Here Today... Gone To Hell! | Message Board


Author Topic: Virus Help PLEASE!  (Read 5574 times)
Sterlingdog
Guest
« Reply #20 on: April 28, 2006, 10:22:30 PM »

I've had to do exactly what you just described above.  But you definitely need someone to interpret your hijack this file unless you are a major computer nerd.  Anyway, I think I had a version of Cool Web Search, but no programs would remove it.  PC tools Spyware doctor was able to stop it from executing until I actually got it cleaned off. 

Back Off Bitch
« Reply #21 on: April 28, 2006, 10:45:23 PM »

Did it.. Most of my stuff is gone but when my IE starts up, http://www.securitybulletin.net/ always comes up even if I change it...

DON'T CLICK ON THAT SITE... IT MIGHT DO THE SAME TO YOU...

Anyone know how to fix this?


Your browser is hijacked... hmmm... lets see here... first thing you should do is hook up with Windows Defender. I think it's the best free tool out there for spyware at the moment. run a scan. I wouldn't suggest ZoneAlarm as a firewall. I've used it, Norton (garbage), and the one built in to my router, and I found that Windows Firewall beats them all (it's easier to configure, and doesn't slow down your surfing). As for an antivirus, I've tried all the free ones. Unfortunately, the free ones don't usually pick up on everything that the subscription ones do.

Hmm... Pick up Registry Mechanic here: http://www.pctools.com/registry-mechanic/. Oh, and to fix your hijacked browser, go to Tools, Internet Options, and clear cookies, temporary files, and history, go to the advanced tab and hit Restore browser defaults. then close out your browser. Run a windows defender scan and let that go through. once it's done, reopen the browser and see if your problem is solved. if it isn't, go to http://www.majorgeeks.com/download3155.html and download hijack this and run it. post the logfile from hijack this here and we'll see what you should get rid of.

God, I'm a nerd!! haha... not really, I've just had some experience with this stuff in the past.

Thanks... Here's the log file

Logfile of HijackThis v1.99.1
Scan saved at 10:46:09 PM, on 4/28/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Common Files\AOL\1015154326\ee\AOLSoftware.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.compuserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.compuserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpA373.tmp
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\pmnnl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1015154326\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142095534718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\SYSTEM32\pmnnl.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

12.10.91 Madison Square Garden
05.12.06 Hammerstein Ballroom
05.14.06 Hammerstein Ballroom
11.10.06 Madison Square Garden

Mr. Dick Purple
« Reply #22 on: April 28, 2006, 11:00:42 PM »

God, I'm a nerd!!  haha... not really, I've just had some experience with this stuff in the past.

Well that makes two of us

No man can be my equal

Neemo
« Reply #23 on: April 28, 2006, 11:09:32 PM »

I've had to do exactly what you just described above. But you definitely need someone to interpret your hijack this file unless you are a major computer nerd. Anyway, I think I had a version of Cool Web Search, but no programs would remove it. PC tools Spyware doctor was able to stop it from executing until I actually got it cleaned off.

Yeah and you gotta pay for that right? Basically if all else fails that's what you gotta do.....that program is pretty cool. (psst....if you look hard enough everything is free, i dunno where to look but I'm sure you can find someone to help you)

About Mozilla....I never used it before, just what i was told by a very knowledgeable computer person. whatever, i use IE and outlook express....i never get viruses or major spyware problems....just gotta learn what is safe and what isn't...unfortunately it takes trial and error sometimes...not trying to pick a fight with Mozilla users, i was just stating my preferences for computer programs ok

adaware and spybot are cool IMO i use both regularly, and i use registry mechanic too, but it's kinda only good if you use it after the problem has been solved i think. Dunno about the hijack....never tried that....give it a whirl though majorgeeks.com has good stuff on there.

The reason i asked about the searchengine toolbars is cuz a lot of those programs are spyware in themselves. the problem you got though...the program loads itself even if you go in safe mode...I've witnessed that problem before...and it sounds like a program that you actually inadvertently installed....aka the search engine toolbars...never install those fucking things.


also a long way to do it is take every process that is running and look on a search engine for problems with that file......ones that look suspicious to me are

Quote
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

look for info on these processes and see if they are malicious, if so DL a fix tool ok that last one looks to be the culprit though

Back Off Bitch
« Reply #24 on: April 28, 2006, 11:37:16 PM »

Nah... HiJackthis is the program I used to get this log and PC-Cillin is my virus scanner... Not sure what this "plaxo" is...
Sterlingdog
Guest
« Reply #25 on: April 28, 2006, 11:40:47 PM »

One thing that has worked for me is to just google the name of the hijacking website.  For example, google "securitybulletin virus".  If it is a common enough virus, you will probably find removal instructions somewhere.  Often they involve deleting something from your registry, so it depends on how brave you are feeling if you try that.

Neemo
« Reply #26 on: April 28, 2006, 11:42:30 PM »

Nah... HiJackthis is the program I used to get this log and PC-Cillin is my virus scanner... Not sure what this "plaxo" is...


Sterling i was just gonna say that.... ok


basically go through each and every file listed in that thing and google them all...you'll find the problem area eventually and how to fix it

the alternative is to format and reinstall

Axls Locomotive
« Reply #27 on: April 29, 2006, 07:29:24 AM »

click these ones and remove them...most likely those popups will disappear, trust me i've done this many times

O20 - Winlogon Notify: pmnnl - C:\WINDOWS\SYSTEM32\pmnnl.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpA373.tmp
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\pmnnl.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Q is all knowing and all seeing

""Of all the small nations of this earth, perhaps only the ancient Greeks surpass the Scots in their contribution to mankind"
(Winston Churchill)"
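
Added example, not part of the thread and not HijackThis's own logic: a small Python triage script that applies three heuristics to HijackThis entries and surfaces most of the lines singled out in the reply above. The function name `triage` and the heuristics themselves are assumptions chosen for illustration; a flag is a lead to research, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpA373.tmp
O2 - BHO: (no name) - {E8DEC8EA-8D80-4ec6-AF6B-190A765F1D2F} - C:\WINDOWS\System32\pmnnl.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\SYSTEM32\pmnnl.dll
"""

ENTRY = re.compile(r'^(R\d|O\d+) - (.+)$')                   # section code, rest of line
PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.\w{2,4})(?=["\s]|$)')  # first drive-letter path

def triage(log_text):
    """Return {entry_line: [reasons]} for entries worth researching (heuristics are assumptions)."""
    flagged = defaultdict(list)
    sections_by_file = defaultdict(set)   # lower-cased path -> section codes that reference it
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue                      # header lines and the process list are skipped
        section, rest = m.groups()
        p = PATH.search(rest)
        path = p.group(1).lower() if p else None
        entries.append((line, path))
        if path:
            sections_by_file[path].add(section)
        # Heuristic 1: the registration points at a file that no longer exists.
        if rest.endswith("(file missing)"):
            flagged[line].append("target file is missing")
        # Heuristic 2: BHOs (O2) and Winlogon Notify packages (O20) are loaded as
        # DLLs, so any other extension (e.g. .tmp) deserves a closer look.
        if section in ("O2", "O20") and path and not path.endswith(".dll"):
            flagged[line].append("loaded module is not a .dll")
    # Heuristic 3: one file hooked into both the browser (O2) and logon (O20).
    for line, path in entries:
        if path and {"O2", "O20"} <= sections_by_file[path]:
            flagged[line].append("same file is both a BHO and a Winlogon Notify package")
    return dict(flagged)

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```

The `R0 ... Local Page = \blank.htm` line from the same reply is not covered by these three checks.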
Back Off Bitch
« Reply #28 on: April 29, 2006, 02:03:26 PM »

Can't find em... How do I get to them to delete em?
Sterlingdog
Guest
« Reply #29 on: April 29, 2006, 02:18:39 PM »

Can't find em... How do I get to them to delete em?

You have to edit your registry.  Someone here can probably give you directions on how to do it.  I've never been brave enough to do it myself.

Axls Locomotive
« Reply #30 on: April 29, 2006, 04:24:01 PM »

Can't find em... How do I get to them to delete em?

didn't you run hijackthis to get the log?

you can delete them from hijackthis

run hijackthis
select "Do a system scan only"
in the list of items there is a box beside each one on the left hand side, click the box beside the ones i've mentioned above so that they have check marks beside them...(make sure you select the right ones)
click the button that says "fix checked" (at the bottom of the window) and hijackthis will remove the items...
close hijackthis
reboot your pc

do another scan with hijackthis to make sure these items have been permanently deleted

voila

Coco
« Reply #31 on: April 29, 2006, 04:54:56 PM »

no zone alarm
no internet explorer
no firefox
no windows

Back Off Bitch
« Reply #32 on: April 30, 2006, 06:32:14 PM »

Did some scans and manually deleted all the junk in safe-mode, etc...

That site doesn't come up anymore but when I start up IE, it's blank and when I try to change it, it doesn't work... Anyone help?
Sterlingdog
Guest
« Reply #33 on: April 30, 2006, 06:36:17 PM »

Did some scans and manually deleted all the junk in safe-mode, etc...

That site doesn't come up anymore but when I start up IE, it's blank and when I try to change it, it doesn't work... Anyone help?

Do you mean when you try to change your default home page, it doesn't work?  Or you can't go to a different site?

Also if it says "about:blank", that is sometimes a virus.
« Last Edit: April 30, 2006, 06:47:40 PM by Sterling »

Axls Locomotive
« Reply #34 on: April 30, 2006, 06:45:44 PM »

run hijackthis and post your log again
