BHO keeps getting added

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexJ., Jul 14, 2006.

  1. alexJ.

    alexJ. Private E-2

    Hello,

    I have SpywareGuard and it keeps alerting me about a BHO that keeps getting added. The SpywareGuard Browser protection alert then asks me if I want to remove it, which is what I do. But the BHO keeps getting added every minute or so, so I'm constantly being prompted to remove the BHO. After about 3 minutes the computer freezes up and I have to reboot. I can't even get it to where I can download anything to try and remove it (i.e. Spybot, CW Shredder, HijackThis).

    BHO # 5321-E378-FFAD-4999-03CA-8155-F0B3

    Thanks for your help.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    If necessary, disable SpywareGuard so you can do the below procedure.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. alexJ.

    alexJ. Private E-2

    I disabled SpywareGuard but the BHO prompt still popped up. I clicked "keep it" so it wouldn't keep popping up, which seemed to solve the pop up problem, but the computer still freezes up after a few minutes and I cannot even download any of the programs you suggested. I almost completed the Spybot download but it froze before finalizing and then the Spybot folder was empty. I rebooted and was able to delete the quarantine list from Ad-Aware SE. I'll keep trying but any suggestions? Thanks again, sorry for the bother. Also I had downloaded Spyware Doctor but now cannot uninstall it from Add/Remove Programs.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you cannot download or you cannot run the scans? They are two different things. First you download, then you install, and then you run the scan. At which point are you having a problem? It sounds like during download but I want to be sure I'm not misreading.

    If during download: Can you download in safe mode?

    If during scan: Are you running the scans (Spybot) in safe mode with your internet connection disabled? Did you also run a full scan with Ad-Aware?

    Try doing the below if possible. They are very small and run quickly. If you cannot do this due to your download problem, we will try to work something else out. Can you receive email with attachments?

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
  5. alexJ.

    alexJ. Private E-2

    Hello...the problem is the computer freezes up after about 2-3 minutes. It seems I have more time if the system was down (as opposed to restarts). After many tries I was finally able to download Spybot in normal mode (in safe mode web pages don't load up) and scan in safe mode. It found and fixed 3 things (Coolwwwsearch, Mailbot, Tibs.vq) but it could not fix "Torpig".

    I already had AdAware SE and did the updates and ran a scan in safe mode.

    Computer still freezes up after a few min. in normal mode. I'm still trying to download CCleaner, CW Shredder and Kill2Me and also BitDefender and Panda.

    I think I have enough time to get emails; otherwise I have a laptop which I'm working from that can get emails. I will try to run the programs you indicated and try to upload as attachments.

    Thanks.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please run the scans Chaslang requested in his last post.

    Attach the logs when finished.
     
  7. alexJ.

    alexJ. Private E-2

    Hey Shadow, I got the email asking me to reply but I haven't yet because I'm still trying to run scans. I was able to download and unzip both (after a few tries) and I ran GetRunKey but it never finished (computer froze up) so I didn't get anything to attach. I haven't tried the ShowNew yet.

    I'll keep trying...

    Thanks,

    AlexJ.
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Chas is on vacation. When you get the logs I'll take a look at them.
     
  9. alexJ.

    alexJ. Private E-2

    I can't seem to finish running the scans. I tried to look for runkeys.txt but it was not found, so I imagine the scan never completed. The computer freezes at different stages of the scan. Any other suggestions? When loading up I get error messages "cannot find WINLOGON.EXE" and "cannot load or run WINLOGON.EXE" in the WIN.INI file. Can I run these scans in safe mode?

    Thanks,

    AlexJ.
     
  10. alexJ.

    alexJ. Private E-2

    I was able to finish the GetRunKey scan!

    Here is the info. Hopefully I attached/uploaded it correctly. I'll keep trying with ShowNew.

    Listing Standard Startup (Run) Registry Keys
    ----------------------------------------------------------------------------

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "PopUpStopperFreeEdition"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER FREE EDITION\\PSFREE.EXE\""
    "SpySweeper"=""
    "E6TaskPanel"="\"C:\\PROGRAM FILES\\EARTHLINK TOTALACCESS\\TASKPANL.EXE\" -winstart"
    "Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
    "shell"="\"C:\\WINDOWS\\SYSTEM\\ibm00001.exe\""
    "xp_system"="C:\\WINDOWS\\INET20091\\WINLOGON.EXE"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
    "TaskMonitor"="c:\\windows\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "LVComs"="c:\\windows\\SYSTEM\\LVComS.exe"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
    "LoadQM"="loadqm.exe"
    "CreateCD50"="\"c:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
    "AdaptecDirectCD"="\"c:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
    "EarthLink Installer"="\" /C"
    "HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "ICSDCLT"="c:\\windows\\rundll32.exe c:\\windows\\SYSTEM\\icsdclt.dll,ICSClient"
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "ClamWin"="\"C:\\Program Files\\ClamWin\\bin\\ClamTray.exe\" --logon"
    "xp_system"="C:\\WINDOWS\\INET20091\\WINLOGON.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnceEx]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="mstask.exe"
    "Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"
    "KB891711"="c:\\windows\\SYSTEM\\KB891711\\KB891711.EXE"
    "SSDPSRV"="c:\\windows\\SYSTEM\\ssdpsrv.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunServicesOnce]


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "PopUpStopperFreeEdition"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER FREE EDITION\\PSFREE.EXE\""
    "SpySweeper"=""
    "E6TaskPanel"="\"C:\\PROGRAM FILES\\EARTHLINK TOTALACCESS\\TASKPANL.EXE\" -winstart"
    "Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
    "shell"="\"C:\\WINDOWS\\SYSTEM\\ibm00001.exe\""
    "xp_system"="C:\\WINDOWS\\INET20091\\WINLOGON.EXE"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
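As an added example (not code from the thread, the GetRunKey tool, or the MajorGeeks helpers), a small Python checker for the run-key listing format posted above. It parses the regedit-style values and flags two patterns that a reviewer would look at in this kind of log: a core Windows binary name such as WINLOGON.EXE starting from a directory other than the system directory, and a generated-looking filename; the sample entries are a constructed excerpt in the same format, and the directory allowlist and name regex are assumptions for a Win9x layout, so a hit means "look closer", not a verdict.

```python
import re

# Constructed excerpt in the same format as the getrunkey listing posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"shell"="\"C:\\WINDOWS\\SYSTEM\\ibm00001.exe\""
"xp_system"="C:\\WINDOWS\\INET20091\\WINLOGON.EXE"
"SpySweeper"=""
'''
# Core Windows binaries that should only start from the system directory
# (assumption: Win9x layout; "" covers bare names resolved through PATH).
SYSTEM_BINARIES = {"winlogon.exe", "explorer.exe", "rundll32.exe"}
SYSTEM_DIRS = ("", r"c:\windows", r"c:\windows\system")
# Names like ibm00001.exe (assumption: generated-looking, worth a look, not proof).
GENERATED_RE = re.compile(r"^[a-z]{2,4}\d{4,}\.exe$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

def parse_runkeys(text):
    """Yield (key, value_name, command) from a regedit-style run-key listing."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif key and VALUE_RE.match(line):
            name, raw = VALUE_RE.match(line).groups()
            # Undo the export escaping: \" -> " and \\ -> \
            yield key, name, raw.replace('\\"', '"').replace("\\\\", "\\")

def image_path(command):
    """Executable path from a command line, honouring a quoted first token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def flag_entries(text):
    """Return (value_name, image, reason) for entries matching a heuristic."""
    hits = []
    for _key, name, command in parse_runkeys(text):
        image = image_path(command)
        base = image.rsplit("\\", 1)[-1].lower()
        directory = image[: -len(base) - 1].lower()
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            hits.append((name, image, "system binary name outside system dir"))
        elif GENERATED_RE.match(base):
            hits.append((name, image, "generated-looking filename"))
    return hits
```

Running flag_entries on the full runkeys.txt pasted above would report the same two value names in each hive they appear in.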
     
  11. alexJ.

    alexJ. Private E-2

    Oops, sorry, forgot to click on Manage Attachments to attach. Apologies...my bad.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



    Post a fresh HijackThis log.
     
  13. alexJ.

    alexJ. Private E-2

    That sucks...attached is the HijackThis log. I'm also working off a laptop that is on the same connection (router/modem) as the main computer. Should I do cleaning and scans on the laptop too? Am I at risk?

    Thanks for your continued help.

    alexJ.
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HijackThis is not in the proper location. Move HijackThis to C:\Program Files\HJT. After HijackThis is in the proper location rename hijackthis.exe to analyse.exe.

    Download
    - Pocket Killbox

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Using GetRunKey.

    Post runkeys.txt and a fresh HijackThis log.

    At some point you will want to run scans on your laptop.
     
  15. alexJ.

    alexJ. Private E-2

    Thanks, you guys are awesome. Just a few questions...

    I'm not sure what you mean by moving hijackthis to C:\Program File/HJT?

    And how do I rename file once in the right location?

    Also, just to confirm I have the key logger threat right?

    Thanks again.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

