Popups - Cleaning Mom's Computer


9 replies to this topic

#1 rboone2020


Posted 26 December 2005 - 03:09 PM

Folks,

While visiting my parents' home for the holidays, I was asked to remove the
demons on my mother's computer, which she uses mostly for online games. The
machine ran somewhat slowly, but more importantly, many, many pop-ups
would appear, even with Internet Explorer Pop-up blocker enabled and
no exceptions allowed. I have done scans with Ad-aware 6.0, Webroot,
Spybot, then followed your suggestions and scanned using Housecall
Anti-virus and McAfee Stinger. They all report clean now, except perhaps
for some cookies, after removing what was reported as several malware and
adware packages. I ran the HiJackThis software, which generated the
following report. If you could look through it and let me know if it is clean,
we all would appreciate it very much. If not, some guidance would be equally
appreciated.

Happy holidays,
Randy Boone

********************************************

Logfile of HijackThis v1.99.1
Scan saved at 11:56:06 AM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinFixer\wwfx5.exe
C:\Program Files\WinFixer\wfxcwr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFixer] C:\Program Files\WinFixer\wwfx5.exe /min
O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {18654EAD-F669-490E-AA9E-45A0456B63A3} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CA5A2476-DC02-410C-A8D5-13D3F2E5A35D} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Support - {CF9E0860-5BA9-419D-AB4F-9E830894571D} - http://www.comcastsupport.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.3.3.27/batt...x-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.4.49/cana...a-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.2.29/soli...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.37/...k-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.3.3.27/harv...t-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5.30/hea...s-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.1.0.39/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.4.31/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.1.0.39/free...l-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.2.30/peng...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.3.3.27/wate...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.4.49/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.64/popf...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.3.4.64/popp...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.4.3.28/hots...k-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.0.48/squa...s-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades04.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.34/spid...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.4.31...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.2.30/peak...s-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker04.pogo.com/applet/videopoker...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.3.28/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game5.pogo.com/applet-6.1.2.32/worl...s-ob-assets.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe


#2 MFDnSC


Posted 26 December 2005 - 05:55 PM

Control Panel - add remove programs - remove WinFixer if present

AdAware 6 is very out of date

Get all of these and/or verify you have the current versions

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://www.microsoft.com/downloads/details...&displaylang=en (XP and W2K only)

Download them (they are free), install them, check each for their definition updates and then run AdAware, MS AntiSpy (W2k/XP) and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize


Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [WinFixer] C:\Program Files\WinFixer\wwfx5.exe /min

O4 - HKLM\..\Run: [WinFixer helper] C:\Program Files\WinFixer\wfxcwr.exe

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\WinFixer

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 rboone2020


Posted 27 December 2005 - 01:37 PM

Hi,

Things worked well, I believe. I completed the scans with
updated software. AdAware SE 1.06 found some things it
asked to be fixed, but Spybot and Antispy were happy.

The only minor complication, perhaps because of my earlier
efforts, was that
C:\Program Files\WinFixer\wwfx5.exe /min was no longer in
the HJT log. Only the second entry
C:\Program Files\WinFixer\wfxcwr.exe was present. I asked
HJT to fix that entry.
Regardless, the WinFixer directory was removed using
Killbox.exe.

Below is an updated log ...

Thanks once again,
Randy Boone

*****************

Logfile of HijackThis v1.99.1
Scan saved at 10:30:41 AM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {18654EAD-F669-490E-AA9E-45A0456B63A3} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CA5A2476-DC02-410C-A8D5-13D3F2E5A35D} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Support - {CF9E0860-5BA9-419D-AB4F-9E830894571D} - http://www.comcastsupport.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.3.3.27/batt...x-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.4.49/cana...a-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.2.29/soli...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.37/...k-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.3.3.27/harv...t-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5.30/hea...s-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.1.0.39/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.4.31/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.1.0.39/free...l-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.2.30/peng...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.3.3.27/wate...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.4.49/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.64/popf...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.3.4.64/popp...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.4.3.28/hots...k-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.0.48/squa...s-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades04.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.34/spid...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.4.31...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.2.30/peak...s-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker04.pogo.com/applet/videopoker...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.3.28/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game5.pogo.com/applet-6.1.2.32/worl...s-ob-assets.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

#4 rboone2020


Posted 27 December 2005 - 02:25 PM

Hi again,

I should have mentioned that the pop-ups continue,
although processes seem faster.

Thanks,
Randy

#5 MFDnSC


Posted 27 December 2005 - 03:09 PM

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
==========================

It appears that your Norton is not functional

Get the free AVG 7, install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 rboone2020


Posted 27 December 2005 - 11:50 PM

Success, it seems, although more popups suggest some
culprit remains. I first downloaded and updated Ewido,
then downloaded and scanned with AVG 7.0. I then
went into safe mode, and as you say, Ewido took more
than an hour to complete its scan, finding and fixing 20 items it
found offensive. Below, please find an HJT log run upon
reboot, and the Ewido log created during the scan in
safe mode.

Thanks again,
Randy

*********************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:41:48 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\cmd.exe
C:\PROGRA~1\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft

Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program

Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -

C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program

Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -

C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program

Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program

Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program

Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {18654EAD-F669-490E-AA9E-45A0456B63A3} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CA5A2476-DC02-410C-A8D5-13D3F2E5A35D} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Support - {CF9E0860-5BA9-419D-AB4F-9E830894571D} - http://www.comcastsupport.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.3.3.27/batt...x-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.4.49/cana...a-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.2.29/soli...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.37/...k-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.3.3.27/harv...t-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5.30/hea...s-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.1.0.39/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.4.31/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.1.0.39/free...l-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.2.30/peng...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.3.3.27/wate...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.4.49/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.64/popf...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.3.4.64/popp...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.4.3.28/hots...k-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.0.48/squa...s-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades04.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.34/spid...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...es-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.4.31...th-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.2.30/peak...s-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker04.pogo.com/applet/videopoker...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.3.28/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game5.pogo.com/applet-6.1.2.32/worl...s-ob-assets.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe



***********************************************************

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:39:05 PM, 12/27/2005
+ Report-Checksum: D9727C3D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-4279865818-469815772-4030538681-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Yahvirus\Cache\000072ae_4395b047_0003d090 -> Downloader.Phel.d : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139259.exe -> Adware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139287.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139296.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139306.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139314.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139324.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139348.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP202\A0139430.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
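As an added example (not code from this thread, from HijackThis or from the helpers here), the following Python script does the first-pass triage an analyst performs by hand on HijackThis v1.99 entries like the ones above: it flags orphaned entries marked "(file missing)" or "(no file)", O16 ActiveX downloads from hosts outside an allow-list or from non-http sources, O20 Winlogon Notify DLLs, O6 IE policy restrictions and O23 services with no vendor string. The sample lines are copied from the log posted above. The allow-list of download hosts (pogo.com, symantec.com, microsoft.com) is an assumption for this particular user, and a flag means "review", not "malicious": the Intel igfxcui entry and the Help and Support Center hcp:// controls, for instance, are expected on this machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.3.3.27/batt...x-ob-assets.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed allow-list for O16 (Downloaded Program Files) sources: the pogo.com game
# CABs this user plays plus the Symantec/Microsoft support controls seen in the log.
# Anything else is raised for review, which is not the same as calling it malicious.
DPF_ALLOWED_DOMAINS = ("pogo.com", "symantec.com", "microsoft.com")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    code: str
    severity: str
    reason: str
    raw: str


def host_allowed(host: Optional[str]) -> bool:
    """Exact or subdomain match only; 'evilpogo.com' must not pass as 'pogo.com'."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DPF_ALLOWED_DOMAINS)


def triage_entry(code: str, body: str, raw: str) -> List[Finding]:
    found: List[Finding] = []

    def add(severity: str, reason: str) -> None:
        found.append(Finding(code, severity, reason, raw))

    if "(file missing)" in body or "(no file)" in body:
        add("low", "orphaned entry: the target file no longer exists, safe to fix")
    if code == "R3" and "is missing" in body:
        add("low", "default URLSearchHook absent (common after adware cleanup); HijackThis can restore it")
    if code == "O6":
        add("medium", "IE policy restrictions set under HKCU\\Software\\Policies; confirm they were set deliberately")
    if code == "O16":
        m = URL_RE.search(body)
        url = m.group(0) if m else ""
        parsed = urlparse(url)
        if parsed.scheme.lower() not in ("http", "https"):
            src = url or "?"
            add("medium", f"ActiveX control from non-http source {src}; confirm it is a built-in (hcp://) control")
        elif not host_allowed(parsed.hostname):
            add("medium", f"ActiveX control downloaded from host not on the allow-list: {parsed.hostname}")
    if code == "O20":
        add("high", "Winlogon Notify DLL is loaded into winlogon.exe at logon; verify the DLL's publisher")
    if code == "O23" and "Unknown owner" in body:
        add("medium", "service binary carries no recognised vendor string; verify its signature and path")
    return found


def triage_log(text: str) -> List[Finding]:
    """Parse every 'Xn - body' entry and return findings, highest severity first."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:          # header lines, blank lines and 'Running processes' paths
            continue
        findings.extend(triage_entry(m.group("code"), m.group("body"), line))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.code}: {f.reason}")
        print(f"         {f.raw}")
```

Run against the sample it reports nine findings, the single "high" being the O20 entry, because a Winlogon Notify DLL is one of the few slots in the log that runs code as SYSTEM before any user session exists; the two O23 findings on the same LiveUpdate line show why one entry can carry several reasons.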

#7 MFDnSC

Ret. Director I/T

Posted 28 December 2005 - 12:30 PM

When you post the next log, in Notepad go to Format and click on Word Wrap.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 rboone2020

Topic Starter

Posted 28 December 2005 - 01:15 PM

That went fine, it seems. Below are the wrapped log files (if you were asking me to unwrap the logs, sorry). Thanks once again,

Randy Boone

********************************

Logfile of HijackThis v1.99.1
Scan saved at 10:10:03 AM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {53829F91-1B06-4DB9-B13E-812A986169F9} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {18654EAD-F669-490E-AA9E-45A0456B63A3} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {CA5A2476-DC02-410C-A8D5-13D3F2E5A35D} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Support - {CF9E0860-5BA9-419D-AB4F-9E830894571D} - http://www.comcastsupport.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.3.3.27/batt...x-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.3.4.49/cana...a-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.2.29/soli...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.3.0.46/supe...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.37/...k-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.3.3.27/harv...t-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5.30/hea...s-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.1.0.39/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.4.31/mahj...g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.1.0.39/free...l-ob-assets.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.2.30/peng...s-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.3.3.27/wate...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.4.49/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.3.4.64/popf...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.3.4.64/popp...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.0.4.31/popp...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.4.3.28/hots...k-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.4.0.48/squa...s-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades04.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.4.0.34/spid...r-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.4.31...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.4.2.30/peak...s-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker04.pogo.com/applet/videopoker...r-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.3.28/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game5.pogo.com/applet-6.1.2.32/worl...s-ob-assets.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe


***********************************

Running from directory:
C:\RBB\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CpTW8A34MQ99]
@=" K2lhWdEFFEFFGFf3x e21EFFEUHFoafflF6C67w0LKFv5 9w56Fs70 0s3 G6C6"
"Device"="\\\\.\\NpfiMon"
"DriverPath"="C:\\WINNT\\system32\\drivers\\atmimapi.sys"
"DriverName"="i2oTPEL"
"HideUninstallerName"="C:\\Program Files\\Yahvirus\\makrdsvr.exe"
"UninstallerPath"="C:\\WINNT\\system32\\mrtpi(3).exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{72BD8EC9-DCFD-4E17-BB5E-6DB0F8F2E43C}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINNT\\system32\\blabjapi.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X58fd593-4fe1-2e8e-5dcf-882bbbf21b54}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service i2oTPEL removed.

Removing hidden folder:
Deletion of folder Yahvirus succeeded!

Deleting files:

Deletion of file C:\WINNT\system32\drivers\atmimapi.sys succeeded!
Deletion of file C:\WINNT\system32\clitppui.exe succeeded!
Deletion of file C:\WINNT\system32\blabjapi.dll succeeded!
Deletion of file C:\WINNT\system32\mrtpi(3).exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CpTW8A34MQ99]
[-HKEY_LOCAL_MACHINE\Software\CpTW8A34MQ99]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{72BD8EC9-DCFD-4E17-BB5E-6DB0F8F2E43C}]

Done!

Finished!
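The "Registry entries found" and "Removing registry entries" sections above are in REGEDIT4 export syntax: "[Key]" opens a key, "@=" is the key's default value, string data escapes each backslash as "\\", "dword:" data is hexadecimal, and "[-Key]" in the second block deletes the key. The following is an added example, not part of AproposFix or of this thread: it parses both sections, sorts the values into file, device, service, registry and network indicators by their shape rather than by name, and turns them into a post-cleanup verification list. The sample text is copied from the log above. Two points are assumptions: treating the DriverName value as the hidden service's name rests on the tool's own "Service i2oTPEL removed" line, and reading CrMnTmt (0x36ee80 = 3,600,000) as a one-hour interval in milliseconds is a guess from the value alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union
from urllib.parse import urlparse

RegValue = Union[str, int]

# Constructed sample: the key AproposFix reported, copied from the log above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\Software\CpTW8A34MQ99]
@=" K2lhWdEFFEFFGFf3x e21EFFEUHFoafflF6C67w0LKFv5 9w56Fs70 0s3 G6C6"
"Device"="\\\\.\\NpfiMon"
"DriverPath"="C:\\WINNT\\system32\\drivers\\atmimapi.sys"
"DriverName"="i2oTPEL"
"HideUninstallerName"="C:\\Program Files\\Yahvirus\\makrdsvr.exe"
"UninstallerPath"="C:\\WINNT\\system32\\mrtpi(3).exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{72BD8EC9-DCFD-4E17-BB5E-6DB0F8F2E43C}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINNT\\system32\\blabjapi.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X58fd593-4fe1-2e8e-5dcf-882bbbf21b54}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"""

# Constructed sample: the REGEDIT4 deletion script from the same log.
SAMPLE_DELETE_SCRIPT = r"""
REGEDIT4

[-HKEY_CURRENT_USER\Software\CpTW8A34MQ99]
[-HKEY_LOCAL_MACHINE\Software\CpTW8A34MQ99]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{72BD8EC9-DCFD-4E17-BB5E-6DB0F8F2E43C}]
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Assumption: values whose data names a service/driver rather than a path.
# The log above supports it: the tool reports "Service i2oTPEL removed".
SERVICE_NAME_VALUES = {"DriverName"}


@dataclass
class RegFile:
    keys: Dict[str, Dict[str, RegValue]] = field(default_factory=dict)
    deletions: List[str] = field(default_factory=list)


def unescape(s: str) -> str:
    """REGEDIT4 string data escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_data(data: str) -> RegValue:
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)          # dword data is hexadecimal
    return data                            # hex:/binary data left raw (unused here)


def parse_reg(text: str) -> RegFile:
    reg, current = RegFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group("delete"):          # [-Key] deletes the whole key
                reg.deletions.append(m.group("key"))
                current = None
            else:
                current = reg.keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "@" if name == "@" else unescape(name[1:-1])
            current[name] = parse_data(m.group("data"))
    return reg


def classify(name: str, value: RegValue) -> str:
    """Bucket a value by the shape of its data, falling back to the name only for service names."""
    if isinstance(value, int):
        return "dwords"
    if re.match(r"^[A-Za-z]:\\", value):
        return "files"
    if value.startswith("\\\\.\\"):       # Win32 device namespace, e.g. \\.\NpfiMon
        return "devices"
    if value.upper().startswith("HKEY_"):
        return "registry_keys"
    if URL_RE.match(value):
        return "urls"
    if HOST_RE.match(value):               # bare host; "CP.IST2" fails the TLD test
        return "hosts"
    if name in SERVICE_NAME_VALUES:
        return "services"
    return "other"


def extract_iocs(values: Dict[str, RegValue]) -> Dict[str, object]:
    cats = {k: set() for k in ("files", "devices", "services", "registry_keys", "urls", "hosts")}
    dwords: Dict[str, int] = {}
    for name, value in values.items():
        cat = classify(name, value)
        if cat == "dwords":
            dwords[name] = int(value)
        elif cat != "other":
            cats[cat].add(value)
            if cat == "urls":              # a URL also yields a host to hunt for
                host = urlparse(value).hostname
                if host:
                    cats["hosts"].add(host)
    out: Dict[str, object] = {k: sorted(v) for k, v in cats.items()}
    out["dwords"] = dwords
    return out


def verification_checklist(iocs: Dict[str, object], deletions: List[str]) -> List[Tuple[str, str]]:
    """What to re-check after the cleanup: each item is (check, target)."""
    checks = [("file_absent", p) for p in iocs["files"]]
    checks += [("device_absent", d) for d in iocs["devices"]]
    checks += [("service_absent", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + s) for s in iocs["services"]]
    # Keys named inside the adware's own config are merged with the keys the script deletes.
    keys = sorted(set(iocs["registry_keys"]) | set(deletions))
    checks += [("key_absent", k) for k in keys]
    checks += [("hunt_dns_proxy", h) for h in iocs["hosts"]]
    return checks


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_DUMP + SAMPLE_DELETE_SCRIPT)
    for key, values in reg.keys.items():
        print("Key:", key)
        iocs = extract_iocs(values)
        for cat, items in iocs.items():
            print(f"  {cat}: {items}")
        for check, target in verification_checklist(iocs, reg.deletions):
            print(f"  [{check}] {target}")
```

The checklist is returned as (check, target) pairs rather than printed text so it can drive a scripted audit after the reboot: the four "file_absent" paths and the Services key for i2oTPEL are the ones to confirm are really gone once the hiding driver is no longer loaded, and "hunt_dns_proxy" for adchannel.contextplus.net is the item to look for in router or proxy logs to see whether anything on the network is still checking in.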

#9 MFDnSC

Ret. Director I/T

Posted 28 December 2005 - 01:29 PM

How are things? The log looks good.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#10 rboone2020

Topic Starter

Posted 28 December 2005 - 06:31 PM

It's working like a charm! I guess the infection was deep (a dreaded rootkit infestation we semi-techies recently heard so much about?). I wonder what she got into ... Anyway, the timing is great; I fly out early tomorrow. Thanks once again for all your help.

Cheers,
Randy



