
Please Help Me Remove Pop-ups


  • This topic is locked
13 replies to this topic

#1 maldita

maldita

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 16 October 2005 - 01:42 AM

Hello,

Can someone please help me? I keep getting annoying pop-ups whenever I surf the net...it's from http://64.192.130.141, paypopup.com, ez-savings.com, super-stock.com, abc-search.com, etc... And by the time I minimize my browser, I see that I have about 20 that actually popped up and I didn't even notice....

Anyway, I have Windows XP Home. I already tried running Spybot S&D and Spyblaster. But they did not solve my problem. I still have to deal with them ...

If there is someone out there who can help me out, please please do so..I would greatly appreciate it...

Thanks very much....

Here is my Hijackthis log:


-------------
Logfile of HijackThis v1.99.0
Scan saved at 12:26:08 AM, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Removal Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\SpywareRemover\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.daewoocomputer.net
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remote1.na.amec.com/dana-cached/set...oterisSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123301601218
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC-cillin Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 20 October 2005 - 11:26 AM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 20 October 2005 - 12:15 PM

Step 1

Please download Ad-Aware SE

Using Ad-Aware To Remove Spyware From Your Computer << Please check this link for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 2

To help prevent further infection, please download SpywareBlaster. SpywareBlaster helps to:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Step 3

Please Download and Install Ewido
  • Please download Ewido Security Suite
  • After the download is complete, double click on the file to launch the install process.
  • During installation under the Additional Options menu, you will be asked if you want to "Install background guard (required for automatic updates)" and "Install scan via context menu". Please UNCHECK both of these options.
  • Once installation is complete, launch Ewido by double clicking the big "E" icon on your desktop. The program will prompt you to update click the 'OK' button.
  • The program will now go to the main screen. On the left hand side of the main screen, click on Update and then click 'Start Update'. The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see 'Update Successful' in the lower left corner.
  • Click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'
  • Please make sure 'Scan Every File' is selected. Finally, please click 'OK'
  • On the main screen, please select 'Complete System Scan' and the scan should begin.
  • While the scan is in progress, you will be prompted to clean the first infected file it finds. Choose clean, then put a check next to 'Perform action on all infections' . Doing this enables the scan to proceed automatically until its completion. Click OK.
  • When the scan is complete, click "Save Report". Your scan results will be saved in a text file.
Please submit that report with your next post.

If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and uncheck "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.

If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".

Step 4

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 5

Please download CleanUp! CleanUp! is a powerful and easy-to-use application that removes temporary files created while surfing the web, empties the Recycle Bin, deletes files from your temporary folders and more. Open CleanUp!, click on Options. Make sure that the following are checked:
  • Empty Recycle Bins
  • Delete cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • CleanUp! All Users
The others are optional. Do not run it yet.
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Step 6

You may want to print out this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now we will address the HiJackThis fixes.

Please run HiJackThis and click "Scan." Place checks next to the following entries (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


If you did not add the listed domain to the Trusted Zones yourself, have HiJackThis fix it.

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.124.130 (HKLM)


Close all browsers and other windows except for HiJackThis, and click "Fix Checked" to have HiJackThis fix the entries you checked.

Step 7

Let's run CleanUp! to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 8

Please run HiJackThis again and post a fresh log so I can make sure that all the malware was deleted according to plan.
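The HijackThis fixes above single out a handful of entry types: R0/R1 lines whose value is empty or redirects SearchURL, and O15 trusted-zone ranges (with "(HKLM)" marking the machine hive; the follow-up log later in the thread also shows the form with no address at all). The following script is an added example, not part of the thread or of HijackThis itself: it parses a constructed excerpt of a v1.99 log, built from the lines discussed here, and reports those same entry types so a reader can see which lines the checks would pick out and why.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis v1.99 log format, using the entries discussed
# in this thread plus two benign ones (an O4 and an O16) that the review should
# leave alone. Not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123301601218
"""

# "Xnn - body": the section code HijackThis assigns (R0, O4, O15, ...) and the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O15 body: "Trusted IP range: <addr>" or "Trusted Zone: <host>", optionally followed
# by "(HKLM)" when the entry lives in the machine hive rather than the user's (HKCU).
O15_RE = re.compile(r"^Trusted (?P<kind>IP range|Zone): ?(?P<value>[^(]*?)\s*(?P<hive>\(HKLM\))?$")


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "O15"
    body: str   # everything after "O15 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the 'Xnn - ...' entries; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def review(entries: list[Entry]) -> list[Finding]:
    """Flag the entry types the helper singled out in this thread."""
    findings = []
    for e in entries:
        if e.code == "O15":
            m = O15_RE.match(e.body)
            if not m:
                findings.append(Finding(e, "unrecognised O15 format; review by hand"))
                continue
            hive = "HKLM" if m["hive"] else "HKCU"
            value = m["value"].strip()
            if value:
                findings.append(Finding(e, f"{hive} Trusted {m['kind']} for {value}; "
                                           "fix unless you added it yourself"))
            else:
                # Same key location as the populated form, but holding no address.
                findings.append(Finding(e, f"empty Trusted {m['kind']} key in {hive}"))
        elif e.code in ("R0", "R1"):
            # Body is "<registry key>,<value name> = <data>"; data may be absent.
            key, _, value = e.body.partition("=")
            name = key.split(",")[-1].strip()
            if not value.strip():
                findings.append(Finding(e, f"{name} is set but empty"))
            elif name == "(Default)" and "SearchURL" in key:
                findings.append(Finding(e, f"SearchURL points at {value.strip()}"))
    return findings


if __name__ == "__main__":
    for f in review(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.code}: {f.reason}")
```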

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 20 October 2005 - 12:51 PM

I keep getting annoying pop-ups whenever I surf the net...it's from http://64.192.130.141, paypopup.com, ez-savings.com, super-stock.com, abc-search.com, etc... And by the time I minimize my browser, I see that I have about 20 that actually popped up and I didn't even notice


Those are advertising cookies. Check your cookie setting in Internet Explorer. Open Tools>Internet Options>Privacy. Make sure that as a minimum, the cookie setting is on Medium. You can block those sites (paypopup.com, ez-savings.com, super-stock.com, abc-search.com) by clicking on “Sites” on the same page as the cookie settings. Copy/paste each web site in the space under “Address of Web Site” and click “Block”.

Make your Internet Explorer more secure. This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it asks you if you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Use IE-SPYAD. Install IE SPYAD. Add another level of protection to your Internet Explorer browser by blocking certain sites that are known to contain malware. IE SPYAD puts several thousand sites in your restricted zone so you'll be protected when you visit innocent looking sites that aren't actually innocent at all. If you happen on a site within its list, they can't hijack you or install anything. The program is free and is updated about once a month. Please follow the readme instructions for install; it is a little different. Single-user PC: use IE Spyad1. Multi-user XP PC: use IE Spyad2.

#5 maldita

maldita
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 21 October 2005 - 10:48 PM

Hi suebaby41! Here is the saved report I got from Ewido Security Suite:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:14:36 PM, 21/10/2005
+ Report-Checksum: 790A7FB1

+ Scan result:

HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SSaver.SaverObj -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SSaver.SaverObj\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SSaver.SaverObj\Clsid\\ -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Updater.BHO\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinStatX.Installer\CLSID\\ -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/QDow_AS2.dll\\.Owner -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/QDow_AS2.dll\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\.Owner -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DS3.dll\\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mp3.ocx\\.Owner -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/mp3.ocx\\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinStatX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WinStatX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-3749347595-2791625709-2185142891-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
[1828] C:\WINDOWS\system32\iietppui.dll -> Spyware.Look2Me : Error during cleaning
[604] C:\WINDOWS\system32\iietppui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\bisita\Cookies\bisita@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\bisita\Cookies\bisita@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\bisita\Cookies\bisita@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\bisita\Local Settings\Temporary Internet Files\Content.IE5\0X2Z016Z\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\bisita\Local Settings\Temporary Internet Files\Content.IE5\8LM3092R\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\gwen\Cookies\gwen@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\gwen\Cookies\gwen@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\gwen\Cookies\gwen@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\gwen\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\gwen\Local Settings\Temp\ICD1.tmp\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\gwen\Local Settings\Temp\upd203.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\mp3.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\LastGood\banner.dll -> Spyware.Banex : Cleaned with backup
C:\WINDOWS\strqxst.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\abl71.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\arl70.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cafgnt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cdb.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ceodm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ciyptdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\crbjmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dacpmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\daprov.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\datmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ddnet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dn6201joe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dnl2013oe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dwskadp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dxnet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\f60o0gd3e60.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fn0021dmg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp8403lqe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fpn6035se.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\frdrclnr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g604lgdq160e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gjtuname.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gplul3391.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h84m0ih1e84.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hm0205doe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hr0205doe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i024lafq1d2e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i206lcds1f06.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\i8420ihoe84c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ibxsap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\IpkEd.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\jysh400.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k6js0g17e6.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kedtat.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kjdlt1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ksdgae.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktp2l77o1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ktpml7711.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l4l60e3seh.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Lckrn12n.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Lkefx12n.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LSXLMPM.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LTX2KUSB.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\LUX2KUSB.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lvl8093ue.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lvpu0979e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lxkrn10N.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m028lafu1d28.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m2lslc371f.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mbxdm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mmsap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv00l9dm1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv28l9fu1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv8ml9l11.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mvpql9751.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mxrd2x40.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\myawt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\n2r20c9oef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nhtapi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\njtid.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nnmsmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nxtapi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\o0480ahued480.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oeesvr32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\okecli.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\osbcbcp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p06slaj71do.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\p66slgj716o.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pmgfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\q0nu0a59ed.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\q2ps0c77ef.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rBsctrs.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rwcdll.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sbell.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\shrwvdrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ssns.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sxdpsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sxns.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\syrwvdrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\u4rule991h.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ujrsvpia.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wtadmod.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\ICD2.tmp\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Temp\ICD3.tmp\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\Temp\upd203.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd204.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd205.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd207.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd208.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Error during cleaning


::Report End
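The report above mixes registry keys, cookies, on-disk files and modules found loaded in running processes, and a handful of Look2Me items end in "Error during cleaning" rather than "Cleaned with backup". The script below is an added example, not part of the thread or of ewido: it parses a constructed excerpt in the same report format, counts hits by status, family and object kind, and separates the failed items into in-process ones (the bracketed number is read here as the process id the module was loaded in, which is an assumption about the format) and plain on-disk ones, since a file held open by a running process cannot be deleted until that process is gone.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in ewido security suite report format, using the kinds of
# lines the report above contains. Not the full report.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:14:36 PM, 21/10/2005
+ Report-Checksum: 790A7FB1

+ Scan result:

HKLM\SOFTWARE\Classes\SSaver.SaverObj -> Spyware.WebSearch : Cleaned with backup
[1828] C:\WINDOWS\system32\iietppui.dll -> Spyware.Look2Me : Error during cleaning
[604] C:\WINDOWS\system32\iietppui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\bisita\Cookies\bisita@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\mp3.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\system32\abl71.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\upd203.exe -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\upd204.exe -> Spyware.Look2Me : Error during cleaning

::Report End
"""

# "[pid] object -> Detection.Name : status"; the bracketed pid prefix is only
# present when the object was a module found loaded in that process (assumption).
HIT_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?P<obj>.+?) -> (?P<detection>\S+) : (?P<status>.+)$"
)


@dataclass
class Hit:
    obj: str
    detection: str
    status: str
    pid: int | None = None

    @property
    def kind(self) -> str:
        return "registry" if self.obj.startswith(("HKLM\\", "HKCU\\", "HKU\\")) else "file"

    @property
    def family(self) -> str:
        # "Spyware.Cookie.Paypopup" -> "Spyware.Cookie"; "Spyware.Look2Me" stays as is.
        return ".".join(self.detection.split(".")[:2])


def parse_report(text: str) -> list[Hit]:
    """Return one Hit per result line; header, checksum and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            pid = int(m["pid"]) if m["pid"] else None
            hits.append(Hit(m["obj"], m["detection"], m["status"], pid))
    return hits


def summarize(hits: list[Hit]) -> dict[str, Counter]:
    return {
        "status": Counter(h.status for h in hits),
        "family": Counter(h.family for h in hits),
        "kind": Counter(h.kind for h in hits),
    }


def needs_followup(hits: list[Hit]) -> dict[str, list[Hit]]:
    """Split the items ewido could not clean into in-process and on-disk ones.
    In-process modules are locked while their host process runs; on-disk files
    can simply be rescanned or removed once nothing holds them open."""
    failed = [h for h in hits if not h.status.startswith("Cleaned")]
    return {
        "in_process": [h for h in failed if h.pid is not None],
        "on_disk": [h for h in failed if h.pid is None],
    }


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for name, counter in summarize(hits).items():
        print(name, dict(counter))
    for group, items in needs_followup(hits).items():
        for h in items:
            print(f"{group}: {h.obj} (pid={h.pid}) -> {h.detection}")
```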

#6 maldita

maldita
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:02 PM

Posted 21 October 2005 - 11:21 PM

Here is my latest Hijackthis log file (after following your instructions). By the way, I did not find this entry after I ran Hijackthis:

O15 - Trusted IP range: 206.161.124.130 (HKLM)

...but there is an "O15 - Trusted IP range: (HKLM)" entry; are they the same?
--------------------------------------------------------------------



Logfile of HijackThis v1.99.0
Scan saved at 10:13:01 PM, on 21/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareRemover\ewido security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Removal Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.daewoocomputer.net
O15 - Trusted IP range: (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remote1.na.amec.com/dana-cached/set...oterisSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123301601218
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\SpywareRemover\ewido security suite\ewidoctrl.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC-cillin Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
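The HijackThis log above is read by eye in this thread. As an added example that is not part of the original post and is not HijackThis itself, the following Python script shows how the same first-pass triage can be scripted: it parses the R0/R1, O4, O16 and O23 line formats and flags the patterns a helper looks at first (autostart entries given as bare filenames or pointing outside the install roots, ActiveX downloads from hosts not on an allowlist, browser pages set to a raw IP address, services with no publisher). The sample log lines, the trusted directory roots and the DPF allowlist are constructed for the example; the 64.192.130.141 Search Page line is invented to show what a hijacked R1 entry looks like and was not in the posted log. A flag is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 line format, modelled on the log
# posted in this thread. Paths and URLs are shortened or made up; the
# 64.192.130.141 "Search Page" line is invented to show a hijacked entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.192.130.141/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/example/muweb.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\example.exe
"""

# Line formats HijackThis uses for the sections we triage.
RUN_RE     = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
DPF_RE     = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
R_RE       = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$')
IP_HOST_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

# Assumptions for the example: where legitimate software normally lives on
# this machine, and which hosts may serve ActiveX controls.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    item: str      # the path, URL or value that was flagged
    reason: str    # why it deserves a second look


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(log_text: str, dpf_allow=TRUSTED_DPF_HOSTS) -> list:
    """Scan a HijackThis log and return the entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            low = exe.lower()
            if "\\" not in low:
                findings.append(Finding("O4", exe, "bare filename, located through the PATH search order"))
            elif not low.startswith(TRUSTED_ROOTS):
                findings.append(Finding("O4", exe, "autostart outside the usual install roots"))
        elif m := DPF_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            if host not in dpf_allow:
                findings.append(Finding("O16", m["url"], f"ActiveX download source {host} not on the allowlist"))
        elif m := R_RE.match(line):
            data = m["data"]
            host = urlparse(data).hostname if "://" in data else None
            if host and IP_HOST_RE.match(host):
                findings.append(Finding(line[:2], f"{m['value']} = {data}", "browser page set to a bare IP address"))
            elif m["value"].strip() == "ProxyServer":
                findings.append(Finding(line[:2], data, "proxy configured; traffic can be intercepted"))
        elif m := SERVICE_RE.match(line):
            if m["company"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["path"], "service binary without a publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.item}")
```

On the sample the script flags SOUNDMAN.EXE (bare filename), the BackWeb entry (relative path), the ewido control (host not on the allowlist), the invented IP Search Page, and the service with no publisher; the Yahoo start page, the quoted QuickTime path and the Microsoft Update control pass. Entries such as the Logitech BackWeb item are common legitimate software, which is why the output is a review list rather than a removal list.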

#7 maldita

maldita
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:02 PM

Posted 21 October 2005 - 11:32 PM

Also, I get a pop up with this message whenever I surf the web now:

"Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly"

How do I stop this message from popping up whenever I jump from page to page?

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 22 October 2005 - 06:09 PM

Just to be sure after seeing all those references to Look2Me in the Ewido log, let's do this.
  • Please download
    Webroot’s SpySweeper Free 14 day trial version.
  • Open and Run the Installer. Double-click the installer file on your desktop to launch the installation wizard.
  • The installation wizard displays. Click Next.
  • Select “I Accept the Agreement” and click Next.
  • Select your install type. Webroot recommends selecting Typical, as this will properly install the software for most users.
  • Click Install when you are ready to install the software.
  • Finish setup and run Spy Sweeper
    The Finish button displays when installation is complete. Be sure that Run Spy Sweeper Now is selected and click Finish.
  • Spy Sweeper will ask if you want to update now. Select "yes". After that, the updates will be automatic.
  • Open Spy Sweeper.
  • Click on “Sweep”.
  • Click on “Start”.
  • Spy Sweeper will scan your computer and report what it finds.
  • Please post a new HijackThis log

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 22 October 2005 - 06:31 PM

Also, I get a pop up with this message whenever I surf the web now:

"Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly"

How do I stop this message from popping up whenever I jump from page to page?


You can do the following:

ActiveX controls & plug-ins: Disable All

* Download signed ActiveX controls
* Download unsigned ActiveX controls
* Run ActiveX controls and plug-ins
* Initialize and run ActiveX controls and plug-ins not marked as safe
* Script ActiveX controls marked as safe for scripting


A good site for setting Internet Explorer security settings

Change all settings for ActiveX controls and plug-ins to Disable. (Prompt might initially seem like a good compromise between Enable and Disable, but most users will be unable to cope with the flood of popup confirmation boxes that result.)


That is the safest setting for surfing the web, but you will have to change your Internet Options if you want to use the Windows Update site or any site that requires an ActiveX control. I use Firefox and there is no ActiveX allowed. I have Windows Update set to automatic.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from HERE
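The five settings listed in the post are the Internet zone's ActiveX URL actions. Internet Explorer stores them as DWORD values named 1001, 1004, 1200, 1201 and 1405 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where 0 means Enable, 1 Prompt and 3 Disable. The Python script below is an added example, not code from the post or from Microsoft: it audits a regedit export of that key against the "Disable All" advice and builds a .reg file that applies it. The export text is constructed for the example, and the function names are the example's own; only the registry path, value names and 0/1/3 encoding are Internet Explorer's. The caveat from the post still applies: a site that genuinely needs ActiveX, Windows Update included, belongs in the Trusted sites zone (Zones\2) rather than being a reason to re-enable it for the whole Internet zone.

```python
import re

# Internet Explorer URL action IDs (the registry value names) for the five
# ActiveX settings in the post, and how the DWORD encodes the radio button.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
}
STATES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed regedit export of the Internet zone (zone 3) for the example:
# signed downloads prompt, unsigned are disabled, running and safe-scripting
# are enabled. Real exports are UTF-16; open them with encoding="utf-16".
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"""

KEY_RE = re.compile(r'^\[(?P<path>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_zone(reg_text: str, zone: int = 3) -> dict:
    """Return {value_name: dword} for the requested zone key in a .reg export."""
    wanted = f"\\internet settings\\zones\\{zone}"
    in_zone = False
    values = {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            in_zone = m["path"].lower().endswith(wanted)
        elif in_zone and (m := VALUE_RE.match(line)):
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit_activex(reg_text: str, zone: int = 3) -> dict:
    """Map each ActiveX setting to Enable/Prompt/Disable. A value that is absent
    from the export is reported as 'Not set' instead of guessing the default."""
    values = parse_zone(reg_text, zone)
    report = {}
    for name, label in ACTIVEX_ACTIONS.items():
        if name in values:
            report[label] = STATES.get(values[name], f"Unknown ({values[name]})")
        else:
            report[label] = "Not set"
    return report


def not_disabled(reg_text: str, zone: int = 3) -> list:
    """The settings that still allow ActiveX in some form, i.e. anything but Disable."""
    return [label for label, state in audit_activex(reg_text, zone).items() if state != "Disable"]


def hardened_reg(zone: int = 3) -> str:
    """Build a .reg file setting all five ActiveX actions to Disable (3) for the zone."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\{zone}]",
    ]
    lines += [f'"{name}"=dword:00000003' for name in ACTIVEX_ACTIONS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, state in audit_activex(SAMPLE_EXPORT).items():
        print(f"{state:8} {label}")
    print("\n--- hardened.reg ---")
    print(hardened_reg())
```

To audit a real machine, export the key with `regedit /e zone3.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"`, read it with `encoding="utf-16"`, and feed the text to `audit_activex`; importing the file `hardened_reg()` produces is the same change the Internet Options dialog makes, so the script can verify its own result by parsing that output and finding nothing left enabled.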

#10 maldita

maldita
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:02 PM

Posted 22 October 2005 - 11:00 PM

Here is the result from Spy Sweeper:
---------------------------------------------



********
9:30 PM: | Start of Session, October 22, 2005 |
9:30 PM: Spy Sweeper started
9:30 PM: Sweep initiated using definitions version 560
9:30 PM: Starting Memory Sweep
9:31 PM: Found Adware: icannnews
9:31 PM: Detected running threat: C:\WINDOWS\system32\u8ru0i99e8.dll (ID = 83)
9:31 PM: Detected running threat: C:\WINDOWS\system32\meacm.dll (ID = 83)
9:32 PM: Memory Sweep Complete, Elapsed Time: 00:01:59
9:32 PM: Starting Registry Sweep
9:32 PM: Found Adware: blazefind_adstat
9:32 PM: HKLM\software\classes\winstatx.installer\ (2 subtraces) (ID = 104588)
9:32 PM: HKCR\winstatx.installer\ (2 subtraces) (ID = 104594)
9:33 PM: Found Adware: media-motor
9:33 PM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
9:33 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
9:33 PM: Found Adware: searchrelevancy
9:33 PM: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141290)
9:33 PM: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141293)
9:33 PM: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141295)
9:33 PM: HKLM\software\classes\updater.bho\ (4 subtraces) (ID = 141297)
9:33 PM: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141302)
9:33 PM: HKCR\updater.bho\ (4 subtraces) (ID = 141303)
9:33 PM: Found Trojan Horse: topconverting downloader
9:33 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mp3.ocx\ (ID = 143816)
9:33 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mp3.ocx (ID = 143830)
9:33 PM: Found Adware: websearch toolbar
9:33 PM: HKCR\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (7 subtraces) (ID = 146339)
9:33 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (7 subtraces) (ID = 146402)
9:33 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow_as2.dll (ID = 146497)
9:33 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (7 subtraces) (ID = 155047)
9:33 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\ (5 subtraces) (ID = 155058)
9:33 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155060)
9:33 PM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155062)
9:33 PM: Found Adware: internetoptimizer
9:33 PM: HKU\WRSS_Profile_S-1-5-21-3749347595-2791625709-2185142891-1007\software\avenue media\ (11 subtraces) (ID = 128887)
9:33 PM: Found Adware: directrevenue-abetterinternet
9:33 PM: HKU\WRSS_Profile_S-1-5-21-3749347595-2791625709-2185142891-1007\software\ceres\ (28 subtraces) (ID = 145851)
9:33 PM: HKU\WRSS_Profile_S-1-5-21-3749347595-2791625709-2185142891-1007\software\aurora\ (18 subtraces) (ID = 360174)
9:33 PM: HKU\WRSS_Profile_S-1-5-21-3749347595-2791625709-2185142891-1007\software\microsoft\windows\currentversion\run\ || internet optimizer (ID = 818746)
9:33 PM: Registry Sweep Complete, Elapsed Time:00:00:14
9:33 PM: Starting Cookie Sweep
9:33 PM: Found Spy Cookie: yieldmanager cookie
9:33 PM: gwen@ad.yieldmanager[2].txt (ID = 3751)
9:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:33 PM: Starting File Sweep
9:33 PM: c:\windows\inst (ID = -2147480086)
9:33 PM: Found Adware: winmovie dialer
9:33 PM: c:\windows\downloaded program files\conflict.1 (ID = -2147476814)
9:36 PM: m67m.inf (ID = 74028)
9:39 PM: abiuninst.htm (ID = 83087)
9:47 PM: Found Adware: winantispyware 2005
9:47 PM: uwfx5lp_0001_0715netinstaller.exe (ID = 114990)
9:48 PM: Found Adware: isearch desktop search
9:48 PM: deskbar.ini (ID = 64321)
9:48 PM: deskbar.ini (ID = 64321)
9:48 PM: File Sweep Complete, Elapsed Time: 00:15:04
9:48 PM: Full Sweep has completed. Elapsed time 00:17:20
9:48 PM: Traces Found: 201
9:49 PM: Removal process initiated
9:50 PM: Quarantining All Traces: directrevenue-abetterinternet
9:50 PM: Quarantining All Traces: websearch toolbar
9:50 PM: Quarantining All Traces: topconverting downloader
9:50 PM: Quarantining All Traces: blazefind_adstat
9:50 PM: Quarantining All Traces: icannnews
9:50 PM: icannnews is in use. It will be removed on reboot.
9:50 PM: C:\WINDOWS\system32\u8ru0i99e8.dll is in use. It will be removed on reboot.
9:50 PM: C:\WINDOWS\system32\meacm.dll is in use. It will be removed on reboot.
9:50 PM: Quarantining All Traces: internetoptimizer
9:50 PM: Quarantining All Traces: isearch desktop search
9:50 PM: Quarantining All Traces: media-motor
9:50 PM: Quarantining All Traces: searchrelevancy
9:50 PM: Quarantining All Traces: winantispyware 2005
9:50 PM: Quarantining All Traces: winmovie dialer
9:50 PM: Quarantining All Traces: yieldmanager cookie
9:50 PM: Warning: Launched explorer.exe
9:50 PM: Warning: Quarantine process could not restart Explorer.
9:51 PM: Preparing to restart your computer. Please wait...
9:51 PM: Removal process completed. Elapsed time 00:01:41
********
9:29 PM: | Start of Session, October 22, 2005 |
9:29 PM: Spy Sweeper started
9:29 PM: Messenger service has been disabled.
9:30 PM: Your spyware definitions have been updated.
9:30 PM: | End of Session, October 22, 2005 |

#11 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 23 October 2005 - 04:59 PM

Please run Ewido and reboot. Please run Spy Sweeper and reboot. Please post the logs from both. Just want to make sure everything is gone.

#12 maldita

maldita
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:02 PM

Posted 24 October 2005 - 10:38 PM

Here is the SpySweeper log :

********
8:44 PM: | Start of Session, October 24, 2005 |
8:44 PM: Spy Sweeper started
8:44 PM: Sweep initiated using definitions version 560
8:44 PM: Starting Memory Sweep
8:45 PM: Memory Sweep Complete, Elapsed Time: 00:01:23
8:45 PM: Starting Registry Sweep
8:45 PM: Registry Sweep Complete, Elapsed Time:00:00:12
8:45 PM: Starting Cookie Sweep
8:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:45 PM: Starting File Sweep
9:00 PM: File Sweep Complete, Elapsed Time: 00:14:26
9:00 PM: Full Sweep has completed. Elapsed time 00:16:09
9:00 PM: Traces Found: 0
********

-----------------------------------------------------------------------------------------------------------
....And here is the Ewido log :

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:42:52 PM, 24/10/2005
+ Report-Checksum: 9E27A1FC

+ Scan result:

No infected objects found.


::Report End




I followed your advice and so I am now using Mozilla Firefox as my browser. With Spy Sweeper still running in the background, I now get zero pop-ups and life is fantastic! I am so happy! I am considering getting the full version of SpySweeper because I think it's a great shield...and Mozilla is just awesome.

Thanks so much for all the help and all the advice. I really appreciate it ;o)

Keep up the good work!

#13 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 25 October 2005 - 10:57 AM

Your log appears to be clean. Please advise me of any problems you still have.

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. If you are using Windows ME or XP then you should disable and enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to disable and enable system restore here:
    Managing Windows Millennium System Restore

    or
    Windows XP System Restore Guide
    Computer Safety On line Anti Virus
  • Update your Anti Virus Software It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • You should scan your computer with Ad-Aware as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
    Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program. Trillian and Miranda IM are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow these steps and your potential for being infected again will reduce dramatically.

Good luck!
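The hosts file advice above, as an added example that is not part of the original post and is not from MVPS: a Python check that reads a hosts file the way the resolver does (first token an address, remaining tokens hostnames, anything after `#` a comment) and separates blocking entries, which point a hostname at 127.0.0.1 or 0.0.0.0 as the MVPS list does, from redirect entries, which point a hostname at some other address. A redirect entry is the signature of a hosts-file hijack that sends a legitimate site, often a security vendor or an update server, to an attacker's machine, so it is the thing to look for when a cleaned machine still behaves oddly. The sample file is constructed: its blocked hostnames come from the pop-up domains named at the start of this thread, and the redirect uses a reserved documentation address and a reserved example domain.

```python
import ipaddress

# Addresses that make a hosts entry a block rather than a redirect.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: MVPS-style block entries for the pop-up domains named
# in this thread, plus one redirect entry of the kind a hijacker plants
# (203.0.113.10 is a reserved documentation address, .example a reserved TLD).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [MVPS-style block list]
0.0.0.0  ad.yieldmanager.com
0.0.0.0  paypopup.com  www.paypopup.com   # two names on one line
127.0.0.1  abc-search.com
# what a hijack looks like: a real site sent to a third-party address
203.0.113.10   securityvendor.example
::1 localhost
"""


def parse_hosts(text: str):
    """Yield (address, [hostnames]) for each effective line, resolver-style:
    comments and blank lines are skipped, inline comments stripped, and lines
    whose first token is not an IP address are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            address = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield str(address), parts[1:]


def analyse_hosts(text: str) -> dict:
    """Split a hosts file into blocked names and suspicious redirects.
    'localhost' on a loopback address is normal and is not reported."""
    blocked, redirects = [], []
    for address, names in parse_hosts(text):
        for name in names:
            name = name.lower()
            if address in BLOCK_ADDRESSES:
                if name != "localhost":
                    blocked.append(name)
            else:
                redirects.append((name, address))
    return {"blocked": blocked, "redirects": redirects}


if __name__ == "__main__":
    # On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
    result = analyse_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} hostnames blocked")
    for name, address in result["redirects"]:
        print(f"REDIRECT {name} -> {address}  (verify this is intentional)")
```

Run against the real file, a large blocked count with an empty redirect list is what a correctly installed MVPS hosts file looks like. Any redirect to an address you did not put there yourself is a finding in its own right, because hosts entries win over DNS and a hijacked entry survives every scanner that only looks at the registry and on-disk programs. The DNS Client tip in the post is related: on XP that service caches the whole hosts file, which is where the slowdown with a very large file comes from, so setting it to manual removes the cost without changing what the file does.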

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:02 PM

Posted 15 December 2005 - 04:40 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



