# System Infected



## enjoy (Aug 11, 2008)

It seems my system has been infected by some malware.

The web browser automatically opens web pages from windowsscanner-freever.com and zoombli.com.

From a little searching, the problem might be similar to the one mentioned at *www.siteadvisor.com/sites/zoombli.com/summary/

After this infection I am unable to restart/shut down my Windows XP SP2 laptop normally. It always crashes with a blue screen:
"The Windows logon process system process terminated unexpectedly with a status of 0xC00000005 (0x00000000,0x00000000). The system has been shut down."


I have scanned my system fully with updated versions of Norton Antivirus, Ad-Aware and Spybot Search & Destroy, but none of them seem to have caught the issue.


Any thoughts on what I should do now?


----------



## rhitwick (Aug 11, 2008)

Go offline... even unplug your modem.
Go into safe mode.
Scan your laptop with Avira and post a HijackThis log...

BSOD code guide can be found here

I've got more things, check this


----------



## enjoy (Aug 11, 2008)

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:35, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\IBM\Mobility Client\artstartsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\notes\ntmulti.exe
C:\Program Files\AT&T Network Client\NetCfgSv.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\C4ebreg\isamtray.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.common_1.3.14\pmonmh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080625-1707\soffice.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\CiscoSecureAA\PROGRAM\Client.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\myhelpw.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.1.2.200802132253\win32\x86\eclipse.exe
C:\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.win32.x86_1.5.0.SR6-200802132253\jre\bin\notes2w.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\notes\nlnotes.exe
C:\notes\ntaskldr.EXE
C:\Downloads\putty.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = *w3.ibm.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *w3.ibm.com/download/standardsoftware/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = *autoproxy.au.ibm.com/in1.pac
O1 - Hosts: 9.124.105.52 d23m0172
O1 - Hosts: 9.124.105.52 d23m0172.ibm.com
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [MyHelpService] "C:\Program Files\IBM\My Help\workspace\service\delayStart.exe"
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\C4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [Isamtray] "C:\Program Files\C4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [defergui] c:/sdwork/defergui.exe
O4 - HKLM\..\Run: [pmonmh] C:\Program Files\IBM\My Help\workspace\..\plugins\com.ibm.myhelp.common_1.3.14/pmonmh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SODCPreLoad] C:\notes\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080625-1707\preload.exe C:\notes\data\workspace\.sodc\
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [6806ab12] rundll32.exe "C:\WINDOWS\system32\ejtcyvph.dll",b
O4 - HKLM\..\Run: [BM6b35988e] Rundll32.exe "C:\WINDOWS\system32\migrrvwp.dll",s
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: default.caa
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=*w3.ibm.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - *bangalore.redirectme.net/iNotes6W.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java2 Runtime Environment 1.5.0) - *
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = in.ibm.com
O17 - HKLM\Software\..\Telephony: DomainName = in.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{19323137-03EF-46B8-AE67-4A613395F022}: Domain = in.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{665E0B4E-2FDA-494A-A4FC-D82B1B0970A6}: Domain = in.ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = in.ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = in.ibm.com,ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{19323137-03EF-46B8-AE67-4A613395F022}: Domain = in.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = in.ibm.com,ibm.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Mobility Client (ArtourService) - Unknown owner - C:\Program Files\IBM\Mobility Client\artsvc.exe
O23 - Service: IBM Mobility Client Start Utility (artstartsvc) - Unknown owner - C:\Program Files\IBM\Mobility Client\artstartsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - Unknown owner - C:\Program Files\C4ebreg\isamsmt.exe (file missing)
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Corp. - C:\Program Files\C4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Corp. - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe (file missing)
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Network Client\NetCfgSv.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 15613 bytes


----------



## chesss (Aug 11, 2008)

First, STOP using Internet Explorer. It's crap.
Get Firefox or Opera.

For your problem, get Windows Defender. That's all you need.


----------



## ravi_9793 (Aug 11, 2008)

chesss said:


> First, STOP using Internet Explorer. It's crap.
> Get Firefox or Opera.


Can you prove it? I find IE better than the rest of the browsers.

Regarding a solution, try this:
*How To Do Effective System Scanning*


----------



## ashu888ashu888 (Aug 11, 2008)

Also, use a good system protector like Eset's NOD32 with AV and online active scanner. Please do not use Avast, as it fails to detect some viruses and malware... use NOD32 + Lavasoft's Ad-Aware.

And yes, I too love the new IE 7 browser, so +1 for it.

Cheers n e-peace...

-----------------

Please stop using Norton as it's a world-acclaimed SYSTEM HOG
:grrr..rr..:


----------



## chesss (Aug 11, 2008)

> Can you prove it? I find IE better than the rest of the browsers.


Edit: his Internet Explorer is crapping out (has been hijacked) and you want proof? Your wish.
Worst product
US govt - don't use Exploder

For more proof, read this

or just Google.


----------



## enjoy (Aug 11, 2008)

It's not just IE; the new pop-ups open in Firefox too. Probably the default system browser is used. I am trying to scan my system using Windows Defender now.


----------



## rhitwick (Aug 11, 2008)

You seem to have posted only the HijackThis log... have you checked the following two links?
Check especially the 2nd one...



rhitwick said:


> BSOD code guide can be found here
> 
> I've got more things, check this


----------



## chesss (Aug 11, 2008)

^Well, I guess Opera is your only solution then.
But you still mustn't use IE.

And BTW, let Windows Defender run in the background.
Alternatively you can use WinPatrol; it basically prevents unauthorised changes to various aspects of the PC startup/is/hosts file.


----------



## enjoy (Aug 11, 2008)

@rhitwick, the Windows KB page doesn't seem to be relevant to my problem since I don't have Norton CleanSweep Smart Sweep.

And the BSOD guide doesn't have any error code/message matching the one I am receiving.

Also, the Windows Defender quick scan found nothing, so I am going for a full scan with it now.


----------



## ravi_9793 (Aug 11, 2008)

chesss said:


> Edit: his Internet Explorer is crapping out (has been hijacked) and you want proof? Your wish.
> Worst product
> US govt - don't use Exploder
> 
> ...


Well, I can't teach you to do safe browsing with IE. I have no antivirus and no antispyware installed on my system, and I am doing happy browsing with my Windows XP and IE. No infection yet. I even use IE to log in to my PayPal account, SBI online, Google AdSense, Google AdWords, my server control panel, domain reseller control panel and many more...

Although I also use FF and Opera for forum work, and they are also good. I don't say FF or Opera is bad, but I find IE better than the rest.


----------



## chesss (Aug 11, 2008)

> Well, I can't teach you to do safe browsing with IE.


Thanks, but I have better things to do with my time than tweak IE and hope I get lucky.
Besides, security is not the only aspect of IE which is a complete nightmare.


----------



## rhitwick (Aug 11, 2008)

Ravi_9793
And
Chess

Our thread starter is having a problem and asking for help from you, and what are you doing?? Fighting among yourselves??!!! Shame on you...

And remember, everybody has his/her preferences... try to acknowledge it.


----------



## chesss (Aug 11, 2008)

^Sorry papa


----------



## Sridhar_Rao (Aug 11, 2008)

rhitwick, you asked enjoy to post a log from HijackThis. Has the log been of any use to anyone in pinpointing where the problem is?

For the rest, "This guy needs a solution, not advice on browsers".

enjoy, update your antivirus/antispyware definitions (if you can!), reboot in safe mode and run them. If possible, run an antivirus scan at boot. Sometimes you may need more than one program to detect or remove it. Removal kits are available online for some infections; Google it.


----------



## Ecko (Aug 11, 2008)

Buddy, just get the latest version of Avast and install it.
When asked during installation, say yes to the boot-time scan.

Otherwise you can try to update your antivirus and scan your PC.


----------



## Sridhar_Rao (Aug 11, 2008)

Trust Avast at your own risk. My system had been infected by Trace.registry.adclicker and trojan-ddos.win32.agent.bs. None of these (Avast, Ad-Aware, Spybot S&D, Windows Defender) could remove it or even detect it. It was the Ashampoo AntiSpyware 2 trial version that detected and removed it. There is no single application that can detect all infections. Use as many as you can.


----------



## Psychosocial (Aug 11, 2008)

Install AVG 8 and Spybot - Search & Destroy, update them, boot in safe mode and do a scan, and if it doesn't identify or catch the malware then the biggest, most used and most effective solution is to FORMAT YOUR HDD. Enjoy, enjoy.


----------



## amrawtanshx (Aug 12, 2008)

Use Opera... minimum fuss, fewest pop-ups.
Use Avast.
Update.
And perform a boot scan (it deletes the virus itself on booting).


----------



## afonofa (Aug 12, 2008)

1. Uninstall Symantec's Antivirus/Suite. Its "protection" is just not worth the resource drain on your comp. If you want to, you can always reinstall it after you clean up the malware.

2. Install the *Kaspersky Antivirus v7.0.1.325* trial, with its self-defense enabled during and after installation. Set KAV's settings to max. It will barely hurt your comp's performance. Activate the trial > update it > disconnect from the internet > do a full system scan in normal mode, and if it can't quarantine/delete any infected files even on reboot, then scan in safe mode. At max settings the scan can take a long time to complete, so you may want to exit all other programs before starting the scan. (Also, before a HJT scan, exit all programs other than your antivirus + antispyware + firewall, so that it reduces the length of the HJT log.)

3. Turn off System Restore.

4. Clean out your Temp files and folders. I have never used it, but many forum members recommend using *CCleaner*.

5. Definitely upgrade to *Internet Explorer 7*

6. Install all the critical updates through windows automatic updates or *SP3*.

7. Check your comp with *Windows Malicious Software Removal Tool*.

I have never tried Avast, but my friend used to have Avast Home on his comp, and his comp would be infected with malware often. His comp's been malware-free for a long time now, since I got him to switch to Eset Nod32 Antivirus + ZA Pro + Spybot S&D + Sandboxie. But to clean up an already infected system, I would pick KAV over EAV any day (coupled with HJT, of course).



enjoy said:


> HijackThis log
> 
> O1 - Hosts: 9.124.105.52 d23m0172
> O1 - Hosts: 9.124.105.52 d23m0172.ibm.com
> ...



I don't think those two DLL files are supposed to load at startup. A Google search brings up no info on them. Do a search (include hidden files) on your comp for `ejtcyvp*.*` and `migrrvw*.*`

1. If you find any .exe's in your search, then quarantine them along with the .dll's.
2. Select (tick mark) the entries for those two dll's in HJT > Fix checked.
3. I'm not sure about those entries in your hosts file. So I leave that to you to decide whether they are required or not. If you are unsure, then note them down, remove them with HJT and check if there's any problem without those entries. If there is, then it's simple to add them back.



enjoy said:


> Running processes:
> C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> C:\WINDOWS\system32\rundll32.exe
> ...
> ...



If you have no open windows (add/remove programs, windows firewall settings etc.) and you see rundll32.exe running in your Task Manager processes, end it immediately, until the time your comp is free of malware.



enjoy said:


> O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
> O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
> O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
> O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
> ...



For your comp to work properly, the above programs are not required to load at startup. It depends on your preferences, but turning them off will speed up your startup. Turn them off from within the programs themselves; for those that you can't, use Spybot S&D to disable them from startup (don't use msconfig). This has nothing to do with the browser hijack problem that you are having.
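The check afonofa applied by eye to the two `rundll32` Run entries in the posted log (a hex-looking Run key name, a random-looking DLL name sitting in system32, a one-letter entry point) can be written down as a small triage script over HijackThis O4 lines. This is an added editorial example, not code from any poster in this thread or from HijackThis; the sample lines are constructed from entries in the log posted above, and the randomness test and the score threshold are assumptions. A hit is a reason to inspect the file (VirusTotal, vendor submission), not proof of infection.

```python
"""Heuristic triage of HijackThis O4 (autostart) entries.

Added example: flags Run-key entries that launch rundll32 against a DLL
with a random-looking name from the Windows directory. Heuristics only;
a hit means "look at this file", not "this is malware".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on O4 lines from the log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [6806ab12] rundll32.exe "C:\WINDOWS\system32\ejtcyvph.dll",b
O4 - HKLM\..\Run: [BM6b35988e] Rundll32.exe "C:\WINDOWS\system32\migrrvwp.dll",s
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network Client\NetSP.exe" -show
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> hive, Run key name, command line
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll path, optionally quoted>[,<entry point>]
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?',
                       re.IGNORECASE)


@dataclass
class Finding:
    name: str                 # Run key value name, e.g. "6806ab12"
    dll: str                  # DLL path handed to rundll32
    export: Optional[str]     # entry point after the comma, if any
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def looks_random(stem: str) -> bool:
    """Crude randomness test (assumption): 8+ lowercase letters, under 20% vowels."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.2


def assess_rundll32_entry(name: str, cmd: str) -> Optional[Finding]:
    """Score one Run entry; None if it does not launch rundll32 at all."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    dll, export = m.group("dll").strip(), m.group("export")
    filename = dll.rsplit("\\", 1)[-1]
    stem = filename.rpartition(".")[0] or filename
    f = Finding(name, dll, export)
    low = dll.lower()
    if "\\windows\\system32\\" in low or low.startswith("%systemroot%"):
        f.reasons.append("DLL lives in the Windows system directory")
    if export is None or len(export) <= 1:
        f.reasons.append("entry point is missing or a single character")
    if " " not in name and sum(c.isdigit() for c in name) >= 3:
        f.reasons.append("Run key name looks machine-generated")
    if looks_random(stem):
        f.reasons.append("DLL file name looks random")
    return f


def triage_o4(log_text: str, threshold: int = 3) -> List[Finding]:
    """Return rundll32-based Run entries scoring at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # Startup-folder lines and non-O4 lines are out of scope
        f = assess_rundll32_entry(m.group("name"), m.group("cmd"))
        if f is not None and f.score >= threshold:
            hits.append(f)
    return hits


def suspicious_names(log_text: str) -> List[str]:
    return [f.name for f in triage_o4(log_text)]


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.name}] {f.dll} (export={f.export!r}) score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, only `6806ab12` and `BM6b35988e` are reported; the ThinkPad `PWRMGRTR` entry also goes through rundll32 but scores zero, which is the point of scoring on several weak signals instead of treating every rundll32 launch as suspect.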


----------



## enjoy (Aug 12, 2008)

Thanks afonofa. I tried the steps you mentioned, but the problem still remains. Somehow the names of the DLLs (which were calling rundll32.exe) in today's HJT log have changed. I tried deleting those DLLs, but it seems they are being used by a lot of other processes too (tasklist /m).

Updated Windows Defender/Spybot/Ad-Aware/Symantec found nothing.

The blue screen problem got resolved, but pop-ups still open. Another issue which I see now is that after login, Explorer doesn't start by itself, so I have to use Task Manager and start explorer.exe manually.

All, changing the browser won't help, since whatever executable the malware uses, it will use the system default browser to launch the URL. So it's not about the browser. My system got infected because I opened a bad email attachment which initially seemed to have come from a valid source.


----------



## rhitwick (Aug 12, 2008)

Try the QuickHeal trial version... install it and do a boot-time scan... it's a pretty good boot-time scanner... and have you tried Avira??


----------



## drsubhadip (Aug 12, 2008)

The easy solution is to format the hard disk,
install Ubuntu 8.04 Hardy,
forget about antivirus, antispyware, antimalware, trojan horses,
everything.
Go to Linux, my friend,
or use a Knoppix live DVD or CD.


----------



## enjoy (Aug 12, 2008)

Thanks drsubhadip, but I want to solve the problem and not get away from it.


----------



## drsubhadip (Aug 12, 2008)

OK...
Best of luck.


----------



## afonofa (Aug 12, 2008)

enjoy said:


> I tried deleting those DLLs, but it seems they are being used by a lot of other processes too (tasklist /m).


1. Try deleting them in safe mode.
2. If you can't see them in Windows Explorer in safe mode, try the command prompt in normal and/or safe mode.
3. You can also set up HijackThis to delete those dll's on a reboot.
4. Check whether it's just the names of the dll's which have changed or whether they are entirely new files.
5. Submit those dll samples to Symantec. Scan them at *VirusTotal*.
6. Immunize after the Spybot S&D update; use Spybot S&D's resident "SDHelper".
7. Search for any new/unknown/suspicious *.bat and *.vbs files.
8. I think you will find *Process Explorer* much better than tasklist.
9. Try blocking windowsscanner-freever.com and zoombli.com in your firewall OR add them to your hosts file:

```
127.0.0.1 windowsscanner-freever.com
127.0.0.1 zoombli.com
```

Usually in normal mode, if you end explorer.exe, then through the command prompt, you can delete many of the "access denied" files. You may have to use the *dir* and *attrib* commands for this.



enjoy said:


> The blue screen problem got resolved, but pop-ups still open.


Was there anything specific that you did to fix the BSOD? (In case someone else comes upon this in a search.)



enjoy said:


> Another issue which I see now is that after login, Explorer doesn't start by itself, so I have to use Task Manager and start explorer.exe manually.


There was a *similar problem* posted. The original poster never replied back whether it worked or not, but the suggestion was to add a *string* value ("Shell"="Explorer.exe") in the registry at

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
```

I still think you should trial Kaspersky AV 7.0 for 30 days, or till your browser hijack is solved. I don't know if Symantec's antivirus has a HIPS, but KAV does. On max settings it will alert you to any registry changes or any executable trying to load those dll's into other processes, find things that don't show up in HJT scans, which can give you a clue to where the real problem is. 

I agree, formatting the HDD should be the absolute final step, only if nothing else works. Could you post a HJT log with only the essential security software running and all other windows/programs exited?


----------



## saurabh.sauron (Aug 13, 2008)

Sounds like a Virtumonde infection. Download and run VundoFix. It might help.


----------



## enjoy (Aug 14, 2008)

Thanks afonofa.

Finally I got a chance to reboot my system. Scanning in safe mode with Windows Defender did fix the issues. However, some applications like Winamp have started to crash; well, these can be reinstalled anytime.

I had been really disappointed by Ad-Aware & Spybot this time.

Thanks a bunch everyone.


----------



## Ecko (Aug 14, 2008)

Arre yaar, keep them updated and you'll see that they're also damn good.
Also run SFC to recheck any altered files:
Go to Run,
type SFC /SCANNOW
A window will pop up and check all your system files.


----------

