pls help with my popups!


This topic is locked. 14 replies to this topic.

#1 geh1001 (New Member, 7 posts)

Posted 05 March 2006 - 02:59 PM

Can someone check my log and tell me if there is anything amiss... I've been getting some annoying pop-ups for a while now.


Logfile of HijackThis v1.99.1
Scan saved at 20:53:09, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\My Music\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\..\{C779B839-BCAF-4453-AC32-AC6EF8DB3C5A}: NameServer = 212.159.6.10 212.159.6.9
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



thanks in advance for any help.


#2 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 05 March 2006 - 03:55 PM

Download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite.
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click Update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido:
Ewido manual updates

Once the updates are installed do the following:
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin.
  • During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one by one.
  • If ewido detects a file you KNOW to be legitimate, select None as the action.
  • DO NOT select "Perform action on all infections".
  • If you are unsure of any entry found, select None for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite and post the results here, with a new HijackThis log.

#3 geh1001 (New Member, 7 posts)

Posted 06 March 2006 - 03:30 PM


Logfile of HijackThis v1.99.1
Scan saved at 21:25:46, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\My Music\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\windows\system32\dncwleujr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dncwleujr] c:\windows\system32\dncwleujr.exe dncwleujr
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\..\{C779B839-BCAF-4453-AC32-AC6EF8DB3C5A}: NameServer = 212.159.6.9 212.159.6.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:25:11, 06/03/2006
+ Report-Checksum: FA1A1DBB

+ Scan result:

[800] VM_10001000 -> Adware.NaviPromo : Ignored
C:\Documents and Settings\Angela\Local Settings\Temporary Internet Files\Content.IE5\I9CZ83QX\script-9[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Ignored
C:\Program Files\PestPatrol\Quarantine\20041228214313341.zip/WINDOWS/system32/version.exe -> Adware.DealHelper : Ignored
C:\Program Files\PestPatrol\Quarantine\20050105215036.zip/WINDOWS/system32/version.exe -> Adware.DealHelper : Ignored
C:\Program Files\PestPatrol\Quarantine\2423 -> Adware.EZula : Ignored
C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll -> Adware.Gator : Ignored
C:\WINDOWS\SYSTEM32\playa.exe -> Adware.WinFetcher : Ignored
C:\WINDOWS\SYSTEM32\Uninstaller.exe -> Adware.DealHelper : Ignored
[824] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[868] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[880] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[888] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1036] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1084] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
[1144] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1248] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1292] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1392] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1528] VM_00E81000 -> Adware.NaviPromo : Error during cleaning
[1628] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
[1656] VM_00CB1000 -> Adware.NaviPromo : Error during cleaning
[1964] VM_00B31000 -> Adware.NaviPromo : Error during cleaning
[556] VM_00FB1000 -> Adware.NaviPromo : Error during cleaning
[572] VM_01861000 -> Adware.NaviPromo : Error during cleaning
[616] VM_00A81000 -> Adware.NaviPromo : Error during cleaning
[648] VM_021B1000 -> Adware.NaviPromo : Error during cleaning
[468] VM_10001000 -> Adware.NaviPromo : Error during cleaning
C:\Documents and Settings\GlenH\Cookies\glenh@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\GlenH\Cookies\glenh@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP163\A0026003.exe -> Dialer.PluginAccess : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP176\A0031511.exe -> Dialer.Holistyc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP177\A0031673.exe -> Dialer.Holistyc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP177\A0031680.exe -> Dialer.Holistyc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP180\A0038971.exe -> Dialer.Juicy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP181\A0041067.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP181\A0041194.exe -> Dialer.Holistyc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP181\A0043322.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP182\A0047324.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP182\A0047578.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP182\A0047616.exe -> Downloader.Swizzor.cg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP182\A0047618.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0047842.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0048071.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0050105.exe -> Downloader.Swizzor.cg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0050108.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0050133.exe -> Downloader.Swizzor.cg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP187\A0050135.exe -> Adware.WinFetcher : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP190\A0053024.dll -> Adware.WinComm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP190\A0053025.exe -> Adware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP193\A0056529.vxd -> Adware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP193\A0056533.vxd/C:/WINDOWS/system32/exul.exe -> Adware.BargainBuddy : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP193\A0056533.vxd/C:/WINDOWS/system32/javexulm.vxd -> Adware.BargainBuddy : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP195\A0057274.dll -> Adware.WinComm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP195\A0057275.exe -> Adware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0058201.exe -> Dropper.Small.nt : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0059290.exe -> Dropper.Small.nt : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP207\A0061632.exe -> Dropper.Small.nt : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0062329.exe -> Adware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0062353.dll -> Adware.WinComm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0062359.exe -> Downloader.Keenval : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP228\A0071128.exe -> Proxy.Agent.cj : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP243\A0090650.exe -> Adware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP243\A0097137.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP243\A0098137.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP243\A0098242.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0098292.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP244\A0098299.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098316.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098324.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098334.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098363.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098370.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098384.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098391.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098398.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098415.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098424.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098435.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0098443.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099443.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099457.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099469.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099476.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099499.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099520.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0099534.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0100534.dll -> Adware.NaviPromo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP245\A0101530.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\search.inf -> Hijacker.StartPage : Cleaned with backup
C:\WINDOWS\SYSTEM32\7k40_static_keycode_minime_7k40_pk2_int__2004_8_3__14_8_16_minime_morphed.exe -> Downloader.Swizzor.cg : Cleaned with backup
C:\WINDOWS\SYSTEM32\HeidiNorthcott_11yf05fg.exe -> Dropper.Small.nt : Cleaned with backup
C:\WINDOWS\SYSTEM32\mbbi8016.dll -> Adware.BargainBuddy : Cleaned with backup


::Report End
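
An added triage helper, written for this editing pass and not part of the thread, of HijackThis or of ewido: it diffs the keyed entries and the running-process list of two HijackThis logs (here, constructed excerpts of the two logs posted above, which is how the new `O4 ... [dncwleujr]` autostart entry and the new running process stand out), and it summarises an ewido report by verdict, grouping the detections that were Ignored or hit "Error during cleaning" by family. In the report above the bracketed numbers are process IDs and the VM_ entries are detections in process memory, so the unresolved NaviPromo hits across many processes plus msclock32.dll tell a responder that the adware is still loaded and its on-disk component survived the scan.

```python
import re
from collections import Counter

# Constructed excerpts of the two HijackThis logs posted above (05/03 and 06/03/2006);
# only the lines needed to show the comparison are kept.
HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

HJT_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system32\dncwleujr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O4 - HKLM\..\Run: [dncwleujr] c:\windows\system32\dncwleujr.exe dncwleujr
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# A handful of lines from the ewido report above, enough to exercise every verdict.
EWIDO_REPORT = r"""
[800] VM_10001000 -> Adware.NaviPromo : Ignored
C:\WINDOWS\SYSTEM32\playa.exe -> Adware.WinFetcher : Ignored
[824] VM_10001000 -> Adware.NaviPromo : Error during cleaning
[1084] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Cleaned with backup
[1248] C:\WINDOWS\system32\msclock32.dll -> Adware.NaviPromo : Error during cleaning
C:\Documents and Settings\GlenH\Cookies\glenh@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\WINDOWS\SYSTEM32\mbbi8016.dll -> Adware.BargainBuddy : Cleaned with backup
"""

ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d+) - ")                      # keyed HijackThis entry
EWIDO_RE = re.compile(r"^(?:\[(\d+)\] )?(.+?) -> (\S+) : (.+)$")   # [pid] where -> family : action


def parse_hjt(log):
    """Split a HijackThis log into its running-process list and its keyed entries."""
    processes, entries, in_procs = set(), set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            processes.add(line.lower())   # paths are case-insensitive on Windows
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_hjt(before, after):
    """What appeared or disappeared between two logs; new O4/O23 lines are the first thing to read."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {"new_processes": sorted(p1 - p0),
            "new_entries": sorted(e1 - e0),
            "removed_entries": sorted(e0 - e1)}


def summarize_ewido(report):
    """Count verdicts and group the detections that were NOT cleaned by malware family."""
    by_action, unresolved = Counter(), {}
    for line in report.splitlines():
        m = EWIDO_RE.match(line.strip())
        if not m:
            continue
        pid, where, family, action = m.groups()
        by_action[action] += 1
        if action != "Cleaned with backup":
            loc = f"pid {pid}: {where}" if pid else where
            unresolved.setdefault(family, set()).add(loc)
    return by_action, unresolved


if __name__ == "__main__":
    for key, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        print(key, *lines, sep="\n  ")
    by_action, unresolved = summarize_ewido(EWIDO_REPORT)
    print(dict(by_action))
    for family, locs in unresolved.items():
        print(family, *sorted(locs), sep="\n  ")
```

Run against the full logs, the diff also shows the two new ewido services and the reordered O17 name servers (an exact-string diff reports a reordered line as one removed and one added, which is worth knowing before reading the output).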

#4 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 07 March 2006 - 08:58 AM

Here are the directions for creating a zip file for Windows XP:
Using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.

Please zip this file and send it here:

c:\windows\system32\dncwleujr.exe

#5 geh1001 (New Member, 7 posts)

Posted 07 March 2006 - 12:49 PM

Hi little eagle, I've used the search function but can't find the file c:\windows\system32\dncwleujr.exe. Any suggestions?

Thanks

#6 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 08 March 2006 - 01:05 AM

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [dncwleujr] c:\windows\system32\dncwleujr.exe dncwleujr
Click on Fix Checked when finished and exit HijackThis.

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For the following file:
c:\windows\system32\dncwleujr.exe
paste it into the 'Full path of file to delete' box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; answer Yes.
Let the system reboot.

Post back a fresh HijackThis log and we will take another look.

#7 geh1001 (New Member, 7 posts)

Posted 08 March 2006 - 10:37 AM

Hi, when I ran HijackThis the file O4 - HKLM\..\Run: [dncwleujr] c:\windows\system32\dncwleujr.exe dncwleujr was not an option to tick and remove, so I used the Killbox and pasted in the c:\windows\system32\dncwleujr.exe and did as you said, but as the countdown was going it came up with "Pending file rename operations registry data has been removed by external process!" and did not reboot... the popups are still coming and there are a couple of new ones I think?

Logfile of HijackThis v1.99.1
Scan saved at 16:33:56, on 08/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\My Music\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\..\{C779B839-BCAF-4453-AC32-AC6EF8DB3C5A}: NameServer = 212.159.6.10 212.159.6.9
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
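
Added example (editor's, not part of the thread and not Killbox's code): Killbox's "Delete a file on reboot" option relies on the Windows delete-on-reboot mechanism, in which the path is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and processed by the session manager early in the next boot. The message geh1001 saw above means that queue was emptied before the reboot happened. This script decodes the value's source/destination pairs (an empty destination means delete, a leading "!" means an existing destination may be overwritten) so a responder can confirm what is really queued; the sample list is constructed, and example.dll is a placeholder name.

```python
import sys

# Constructed sample of a PendingFileRenameOperations value (REG_MULTI_SZ, flattened into
# alternating source/destination strings). The dncwleujr.exe path is the one queued in the
# thread; example.dll is a placeholder name.
SAMPLE_PENDING = [
    "\\??\\c:\\windows\\system32\\dncwleujr.exe", "",                                   # empty dest = delete
    "\\??\\C:\\WINDOWS\\Temp\\update.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",  # '!' = overwrite
]

NT_PREFIX = "\\??\\"   # NT object-manager path prefix the value stores


def decode_pending_ops(values):
    """Turn the flat string list into (operation, source, destination) tuples.

    The session manager consumes the list in pairs: an empty destination means the
    source is deleted at boot; a destination starting with '!' may replace an existing file.
    """
    if len(values) % 2:
        raise ValueError("odd number of strings: value is malformed")
    ops = []
    for src, dst in zip(values[::2], values[1::2]):
        src = src.removeprefix(NT_PREFIX)
        if dst == "":
            ops.append(("delete", src, None))
        else:
            replace = dst.startswith("!")
            dst = dst.lstrip("!").removeprefix(NT_PREFIX)
            ops.append(("replace" if replace else "rename", src, dst))
    return ops


def read_pending_ops():
    """Read and decode the live value on Windows; returns [] elsewhere or if nothing is queued."""
    if not sys.platform.startswith("win"):
        return []
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            values, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    return decode_pending_ops(list(values))


if __name__ == "__main__":
    # Decode the constructed sample; on a Windows host call read_pending_ops() instead.
    for op, src, dst in decode_pending_ops(SAMPLE_PENDING):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
```

Checking this value right before rebooting is the quickest way to tell whether a queued deletion is still in place; if it is empty again, something running on the machine cleared it, and the file needs to be dealt with in Safe Mode or with a tool that does not depend on the queue surviving.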

#8 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 09 March 2006 - 12:20 AM

Download AproposFix by Swandog46
Save it to your desktop or to another folder of its own, but do NOT run it yet!

Now reboot your computer in Safe Mode! (You must be in safe mode or this fix will not work.)

Once in Safe Mode, double-click aproposfix.exe, which will give you a choice of where to unzip/install the program to.
This is called the Destination folder in the window that pops up.
So either install it to the Desktop or the folder where you downloaded the aproposfix.exe file to.
It will create a new folder named aproposfix. Open the aproposfix folder and double click on RunThis.bat to run the fix.
Follow the prompts.

When the tool is finished, reboot back into normal mode, and post a new HijackThis log,
along with the entire contents of the log.txt file that has been created in the aproposfix folder.

#9 geh1001 (New Member, 7 posts)

Posted 12 March 2006 - 01:17 PM

Tried the aproposfix a couple of times with the same results... not sure I did it correctly? But here's the log.

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\GlenH\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 19:09:01, on 12/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\My Music\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O4 - HKLM\..\Run: [iTunesHelper] C:\My Music\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Let me know and I'll try again!

#10 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 12 March 2006 - 08:23 PM

Are you still getting popups?

#11 geh1001 (New Member, 7 posts)

Posted 14 March 2006 - 04:11 AM

Hi, yes, still getting lots of pop-ups... http://access.rapid-pass.net
products-news.com
static.egwn.net
the-best-promos.com

these seem to be the main ones that keep coming!

#12 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 14 March 2006 - 12:24 PM

Click Start > Control Panel > User Accounts > Change the way users log on or off > uncheck Fast User Switching > restart your computer.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysintern...itRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your log file.
Copy/paste the contents of that logfile into your next reply.

Do NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc.!

That way you should have a much simpler and clearer log file in which to peruse and evaluate.

#13 geh1001 (New Member, 7 posts)

Posted 15 March 2006 - 07:26 AM

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 15/03/2006 13:08 80 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 15/03/2006 13:06 64.00 KB Visible in Windows API, but not in MFT or directory index.

#14 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 15 March 2006 - 03:36 PM

Download MVPS hosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
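
Added example (editor's, not from the thread and not from the MVPS project): how a hosts file of this kind stops the pop-up hosts geh1001 listed in post #11. The sample hosts content is constructed in the MVPS layout and is not the real MVPS list. The point worth seeing is that hosts matching is an exact, case-insensitive hostname match: an entry for www.the-best-promos.com does nothing for the-best-promos.com, and an entry for products-news.com does nothing for www.products-news.com, so every hostname a pop-up actually uses has to be listed on its own line.

```python
# Constructed hosts content in the MVPS layout (this is NOT the real MVPS list). The hostnames
# are the pop-up sources reported in the thread; one of them is deliberately listed only in
# its www. form to show the exact-match rule.
SAMPLE_HOSTS = """\
# sinkhole entries: 0.0.0.0 makes the connection fail immediately
0.0.0.0 access.rapid-pass.net
0.0.0.0 products-news.com
0.0.0.0 static.egwn.net      # inline comment is ignored
0.0.0.0 www.the-best-promos.com
"""

# The hostnames from post #11, plus a www. variant of one of them.
POPUP_HOSTS = ["access.rapid-pass.net", "products-news.com", "static.egwn.net",
               "the-best-promos.com", "www.products-news.com"]

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}   # addresses hosts-based blocklists point names at


def parse_hosts(text):
    """Map each hostname to its address; '#' starts a comment; first entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def is_blocked(hostname, mapping):
    """A hosts entry matches a lookup only on the exact hostname (case-insensitive, no wildcards)."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRS


def check_coverage(hostnames, mapping):
    """Which of the given hostnames would be sinkholed, and which slip through."""
    return {h: is_blocked(h, mapping) for h in hostnames}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name, blocked in check_coverage(POPUP_HOSTS, hosts).items():
        print(f"{'blocked    ' if blocked else 'NOT blocked'} {name}")
```

Two limits follow from the mechanism: a hosts file only intercepts name lookups, so adware that connects to an IP address directly or uses its own resolver is unaffected, and blocking the pop-up pages removes nothing from the machine; it hides the symptom while the adware itself still has to be found and removed.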

#15 little eagle (spyware hawk; Visiting Fellow, 8,968 posts; Interests: spyware)

Posted 27 March 2006 - 11:19 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
