seems to have done some good.

I would be grateful if you could have a look at the new log anyway just to make sure.

Thanks - Nick


Logfile of HijackThis v1.97.7
Scan saved at 11:49:11, on 27/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\MstInst.exe
C:\Program Files\Apoint\Apntex.exe
C:\windows\system32\idecntl.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\windows\system32\qsearch.exe
C:\Program Files\Kontiki\bin\kontiki.exe
C:\WINDOWS\System32\NDrv.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [MsdInfo] C:\WINDOWS\System32\MstInst.exe
O4 - HKLM\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [QSearch] c:\windows\system32\qsearch.exe /install
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: bet365 Poker (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46

 

Hi ndmonkey,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fcomi.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://bwtxo.dll/index.html#96676
F1 - win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll

O4 - HKLM\..\Run: [4A29F13E] C:\WINDOWS\System32\mannaydqq.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

O4 - HKLM\..\Run: [s4L7fa] C:\documents and settings\nickroman\local settings\temp\s4L7fa.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [AutoLoaderwsqt1bTgKQXO] "C:\WINDOWS\System32\lfcoader.exe" /PC="POP.WILD_EU" /HideUninstall
O4 - HKLM\..\Run: [wF9R3nO] lfcoader.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [gdqnijar] C:\WINDOWS\gdqnijar.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [MsdInfo] C:\WINDOWS\System32\MstInst.exe
O4 - HKLM\..\Run: [Idecntl] c:\windows\system32\idecntl.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [QSearch] c:\windows\system32\qsearch.exe /install
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
O4 - HKCU\..\Run: [Aceu] C:\Documents and Settings\nickroman\Application Data\etrr.exe
O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe

O9 - Extra button: bet365 Poker (HKLM)

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {4E7BD74F-2B8D-469E-C0FF-FD7FB29BFA7D} - http://www.netfreestuff.com/toolbar/test/nfsbar.cab
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Then reboot into safe mode and delete:
C:\Program Files\AutoUpdate <= entire folder
C:\Program Files\VVSN <= entire folder
c:\windows\system32\idecntl.exe
C:\Program Files\WindowsSA <= entire folder
C:\Windows\System32\wsaupdater.exe
C:\Documents and Settings\nickroman\Application Data\etrr.exe

And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Then I would like you to find the following files and mail them to me if you have them:
C:\WINDOWS\system32\notepad.com
C:\WINDOWS\System32\MstInst.exe
lfcoader.exe
Please send them (preferably zipped) to pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter

 

I shall do tonight Pieter, thanks

 

I tried to follow your instructions but some of the files were not available to delete. I removed/fixed the rest of it through safe mode, but on the new reboot, similar websites/popups are appearing.

I have prepared a new HijackThis log: (I also couldnt get the other two files - the nearest available was notepad.EXE




Logfile of HijackThis v1.97.7
Scan saved at 00:10:21, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\addol32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\ntzr.exe
C:\windows\system32\aulecvdc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
C:\Documents and Settings\nickroman\Desktop\applications\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bqvrc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {BC202B40-4228-E5C4-D46E-F1D1D27E63DE} - C:\WINDOWS\system32\ipzn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntzr.exe] C:\WINDOWS\ntzr.exe
O4 - HKLM\..\Run: [AULECVDC] c:\windows\system32\aulecvdc.exe /install
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\Sony\BlueSpace\BlueSpaceNE.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: winlgn.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{377F08A7-7E3B-4106-86D6-B255AF642706}: NameServer = 217.37.93.46

 

Hi ndmonkey,

Click Start > Run > Services.msc > OK
In the services window find Network Security Service.
Rightclick and stop it. Put the Startup type to disabled under Properties > General tab

Then open TaskManager and stop these two processes:
C:\WINDOWS\addol32.exe
C:\WINDOWS\ntzr.exe

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bqvrc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {BC202B40-4228-E5C4-D46E-F1D1D27E63DE} - C:\WINDOWS\system32\ipzn.dll

O4 - HKLM\..\Run: [ntzr.exe] C:\WINDOWS\ntzr.exe

O4 - Global Startup: winlgn.exe

Download and run: CWShredder
Use the Fix button and follow the instructions you will receive.

Then reboot into safe mode and delete:
C:\WINDOWS\addol32.exe
C:\WINDOWS\ntzr.exe
C:\WINDOWS\system32\ipzn.dat
C:\WINDOWS\system32\bqvrc.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Regards,

Pieter