
My Hijackthis Log


  • This topic is locked
22 replies to this topic

#1 nodo (Authentic Member, 43 posts)

Posted 04 November 2005 - 10:10 AM

Hi,
Below is my HijackThis log file. What should I remove? I am having problems with popups, advertisements, spyware, etc., even though I run Ad-aware Professional 6.0 and Pop-Up Sentry; they still don't help. If I look into Add/Remove Programs, there are My Way Search Assistant and Quick Links, which I cannot remove. Please advise.

Logfile of HijackThis v1.99.1
Scan saved at 7:54:55 AM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Quincy Do\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.dll
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpSentry] C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSENTRY.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SABWinLogon - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABWINLO.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pop-Up Sentry! Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\SABSVC.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



#2 pskelley (R.I.P. Always in our hearts; Authentic Member, 3,879 posts; Interests: Computers, fishing, biking, basketball, travel)

Posted 08 November 2005 - 04:57 PM

Hello Quincy Do, and welcome to the TomCoyote forum. If you still need help, please follow these instructions. I see little, but you have somehow allowed an item that is on the IE-Spyad restricted list to have access to the "Trusted Zone" on your computer. I will run some scans and remove what I find and that TZ item, and we will see how that goes. First I need to relocate HJT.exe. You are running from the Desktop; I would prefer C:\HJT\HijackThis.exe. If you must run from the Desktop, create a folder by RIGHT clicking a blank spot and move the HJT.exe into that folder: Desktop\HJT\HijackThis.exe.

1) Download CCleaner from this link: http://www.ccleaner.com/ . Review the instructions at http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, then update and configure them as in the link. Run Spybot first, reboot, then run Ad-aware. Both programs back up what they remove, so delete anything the programs say should be removed.

3) Ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Your spyware programs, especially Adwatch, may block the HJT removal. I suggest you turn them off until you are done.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files and folders
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start, then click on Explore. Locate this folder C:\Windows\Prefetch\ and delete all of the contents (NOT THE FOLDER). This link will tell you more about Prefetch:
http://www.windowsne...refetch-XP.html

5) Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. Let me know if that fixed it.

Thanks...pskelley
TomCoyote forum
Spyware Warrior
MS-MVP Windows Security 2007-8-9, Proud Member ASAP, UNITE Member 2006
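The helper's first pass above is a reading of the HijackThis log by section: the O15 Trusted Zone line is the item he singles out, and later in the thread the O9 entries pointing at "(no file)" are fixed too. The following script is an added example (not HijackThis code and not something posted in this thread) that does that first pass mechanically: it parses the R/F/O entry lines into records and flags O15 entries, orphaned "(no file)" entries, and, as a heuristic of my own that the page does not state, IE add-on entries (O2/O3/O9) loaded from the Windows directory rather than a program folder. The sample lines are copied from the first log in the thread.

```python
"""Parse a HijackThis v1.99 log and flag the entry classes a helper acts on.

Added example for this thread; it is not HijackThis code or code from the
forum. It reads the R0/R1/Oxx entry lines of a log, pulls out the CLSID and
file path where present, and flags:
  * O15 Trusted Zone entries (a site in the Trusted Zone runs with relaxed
    IE security, so anything you did not add yourself is suspect),
  * entries whose target is "(no file)" (orphaned registry entries), and
  * IE add-on entries (O2/O3/O9) loaded from the Windows directory instead
    of a program folder (a heuristic, not a verdict: verify such a file with
    a scanner rather than trusting its name).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: a few lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:54:55 AM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PopupSentry Class - {00000000-6C30-11D8-9363-000AE6309657} - C:\Program Files\PopUpSentry.com\Pop-Up Sentry!\PSBHO.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|cpl|ocx)\b', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Entry:
    code: str              # HijackThis section, e.g. "O15"
    body: str              # text after "O15 - "
    clsid: Optional[str]   # {GUID} if the line carries one
    path: Optional[str]    # file path, "(no file)", or None


def parse_hjt_log(text: str) -> List[Entry]:
    """Return one Entry per R/F/O line; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        if body.endswith("(no file)"):
            path = "(no file)"
        else:
            p = PATH_RE.search(body)
            path = p.group(0) if p else None
        entries.append(Entry(m.group("code"), body, clsid.group(0) if clsid else None, path))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (code, reason, body) for the entries a helper would look at first."""
    findings = []
    for e in entries:
        if e.code == "O15":
            findings.append((e.code, "Trusted Zone site: relaxed IE security for that site; remove unless you added it", e.body))
        elif e.path == "(no file)":
            findings.append((e.code, "orphaned entry: the registered file no longer exists; safe to fix", e.body))
        elif e.code in ("O2", "O3", "O9") and e.path and e.path.lower().startswith(WINDOWS_DIR):
            # Heuristic (assumption of this example): IE add-ons normally live under Program Files.
            findings.append((e.code, "IE add-on loaded from the Windows directory; verify the file with a scanner", e.body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Run against the sample it reports the O15 line, the "(no file)" O9 line and the O9 line that loads a DLL from system32; the entries under Program Files are left alone. The parser does not decide what is malicious, it only orders the log so that the lines worth a second look come first.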

#3 nodo (Authentic Member, 43 posts)

Posted 09 November 2005 - 04:52 PM

Thanks for the reply, pskelley. Below are the HijackThis log file and the ewido scan log file. I really appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:39 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Quincy Do\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:55:44 AM, 11/9/2005
+ Report-Checksum: EA89391C

+ Scan result:

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Ignored
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Ignored
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Ignored
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Ignored
:mozilla.22:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.23:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.24:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.26:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.27:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.57:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.59:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.60:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.61:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.62:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.415:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Ignored
:mozilla.422:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Ignored
:mozilla.448:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Ignored
:mozilla.454:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Ignored
:mozilla.460:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Ignored
:mozilla.536:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.537:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Ignored
C:\WINDOWS\SYSTEM32\nsc19.dl$ -> Spyware.HotSearchBar : Ignored
C:\WINDOWS\SYSTEM32\wuauclt.dll -> TrojanDownloader.Small : Ignored
:mozilla.58:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.538:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.539:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.545:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.584:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.595:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.596:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.597:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.598:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.599:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.600:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.601:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.602:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.603:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.604:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.605:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.606:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.615:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.645:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.646:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.647:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.648:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.649:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.661:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.688:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.689:C:\Documents and Settings\Quincy Do\Application Data\Netscape\NSB\Profiles\ieoatnb8.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@riptownmedia.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\Cookies\quincy do@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\Cookies\quincy do@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\Cookies\quincy do@popunder.paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\RelatedSetup.exe -> TrojanDownloader.Small.bmx : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\setup4110.tmp/lhoc03njq_.dll -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\setup4110.tmp/hxk8pjf7w_.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temp\tm60884.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temporary Internet Files\Content.IE5\2X0BKRC9\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temporary Internet Files\Content.IE5\SHMZKXAN\rcverlib[1].exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temporary Internet Files\Content.IE5\WVH7AE3X\pcs_0002[1].exe -> Spyware.Pacer : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc10.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc12.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc13.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc15.txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc16.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc17.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc18.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc4.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc5.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc6.txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc7.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc8.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-1726760241-3662417297-1333279794-1005\Dc9.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\WINDOWS\SYSTEM32\dcxorxm.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\qlink32.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\SYSTEM32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup


::Report End

#4 pskelley

Posted 09 November 2005 - 08:21 PM

I am sorry, but you chose to ignore a bunch of bad stuff when ewido ran; all of the stuff you did not delete is bad. I want you to open ewido and check for updates in case there are any new ones. Once this is done, close ewido, then use these instructions to start the computer in safe mode: http://www.bleepingc...tutorial61.html
Once in safe mode, open ewido and run it again, this time have it delete everything it finds. Don't forget to save the scan report. Once finished, restart to normal mode.

Ad-watch.exe may stop the HJT fix; use these instructions to turn it off, and turn it back on when you finish with HJT.
In the Ad-Watch window have them check the Active option instead of Automatic and it will stop undoing your fix.
1. Right-click on Ad-watch icon in the System Tray.
2. Go to Ad-Watch Settings and uncheck Load Ad-Watch on Windows start up
3. Again in Ad-Watch Settings Select Unload Ad-watch.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Post the new Ewido scan report run in safe mode, and a new HJT log. Run the computer a little and this time give me some information about how you are running now.

Thanks...Phil

Edited by pskelley, 09 November 2005 - 08:22 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
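As an added illustration (not part of this thread, and not HijackThis's own code), here is a small Python parser for HijackThis v1.99 log lines. It classifies each entry by its section code and flags the two kinds of item Phil asked to fix above: R0/R1 start/search values pointing off the owner's expected domain (the expected-domain list is an assumption based on the Yahoo start pages in the logs) and O9 entries registered with "(no file)". The sample log mixes lines quoted from this thread with one constructed hijacked Search Bar entry, marked as such.

```python
"""Parse HijackThis v1.99 log entries and flag items of the kinds fixed in this thread."""
import re
from urllib.parse import urlparse

# Assumption: the owner chose Yahoo as start/search page (the R0 lines in the
# thread say so); any other host in an R0/R1 value is worth a closer look.
EXPECTED_DOMAINS = ("yahoo.com",)

SECTION = re.compile(r"^([RFNO]\d+) - ")
# R0/R1: "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://..."
R_LINE = re.compile(r"^(R\d) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
# O9: "O9 - Extra button: (no name) - {CLSID} - (no file)"
O9_LINE = re.compile(r"^O9 - (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4: 'O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\...\ypager.exe -quiet'
O4_LINE = re.compile(
    r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] "?([^"]+?\.(?:exe|dll|cpl))"?(.*)$', re.I)


def on_expected_domain(host):
    """True when host is one of EXPECTED_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def parse_hjt(text):
    """Return one dict per HJT entry; 'Running processes' paths carry no code and are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if not m:
            continue
        entry = {"code": m.group(1), "raw": line, "flags": []}
        if entry["code"][0] == "R" and (r := R_LINE.match(line)):
            _, hive, key, name, value = r.groups()
            entry.update(hive=hive, key=key, name=name, value=value)
            host = urlparse(value).hostname or ""
            if not on_expected_domain(host):
                entry["flags"].append("start/search value points off the expected domains")
        elif entry["code"] == "O9" and (o := O9_LINE.match(line)):
            label, clsid, target = o.groups()
            entry.update(label=label, clsid=clsid, target=target)
            if target == "(no file)":
                # A registered extension whose DLL is gone: an orphan left behind by a removal.
                entry["flags"].append("orphaned O9 entry: CLSID registered, file missing")
        elif entry["code"] == "O4" and (o := O4_LINE.match(line)):
            hive, subkey, name, path, args = o.groups()
            entry.update(hive=hive, subkey=subkey, name=name, path=path, args=args.strip())
        elif entry["code"] == "O23" and " - Unknown owner - " in line:
            entry["flags"].append("service with no publisher string: verify the binary by hand")
        entries.append(entry)
    return entries


def flagged(entries):
    """Subset of entries that carry at least one flag."""
    return [e for e in entries if e["flags"]]


# Sample log: lines quoted from the thread; the R1 Search Bar line is CONSTRUCTED
# (the .invalid TLD can never resolve) to stand in for a hijacked search URL.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Quincy Do\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hijack-example.invalid/ie.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(e["code"], "|", "; ".join(e["flags"]))
        print("   ", e["raw"])
```

A flag is a prompt to look, not a verdict: the O23 "Unknown owner" entries here belong to the VirusScan install the thread already treats as legitimate.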

#5 nodo

Posted 10 November 2005 - 11:34 AM

Here are the logs again, pskelley. I haven't surfed around using IE yet to see if any spyware is still popping up the advertisement windows.

Logfile of HijackThis v1.99.1
Scan saved at 9:32:30 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Quincy Do\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:57 AM, 11/10/2005
+ Report-Checksum: A432B963

+ Scan result:

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@ehg-foxsports.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@riptownmedia.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsc19.dl$ -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup


::Report End

#6 pskelley

Posted 10 November 2005 - 01:19 PM

Whoa Quincy, your ewido log looks much better this time. ewido removed many very bad things that HJT could not see. We hope ewido got it all; some of those items are very nasty and no doubt the cause of the popups.
You should look at both logs carefully and you may want to print them to keep track of the places the bad cookies are hiding so you can add those to your routine maintenance. Here is some information that may help you control cookies better:
http://www.microsoft...acy/config.mspx

Your HJT log is clean. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Let me know how you are running, I will leave this topic open for a couple of days for any response or questions.

Thanks...Phil :wavey:

#7 nodo

Posted 10 November 2005 - 06:25 PM

There are still pop-up advertisement IE windows. I think more than before.... :( Any suggestions? Thanks, Quincy

#8 pskelley

Posted 10 November 2005 - 10:17 PM

Hello Quincy, I could ask you the same question...any suggestions? Since the log appears clean, it may well be something hidden. There are some trojans like Qoologic that can do this, and I have been worried about this since I saw mention of this trojan in the first ewido log, near the end. I also fear some kind of rootkit infection. I will try to come up with a game plan in the morning, but here is some information about what we may be up against:
http://forums.spywar....php/t52360.htm I know you won't understand a lot of what they are talking about, I don't either, but it will give you an idea of what your issue may be. What I want from you is a fresh HJT log in the morning. Please also try to tell me how often these popups are occurring and see if you can spot some of the sites they point to. I would also appreciate any other thoughts or suggestions you have. We will start there.

Thanks...Phil

#9 nodo

Posted 11 November 2005 - 09:45 AM

Thanks Phil for the information. I read it last night and I believe I got a trojan as they explain in the thread. But somehow ewido cannot catch the hidden executable file. Every time I click on IE to get online, it often generates another IE advertisement window (at least one, but mostly more than one). The most common are search and online casino (888 casino). Here is the hijackthis log again.

Logfile of HijackThis v1.99.1
Scan saved at 7:35:06 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Quincy Do\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#10 pskelley

Posted 13 November 2005 - 08:03 AM

Hello Quincy, thanks for the new log, and it is still clean. Whatever is causing your problem is very well hidden. We will start our search today. Here is the one that worries me:
C:\WINDOWS\SYSTEM32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup
While ewido cleaned some of the infection, I fear more is there because this trojan morphs and returns and is rarely that easy to get rid of. I want to use a couple of the tools we already have first.

Because of this item:
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Ignored
which ewido removed later, I want to run a tool to make sure nothing is left of VX2 that is causing the problem. I am going to give you the complete canned instructions and I want you to run them just like it says, but there is no need to download the tools you already have. Just follow the directions for downloading, installing and running Vx2 finder. If anything is located by Vx2 finder, follow the directions to clean it and let me know what was found. Continue through the balance of the fix, running ewido again in safe mode, then post a new ewido log along with any information you think I should have.

Now this is VERY IMPORTANT!! With the ewido scan... you have to let the poster know not to use the computer while ewido is doing its thing. If Explorer or the Control Panel are opened, Qoologic will reinfect and won't be cleaned properly. Make sure you are in safe mode and that everything else is closed when you run ewido, thanks.

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Please finish up by rebooting your system once more, and posting the log from the Ewido scan.

Thanks...Phil

#11 nodo

Posted 14 November 2005 - 07:20 PM

Thanks Phil for your time and help. I really appreciate it. Following your instructions, I ran the VX2 Cleaner Plugin from Ad-Aware and it said "status system clean". No VX2 was found at all. I am not sure if it is running or not, but it keeps saying that every time I run it. I have noticed there is a red x on VX2 Cleaner if I open the plug-in window. Is it okay or is something wrong? Here is the ewido log again.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:00:09 PM, 11/14/2005
+ Report-Checksum: 464AE820

+ Scan result:

C:\Documents and Settings\Quincy Do\Cookies\quincy do@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Quincy Do\Cookies\quincy do@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Quincy Do\Local Settings\Temporary Internet Files\Content.IE5\UDOZAHE5\mm[1].js -> Spyware.Chitika : Cleaned with backup


::Report End

Thanks, Quincy

#12 pskelley

Posted 14 November 2005 - 07:56 PM

Hi Quincy, you said:

I have noticed there is a red x on VX2 Cleaner if I open the plug-in window. Is it okay or is something wrong? Here is the ewido log again.

I have it installed and I would have to run it to remember, but I have no infection and it appears neither do you. It was very important that nothing be running when you ran the ewido scan; according to the folks who know, if the Qoologic trojan is present, it won't be removed if anything at all is running.

This item: C:\Documents and Settings\Quincy Do\Local Settings\Temporary Internet Files\Content.IE5\UDOZAHE5\mm[1].js -> Spyware.Chitika : Cleaned with backup <<< how did that get on the computer? Make sure you review those links I gave you, as they cover how to stop that stuff.

Let's try this tool to see what it does. I don't like to use it because it removes a few bad trojans and once the trial is used, it can't be used again without purchasing it. Maybe the trial will kill what is causing your issues.

Follow the instructions carefully:

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, <<< very important
and then please copy and paste the SpySweeper log and a new HJT log into this thread.

Thanks...Phil

Edited by pskelley, 14 November 2005 - 07:58 PM.


#13 nodo

Posted 15 November 2005 - 09:17 AM

I think Webroot Spy Sweeper found some trojans which are causing the advertisements to display. Here are the logs again.

********
6:57 AM: | Start of Session, Tuesday, November 15, 2005 |
6:57 AM: Spy Sweeper started
6:57 AM: Sweep initiated using definitions version 572
6:57 AM: Starting Memory Sweep
6:59 AM: Memory Sweep Complete, Elapsed Time: 00:01:24
6:59 AM: Starting Registry Sweep
6:59 AM: Found Adware: shopathomeselect
6:59 AM: HKLM\software\ || test (ID = 141678)
6:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall6.dll\ (2 subtraces) (ID = 509618)
6:59 AM: Found Adware: dealbar toolbar
6:59 AM: HKCR\typelib\{ac7e6de4-1c9f-413d-877d-a8e45ccc1517}\ (9 subtraces) (ID = 726271)
6:59 AM: HKLM\software\microsoft\internet explorer\explorer bars\{3ea5c408-2437-4c40-adac-dfda9aeeea96}\ (3 subtraces) (ID = 726323)
6:59 AM: HKLM\software\classes\typelib\{ac7e6de4-1c9f-413d-877d-a8e45ccc1517}\ (9 subtraces) (ID = 726408)
6:59 AM: HKCR\interface\{ca5ed456-9ecb-4734-a64c-0546147a0cc2}\ (8 subtraces) (ID = 766635)
6:59 AM: Found Adware: clkoptimizer
6:59 AM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
6:59 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/grinstall7.dll\ (2 subtraces) (ID = 836092)
6:59 AM: Found Adware: cas
6:59 AM: HKCR\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862263)
6:59 AM: HKLM\software\classes\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862304)
6:59 AM: HKLM\software\qstat\ || brr (ID = 877670)
6:59 AM: HKLM\software\classes\interface\{ca5ed456-9ecb-4734-a64c-0546147a0cc2}\ (8 subtraces) (ID = 916658)
6:59 AM: Found Adware: search fast communicator toolbar
6:59 AM: HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\software\communicator toolbar\ (9 subtraces) (ID = 140688)
6:59 AM: HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
6:59 AM: Found Trojan Horse: trojan-downloader-pacisoft
6:59 AM: HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\software\apd123\ (12 subtraces) (ID = 861435)
6:59 AM: HKU\S-1-5-21-1726760241-3662417297-1333279794-1005\software\cas2\ (9 subtraces) (ID = 862278)
6:59 AM: Registry Sweep Complete, Elapsed Time:00:00:35
6:59 AM: Starting Cookie Sweep
6:59 AM: Found Spy Cookie: 888 cookie
6:59 AM: quincy do@888[2].txt (ID = 2019)
6:59 AM: Found Spy Cookie: yieldmanager cookie
6:59 AM: quincy do@ad.yieldmanager[2].txt (ID = 3751)
6:59 AM: Found Spy Cookie: adecn cookie
6:59 AM: quincy do@adecn[2].txt (ID = 2063)
6:59 AM: Found Spy Cookie: adknowledge cookie
6:59 AM: quincy do@adknowledge[1].txt (ID = 2072)
6:59 AM: Found Spy Cookie: adlegend cookie
6:59 AM: quincy do@adlegend[2].txt (ID = 2074)
6:59 AM: Found Spy Cookie: hbmediapro cookie
6:59 AM: quincy do@adopt.hbmediapro[2].txt (ID = 2768)
6:59 AM: Found Spy Cookie: adprofile cookie
6:59 AM: quincy do@adprofile[2].txt (ID = 2084)
6:59 AM: Found Spy Cookie: cc214142 cookie
6:59 AM: quincy do@ads.cc214142[2].txt (ID = 2367)
6:59 AM: Found Spy Cookie: ask cookie
6:59 AM: quincy do@ask[1].txt (ID = 2245)
6:59 AM: Found Spy Cookie: belnk cookie
6:59 AM: quincy do@belnk[1].txt (ID = 2292)
6:59 AM: Found Spy Cookie: bizrate cookie
6:59 AM: quincy do@bizrate[1].txt (ID = 2308)
6:59 AM: Found Spy Cookie: centrport net cookie
6:59 AM: quincy do@centrport[2].txt (ID = 2374)
6:59 AM: quincy do@dist.belnk[2].txt (ID = 2293)
6:59 AM: Found Spy Cookie: exitexchange cookie
6:59 AM: quincy do@exitexchange[2].txt (ID = 2633)
6:59 AM: Found Spy Cookie: clickandtrack cookie
6:59 AM: quincy do@hits.clickandtrack[1].txt (ID = 2397)
6:59 AM: Found Spy Cookie: partypoker cookie
6:59 AM: quincy do@partypoker[2].txt (ID = 3111)
6:59 AM: Found Spy Cookie: pricegrabber cookie
6:59 AM: quincy do@pricegrabber[1].txt (ID = 3185)
6:59 AM: Found Spy Cookie: questionmarket cookie
6:59 AM: quincy do@questionmarket[1].txt (ID = 3217)
6:59 AM: Found Spy Cookie: reunion cookie
6:59 AM: quincy do@reunion[1].txt (ID = 3255)
6:59 AM: Found Spy Cookie: 2o7.net cookie
6:59 AM: quincy do@riptownmedia.122.2o7[2].txt (ID = 1958)
6:59 AM: Found Spy Cookie: rn11 cookie
6:59 AM: quincy do@rn11[2].txt (ID = 3261)
6:59 AM: Found Spy Cookie: reliablestats cookie
6:59 AM: quincy do@stats1.reliablestats[2].txt (ID = 3254)
6:59 AM: Found Spy Cookie: tracking cookie
6:59 AM: quincy do@tracking[1].txt (ID = 3571)
6:59 AM: Found Spy Cookie: videodome cookie
6:59 AM: quincy do@videodome[1].txt (ID = 3638)
6:59 AM: quincy do@www.888[1].txt (ID = 2020)
6:59 AM: Cookie Sweep Complete, Elapsed Time: 00:00:03
6:59 AM: Starting File Sweep
7:00 AM: grinstall6.dll (ID = 75775)
7:01 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars
7:01 AM: btnetw3-995329.exe (ID = 155333)
7:03 AM: Found Adware: apropos
7:03 AM: wingenerics.dll (ID = 50187)
7:06 AM: qldf.bin (ID = 131688)
7:08 AM: File Sweep Complete, Elapsed Time: 00:08:24
7:08 AM: Full Sweep has completed. Elapsed time 00:10:29
7:08 AM: Traces Found: 129
7:08 AM: Removal process initiated
7:08 AM: Quarantining All Traces: clkoptimizer
7:08 AM: Quarantining All Traces: apropos
7:08 AM: apropos is in use. It will be removed on reboot.
7:08 AM: wingenerics.dll is in use. It will be removed on reboot.
7:08 AM: Quarantining All Traces: cas
7:08 AM: Quarantining All Traces: trojan-downloader-mainstreamdollars
7:08 AM: Quarantining All Traces: trojan-downloader-pacisoft
7:08 AM: Quarantining All Traces: dealbar toolbar
7:08 AM: Quarantining All Traces: search fast communicator toolbar
7:08 AM: Quarantining All Traces: shopathomeselect
7:08 AM: Quarantining All Traces: 2o7.net cookie
7:08 AM: Quarantining All Traces: 888 cookie
7:08 AM: Quarantining All Traces: adecn cookie
7:08 AM: Quarantining All Traces: adknowledge cookie
7:08 AM: Quarantining All Traces: adlegend cookie
7:08 AM: Quarantining All Traces: adprofile cookie
7:08 AM: Quarantining All Traces: ask cookie
7:08 AM: Quarantining All Traces: belnk cookie
7:08 AM: Quarantining All Traces: bizrate cookie
7:08 AM: Quarantining All Traces: cc214142 cookie
7:08 AM: Quarantining All Traces: centrport net cookie
7:08 AM: Quarantining All Traces: clickandtrack cookie
7:09 AM: Quarantining All Traces: exitexchange cookie
7:09 AM: Quarantining All Traces: hbmediapro cookie
7:09 AM: Quarantining All Traces: partypoker cookie
7:09 AM: Quarantining All Traces: pricegrabber cookie
7:09 AM: Quarantining All Traces: questionmarket cookie
7:09 AM: Quarantining All Traces: reliablestats cookie
7:09 AM: Quarantining All Traces: reunion cookie
7:09 AM: Quarantining All Traces: rn11 cookie
7:09 AM: Quarantining All Traces: tracking cookie
7:09 AM: Quarantining All Traces: videodome cookie
7:09 AM: Quarantining All Traces: yieldmanager cookie
7:09 AM: Preparing to restart your computer. Please wait...
7:09 AM: Removal process completed. Elapsed time 00:00:15
********
6:56 AM: | Start of Session, Tuesday, November 15, 2005 |
6:56 AM: Spy Sweeper started
6:57 AM: Your spyware definitions have been updated.
6:57 AM: | End of Session, Tuesday, November 15, 2005 |




Logfile of HijackThis v1.99.1
Scan saved at 7:13:31 AM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Quincy Do\Desktop\spam\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#14 pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 15 November 2005 - 09:59 AM

Thanks Quincy, now let's do this:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download Swandog46's AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


I would also like a look at your uninstall list:

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Once you are clean, make sure you follow these instructions to create fresh System Restore files here:
http://service1.syma...src=sec_doc_nam

Thanks...Phil

Edited by pskelley, 15 November 2005 - 12:04 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#15 nodo

    Authentic Member

  • Authentic Member
  • 43 posts

Posted 15 November 2005 - 11:32 AM

Here we go again:

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Quincy Do\Desktop\spam\AproposFix\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C0TToA36Hks9]
@="o5S\\mmmVWWVWWXWtZ1wcnfBVWWVlYW1rwmx1\\WNTNO9HcbW8MDQ9MNWN7NGOHBMXNTN"
"Device"="\\\\.\\K0WN3E6g"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\scsltmgr.sys"
"DriverName"="FaxSDDD"
"HideUninstallerName"="C:\\Program Files\\Youmusic\\couell32.exe"
"HDll"="C:\\WINDOWS\\system32\\lsaxregq.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{X67b121c-70f4-1777-3fa7-633cc36f81ae}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Youmusic\\rsntolfn.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\rsanet.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:10:20-04:15:01:711"

************

Removing hidden service:
Service FaxSDDD removed.

Removing hidden folder:
Deletion of folder Youmusic succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\scsltmgr.sys succeeded!
Deletion of file C:\WINDOWS\system32\rsanet.exe succeeded!
Deletion of file C:\WINDOWS\system32\lsaxregq.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C0TToA36Hks9]
[-HKEY_LOCAL_MACHINE\Software\C0TToA36Hks9]

Done!

Finished!




Logfile of HijackThis v1.99.1
Scan saved at 9:25:10 AM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Quincy Do\Desktop\spam\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Audacity 1.2.3
Audiograbber 1.83 SE
Broadcom Management Programs
CCleaner (remove only)
Conexant D480 MDC V.9x Modem
Creative WebCam Driver (1.02.08.0807)
Creative WebCam Notebook Driver (1.04.01.0322)
Dell Driver Reset Tool
Dell Printer Software Uninstall
Dell Wireless WLAN Utility
Digital Line Detect
DivX
DivX Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eFax Messenger 3.4
ewido security suite
HijackThis 1.99.1
InCD
Intel® Extreme Graphics 2 Driver
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Lavasoft VX2 Cleaner
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Modem Helper
Nero 6 Ultra Edition
Nero Media Player
NeroMIX
NeroVision Express 3
NeroVision Express Content
Netscape Browser (remove only)
NetWaiting
PowerDVD 5.1
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Spy Sweeper
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Texas Instruments PCIxx20 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
vanBasco's Karaoke Player
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
Yahoo! Anti-Spy
Yahoo! Messenger
Yahoo! Toolbar for Internet Explorer
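Added example (not part of this thread, and not code from HijackThis or AproposFix): a small Python parser for the HijackThis v1.99.1 log format posted above, with a first-pass triage step of the kind a helper does by eye before replying. It splits a log into header, running processes and the R/O entries, lists the on-disk files the entries name (so they can be hashed or checked for a publisher signature), and marks entries that warrant a manual look. The `review_flags` rules are my own heuristics, not HijackThis's, and a hit means "confirm this file against its publisher", not "malicious": on the logs in this thread they catch Spybot's SDHelper.dll (an unnamed BHO), McAfee's AvSynMgr service ("Unknown owner") and the Intel and Webroot Winlogon Notify DLLs, all of which are legitimate. The sample log is a constructed excerpt in the same format as the logs above.

```python
import re

# Constructed sample: a trimmed excerpt in the HijackThis v1.99.1 log format
# used in this thread (the complete logs posted above parse the same way).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:25:10 AM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# A HijackThis entry line: section code (R0, O2, O23, ...), " - ", description.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Windows file paths referenced by an entry, matched up to a binary extension
# so that unquoted "Program Files" paths containing spaces are kept whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cab)\b", re.IGNORECASE)


def parse_hjt_log(text):
    """Split a HijackThis log into its header, process list and entries."""
    header, processes, entries = {}, [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            mode = "entries"
            entries.append({"code": match.group("code"),
                            "body": match.group("body"),
                            "raw": line})
            continue
        if line == "Running processes:":
            mode = "processes"
        elif mode == "processes":
            processes.append(line)
        elif mode == "header":
            for key, prefix in (("version", "Logfile of HijackThis v"),
                                ("scanned", "Scan saved at "),
                                ("platform", "Platform: "),
                                ("msie", "MSIE: ")):
                if line.startswith(prefix):
                    header[key] = line[len(prefix):]
    return {"header": header, "processes": processes, "entries": entries}


def review_flags(entries):
    """Return (raw_line, reasons) for entries a reviewer should verify by hand.

    Triage heuristics of my own (not HijackThis's): a hit means "confirm the
    file against its publisher", not "malicious".
    """
    flagged = []
    for entry in entries:
        code, body = entry["code"], entry["body"]
        reasons = []
        if code in ("O2", "O3", "O9") and "(no name)" in body:
            reasons.append("browser add-on with no registered name")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service whose executable carries no publisher")
        if code == "O20":
            reasons.append("Winlogon Notify DLL is loaded at every logon")
        if code == "O4" and re.search(r"\\(temp|documents and settings)\\", body, re.IGNORECASE):
            reasons.append("autostart from a user-writable location")
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


def referenced_paths(entries):
    """Distinct on-disk files named by the entries, for hashing or signature checks."""
    paths = set()
    for entry in entries:
        paths.update(PATH_RE.findall(entry["body"]))
    return sorted(paths)


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print("HijackThis", log["header"]["version"], "scanned", log["header"]["scanned"])
    print(len(log["processes"]), "processes,", len(log["entries"]), "entries")
    for raw, reasons in review_flags(log["entries"]):
        print("VERIFY:", raw, "->", "; ".join(reasons))
    for path in referenced_paths(log["entries"]):
        print("FILE:", path)
```

Run it against a saved hijackthis.log by reading the file into `parse_hjt_log` instead of `SAMPLE_LOG`. The flag list is deliberately a "look here first" list rather than a verdict; the next step for each flagged path is to check the file's publisher and compare it with a known-good copy, which is exactly the judgement the helpers in this thread apply before telling a poster what to fix.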
