
Pop Ups


  • This topic is locked
5 replies to this topic

#1 abrigant

abrigant

  • Members
  • 14 posts

Posted 07 November 2005 - 10:31 PM

I'm getting pop-ups that occur every few minutes. Also, every now and then, when I'm using Firefox, I get redirected to an advertisement site. Neither Spybot Search & Destroy nor Ad-Aware can fix this problem and I'm pretty much clueless as to what to do next. Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 7:22:07 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Air Force Institute of Technology Cisco VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\n8l80i3ue8.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 November 2005 - 11:48 AM

Hello,

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window, save it in Notepad and place it on your desktop.
  • Click the Summary tab and click Finish.
  • REBOOT (Really important!!)
  • Paste the contents of the session log you copied into your next reply, together with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 abrigant


Posted 08 November 2005 - 09:00 PM

Wow, it found a lot of stuff. Here's the Webroot log.

********
5:36 PM: | Start of Session, Tuesday, November 08, 2005 |
5:36 PM: Spy Sweeper started
5:36 PM: Sweep initiated using definitions version 569
5:36 PM: Starting Memory Sweep
5:37 PM: Found Adware: icannnews
5:37 PM: Detected running threat: C:\WINDOWS\system32\p4n8le5u1h.dll (ID = 83)
5:37 PM: Detected running threat: C:\WINDOWS\system32\aatxprxy.dll (ID = 83)
5:38 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
5:38 PM: Memory Sweep Complete, Elapsed Time: 00:01:43
5:38 PM: Starting Registry Sweep
5:38 PM: Found Adware: hungryhands
5:38 PM: HKCR\typelib\{03f8822f-8877-4002-8bcd-b532d53d8471}\ (ID = 127834)
5:38 PM: HKLM\software\classes\typelib\{03f8822f-8877-4002-8bcd-b532d53d8471}\ (ID = 127840)
5:38 PM: Found Adware: isearch desktop search
5:38 PM: HKCR\mfiltis\ (3 subtraces) (ID = 129007)
5:38 PM: HKLM\software\classes\mfiltis\ (3 subtraces) (ID = 129010)
5:38 PM: Found Adware: linkmaker
5:38 PM: HKLM\software\lmu\ (4 subtraces) (ID = 129745)
5:38 PM: Found Adware: webrebates
5:38 PM: HKLM\software\classes\typelib\{15e7d23b-736e-46fa-bffd-cbec4126befd}\ (ID = 146296)
5:38 PM: HKCR\typelib\{15e7d23b-736e-46fa-bffd-cbec4126befd}\ (ID = 146304)
5:38 PM: Found Adware: cws-aboutblank
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
5:38 PM: Found Trojan Horse: findwhatevernow
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\clock\ || of (ID = 126488)
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\clock\ || sf (ID = 126489)
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\clock\ || prc_id (ID = 126490)
5:38 PM: Found Adware: drsnsrch.com hijack
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
5:38 PM: Found Adware: targetsaver
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\tsl2\ (1 subtraces) (ID = 143616)
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
5:38 PM: Found Adware: cram toolbar
5:38 PM: HKU\S-1-5-21-3302905452-1377488156-2465576000-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {01e69986-a054-4c52-abe8-ef63df1c5211} (ID = 826757)
5:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:38 PM: Registry Sweep Complete, Elapsed Time:00:00:11
5:38 PM: Starting Cookie Sweep
5:38 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:38 PM: Starting File Sweep
5:38 PM: Found Adware: 180search assistant/zango
5:38 PM: c:\windows\system32\fleok (ID = -2147480556)
5:38 PM: Found Adware: delfin
5:38 PM: c:\windows\system32\wsxsvc (1 subtraces) (ID = -2147481115)
5:38 PM: c:\documents and settings\all users\application data\wsxs (5 subtraces) (ID = -2147481131)
5:38 PM: c:\windows\system32\vmss (ID = -2147481116)
5:38 PM: Found Adware: findwhatevernow toolbar
5:38 PM: c:\program files\externalicons (ID = -2147480981)
5:38 PM: c:\windows\winskw (5 subtraces) (ID = -2147480862)
5:38 PM: Found Trojan Horse: trojan-downloader-topinstalls
5:38 PM: seedcorn.exe (ID = 80999)
5:39 PM: Found Adware: tinkopal
5:39 PM: mstub-pal_nmw_qt_a353_r15951.exe (ID = 79551)
5:39 PM: Found Trojan Horse: lzio
5:39 PM: 20005.exe (ID = 68949)
5:39 PM: license.txt (ID = 57724)
5:39 PM: Found Adware: surfsidekick
5:39 PM: tvmk14.exe (ID = 77808)
5:39 PM: oty2mjo4ojey.exe (ID = 64339)
5:39 PM: Found Adware: e2g
