
Thread: Help please

  1. #1
    Registered User

    Help please

    Got a bad dose of adware, am getting sponsored Google links on the LEFT hand side of the webpage when I do a search and also lots of pop-ups. Have run HijackThis and have the results below. Keep running Spybot and it keeps cleaning, and then others appear after connecting to the web.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:50:11, on 11/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://wwx.mansfieldrugby.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_ = hxxp://wwx.evesham.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {53d74087-9072-4a47-9835-127be85f5133} - (no file)
    O2 - BHO: (no name) - {58AA2AAB-E945-49E7-B7A2-672AC85367E7} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {83BDDCC4-41BB-48A2-8B1F-2358216C07AD} - C:\WINDOWS\system32\efcBuRlJ.dll (file missing)
    O2 - BHO: mysidesearch search enhancer - {88078cc8-2444-9400-daf2-2f55dbd16a1b} - C:\WINDOWS\system32\ihpaajfarm.dll
    O2 - BHO: {a3818fef-af91-ad89-7d04-335110827d4b} - {b4d72801-1533-40d7-98da-19fafef8183a} - C:\WINDOWS\system32\qtevjy.dll
    O2 - BHO: (no name) - {B4E2485A-EE2B-4E50-A6E2-14DFE78C7095} - C:\WINDOWS\system32\nnnoOeFX.dll (file missing)
    O2 - BHO: (no name) - {DA2CA135-53C3-4672-8C57-46FBC517B54E} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_=hxxp://wwx.evesham.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: wvUoOIxu - C:\WINDOWS\
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\profsyxymil.html

    --
    End of file - 5997 bytes


    I'm guessing one of the issues is the mysidesearch, but any others in there that look bad?

    Cheers S.D

  2. #2
    Jay

    Re: Help please

    O2 - BHO: (no name) - {83BDDCC4-41BB-48A2-8B1F-2358216C07AD} - C:\WINDOWS\system32\efcBuRlJ.dll (file missing)
    O2 - BHO: mysidesearch search enhancer - {88078cc8-2444-9400-daf2-2f55dbd16a1b} - C:\WINDOWS\system32\ihpaajfarm.dll
    O2 - BHO: {a3818fef-af91-ad89-7d04-335110827d4b} - {b4d72801-1533-40d7-98da-19fafef8183a} - C:\WINDOWS\system32\qtevjy.dll

    profsyxymil.html

    All looks a bit odd.

    I think it can be uninstalled in add remove programs.

    Also don't like the look of this...

    "Microsoft Internet Explorer provided by evesham.com"

  3. #3
    Senior Member

    Re: Help please

    On a quick scan, the following also looks very suspicious:

    > O2 - BHO: {a3818fef-af91-ad89-7d04-335110827d4b} - {b4d72801-1533-40d7-98da-19fafef8183a} - C:\WINDOWS\system32\qtevjy.dll

  4. #4
    Registered User

    Re: Help please

    OK, cheers guys. The PC is from a company called Evesham, and they must have updated the reg entry for the iexplorer title, so that should be OK.

    Will use HijackThis later to fix the above entries.

    Also, the other ones with "file missing" or "no file": am I safe just fixing those with HijackThis too?

    Many thanks for your help, I've been trying to clean that computer for ages and it was really starting to P*$$ me off.

    Cheers S.D
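The triage the replies above do by eye (orphan entries whose file is gone, BHOs with no name or a GUID for a name, gibberish DLL names sitting in system32, the unusual O20 Winlogon Notify and O24 Desktop Component entries, the OEM-branded window title) can be written down as weighted heuristics. The script below is an added example; it is not part of the thread and not a HijackThis feature. Its allow-list, adware keyword list, weights and thresholds are constructed assumptions, and the name-randomness test is deliberately coarse, so it counts as one signal among several rather than a verdict on its own. The sample input is a subset of the log lines quoted in the first post.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
FILE_RE = re.compile(r"([\w~.\-]+)\.(dll|exe|html?|lnk|ocx)\b", re.I)
SYS32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll", re.I)
VOWELS = set("aeiou")
# Constructed allow-list: legitimate binaries whose names would otherwise look random.
KNOWN_GOOD = {"ctfmon", "hkcmd", "igfxtray", "smss", "lsass", "svchost", "spoolsv",
              "msmsgs", "nod32krn", "swflash"}
RARE_SECTIONS = {"O20", "O24"}         # Winlogon Notify / Desktop Component
ADWARE_WORDS = ("search", "enhancer")  # constructed keyword list for BHO names


@dataclass
class Finding:
    section: str
    name: str
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.score >= 3:
            return "suspicious"
        return "review" if self.score else "clean"


def looks_random(stem: str) -> bool:
    """Rough test for machine-generated names (efcBuRlJ, qtevjy): many case flips or few vowels."""
    if stem.lower() in KNOWN_GOOD or GUID_RE.match(stem):
        return False
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 6:
        return False
    case_flips = sum(1 for a, b in zip(letters[1:], letters[2:]) if a.islower() != b.islower())
    vowel_ratio = sum(1 for c in letters.lower() if c in VOWELS) / len(letters)
    return case_flips >= 3 or vowel_ratio < 0.2


def triage(line: str) -> Optional[Finding]:
    """Score one log line; returns None for lines that are not HijackThis entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    fields = body.split(" - ")                 # e.g. ["BHO: name", "{clsid}", "path"]
    kind, _, name = fields[0].partition(": ")
    path = fields[-1] if len(fields) > 1 else name
    f = Finding(section, name, path)

    def hit(weight: int, why: str) -> None:
        f.score += weight
        f.reasons.append(why)

    if "(no file)" in path or "(file missing)" in path:
        hit(1, "orphan: referenced file is absent (stale entry)")
    if name == "(no name)" or GUID_RE.match(name):
        hit(1, "no human-readable name registered")
    fm = FILE_RE.search(path)
    if fm and looks_random(fm.group(1)):
        hit(2, f"file name '{fm.group(1)}' looks machine-generated")
    elif name and " " not in name and name != "(no name)" and looks_random(name):
        hit(2, f"entry name '{name}' looks machine-generated")
    if section == "O2" and SYS32_DLL_RE.search(path):
        hit(2, "BHO loaded from system32 rather than a vendor directory")
    if section == "O2" and any(w in name.lower() for w in ADWARE_WORDS):
        hit(1, "BHO name uses adware-style wording")
    if section in RARE_SECTIONS:
        hit(2, f"{section} ({kind}) is rarely used by legitimate software")
    if section.startswith("R") and "Window Title" in body:
        hit(1, "IE window title overridden (often OEM branding; confirm the vendor)")
    return f


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage(ln) for ln in text.splitlines()) if f is not None]


# Constructed sample: a subset of the log lines quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53d74087-9072-4a47-9835-127be85f5133} - (no file)
O2 - BHO: (no name) - {83BDDCC4-41BB-48A2-8B1F-2358216C07AD} - C:\WINDOWS\system32\efcBuRlJ.dll (file missing)
O2 - BHO: mysidesearch search enhancer - {88078cc8-2444-9400-daf2-2f55dbd16a1b} - C:\WINDOWS\system32\ihpaajfarm.dll
O2 - BHO: {a3818fef-af91-ad89-7d04-335110827d4b} - {b4d72801-1533-40d7-98da-19fafef8183a} - C:\WINDOWS\system32\qtevjy.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: wvUoOIxu - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\profsyxymil.html
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.section:4} {f.name or f.path}")
        for why in f.reasons:
            print(f"{'':15}- {why}")
```

Run as a script it prints a verdict and the contributing reasons for each line. The `suspicious` entries are the ones to identify (hash the file, check its signer) before fixing them, while `review` covers the stale orphans and the OEM window-title branding that the thread itself resolved as harmless; orphans can be fixed safely because there is no file left to load.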
