used mcfee, spybot, adware, etc. POPUP PERSISTS! HELP! Hijack log is here

G

genedna

New Member
Hello, on my wife´s family´s computer I get constantly this message:

Microsoft Windows has encountered an Internal Error. Your windows registry is corrupted. We recommend a complete system scan.
Visit
http://FixRegNow.com
To repair now!
OK

-------------

I know it´s a scam. I´ve run CSW shredder, spybot, adware 6, spyblaster, reg mechanic, and used hijack now, and read tutorials to fix numerous things...but...still this little hardy bastard persists!!!!! I know you all work so hard, so I wanted to fix myself, and will continue to learn, I want to fix this computer for them, so your expertise is well appreciated!!!!!!!

Here is the log:

--------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:42:22, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\pctspk.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T 1.EXE
C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\PDF-XChange 2.5\pdfSaver.exe
C:\Arquivos de programas\PDF-XChange 2.5\pdfSaver.exe
C:\Arquivos de programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Daniel\Configurações locais\Temp\Diretório temporário 7 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnanow.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T 1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Arquivos de programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [pdfSaver] C:\Arquivos de programas\PDF-XChange 2.5\pdfSaver.exe
O4 - Startup: PDF-XChange Capture.lnk = C:\Arquivos de programas\PDF-XChange 2.5\pdfSaver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1123213722703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1123274772046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7553AEF-B3C9-4D4E-A2EB-6EFD22712A24}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe

-------------------------------------------------
Kind Regards,
Vern
 
A

alienmidget

New Member
Adaware 6 is outdated. You'd have better luck using adaware SE 1.06
It sounds like a spyware problem to me. Download spyware doctor and edwido security suite. UPDATE all anti-spyware/virus programs and run them in safe mode and see what happens. Let us know how it turns out.
 
Buzz1927

Buzz1927

Digaredd
Let's see if Ewido finds anything.
Download Ewido. Update it, then boot into safemode by tapping f8 on startup.
Once in safemode, run a full scan with Ewido. Let it clean anything it finds. When it's finished, save the report and post it here.
 
Lorand

Lorand

<b>VIP Member</b>
That log is pretty clear. But this running process could be dubious:
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe

Edit: at a second look at the log, this entry seems to be definitely dubious:
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
 
Last edited:
Lorand

Lorand

<b>VIP Member</b>
The first one could be a malware that stole the name of a legit file.
And I couldn't find any info on the second one...
 
You must log in or register to reply here.
Top