I have no idea how to do these logs. All I know is this program-looking thing called powerscan 1.1 was up and Avast tells me it's win32.trojan-gen. Avast says c:/programfiles/websavingsfromebates/websavingsfromebate1.exe is infected by the above-mentioned virus. I deleted and/or removed all infected files, but didn't think about the spyware just redoing the same thing when I opened my browser. So now I'm back at square one. I am using Windows XP. Am I going to have to get a spyware program to avoid future infestations of this virus? I need help. I'll be glad to give further information, but I will need help getting that information.
Thanks
Ok Update!
I downloaded Spybot S&D and Ad-aware and removed all programs/files each could find. Then I rescanned with Avast. Now the only file Avast can find is websavingsfromebates1.exe. I'm hoping that this means I've gotten rid of the .exe that was giving me such grief. Am I now to assume that I've gotten everything?
Seriously, please, I need help. Spybot keeps detecting the same CleverIEhooker.jeried and DSO exploit over and over again. Avast said it got rid of Websavingsfromebates1.exe earlier, yet it's still in my Add/Remove Programs. Powerscan is still on my Start menu as well. I do not know what to do. Ad-aware did not pick up anything new this time, though. It's obviously still on my system because I got all of the popups again.
Please please give me some advice.
You could post a HijackThis log if you think you are still infected. About the Spybot problem, you should ask in the Spybot forum http://forums.net-integration.net/
Ok, gonna try the HijackThis stuff.
Ok, here is what I got:
Logfile of HijackThis v1.97.7
Scan saved at 8:30:56 AM, on 5/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\jmqz.exe
C:\WINDOWS\System32\xztete.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\Owner\My Documents\My Music\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D319706-12A4-4DB4-A4CF-2F9F602672D8} - C:\WINDOWS\yiynszflb.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINDOWS\DOWNLO~1\404SEA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM..\Run: [boqlsc] C:\WINDOWS\jmqz.exe
O4 - HKLM..\Run: [nosigtb] C:\WINDOWS\System32\xztete.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [xyx] C:\WINDOWS\xyx.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip..{511A5197-0F41-4F65-A37A-5B86E030CF6B}: NameServer = 24.116.0.152,24.116.0.202
I have no idea what all of that means, so I will need lots of help.
Hui! Ad-aware and Spybot are up to date and didn't find anything else?
Please fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {1D319706-12A4-4DB4-A4CF-2F9F602672D8} - C:\WINDOWS\yiynszflb.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINDOWS\DOWNLO~1\404SEA~1.DLL
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM..\Run: [boqlsc] C:\WINDOWS\jmqz.exe
O4 - HKLM..\Run: [nosigtb] C:\WINDOWS\System32\xztete.exe
O4 - HKLM..\Run: [xyx] C:\WINDOWS\xyx.exe
O4 - HKCU..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
and everything starting with "O16".
You have to update your Windows by using www.windowsupdate.com
After a restart and opening and closing IE, please post a current log.
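An added example, not part of this thread: a small Python triage script that parses HijackThis-style entries like the ones above and applies the reply's own rules (hosts-file redirections, DLLs or EXEs dropped straight into C:\WINDOWS, orphaned "(no file)" entries, every O16 line, and autostart values not on a known-good list) to produce a review list with reasons. The known-good names are an assumption taken from the entries the reply left alone, not a vendor list; the sample log is constructed from the posted entries, including the fused O1 hosts line, which the parser splits into two records.

```python
import re
from pathlib import PureWindowsPath

# Run-value names the helper in the thread left untouched; treated as known-good here (assumption).
KNOWN_GOOD_RUN = {"storageguard", "igfxtray", "kernelfaultcheck", "lexmark x74-x75",
                  "hotkeyscmds", "nvcpldaemon", "nwiz", "avast!", "msmsgs", "nvmediacenter"}
WINDOWS_ROOT = PureWindowsPath(r"C:\WINDOWS")
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# One "IP hostname" pair; the lookahead splits pairs that were fused together, as in the posted O1 line.
IP_HOST = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+?)(?=\d{1,3}(?:\.\d{1,3}){3}\s|$)")
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"“”]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

# Constructed sample: a subset of the entries posted in the thread above.
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {1D319706-12A4-4DB4-A4CF-2F9F602672D8} - C:\WINDOWS\yiynszflb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [boqlsc] C:\WINDOWS\jmqz.exe
O4 - HKLM\..\Run: [nosigtb] C:\WINDOWS\System32\xztete.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
"""

def parse(log):
    """Yield (kind, body) per HijackThis entry; header and process-list lines are skipped."""
    for line in log.splitlines():
        if m := ENTRY.match(line.strip()):
            kind, body = m.groups()
            if kind == "O1":  # hosts entries: one record per IP/host mapping
                for ip, host in IP_HOST.findall(body.split(":", 1)[1]):
                    yield kind, f"Hosts: {ip} {host}"
            else:
                yield kind, body

def triage(log):
    """Return [(kind, body, reasons)] for the entries a responder should review first."""
    flagged = []
    for kind, body in parse(log):
        p = FILE_PATH.search(body)  # first drive-letter path named in the entry, if any
        parent = PureWindowsPath(p.group(0)).parent if p else None
        name = (m.group(1) if (m := re.search(r"\[(.*?)\]", body)) else body).lower()  # O4 [value]
        checks = [
            (kind == "O1", "hosts file pins a domain to a fixed IP"),
            (kind == "O16", "downloaded ActiveX control (DPF)"),
            ("(no file)" in body, "orphaned entry, target file missing"),
            (parent == WINDOWS_ROOT, "binary placed directly in the Windows directory"),
            (kind == "O4" and name not in KNOWN_GOOD_RUN, "autostart value not on the known-good list"),
        ]
        if reasons := [why for hit, why in checks if hit]:
            flagged.append((kind, body, reasons))
    return flagged
```

Entries the rules leave alone (SDHelper.dll in Program Files, the IgfxTray value in System32) do not appear in the output, so the list is a starting point for review rather than a verdict.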
Ok, I'm assuming you are wanting this new HijackThis log?
Logfile of HijackThis v1.97.7
Scan saved at 8:52:39 AM, on 5/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hijackthis\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{511A5197-0F41-4F65-A37A-5B86E030CF6B}: NameServer = 24.116.0.152,24.116.0.202
Thank you so much for your help.
BTW, just after that little bit of a fix, I've gotten no ads. Here is the thing: this program called healhelper is on my computer. It shows up in Add/Remove Programs but will not allow me to remove it. It says some nonsense about having other programs that I got for free, or some crap like that, and that they have to be uninstalled first. Now, first off, I never remember downloading anything of the sort, but it does not give me any clue as to what needs to be gotten rid of first. The websavingsfromebates.exe is still in Add/Remove Programs as well, but it refuses to even attempt to remove it. I do not know if that information is helpful or not.
Yes, and I think you only get completely rid of it by formatting your hard disk...
You should fix these two things:
O4 - HKLM..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
After a restart, delete this folder:
C:\Program Files\TV Media
For your CleverIEHooker, look here too:
http://www.pestpatrol.com/mscleveriehookersupport.asp
Ok, I am doing those things right now. Is the dealhelper program still causing trouble? I would hate to have to reformat, but I'm not totally against it. Any ideas about the websavingsfromebates or the powerscan progs?
edit: grammar
Ok, while deleting that TV Media folder I saw a Timsync folder. I have read that it is connected to dealhelper. How in the world did I get this stuff? What is it? Any ideas how to get rid of it?
Through security holes and an unpatched Windows and Internet Explorer like yours.
Ok, going to take care of Windows as soon as I can. I had tried previously to patch Windows, but it locked up on that system repeatedly. Do you think these programs are posing a threat?
Thank you for your help. I'm not sure if I'm out of the woods yet, but it's tons better already.
Many thanks,
Raina
Use CWShredder; that will destroy the malware that is letting the trojans in. You can get this by going to www.komando.com and clicking on the shareware link.
The hijacker should be gone now, and if it returns again then it is a backdoor.agent.aX infection, and unfortunately CWShredder is not able to fix that.