5:39 PM: pi1_25.exe (ID = 59402)
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: Found Adware: mindset interactive - favoriteman
5:39 PM: atpartners.dll (ID = 69813)
5:40 PM: saie1108.exe (ID = 70425)
5:40 PM: hlinstaller4.exe (ID = 65561)
5:40 PM: sskb5.exe (ID = 77683)
5:40 PM: saie_gdf.dat (ID = 70440)
5:40 PM: lmf32v.dll (ID = 65591)
5:40 PM: Found Adware: virtualbouncer
5:40 PM: wrapperouter.exe (ID = 82848)
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: hyperlinker.exe (ID = 65566)
5:41 PM: Found Adware: purityscan
5:41 PM: m?hta.exe (ID = 73100)
5:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:43 PM: Found Adware: tvmedia
5:43 PM: tvmknwrd.dll (ID = 81726)
5:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:43 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:45 PM: Found Adware: isearch toolbar
5:45 PM: delprot.ini (ID = 64356)
5:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:47 PM: im64.dll (ID = 69841)
5:47 PM: deskbar.ini (ID = 64321)
5:47 PM: deskbar.ini (ID = 64321)
5:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:47 PM: File Sweep Complete, Elapsed Time: 00:09:39
5:47 PM: Full Sweep has completed. Elapsed time 00:11:37
5:47 PM: Traces Found: 68
5:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:48 PM: Removal process initiated
5:48 PM: Quarantining All Traces: 180search assistant/zango
5:48 PM: Quarantining All Traces: cws-aboutblank
5:48 PM: Quarantining All Traces: findwhatevernow
5:48 PM: Quarantining All Traces: icannnews
5:49 PM: icannnews is in use. It will be removed on reboot.
5:49 PM: C:\WINDOWS\system32\p4n8le5u1h.dll is in use. It will be removed on reboot.
5:49 PM: C:\WINDOWS\system32\aatxprxy.dll is in use. It will be removed on reboot.
5:49 PM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
5:49 PM: Quarantining All Traces: isearch desktop search
5:49 PM: Quarantining All Traces: lzio
5:49 PM: Quarantining All Traces: purityscan
5:49 PM: Quarantining All Traces: surfsidekick
5:49 PM: Quarantining All Traces: cram toolbar
5:49 PM: Quarantining All Traces: findwhatevernow toolbar
5:49 PM: Quarantining All Traces: trojan-downloader-topinstalls
5:49 PM: Quarantining All Traces: delfin
5:49 PM: Quarantining All Traces: drsnsrch.com hijack
5:49 PM: Quarantining All Traces: e2g
5:49 PM: Quarantining All Traces: hungryhands
5:49 PM: Quarantining All Traces: isearch toolbar
5:49 PM: Quarantining All Traces: linkmaker
5:49 PM: Quarantining All Traces: mindset interactive - favoriteman
5:49 PM: Quarantining All Traces: targetsaver
5:49 PM: Quarantining All Traces: tinkopal
5:49 PM: Quarantining All Traces: tvmedia
5:49 PM: Quarantining All Traces: virtualbouncer
5:49 PM: Quarantining All Traces: webrebates
5:49 PM: Removal process completed. Elapsed time 00:01:00
********
5:35 PM: | Start of Session, Tuesday, November 08, 2005 |
5:35 PM: Spy Sweeper started
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:36 PM: Your spyware definitions have been updated.
5:36 PM: | End of Session, Tuesday, November 08, 2005 |

And here's the HijackThis log after restarting.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:52 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Air Force Institute of Technology Cisco VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4 miekiemoes


Posted 09 November 2005 - 02:35 AM

Hello,

Well, it seems like it is fixed. :thumbsup:
Normally popups must be gone now.

Just perform the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe.
This will create a new folder on your desktop with the name l2mfix.
Open that folder and double-click second.bat.
It will scan for a while and delete some leftovers and restore the registry.
Afterwards, a log will open, just close it again.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently and don't forget to update beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again! :flowers:

#5 abrigant


Posted 09 November 2005 - 07:46 PM

Like you said, all the pop-ups and stuff are gone :thumbsup:. I'm glad it was an easy fix. I've taken the precautions you've suggested so hopefully it won't happen again (but if it does I know where to come :flowers:). Thank you so much for helping me with this problem!!!!!

#6 miekiemoes


Posted 10 November 2005 - 01:00 AM

Glad I could help.

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



