- 01-23-2006 05:04 PM #1
Help with Web Nexus Network Removal and Popups
I need help in removing web nexus network. I've done everything in the "Get Rid of Spyware, Adware" Guide and am still having problems. I also posted my HijackThis log into Help2Go Detective, and performed the necessary steps. It also told me to create a post on this forum. Please help. My HijackThis log file is pasted below. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 4:57:25 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\windows\winsysban.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HijackThis\HijackThis.exe
c:\windows\system\hpsysdrv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ycpqpc.exe reg_run
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [mkmo] C:\PROGRA~1\COMMON~1\mkmo\mkmom.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webma...rtload106a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://downloads.taxslayer.com/books003/disk1/setup.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dnn0015me.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
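The helper's triage of the log above comes down to a few checks: autorun (O4) targets that also turn up in the Find-Qoologic hit list, ActiveX (O16 DPF) downloads from hosts other than Microsoft's, and a service (O23) whose binary is missing. The following is an added example, not code from the thread or from HijackThis, that parses the v1.99.1 line format and applies those three rules; the sample lines and the hit list are copied from the posts, and the trusted-host list is an assumption.

```python
import re
from urllib.parse import urlsplit

# Sample input in the HijackThis v1.99.1 line format (entries copied from the posted log).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ycpqpc.exe reg_run
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://downloads.taxslayer.com/books003/disk1/setup.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
"""
# Files reported by Find-Qoologic in the thread ("Search by size and name" section).
QOOLOGIC_HITS = {r"C:\WINDOWS\SYSTEM32\YCPQPC.EXE", r"C:\WINDOWS\SYSTEM32\GWKQK.DLL"}
# Assumed allowlist: hosts from which an ActiveX (DPF) download is expected.
TRUSTED_DPF_HOSTS = ("windowsupdate.com", "microsoft.com")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


def exe_path(cmd):
    """Return the executable part of an O4 command line (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text, qoologic_hits=QOOLOGIC_HITS):
    """Return (entry type, identifier, reason) for every line that needs a second look."""
    hits = {h.upper() for h in qoologic_hits}
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            # Cross-reference the autorun target against the Find-Qoologic output.
            if exe_path(m["cmd"]).upper() in hits:
                findings.append(("O4", m["name"], "autorun target also found by Find-Qoologic"))
        elif m := O16_RE.match(line):
            host = urlsplit(m["url"]).hostname or ""
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append(("O16", m["clsid"], f"ActiveX download from untrusted host {host}"))
        elif m := O23_RE.match(line):
            if m["missing"]:
                findings.append(("O23", m["name"], "service points at a missing binary (orphaned entry)"))
    return findings


if __name__ == "__main__":
    for entry in triage(SAMPLE_HJT):
        print(*entry, sep=" | ")
```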
- 01-23-2006 05:49 PM #2
Hi
You have several different pieces of malware in your log...
To address the web nexus problem first...
Please Download the FindQoologic.zip to your desktop :-
http://downloads.subratam.org/Find-Qoologic.zip
Extract the files to a folder, open the folder and double-click on the Find-Qoologic.bat file...
A DOS window will appear...
Choose option #1 and press enter
The scan will take a while, please be patient...
Post the contents of the text file which appears after the scan is complete.
steam
- 01-23-2006 05:55 PM #3
Here are the contents of the log from running Find-Qoologic. Thanks in advance for your help.
Find Qoologic last edited 01/08/2006
Running from
C:\Downloads\Find-Qoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
C:\WINDOWS\SYSTEM32\YCPQPC.EXE
C:\WINDOWS\SYSTEM32\QKWGW.DAT
C:\WINDOWS\SYSTEM32\GWKQK.DLL
C:\WINDOWS\SYSTEM32\QNISINP.DLL
C:\WINDOWS\SYSTEM32\KDJVJDD.EXE
C:\WINDOWS\SYSTEM32\QKWGW.DAT
C:\WINDOWS\SYSTEM32\YCPQPC.EXE
C:\WINDOWS\BQNENQ.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\PJOW.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmsmxtx]
@="{f86b676f-0914-4ddb-abb4-c03f4c3e71cb}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\ycpqpc.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
- 01-24-2006 05:34 PM #4
Hi
1. Open a new notepad and copy everything in the quote box into it...
(Make sure there is NO space above or in front of REGEDIT4)
2. Save as type "all files", call it remove.reg and save it to your desktop, do no more, you will use it later in safe mode...
REGEDIT4
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmsmxtx]
[-HKEY_CLASSES_ROOT\CLSID\{f86b676f-0914-4ddb-abb4-c03f4c3e71cb}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
THEN...
Download the following programs:-
1. Download Pocket KillBox ...
http://www.help2go.com/modules.php?n...ownload&id=378 (unzip to the desktop)
We'll use it later
2. Download & install CCleaner ..
http://www.ccleaner.com/ (click the download tab)
We'll use it later
3. Download ewido security suite, install, and update it (I know you've already run ewido, no need to download it again, but please run it as described below)
Please set up as :-
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful")
5. You may need to manually update the definitions which you can get HERE
6. Exit Ewido. DO NOT scan yet.
We'll use it later
Then reboot into >>>safe mode
1. Double click on the remove.reg file and allow it to merge with the registry...
2. run hijackthis and tick the following lines :-
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ycpqpc.exe reg_run
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [mkmo] C:\PROGRA~1\COMMON~1\mkmo\mkmom.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webma...rtload106a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\dnn0015me.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
click fix checked
THEN ...
RUN ccleaner
go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
THEN...
Run ewido
7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.
Important - You need to click "Save report" and save it to your desktop, or you won't have a log
THEN ...
Run the Killbox.exe file
Click on > Tools > Delete Temp Files
THEN ...
check the box "Delete on Reboot"
copy and paste the following bold lines into the "Full Path of File to Delete" box in Killbox (one at a time) ...after each one, click the red button with the white X on it.
Say yes to "delete on reboot" and NO to reboot now, until you have entered ALL the files, then say "yes" to reboot now...
C:\WINDOWS\SYSTEM32\YCPQPC.EXE
C:\WINDOWS\SYSTEM32\QKWGW.DAT
C:\WINDOWS\SYSTEM32\GWKQK.DLL
C:\WINDOWS\SYSTEM32\QNISINP.DLL
C:\WINDOWS\SYSTEM32\KDJVJDD.EXE
C:\windows\winsysupd.exe
C:\windows\winsysban.exe
C:\WINDOWS\BQNENQ.DAT
C:\Program Files\Common Files\VCClient
C:\Program Files\Common Files\mkmo
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PJOW.EXE
Let it reboot (reboot manually if you have to)
Post the following new logs :-
1. hijackthis
2. find-qoologic
3. ewido
4. Pandascan
cheers
steam
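The remove.reg script in the post above relies on two REGEDIT4 conventions: a key written as [-KEY] is deleted with everything under it, and a value written as "name"=- is removed from the key named in the preceding [KEY] line, which is why the header must be the very first thing in the file. The following is an added example, not code from the thread or from any of the tools it names, that parses such a script and lists exactly what a merge would delete, refusing the file when the header is not on line 1 with nothing in front of it; the sample input is the script posted above.

```python
import re

# The remove.reg script from the post above, embedded as the sample input.
REMOVE_REG = r"""REGEDIT4
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmsmxtx]
[-HKEY_CLASSES_ROOT\CLSID\{f86b676f-0914-4ddb-abb4-c03f4c3e71cb}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return the operations a merge would perform as (op, key, extra) tuples.

    Raises ValueError when line 1 is not exactly REGEDIT4 (a blank line above it
    or a space in front of it, the caveat the post warns about, both fail here)."""
    lines = text.splitlines()
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("first line must be exactly REGEDIT4 with nothing before it")
    ops, current = [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            if m["delete"]:                      # [-KEY]: delete the key and its subtree
                ops.append(("delete_key", m["path"], None))
                current = None
            else:                                # [KEY]: values that follow apply here
                current = m["path"]
                ops.append(("ensure_key", current, None))
        elif m := VALUE_RE.match(line):
            if current is None:
                raise ValueError(f"line {n}: value outside a [key] section")
            if m["data"] == "-":                 # "name"=- : delete the value
                ops.append(("delete_value", current, m["name"]))
            else:                                # "name"="data": set the value
                ops.append(("set_value", current, (m["name"], m["data"])))
        else:
            raise ValueError(f"line {n}: unrecognised line {line!r}")
    return ops
```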