Removing freeadsolutions spyware

Posted on 2006-07-22
Last Modified: 2013-12-04
I have tried every spyware program I can think of and I am still getting popups from ad.freeadsolutions.com

Here is my hijack this profile:  (I ran this in safe mode)

Logfile of HijackThis v1.99.1
Scan saved at 5:52:29 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - Startup: Navigator.lnk = C:\Program Files\DIRECWAY\BIN\dpcnav.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://*.update.windowsupdate.com
O15 - Trusted Zone: http://update.windowsupdate.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Question by:pmaurey

Expert Comment

by:war1
ID: 17161583
Greetings, pmaurey !

You should not have posted the HijackThis log here.  Instead, run an analysis at http://hijackthis.de  then save the result and post a link to the result here.  Here is a link to the analyzed log

http://hijackthis.de/logfiles/57f62514ce66ca6f5888d5dde90af5e9.html

Check the box next to the following items and have HijackThis "Fix Checked".

R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)            
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)          
O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe            
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe          
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll

If you did not install the following items, have HJT remove them.

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab


Best wishes!
Expert Comment

by:rpggamergirl
ID: 17161884
Hi,
You can upload your HijackThis log to any site you prefer, but the best place is EE-stuff.com

Go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
-----------------------------------------------------------------------------------------------------------

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\sys0370825826-20.exe  
C:\WINDOWS\sys11-2070825826.exe  
C:\WINDOWS\system32\dslbdt.exe
C:\WINDOWS\system32\VSL13.exe
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\system32\taskmgr.dll
C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe

----------------------------------------------------------------------------------------------------------
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Run Hijackthis again and put a check next to these entries and click "Fix Checked":
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe  
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe  
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe  
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll

5. Please copy/paste the content of c:\avenger.txt into your reply.


Please also run these 2 tools to make sure that no files belonging to these infections are left in your pc.
1. Please download Qoofix by RubbeR DuckY
http://www.malwarebytes.org/Qoofix.zi
Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.
Post the contents of the Qoofix logfile.


2. In add/remove programs look for any program belonging to OIN.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.

Post a fresh link to your HijackThis log to make sure it's clean.


After that, you can also run your updated antivirus, or download and run ewido anti-spyware
http://www.ewido.net/en/download/
Update first and run a scan in safe mode.
Expert Comment

by:rpggamergirl
ID: 17161894
>>>Here is my hijack this profile:  (I ran this in safe mode)<<<
Hijackthis scan MUST be run in normal mode if possible so most nasties are showing in the log.
After you've done Avenger, can you please post a link to a new hijackthis log that is a result of a normal mode scan?

Author Comment

by:pmaurey
ID: 17172159
I am increasing the point value.  I have followed all of the directions above and am still getting popups.  I could not get logged into www.ee-stuff.com so I am posting the log here again.  This was run in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:06 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\DIRECWAY\BIN\dpcnav.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {34F8A3F6-C9E7-41FA-8B65-25FE7DCA0680} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {4F2D01F4-87AC-45D6-B054-17ADB57DADEC} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {558B7AF3-5758-428C-8FEF-5B92FD1389FE} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {8D815C58-8377-4207-9C3D-464C846E6512} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {9D79B131-E2E9-43B0-BCFE-0334BB995A98} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {F75631F9-DCDF-4B00-83D4-E1BA38EDB007} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Navigator.lnk = C:\Program Files\DIRECWAY\BIN\dpcnav.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://*.update.windowsupdate.com
O15 - Trusted Zone: http://update.windowsupdate.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysavsht.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
LVL 47

Expert Comment

by:rpggamergirl
ID: 17172381
So, you already ran Qoofix, and OIN Uninstaller right?
Can you please post the Qoofix txt and Avenger txt?

Need to fix these:
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)  
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)  
O2 - BHO: (no name) - {34F8A3F6-C9E7-41FA-8B65-25FE7DCA0680} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {4F2D01F4-87AC-45D6-B054-17ADB57DADEC} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {558B7AF3-5758-428C-8FEF-5B92FD1389FE} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {8D815C58-8377-4207-9C3D-464C846E6512} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {9D79B131-E2E9-43B0-BCFE-0334BB995A98} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)  
O2 - BHO: (no name) - {F75631F9-DCDF-4B00-83D4-E1BA38EDB007} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysavsht.cab


C:\Program Files\ComPlus Applications <-- delete this folder.


Please run Silent Runners; we'll see what comes up in the log. If you can't upload the logs at EE-stuff.com or somewhere else don't worry, I'll delete all the logs here after your problem is solved.

Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
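The two logs in this thread can be triaged and compared mechanically rather than by eye. The script below is an added example, not code from the thread or from HijackThis; the rules it applies are the editor's own heuristics, and the two log excerpts are constructed from lines shown in the posts above (a few lines each, not the full logs). It flags the classes of entries the experts picked out (a populated AppInit_DLLs value, BHOs whose DLL is missing, Run entries with generated-looking names, an ActiveX download from a bare IP address) and also the R1 ProxyServer entry pointing at 127.0.0.1:83, which is present in both logs. It then diffs the two scans with CLSIDs masked, which shows that the hosecu.dll BHO came back under fresh GUIDs between scans, the kind of change that points to something still re-registering it rather than to a dead leftover.

```python
"""Triage and diff HijackThis v1.99 logs. Added example, not from the thread;
the heuristics and both log excerpts are the editor's constructions."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpts of the two logs posted in the thread (a few lines each).
LOG_SAFE_MODE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll
"""
LOG_NORMAL_MODE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {34F8A3F6-C9E7-41FA-8B65-25FE7DCA0680} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {4F2D01F4-87AC-45D6-B054-17ADB57DADEC} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.media-motor.net/cabs/joysavsht.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r'\]\s+"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.I)  # path after [name]
URL_RE = re.compile(r"https?://\S+")

@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "O4"
    body: str     # text after "O4 - "
    raw: str      # whole line; the entry's identity for diffing

def parse(log: str) -> list[Entry]:
    """Keep only R*/O* finding lines; headers and the process list are skipped."""
    hits = (ENTRY_RE.match(l.strip()) for l in log.splitlines())
    return [Entry(m["section"], m["body"], m.group(0)) for m in hits if m]

def looks_random(stem: str) -> bool:
    """Hint, not verdict: mostly digits (sys0370825826-20, 1201) or a long vowel-less run (dslbdt)."""
    digits = sum(c.isdigit() for c in stem)
    if len(stem) >= 4 and digits / len(stem) >= 0.4:
        return True
    alpha = "".join(c for c in stem if c.isalpha()).lower()
    return len(alpha) >= 6 and not any(v in alpha for v in "aeiouy")

def reasons(e: Entry) -> list[str]:
    """Why an entry deserves a look; an empty list means no rule matched."""
    why, b = [], e.body
    if e.section == "R1" and "ProxyServer" in b and re.search(r"127\.0\.0\.1|localhost", b):
        why.append("IE traffic routed through a local proxy, which can rewrite or inject content")
    if e.section == "O2" and "(file missing)" in b:
        why.append("BHO CLSID registered but DLL missing (orphan, or a loader hiding the file)")
    if e.section == "O4" and (m := RUN_RE.search(b)):
        stem = ntpath.splitext(ntpath.basename(m["path"]))[0]
        if looks_random(stem):
            why.append(f"autorun with generated-looking name {stem!r}")
    if e.section == "O16" and (m := URL_RE.search(b)):
        host = urlparse(m.group(0)).hostname or ""
        try:
            ipaddress.ip_address(host)
            why.append(f"ActiveX control fetched from bare IP {host}")
        except ValueError:
            pass  # ordinary hostname; the URL alone says nothing
    if e.section == "O20" and b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip():
        why.append("AppInit_DLLs populated: listed DLLs load into every process that loads user32")
    return why

def triage(log: str) -> dict[str, list[str]]:
    """Map each flagged raw line to the reasons it was flagged."""
    return {e.raw: r for e in parse(log) if (r := reasons(e))}

def normalized(e: Entry) -> tuple[str, str]:
    """Identity with CLSIDs masked, so a BHO re-registered under a fresh GUID still matches."""
    return e.section, GUID_RE.sub("{GUID}", e.body)

def diff_logs(old: list[Entry], new: list[Entry]) -> dict[str, list[str]]:
    """Classify entries between two scans. 'reregistered' = same entry under a
    new GUID, which points to something still alive and re-creating it."""
    old_raw, new_raw = {e.raw for e in old}, {e.raw for e in new}
    old_norm, new_norm = {normalized(e) for e in old}, {normalized(e) for e in new}
    return {
        "persisted": sorted(old_raw & new_raw),
        "removed": sorted(e.raw for e in old if e.raw not in new_raw and normalized(e) not in new_norm),
        "added": sorted(e.raw for e in new if e.raw not in old_raw and normalized(e) not in old_norm),
        "reregistered": sorted(e.raw for e in new if e.raw not in old_raw and normalized(e) in old_norm),
    }

if __name__ == "__main__":
    print(triage(LOG_SAFE_MODE))
    print(diff_logs(parse(LOG_SAFE_MODE), parse(LOG_NORMAL_MODE)))
```

Run it directly to print the flagged lines and the four diff buckets; on a real machine, feed it the full logs instead of the excerpts. The rules are hints for a human, not a verdict: a generated-looking name or a missing BHO DLL is a reason to look, not proof of infection. The two-scan diff is also only meaningful for scans taken under the same conditions; in this thread the first log came from safe mode and the second from normal mode, so some of the differences are down to what was loaded, not to what was removed.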
Author Comment

by:pmaurey
ID: 17172431
Here is the silentrunner link:
http://www.rafb.net/paste/results/HB48oJ34.html

Qoofix logfile:
Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/24/2006] at [6:20:49 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/24/2006] at [6:22:13 PM]

Note: Some registry keys may have been removed.


Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/24/2006] at [7:54:10 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/24/2006] at [7:55:34 PM]

Note: Some registry keys may have been removed.


Avenger.txt File:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqpbborw

*******************

Script file located at: \??\C:\Documents and Settings\fplceloq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\sys0370825826-20.exe not found!
Deletion of file C:\WINDOWS\sys0370825826-20.exe failed!

Could not process line:
C:\WINDOWS\sys0370825826-20.exe
Status: 0xc0000034



File C:\WINDOWS\sys11-2070825826.exe not found!
Deletion of file C:\WINDOWS\sys11-2070825826.exe failed!

Could not process line:
C:\WINDOWS\sys11-2070825826.exe
Status: 0xc0000034



File C:\WINDOWS\system32\dslbdt.exe not found!
Deletion of file C:\WINDOWS\system32\dslbdt.exe failed!

Could not process line:
C:\WINDOWS\system32\dslbdt.exe
Status: 0xc0000034

File C:\WINDOWS\system32\VSL13.exe deleted successfully.


File C:\WINDOWS\system32\svchost.dll not found!
Deletion of file C:\WINDOWS\system32\svchost.dll failed!

Could not process line:
C:\WINDOWS\system32\svchost.dll
Status: 0xc0000034



File C:\WINDOWS\system32\taskmgr.dll not found!
Deletion of file C:\WINDOWS\system32\taskmgr.dll failed!

Could not process line:
C:\WINDOWS\system32\taskmgr.dll
Status: 0xc0000034



File C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe not found!
Deletion of file C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe failed!

Could not process line:
C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished!  Terminate.

I have also removed the entries listed with Hijackthis.

Thanks for your help.
Accepted Solution

by:rpggamergirl (earned 500 total points)
ID: 17172764
Not sure where the popup trigger is coming from.
The files that Avenger didn't find aren't there; what's left showing in the HijackThis log is just their registry entries.

Can you please scan with Ewido and show us the log? The log might be helpful too.

Try these scanners:
1. Try ATFCleaner to clean your temp folders.
ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


2. This is just in case it is Wareout.
You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.

If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.


3. And these to look for hidden files or rootkit like.
Download and save blacklight to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

or:
Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
Expert Comment

by:war1
ID: 17172778
pmaurey,

1. If you have Windows Messenger Service, disable it.  The Messenger is the source of popups and viruses.

http://www.itc.virginia.edu/desktop/docs/messagepopup/