
Pop-up ads can be stopped. All logs are attached.


This topic is locked.
8 replies to this topic

#1 vader1
New Member, 4 posts

Posted 22 February 2007 - 01:09 PM

Please note the HijackThis log. I've tried several sources of software to eliminate the popups, but it only stops for a while. Once the tracking cookies are reloaded, the popups start again.

Logfile of HijackThis v1.99.1
Scan saved at 8:47:32 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\thinkorswim\thinkorswim.exe
C:\Program Files\thinkorswim\jre\bin\javaw.exe
C:\Program Files\ProfitSource\ProfitSource.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Thunk new manager else] C:\Documents and Settings\All Users\Application Data\PING SEND THUNK NEW\Dashbore.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ford dumb] C:\DOCUME~1\Ed\APPLIC~1\HTMSTART\AXIS DRIVE.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\AdsGone.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157306228193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157307020250
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...841/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I have Kaspersky logs too. Let me know if you need those as well.

Any help would be appreciated.

Ed
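A mechanical triage of the log above, added here as an example and not part of the original post. The two O4 Run entries whose value names are strings of unrelated words ("Thunk new manager else", "Ford dumb") and whose binaries live under Application Data are the Lop.com adware pattern; the O1 hosts lines and the O23 services with an unknown owner or a missing binary are worth a second look but are not by themselves evidence of infection. The heuristics and the `Finding` class are the editor's own, not HijackThis logic; the sample lines are copied from the first log in this thread.

```python
"""
Triage HijackThis (v1.99.x) log lines for Lop.com-style adware indicators.

Added example for this thread; the rules below are the editor's heuristics,
not anything HijackThis itself computes.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O1/O4/O23 lines from the first log in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 207.68.172.246 msn.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Thunk new manager else] C:\Documents and Settings\All Users\Application Data\PING SEND THUNK NEW\Dashbore.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Ford dumb] C:\DOCUME~1\Ed\APPLIC~1\HTMSTART\AXIS DRIVE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.*)$')
# Both the long form and the 8.3 short form of the per-user/All Users data directory.
APPDATA_RE = re.compile(r'application data|applic~1', re.I)


@dataclass
class Finding:
    section: str
    severity: str
    name: str
    reason: str


def exe_basename(cmd: str) -> str:
    """Executable base name (no directory, no extension) from an O4 command line."""
    cmd = cmd.strip().strip('"')
    # Cut arguments: keep everything up to and including the first .exe/.dll.
    m = re.search(r'^(.*?\.(?:exe|dll))', cmd, re.I)
    target = (m.group(1) if m else cmd).split('\\')[-1]
    return re.sub(r'\.(exe|dll)$', '', target, flags=re.I)


def looks_like_lop_name(name: str, cmd: str) -> bool:
    """Lop.com picks Run value names of 2+ random words that share nothing with the binary."""
    words = name.split()
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return False
    base = exe_basename(cmd).lower()
    return not any(w.lower() in base for w in words)


def triage(log_text: str) -> list[Finding]:
    """Return findings for the O1, O4 and O23 lines that merit a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            name, cmd = m['name'], m['cmd']
            # Only fire when BOTH the random-word name and the Application Data location hold;
            # legitimate entries such as [Windows Defender] live under Program Files.
            if APPDATA_RE.search(cmd) and looks_like_lop_name(name, cmd):
                findings.append(Finding('O4', 'high', name,
                                        'random-word Run value launching from Application Data (Lop.com pattern)'))
        elif m := O1_RE.match(line):
            findings.append(Finding('O1', 'review', m['host'],
                                    f'hosts file pins {m["host"]} to {m["ip"]}; confirm the address is legitimate'))
        elif m := O23_RE.match(line):
            if 'file missing' in m['path'].lower() or m['vendor'].strip().lower() == 'unknown owner':
                findings.append(Finding('O23', 'low', m['svc'],
                                        'service with unknown owner or missing binary'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.severity:6} {f.section:3} [{f.name}] {f.reason}')
```

Run against the full log rather than the sample and the two `high` findings are exactly the entries SUPERAntiSpyware later reports as Adware.Lop-Gen in post #3; the `review` and `low` findings are there so a helper remembers to check them, not because the script has decided they are malicious.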


#2 MrCharlie
SuperMember, Malware Team, 2,949 posts

Posted 23 February 2007 - 05:41 PM

Welcome to the forum.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

---------------

Next....

Please download SUPERAntiSpyware Home Edition (free)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions; click Yes, and let it through your firewall.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Ignore System Restore/Volume Information on ME and XP
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and, if it asks whether you want to reboot, click Yes.

To retrieve the removal information - please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences . Click the Statistics/Logs tab .
  • Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything , then right-click and choose copy.
  • Click close and close again to exit the program.
Now please paste the removal information, the log from NoLop along with a fresh HijackThis log in your reply. If it's a large log, you may need several replies to post it.


#3 vader1
New Member, 4 posts

Posted 26 February 2007 - 02:26 PM

OK, here are the logs you requested.

I did not run HijackThis until after all the scans and removals were complete.

SUPERAntiSpyware Scan Log
Generated 02/26/2007 at 01:28 PM

Application Version : 3.5.1016

Core Rules Database Version : 3189
Trace Rules Database Version: 1199

Scan type : Complete Scan
Total Scan Time : 01:34:03

Memory items scanned : 520
Memory threats detected : 0
Registry items scanned : 6330
Registry threats detected : 2
File items scanned : 116175
File threats detected : 142

Adware.Lop-Gen
[Thunk new manager else] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PING SEND THUNK NEW\DASHBORE.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PING SEND THUNK NEW\DASHBORE.EXE
[Ford dumb] C:\DOCUME~1\ED\APPLIC~1\HTMSTART\AXIS DRIVE.EXE
C:\DOCUME~1\ED\APPLIC~1\HTMSTART\AXIS DRIVE.EXE
C:\DOCUMENTS AND SETTINGS\ED\APPLICATION DATA\HTMSTART\AXIS DRIVE.EXE
C:\DOCUMENTS AND SETTINGS\ED\APPLICATION DATA\HTMSTART\BOOBBINDBIN.EXE
C:\DOCUMENTS AND SETTINGS\ED\APPLICATION DATA\HTMSTART\UQNJVOVM.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Ed\Cookies\ed@tribalfusion[2].txt
C:\Documents and Settings\Ed\Cookies\ed@hotlog[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.crackserialkeygen[2].txt
C:\Documents and Settings\Ed\Cookies\ed@login.tracking101[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.burstnet[1].txt
C:\Documents and Settings\Ed\Cookies\ed@www.serialadapters[1].txt
C:\Documents and Settings\Ed\Cookies\ed@adlegend[2].txt
C:\Documents and Settings\Ed\Cookies\ed@media303[2].txt
C:\Documents and Settings\Ed\Cookies\ed@usenext[1].txt
C:\Documents and Settings\Ed\Cookies\ed@stopzilla[2].txt
C:\Documents and Settings\Ed\Cookies\ed@server.lon.liveperson[2].txt
C:\Documents and Settings\Ed\Cookies\ed@revsci[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.googleadservices[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.burstbeacon[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.crackedwarez[2].txt
C:\Documents and Settings\Ed\Cookies\ed@blockbuster.112.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@versiontracker[2].txt
C:\Documents and Settings\Ed\Cookies\ed@precisionclick[2].txt
C:\Documents and Settings\Ed\Cookies\ed@edge.ru4[1].txt
C:\Documents and Settings\Ed\Cookies\ed@adserver.adreactor[1].txt
C:\Documents and Settings\Ed\Cookies\ed@linkstattrack[1].txt
C:\Documents and Settings\Ed\Cookies\ed@stat.onestat[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.googleadservices[1].txt
C:\Documents and Settings\Ed\Cookies\ed@adopt.euroclick[1].txt
C:\Documents and Settings\Ed\Cookies\ed@affiliates.mediaspecials[2].txt
C:\Documents and Settings\Ed\Cookies\ed@publishers.clickbooth[2].txt
C:\Documents and Settings\Ed\Cookies\ed@www.stopzilla[1].txt
C:\Documents and Settings\Ed\Cookies\ed@msnportal.112.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@ad.zanox[1].txt
C:\Documents and Settings\Ed\Cookies\ed@burstnet[1].txt
C:\Documents and Settings\Ed\Cookies\ed@questionmarket[1].txt
C:\Documents and Settings\Ed\Cookies\ed@sonycorporate.122.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@cc.bridgetrack[2].txt
C:\Documents and Settings\Ed\Cookies\ed@pch.122.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@azjmp[1].txt
C:\Documents and Settings\Ed\Cookies\ed@serialdevil[1].txt
C:\Documents and Settings\Ed\Cookies\ed@perf.overture[1].txt
C:\Documents and Settings\Ed\Cookies\ed@ad.cs102175[1].txt
C:\Documents and Settings\Ed\Cookies\ed@www.serialdevil[1].txt
C:\Documents and Settings\Ed\Cookies\ed@firstpremierbankcard.112.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@server.lon.liveperson[1].txt
C:\Documents and Settings\Ed\Cookies\ed@bookspan.122.2o7[1].txt
C:\Documents and Settings\Ed\Cookies\ed@e-2dj6wakislczaeo.stats.esomniture[2].txt
C:\Documents and Settings\Ed\Cookies\ed@nextag[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@a.websponsors[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ad.contentmedianetwork[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ad.cs102175[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ad.zanox[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adbrite[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adecn[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adinterax[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adlegend[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adopt.euroclick[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.ak.facebook[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.ft[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.glispa[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.iconator[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.ozonemedia.co[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ads.realtechnetwork[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@adultfriendfinder[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@aff.primaryads[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@angleinteractive.directtrack[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@as-eu.falkag[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@azjmp[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@bannerads.zwire[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@bannerads.zwire[3].txt
C:\Documents and Settings\Amanda\Cookies\amanda@belnk[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@bizrate[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@clickshift[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@clicksor[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@da-tracking[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@dealtime[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@directtrack[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@dist.belnk[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@ecnext.advertserve[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@fastclick[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@fcstats.bcentral[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@i.screensavers[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@indextools[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@keywordmax[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@login.tracking101[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@media.fastclick[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@media.hotels[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@nextag[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@offers.clickbooth[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@offers.intermediainteractive[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@overture[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@partner2profit[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@publishers.clickbooth[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@qnsr[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@revsci[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@roiservice[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@screensavers[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@server11.clickfacts[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@smileycentral[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@stat.dealtime[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@stats.drivecleaner[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@tracking.schwablearning[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@tripod[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@try.screensavers[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@www.0stats[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@www.googleadservices[2].txt
C:\Documents and Settings\Amanda\Cookies\amanda@www.loonycounter[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@www.ticketsnow2[1].txt
C:\Documents and Settings\Amanda\Cookies\amanda@www.xctrk[2].txt

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Ed\Desktop
[2/26/2007]
[11:40:30 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AEE818D991878B91.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Ca
C:\Documents and Settings\All Users\Application Data\Dataviz
C:\Documents and Settings\All Users\Application Data\Hotsync
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nvidia Corporation
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Ping Send Thunk New
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Stopzilla!
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\All Users\Application Data\Zillabar
C:\Documents and Settings\Amanda\Application Data\Acccore
C:\Documents and Settings\Amanda\Application Data\Adobe
C:\Documents and Settings\Amanda\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Amanda\Application Data\Apple Computer
C:\Documents and Settings\Amanda\Application Data\Creative
C:\Documents and Settings\Amanda\Application Data\Hotsync
C:\Documents and Settings\Amanda\Application Data\Identities
C:\Documents and Settings\Amanda\Application Data\Lavasoft
C:\Documents and Settings\Amanda\Application Data\Limewire
C:\Documents and Settings\Amanda\Application Data\Logitech
C:\Documents and Settings\Amanda\Application Data\Macromedia
C:\Documents and Settings\Amanda\Application Data\Microsoft
C:\Documents and Settings\Amanda\Application Data\Roxio
C:\Documents and Settings\Amanda\Application Data\Sun
C:\Documents and Settings\Amanda\Application Data\Viewpoint
C:\Documents and Settings\Amanda\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Ed\Application Data\Acccore
C:\Documents and Settings\Ed\Application Data\Adobe
C:\Documents and Settings\Ed\Application Data\Adobeum
C:\Documents and Settings\Ed\Application Data\Apple Computer
C:\Documents and Settings\Ed\Application Data\Arcsoft
C:\Documents and Settings\Ed\Application Data\Cowon
C:\Documents and Settings\Ed\Application Data\Creative
C:\Documents and Settings\Ed\Application Data\Google
C:\Documents and Settings\Ed\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Ed\Application Data\Hotsync
C:\Documents and Settings\Ed\Application Data\Htmstart
C:\Documents and Settings\Ed\Application Data\Identities
C:\Documents and Settings\Ed\Application Data\Intuit
C:\Documents and Settings\Ed\Application Data\Lavasoft
C:\Documents and Settings\Ed\Application Data\Leadertech
C:\Documents and Settings\Ed\Application Data\Logitech
C:\Documents and Settings\Ed\Application Data\Macromedia
C:\Documents and Settings\Ed\Application Data\Microsoft
C:\Documents and Settings\Ed\Application Data\Roxio
C:\Documents and Settings\Ed\Application Data\Sun
C:\Documents and Settings\Ed\Application Data\Warez
C:\Documents and Settings\Ed\Application Data\Yahoo!
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Susan\Application Data\Hotsync
C:\Documents and Settings\Susan\Application Data\Identities
C:\Documents and Settings\Susan\Application Data\Logitech
C:\Documents and Settings\Susan\Application Data\Macromedia
C:\Documents and Settings\Susan\Application Data\Microsoft
C:\Documents and Settings\Susan\Application Data\Roxio


Logfile of HijackThis v1.99.1
Scan saved at 3:11:37 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Ed\LOCALS~1\Temp\Rar$EX00.994\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\IEViewBar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\AdsGone.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157306228193
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157307020250
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...841/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



So far no more popups, but time will tell if the tracking causes a problem.

I will provide financial support if this works out. In addition, I'll need to provide a donation to the software providers.

Thanks for your help, and hopefully I'm clean.

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 26 February 2007 - 05:50 PM

That's good news!

Please move HJT into its own permanent folder so backups can be made and found.
example: C:\MyHJT\HiJackThis.exe, C:\Program Files\MYHJT\HiJackThis.exe or C:\MyDocuments\MyHJT\HiJackThis.exe

----------------

Just some clutter left over......


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

Click on Fix Checked and exit HijackThis.

I notice you have Viewpoint Manager on the system, we usually recommend uninstalling it - it's up to you - you can read about it below:
http://www.auditmypc...ess/viewmgr.asp

Use the computer and let me know how it is, MrC
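The three entries MrCharlie picks out above share a pattern a reviewer looks for in any HijackThis log: a value that is empty, or a registry entry that still points at a file which no longer exists. The following Python is an added example written for this thread, not HijackThis's own code, that parses lines in the log format shown above and lists the entries worth a second look. The sample lines are copied from the log posted in this thread; the two extra heuristics (reporting "(file missing)" O23 services and reporting "Unknown file" Winsock LSP entries once each) are my own assumptions about what a reviewer would want, not something MrCharlie asked for.

```python
"""Parse HijackThis-style log lines and flag entries worth reviewing.

Added example for this thread; not code from HijackThis or the forum.
The empty-value and "(no file)" checks mirror the items MrCharlie asked
to be fixed above. Treating "(file missing)" services and "Unknown file"
Winsock LSP lines as review items is an added assumption.
"""
import re

# Constructed sample: lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) then " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return (section, body) tuples for lines that look like HJT entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (section, body, reason) for entries a reviewer would check."""
    flagged = []
    reported_lsp = set()  # HJT repeats LSP chain entries; report each DLL once
    for sec, body in entries:
        if sec in ("R0", "R1") and body.rstrip().endswith("="):
            flagged.append((sec, body, "empty IE search/start value"))
        elif "(no file)" in body or "(file missing)" in body:
            flagged.append((sec, body, "entry points at a missing file"))
        elif sec == "O10" and "Unknown file" in body and body not in reported_lsp:
            reported_lsp.add(body)
            flagged.append((sec, body, "Winsock LSP not on HJT's known list; verify publisher"))
    return flagged


def review(text):
    """Convenience wrapper: parse a log and return the flagged entries."""
    return flag_entries(parse_log(text))


if __name__ == "__main__":
    for sec, body, reason in review(SAMPLE_LOG):
        print(f"{sec:<4} {reason:<55} {body[:70]}")
```

Run on the sample above it lists the two empty R0 search values and the orphaned O9 button MrCharlie selected, plus the O23 service marked "(file missing)" and one line for the repeated nvappfilter.dll LSP entry. It only reads text, so it can be pointed at any saved HijackThis log without touching the registry.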


#5 vader1

vader1

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 February 2007 - 08:33 PM

Thanks MrC, I had the HiJack in the folder, I just didn't see it earlier. It's in a folder by itself now. I removed all the entries including Viewpoint Manager. Thanks for the info on that. I'll keep you posted. I know from experience that the popups are really gone by Wednesday. I'll confirm and get back to you, close this topic, and send in a donation. Given that it looks like I don't need to reformat the HD, reload all the applications, drivers and operating system, I need to know what is a fair donation to both this website and the supporting software applications that I used. Super.... I already know what they want. All the best, Ed

#6 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 26 February 2007 - 08:46 PM

OK, let me know.

Donations to the "supporting software applications" are unnecessary and I wouldn't even know how to do it.
The forum accepts donations, just look at the bottom of my post and click on "Donating"- any amount is appreciated and is up to you and is kept confidential.

Thanks, MrC


#7 vader1

vader1

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 28 February 2007 - 01:06 PM

MrC, thanks for your help. I've learned something and realize the value of a website like this one. I have no more issues. All the best, Ed

#8 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 28 February 2007 - 07:18 PM

Thanks and Good Luck :thumbup:

If you have any questions - please post back

I'll leave you with........

Some preventive maintenance:

------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point:
(ME and XP users only)

XP system restore

ME system restore

Visit Windows Update and install all the latest critical updates.

Install these two free programs. They sit in the background and protect your system from spyware and adware being installed, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG free
Avast free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
ZoneAlarm free
Comodo Free Firewall
Other free firewalls

Keep those temp files off your system use
CCleaner
Uncheck "Cookies" under "Internet Explorer".
or
ATF Cleaner - hit "select all", then just uncheck "cookies" (unchecking cookies is optional - leave it checked if you want to delete all cookies), then "empty selected". That will clear out all the temp files on the system.


IMPORTANT!!
Keep your Sun Java up-to-date JRE 6 <--newest version
Delete ALL old versions from add/remove programs if listed first!
http://forums.tomcoy...showtopic=68632

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

----------Free malware removal programs:----------

SpyBot
AD-Aware
CW-Shredder
SUPERAntiSpyware (free edition)

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable Windows MessengerXP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program; even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Watch your surfing habits; don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC


#9 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 02 March 2007 - 07:13 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
