Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

HELP! Pop-ups are killing me!


  • This topic is locked This topic is locked
12 replies to this topic

#1 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 03:34 PM

Please help...this is my second posting...there was no response to my March 31, 2006 post, and my problem is getting worse. I am continuously getting pop-ups, even when I have by browser closed...my toolbars change sporadically...and I have some serious lag time when I am online (occasionally, not all the time..which is wierd)...please help!! Thanks, in advance... Steve

Logfile of HijackThis v1.99.1
Scan saved at 5:32:12 PM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT-2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xgaqq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ibhubwv.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\jkhgf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRS.local
O17 - HKLM\Software\..\Telephony: DomainName = CRS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRS.local
O20 - Winlogon Notify: jkhgf - C:\WINDOWS\system32\jkhgf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    Advertisements

Register to Remove


#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 04:02 PM

Pleaswe disable Windows Defender.

Please download Brute Force Uninstaller to your desktop. (right click on this link and choose save as, if using IE save target as)
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then

    click "Finish".
  • Download qoofix.bat (rightclick on this link and choose save as, if using IE save target as)
  • Place qoofix.bat in your C:\BFU - folder. (Important!)
  • Doubleclick qooFix.bat, Close all browsers and explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.


#3 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 04:51 PM

Thanks Siggyx for the help...

As requested, here's my latest HiJackThis Log after runing qoofix.bat...

Logfile of HijackThis v1.99.1
Scan saved at 6:51:20 PM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT-2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\system32\jkhgf.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRS.local
O17 - HKLM\Software\..\Telephony: DomainName = CRS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRS.local
O20 - Winlogon Notify: jkhgf - C:\WINDOWS\system32\jkhgf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 05:21 PM

Please download VundoFix.exe from here:

http://www.atribune..../click.php?id=4

and save it to your desktop


Double-click VundoFix.exe to run it.

Checkmark the box "Run Vundo as task"

You will receive a message saying vundofix will close and re-open in a minute or less. Click OK

When VundoFix re-opens, click the Scan for Vundo button

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

NEXT

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer please post the contents of C:\vundofix.txt, the Ewido log and a new hijackthis log.

#5 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 06:26 PM

Thanks again! I hope things are looking better. I did as instructed....below are the requested logs:

vundofix.txt log

VundoFix V4.2.74

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.5

Scan started at 7:31:54 PM 5/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\jkhgf.dll
C:\WINDOWS\system32\fghkj.ini
C:\WINDOWS\system32\fghkj.bak1
C:\WINDOWS\system32\fghkj.bak2
C:\WINDOWS\system32\fghkj.ini2
C:\WINDOWS\system32\fghkj.tmp

C:\WINDOWS\system32\babay.bak1
C:\WINDOWS\system32\babay.bak2
C:\WINDOWS\system32\babay.ini
C:\WINDOWS\system32\fghkj.bak1
C:\WINDOWS\system32\fghkj.bak2
C:\WINDOWS\system32\fghkj.tmp
C:\WINDOWS\system32\fghkj.ini
C:\WINDOWS\system32\fghkj.ini2
C:\WINDOWS\system32\jkhgf.dll
C:\WINDOWS\system32\fghkj.ini2
C:\WINDOWS\system32\fghkj.bak2
C:\WINDOWS\system32\fghkj.tmp
C:\WINDOWS\system32\fghkj.ini
C:\WINDOWS\system32\fghkj.ini2
C:\WINDOWS\system32\jkhgf.dll
Attempting to delete C:\WINDOWS\system32\jkhgf.dll
C:\WINDOWS\system32\jkhgf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fghkj.ini
C:\WINDOWS\system32\fghkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fghkj.bak1
C:\WINDOWS\system32\fghkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fghkj.bak2
C:\WINDOWS\system32\fghkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fghkj.ini2
C:\WINDOWS\system32\fghkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fghkj.tmp
C:\WINDOWS\system32\fghkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\babay.bak1
C:\WINDOWS\system32\babay.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\babay.bak2
C:\WINDOWS\system32\babay.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\babay.ini
C:\WINDOWS\system32\babay.ini Has been deleted!

Performing Repairs to the registry.
Done!



