
computer doesn't like the internet, or safe mode


10 replies to this topic

#1 HalberdBlue (New Member, 5 posts)

Posted 22 June 2006 - 10:35 AM

Hi, first time I've come here :)

I recently acquired some nasty spyware of some sort. Occasionally I will get pop ups using Internet Explorer, but I don't really use Internet Explorer much; I only use it if a page doesn't work in Opera or Firefox. I am having a really weird problem with accessing the internet. It stops working anywhere from 5 minutes to days after I have rebooted my computer. It's something like this:

I'll turn on the computer, and go to a few web sites. Then, I'll try to go to a new one, but my computer will say that it can't find it. However, I will still be able to access any webpages that I have already been to, or ones located on the same server. For example, I can go to yahoo.com and look at some news. Then, I'll try to go to google.com and my computer will say that it can't find the site. However, I can still go back to Yahoo.com and look at new pages I hadn't looked at before I could no longer go to google, such as new news stories. This is just an example, it's not like Google is blocked to me. This also happens to me in games. If I am playing Counterstrike or something, I will be able to go to several different servers, but then after the first few any I go to afterwards will just timeout. However, I will still be able to go to servers that I had already been to. ALL of this is temporarily fixed by simply restarting my computer. This problem appeared earlier this week. The "no-longer-being-able-to-access-new-servers" problem usually happens within 10 minutes to 8 hours of my computer restarting.

Normally I try to fix problems like this myself, but the usual thing I do is just search for stuff in my hijack this log on google and try to fix it that way. But unfortunately, that often involves booting into safe mode, which is my other problem. My computer will no longer boot into safe mode. I will tell it to from the F8 menu and then it will give me the warning about using Safe Mode, I'll click Yes, and then nothing will happen. I'll be left with a black screen with Safe Mode in the 4 corners. I thought it might just be loading but I left it like that for over an hour and it still hadn't loaded up.

Last but not least, my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:45 PM, on 6/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe
C:\DOCUME~1\Jon\APPLIC~1\APPATC~1\WAUCLT~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {348DA4E7-137E-1CD9-2F05-4AB60A15AD9C} - C:\WINDOWS\System32\amlei.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Jzzhfpm] C:\DOCUME~1\Jon\APPLIC~1\APPATC~1\WAUCLT~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1148767531657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148767525563
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\System32\rundll32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



#2 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts; interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, squashing spyware)

Posted 29 June 2006 - 06:06 AM

Sorry for the delay in responding to your log.

Please post a new HijackThis! log, into this thread, and I will advise.

:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 HalberdBlue (New Member, 5 posts)

Posted 02 July 2006 - 06:24 PM

Hi, here is my new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:16:35 PM, on 7/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe
C:\Documents and Settings\Jon\Application Data\A?pPatch\w?auclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {348DA4E7-137E-1CD9-2F05-4AB60A15AD9C} - C:\WINDOWS\System32\amlei.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Jzzhfpm] C:\DOCUME~1\Jon\APPLIC~1\APPATC~1\WAUCLT~1.EXE
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1148767531657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148767525563
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\System32\rundll32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Stuff that has changed since I posted the thread:

I'm not having that internet connectivity error I was having before anymore. I've moved since then so it may have just been my ISP. I'll check to see if I can boot up in safe mode now. I'm actually at a university now and I can't get into my internet options in internet explorer so I assume there is probably something in there that causes that, but I think that's a result of something the university did so that I can't get by the proxy server.

I get occasional ad pop ups now though. I usually get one when I open up Internet Explorer, but not all the time. The ads only come up when I open an application, but not every application. For example, I usually get an ad popup when I open up Steam or Dawn of War, but not when I open up Opera or EverQuest 1. That is really the only issue I'm having now. After I make this post I'll see if I can boot up into safe mode now, since a few other problems I had before disappeared.

EDIT: OK I tried to boot up in safe mode, still couldn't do it. I did notice that it said Service Pack 1 at the top of the black screen with Safe Mode in each corner. I know I have Service Pack 2 installed in "normal" Windows XP. Also, restarting my computer made me remember that it now takes significantly longer to boot up my computer. Before a couple weeks ago I would go from hitting the power button on my computer to opening applications in about 60 seconds. Now it's about 3-4 minutes after I hit my power button before I am opening applications.

Edited by HalberdBlue, 02 July 2006 - 06:34 PM.


#4 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 02 July 2006 - 06:46 PM

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a system scan only".
Then "check" the box to the left of these item(s):

R3 - URLSearchHook: (no name) - {348DA4E7-137E-1CD9-2F05-4AB60A15AD9C} - C:\WINDOWS\System32\amlei.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe" -vt yax

O4 - HKCU\..\Run: [Jzzhfpm] C:\DOCUME~1\Jon\APPLIC~1\APPATC~1\WAUCLT~1.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123

Then click "Fix checked" and close Hijack This!.
Reboot in "safe" mode.

Delete all of the following file(s)/FOLDER(s) you can find:

c:\documents and settings\jon\application data\a?ppatch\w?auclt.exe <--- file

c:\documents and settings\jon\application data\appatc~1\wauclt~1.exe <--- file

c:\documents and settings\jon\mydocu~1\ymante~1\wuaclt.exe <--- file

Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).

Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread.

Please go to these free online file checkers:

Kaspersky Online File Scanner

Jotti Online File Scanner

VirusTotal Online File Scanner

And submit this file for a virus scan:

C:\WINDOWS\System32\rundll32.dll

Let me know the results.
:)

#5 HalberdBlue (New Member, 5 posts)

Posted 02 July 2006 - 08:27 PM

I have done that which you have asked. I still couldn't boot into safe mode, but I could get into safe mode with command prompt. I went into the folders that you told me to but no files were to be found within. I looked in the folders in "normal" windows and found the same, but deleted the folders just to be sure.

In Kaspersky Online File Scanner I received this result:

rundll32.dll - infected by not-a-virus:AdWare.Win32.PurityScan.en

In Jotti Online File Scanner:

File: rundll32.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: c55738c167ccee9acf67f42b4a29afc5
Packers detected: -

Scanner results:
AntiVir - Found Adware-Spyware/PurityScan.EN.1 adware
ArcaVir - Found Adware.Bho.Purityscan.Jha
Avast - Found Win32:Ndrv
AVG Antivirus - Found Generic.OFX
BitDefender - Found nothing
ClamAV - Found Trojan.PurityScan.EN
Dr.Web - Found Adware.ClickSpring
F-Prot Antivirus - Found nothing
Fortinet - Found Adware/PurityScan
Kaspersky Anti-Virus - Found not-a-virus:AdWare.Win32.PurityScan.en
NOD32 - Found Win32/Adware.PurityScan application
Norman Virus Control - Found W32/PurityScan.YM
UNA - Found nothing
VirusBuster - Found nothing
VBA32 - Found AdWare.Win32.PurityScan.en

At VirusTotal Online File Scanner:

Antivirus / Version / Update / Result
AntiVir 6.35.0.19 07.02.2006 ADSPY/PurityScan.EN.1
Authentium 4.93.8 06.30.2006 no virus found
Avast 4.7.844.0 06.29.2006 Win32:Ndrv
AVG 386 06.30.2006 Adware Generic.OFX
BitDefender 7.2 07.03.2006 no virus found
CAT-QuickHeal 8.00 07.01.2006 no virus found
ClamAV devel-20060426 07.01.2006 Trojan.PurityScan.EN
DrWeb 4.33 07.02.2006 Adware.ClickSpring
eTrust-InoculateIT 23.72.56 07.02.2006 no virus found
eTrust-Vet 12.6.2283 06.30.2006 no virus found
Ewido 3.5 07.02.2006 Adware.PurityScan
Fortinet 2.77.0.0 07.01.2006 Adware/PurityScan
F-Prot 3.16f 06.30.2006 no virus found
Ikarus 0.2.65.0 06.30.2006 no virus found
Kaspersky 4.0.2.24 07.03.2006 not-a-virus:AdWare.Win32.PurityScan.en
McAfee 4797 06.30.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1638 07.02.2006 Win32/Adware.PurityScan
Norman 5.90.21 06.30.2006 W32/PurityScan.YM
Panda 9.0.0.4 07.02.2006 Adware/PurityScan
Sophos 4.07.0 07.02.2006 no virus found
Symantec 8.0 07.03.2006 no virus found
TheHacker 5.9.8.167 06.30.2006 Adware/PurityScan.en
UNA 1.83 06.30.2006 Adware.PurityScan
VBA32 3.11.0 07.02.2006 AdWare.Win32.PurityScan.en
VirusBuster 4.3.7:9 07.02.2006 no virus found

Thank you for your help =)
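
The three scanners in the post above name the same file four different ways (ADSPY/PurityScan.EN.1, not-a-virus:AdWare.Win32.PurityScan.en, Win32:Ndrv, Adware.ClickSpring) and twelve of the twenty-six VirusTotal engines report nothing at all. Reading such a table by hand means stripping each vendor's category prefix (Adware, not-a-virus, Win32, Trojan) and variant suffix (EN, YM, OFX) and counting which family name is left. The block below is an added example, not code from this thread, from VirusTotal or from Jotti, that does that mechanically over the rows copied from the VirusTotal table above; the list of generic tokens it discards, the variant-code pattern and the three-engine agreement threshold are this example's own assumptions.

```python
"""Consolidate multi-engine scan verdicts into one family name (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Copied from the VirusTotal table in the post: "engine version update result".
VIRUSTOTAL_ROWS = """
AntiVir 6.35.0.19 07.02.2006 ADSPY/PurityScan.EN.1
Authentium 4.93.8 06.30.2006 no virus found
Avast 4.7.844.0 06.29.2006 Win32:Ndrv
AVG 386 06.30.2006 Adware Generic.OFX
BitDefender 7.2 07.03.2006 no virus found
CAT-QuickHeal 8.00 07.01.2006 no virus found
ClamAV devel-20060426 07.01.2006 Trojan.PurityScan.EN
DrWeb 4.33 07.02.2006 Adware.ClickSpring
eTrust-InoculateIT 23.72.56 07.02.2006 no virus found
eTrust-Vet 12.6.2283 06.30.2006 no virus found
Ewido 3.5 07.02.2006 Adware.PurityScan
Fortinet 2.77.0.0 07.01.2006 Adware/PurityScan
F-Prot 3.16f 06.30.2006 no virus found
Ikarus 0.2.65.0 06.30.2006 no virus found
Kaspersky 4.0.2.24 07.03.2006 not-a-virus:AdWare.Win32.PurityScan.en
McAfee 4797 06.30.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1638 07.02.2006 Win32/Adware.PurityScan
Norman 5.90.21 06.30.2006 W32/PurityScan.YM
Panda 9.0.0.4 07.02.2006 Adware/PurityScan
Sophos 4.07.0 07.02.2006 no virus found
Symantec 8.0 07.03.2006 no virus found
TheHacker 5.9.8.167 06.30.2006 Adware/PurityScan.en
UNA 1.83 06.30.2006 Adware.PurityScan
VBA32 3.11.0 07.02.2006 AdWare.Win32.PurityScan.en
VirusBuster 4.3.7:9 07.02.2006 no virus found
"""

CLEAN = {"no virus found", "found nothing"}
# Tokens that say what kind of thing a label is, not which family. Assumption.
GENERIC = {"not", "a", "virus", "adware", "adspy", "spyware", "trojan", "trj", "win32",
           "w32", "application", "generic", "bho", "worm", "dialer", "malware"}
# Up to three letters plus digits (EN, YM, OFX, 1, W32) is a variant code, not a name.
VARIANT = re.compile(r"[a-z]{0,3}\d*")


def family(label: str) -> str | None:
    """Family name from one vendor's label, or None when that engine found nothing."""
    if label.strip().lower() in CLEAN:
        return None
    tokens = [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]
    names = [t for t in tokens if t not in GENERIC and not VARIANT.fullmatch(t)]
    if names:
        return names[0]
    return "generic" if "generic" in tokens else "unclassified"


def parse_rows(text: str) -> list[tuple[str, str]]:
    """(engine, result) pairs; the result may contain spaces ("no virus found")."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            rows.append((parts[0], parts[3]))
    return rows


def consensus(rows: list[tuple[str, str]]) -> dict:
    families: Counter[str] = Counter()
    detections = 0
    for _engine, result in rows:
        fam = family(result)
        if fam is not None:
            detections += 1
            families[fam] += 1
    top = families.most_common(1)[0] if families else (None, 0)
    return {"engines": len(rows), "detections": detections, "families": families, "top": top}


def verdict(rows: list[tuple[str, str]], min_agree: int = 3) -> str:
    """One line a helper could paste back: the agreed family, or 'no consensus'."""
    c = consensus(rows)
    name, votes = c["top"]
    if votes >= min_agree:
        return f"{name} ({votes} of {c['engines']} engines agree; {c['detections']} detect something)"
    return f"no consensus ({c['detections']} of {c['engines']} engines detect something)"


if __name__ == "__main__":
    rows = parse_rows(VIRUSTOTAL_ROWS)
    print(verdict(rows))   # purityscan (11 of 26 engines agree; 14 detect something)
    for engine, result in rows:
        print(f"{engine:20} {family(result) or '-':12} {result}")
```

A family that most of the detecting engines agree on is a much stronger signal than any one engine's label; a "not-a-virus" or "Adware" prefix only records how that vendor files the sample, not whether it belongs on the machine. The same token rules handle the Jotti rows above (Adware-Spyware/PurityScan.EN.1, Adware.Bho.Purityscan.Jha), since hyphens and dots are both split points.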

#6 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 02 July 2006 - 08:29 PM

Fix this with HijackThis!:

O20 - AppInit_DLLs: C:\WINDOWS\System32\rundll32.dll

Reboot and post a new HijackThis! log file into this thread. :)

#7 HalberdBlue (New Member, 5 posts)

Posted 03 July 2006 - 05:57 AM

OK, I did that. My computer is still starting up really slow. I forgot to mention another problem I'm having while starting up: sometimes after logging in the start bar and icons will never appear, and I'll just have the desktop background until I hold down the power button to restart. This happened to me two times in a row after fixing rundll32.dll and then if that doesn't happen then the start bar at the bottom of the screen will be "blank" for a period of time after logging in. By that I mean that the start button will be solid green (but a darker green than its normal color) and the area to the right of the start button will be solid blue (but a darker blue than its normal color).

On the bright side, I don't seem to be getting pop-up ads anymore. I got pop-ups when I went to all three of those virus scanning websites in Internet Explorer before, and now I'm not getting any. The other problem I had that I forgot to mention (sorry about forgetting so much!) was that occasionally a command prompt window (with no text in it) would appear for a split second and then disappear. This happens rather infrequently so I can't say whether that last fix you gave me helped it. It's rather irritating though because it makes full screen applications minimize.

Anyways, here is my new HiJack This log

Logfile of HijackThis v1.99.1
Scan saved at 7:54:06 AM, on 7/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1148767531657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148767525563
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe




Oh, I just noticed that it says that my platform is Windows SP 1 at the top? Is it supposed to say that? Because I know I have or at least had SP 2 installed.

#8 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 03 July 2006 - 06:12 AM

The log has no malware showing any longer. :thumbup:

Let's try some "off the shelf" programs to see what they remove that we can't see.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Under Firefox choose: Firefox cache and Firefox cookies
Click the Empty Selected button.
Under Opera choose: Opera cache and Opera cookies
Click the Empty Selected button.
Close the program.

Note: It is normal for your machine to boot up a little slower for the first couple of times right after running ATF Cleaner. "Normal" boot time will be achieved after two, or three reboots.


Please download and run Spybot-Search&Destroy and Ad-Aware; they are the standard programs for finding and cleaning malware off your system. Here are links to both programs, and instructions for their use.

Get Spybot - Search & Destroy from Spybot Search and Destroy
(This is the NEW Version 1.4)
Get AdAware SE Personal from Lavasoft
(This is the NEW Build 1.6)

Download and install these programs if you don't already have them. If you do have them, make sure they are UPDATED AND CONFIGURED AS DESCRIBED here:

Configure Adaware

Configure Spybot

Reboot after running each program.

Try this free online virus scan of your system:

Panda Activescan
Accept default settings.

When it is finished, save the report.

Reboot.

Post a fresh HijackThis! log, and the report from Panda, into this thread. :)

#9 HalberdBlue (New Member, 5 posts)

Posted 09 July 2006 - 03:16 PM

Sorry for the delay in the reply:
I have done what you have asked.
I am getting popups again :(

Logfile of HijackThis v1.99.1
Scan saved at 5:13:14 PM, on 7/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1148767531657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148767525563
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Jon\Local Settings\Application Data\051c0579.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Jon\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\83S5C78R\!update-4038[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\AHIPKFMB\!update-4095[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Jon\My Documents\M?crosoft.NET\?serinit.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\Y1123OA.exe
Dialer:dialer.avv Not disinfected C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\051c0579.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\amlei.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fcccaab.dll
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\oins.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\rundll32.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\smss.dll
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\winstr32.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\!update.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\Temp\h91746.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\OA.exe
Adware:Adware/YazzleSudoku Not disinfected C:\WINDOWS\Temp\RL2_SudokuInstaller.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\svshost.exe
Virus:Trj/DNSChanger.GG Disinfected C:\WINDOWS\Temp\win726A.tmp.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\win990A.tmp.exe
Spyware:Cookie/Com.com Not disinfected G:\Documents and Settings\Jonathan\Cookies\jonathan@com[1].txt
Spyware:Cookie/Entrepreneur Not disinfected G:\Documents and Settings\Jonathan\Cookies\jonathan@entrepreneur[2].txt
Spyware:Cookie/2o7 Not disinfected G:\Documents and Settings\Jonathan\Cookies\jonathan@microsofteup.112.2o7[1].txt
Spyware:Cookie/BurstBeacon Not disinfected G:\Documents and Settings\Jonathan\Cookies\jonathan@www.burstbeacon[2].txt
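
The HijackThis logs earlier in this thread and the Panda report above carry the same handful of tells: file names one character away from a Windows binary (wuaclt.exe and WAUCLT~1.EXE for wuauclt.exe, svshost.exe for svchost.exe, ?serinit.exe for userinit.exe), a system binary's name with the wrong extension (rundll32.dll, smss.dll), a '?' inside a path, which is not a legal file-name character and means the logger could not print a non-ANSI character in the real name (A?pPatch, M?crosoft.NET), autostarts pointing into the user profile, and a populated AppInit_DLLs value. Note also that the Run key in the second log references the folder by its 8.3 short name (APPATC~1\WAUCLT~1.EXE) while the process list shows the long name with the odd character, so the autostart resolves no matter what that character is. The block below is an added example, not HijackThis, Panda or ewido code, that parses lines of either kind and reports those reasons. SYSTEM_STEMS is a hand-picked list, the heuristics are this example's own, and the Cyrillic and Greek homoglyphs used in the ansi_render demonstration are an assumption about what the '?' stands for, since the actual characters are not shown anywhere in the thread.

```python
"""Path-based triage of HijackThis logs and scanner reports (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stems (file name minus extension) of core Windows binaries the adware in this
# thread imitates. Assumption: a short hand-picked list, not an exhaustive one.
SYSTEM_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "wuauclt", "rundll32", "userinit", "ctfmon"}

# A Windows path up to the first .exe/.dll/.ocx. '?' is allowed on purpose: it is
# not a legal file-name character, so a '?' in a logged path is the logger's
# stand-in for a character it could not print in the ANSI code page.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
HJT_RE = re.compile(r'^([RFNO]\d+) - ')


@dataclass
class Entry:
    kind: str        # HijackThis section (O4, R3, O20, ...), "process" or "report"
    raw: str
    path: str | None


def ansi_render(name: str) -> str:
    """How a Western-ANSI (cp1252) logger prints a name holding non-ANSI characters."""
    return name.encode("cp1252", errors="replace").decode("cp1252")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse(text: str) -> list[Entry]:
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m, pm = HJT_RE.match(line), PATH_RE.search(line)
        if m:
            kind = m.group(1)
        elif re.match(r'^[A-Za-z]:\\', line):
            kind = "process"   # a line of the "Running processes" block
        elif pm:
            kind = "report"    # any other line carrying a path, e.g. a scanner report
        else:
            continue
        entries.append(Entry(kind, line, pm.group(0) if pm else None))
    return entries


def split_name(path: str) -> tuple[str, str]:
    """Lower-cased (stem, ext) of the file name, with an 8.3 tail such as ~1 removed."""
    stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
    return re.sub(r'~\d+$', '', stem), ext


def reasons_for(e: Entry) -> list[str]:
    reasons = []
    if e.path:
        stem, ext = split_name(e.path)
        if stem in SYSTEM_STEMS and ext != "exe":
            reasons.append(f"system binary name with wrong extension: {stem}.{ext}")
        elif stem not in SYSTEM_STEMS and ext == "exe":
            near = sorted(s for s in SYSTEM_STEMS if levenshtein(stem, s) == 1)
            if near:
                reasons.append(f"lookalike of {near[0]}.exe")
        if "?" in e.path or any(ord(c) > 127 for c in e.path):
            reasons.append("non-ANSI character in path (logged as '?')")
        if e.kind == "O4" and re.search(r'docume~1|documents and settings', e.path, re.I):
            reasons.append("autostart from a user profile directory")
    if e.kind == "O20" and "AppInit_DLLs" in e.raw:
        reasons.append("AppInit_DLLs set: loaded into every process that links user32")
    if e.kind == "R3" and "(no name)" in e.raw:
        reasons.append("unnamed URLSearchHook")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Suspicious path (or the raw line when there is none) -> list of reasons."""
    findings: dict[str, list[str]] = {}
    for e in parse(text):
        for r in reasons_for(e):
            bucket = findings.setdefault(e.path or e.raw, [])
            if r not in bucket:
                bucket.append(r)
    return findings


# Copied from the HijackThis logs and the Panda report posted in this thread.
SAMPLE = r"""
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe
C:\Documents and Settings\Jon\Application Data\A?pPatch\w?auclt.exe
R3 - URLSearchHook: (no name) - {348DA4E7-137E-1CD9-2F05-4AB60A15AD9C} - C:\WINDOWS\System32\amlei.dll
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Jon\MYDOCU~1\YMANTE~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Jzzhfpm] C:\DOCUME~1\Jon\APPLIC~1\APPATC~1\WAUCLT~1.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\rundll32.dll
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Jon\My Documents\M?crosoft.NET\?serinit.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\smss.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\svshost.exe
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, *("  - " + w for w in why), sep="\n")
```

The edit-distance check is deliberately strict (exactly one edit against a short allowlist), which is what keeps msmsgs.exe from being reported as a near miss of smss.exe; loosening it to two edits would flag that legitimate process. To see what the '?' hides on the machine itself, the long and 8.3 names can be listed side by side with `dir /x` in the folder concerned, and `ansi_render("A\u0440pPatch\\w\u03c5auclt.exe")` reproduces the `A?pPatch\w?auclt.exe` rendering from the second log under the assumed homoglyphs.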

#10 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 09 July 2006 - 08:10 PM

Boot in "safe mode". Run ATF cleaner again, per previous instructions. Run an Ewido scan, have it delete everything it finds. Save the log. Boot in normal mode. Post a new HijackThis! log, and the log from Ewido. :)

#11 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 22 July 2006 - 06:27 AM

Due to lack of feedback:

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link

(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