Ewido Log
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:19:46 PM, 5/9/2006
+ Report-Checksum: 88EE93F6

+ Scan result:

C:\Program Files\ѕуstem32\spool32.exe -> Downloader.PurityScan.w : Ignored
HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup
C:\328520.exe -> Trojan.Small : Cleaned with backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\sshaw\Cookies\sshaw@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\HJT-2\backups\backup-20060331-161137-747.dll -> Adware.Suggestor : Cleaned with backup
C:\HJT-2\backups\backup-20060331-161137-951.dll -> Trojan.BHO.c : Cleaned with backup
C:\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\15AD5619-6264-4AA0-8AE8-74B420\A70DA695-0306-4FC0-85BC-EDB3A4 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\26FBD2BD-709C-4B51-82CF-0E59C7\312F7876-1C5A-4697-8086-7DE3FD -> Adware.Softomate : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6DA0E108-BD10-42D5-91DA-D8445F\F71324C9-6010-4357-9028-631A63 -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\70152D22-AEB5-4389-A426-412DF4\176A1588-96D0-4771-ACBE-3F763E -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\70152D22-AEB5-4389-A426-412DF4\31662EB0-9025-43AE-8546-ED203A -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\70152D22-AEB5-4389-A426-412DF4\6AD6A2B6-DEB1-41CE-8A28-9B3693 -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\70152D22-AEB5-4389-A426-412DF4\8CD1C734-9598-45C0-AB65-B40AA5 -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\70152D22-AEB5-4389-A426-412DF4\F682022E-AEF7-4855-BABF-869B7B -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\73F3CCC4-F405-4BF5-8ACA-6355E1\932EE26C-DB4D-4532-B2AA-5396FF -> Adware.BookedSpace : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7B9E041B-1DCE-4968-8FE6-27DC43\4555B525-550D-4FA9-895F-5E7F70 -> Dropper.Small.qn : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\803F05EB-D4D7-433E-8D5C-BC0D06\438FE701-12C2-4608-8DE7-9FB7FF -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\803F05EB-D4D7-433E-8D5C-BC0D06\B7A07AFA-B633-4A1C-8BFE-B3C2AC -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AF4E54E7-4A53-4946-AD84-A22A08\4FE021B8-7617-4DD4-A71B-E4E04B -> Hijacker.Small.jf : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CB6A20E2-253E-431D-B5D9-B64BE4\6B875660-ECF1-4561-81B5-CB4540 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E4D99F0C-18DB-4C6D-ACE8-189DC8\1B954ACE-502C-4C0A-83B2-6B8763 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E4D99F0C-18DB-4C6D-ACE8-189DC8\86C1E72D-F361-4F67-B5CF-66D4D0 -> Adware.Look2Me : Cleaned with backup
C:\Temp\KB887472-x86.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Error during cleaning
C:\WINDOWS\CheckS02.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\country.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\errorhandler.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\hosts -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\WINDOWS\kl1.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\WINDOWS\newname7.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\secure32.html -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\system32\485048524A4F54.exe -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\system32\en0ul1d91.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\eoiolbkd.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\installer.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\MTE2ODI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\q.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\q3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\q5.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\qmdsregl.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\sуstem32\explorer.exe -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\viptr76yg.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\w021d891.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\wvusq.dll -> Trojan.BHO.c : Cleaned with backup
C:\WINDOWS\system32\xxx2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\z1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\z3.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\uniq -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\WINDOWS\xrzafav.exe_tobedeleted -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\xrzafavA.exe -> Hijacker.VB.ij : Cleaned with backup


::Report End

HiJackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 8:27:21 PM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\HJT-2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRS.local
O17 - HKLM\Software\..\Telephony: DomainName = CRS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRS.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#6 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 06:41 PM

C:\Program Files\ѕуstem32\spool32.exe -> Downloader.PurityScan.w : Ignored Did you choose to ignore this one?

#7 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 06:46 PM

Inadvertently...I accidently hit skip....I was hoping it wasn't a big deal. Should I redo the Ewido scan?

#8 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 07:22 PM

Yes please rescan with ewido and then allow it to clean. Then the ewido log and a new hijackthis log.

#9 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 08:05 PM

Thanks again Siggyx. Hopefully things are looking better....let me know what I have to do next.


Ewido Log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:02:06 PM, 5/9/2006
+ Report-Checksum: AE72EA3E

+ Scan result:

C:\Documents and Settings\sshaw\Cookies\sshaw@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Program Files\ѕуstem32\spool32.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup


::Report End


HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 10:05:23 PM, on 5/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT-2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CRS.local
O17 - HKLM\Software\..\Telephony: DomainName = CRS.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CRS.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#10 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 09:10 PM

Looks good :), how is it running?

#11 ShawBuck

ShawBuck

    Authentic Member

  • Authentic Member
  • PipPip
  • 139 posts

Posted 09 May 2006 - 09:21 PM

Seems to be running pretty good right now...no pop-ups for a while.... Thanks for your help!!

#12 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 09:21 PM

If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. In my signature below is also a tutorial on how to harden IE, a good read and very helpful to stop these things in the future. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on.

Safe Surfing. :D

#13 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 09 May 2006 - 09:21 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users