Pop-ups


  • This topic is locked
12 replies to this topic

#1 ever_looking_up


Posted 10 April 2006 - 11:25 PM

Well, I'm having some serious problems that I'm not aware of how to fix. Your help would be greatly appreciated. I keep getting popups by a program called Zeno, and also a program that I don't remember offhand. Here's a HJT log. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 11:19:30 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\pwinkraf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\common files\aol\1142365287\ee\aim6.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dstjgai.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsq16F.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmpjuu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [wb40bc14.dll] RUNDLL32.EXE wb40bc14.dll,I2 000324610b40bc14
O4 - HKLM\..\Run: [bgasvr] C:\WINDOWS\system32\bovbvt.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [wcguw] C:\WINDOWS\system32\bovbvt.exe reg_run
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinkraf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


#2 Rawe


Posted 11 April 2006 - 08:47 AM

Hello.. :thumbsup:

Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk ( C: )" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & Explorer folders, then double-click on QooFix.bat.
Choose option #1 (QooFix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
Then please post back with a fresh HijackThis log by using AddReply. :flowers:
Hi there, stranger!

#3 ever_looking_up


Posted 11 April 2006 - 06:00 PM

Thanks for the reply. Coincidentally, as I started typing this, I got another pop-up from that Zeno thing. But I do appreciate the help. Umm, I don't know if this has anything to do with something on my computer, but all of my desktop and window fonts have changed recently from what I had them set as. Even when I went in and changed them, they were still not right. Thanks again for your continued help.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:48 PM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\pwinkraf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\David\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsq16F.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmpjuu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [wb40bc14.dll] RUNDLL32.EXE wb40bc14.dll,I2 000324610b40bc14
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinkraf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#4 Rawe


Posted 12 April 2006 - 07:49 AM

Ok.. Let's continue. Go ahead and delete BFU. :thumbsup:

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :flowers:
Hi there, stranger!

#5 ever_looking_up


Posted 12 April 2006 - 11:43 PM

I ran that. Here's the report and a new HJT log. Thanks.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:27:13 PM, 4/12/2006
+ Report-Checksum: BE3DE581

+ Scan result:

C:\Documents and Settings\David\Cookies\david@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 11:40:25 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pwinkraf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\maintainence stuff\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsq16F.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmpjuu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [wb40bc14.dll] RUNDLL32.EXE wb40bc14.dll,I2 000324610b40bc14
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinkraf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#6 Rawe


Posted 13 April 2006 - 07:46 AM

Well, that's interesting. Do you still seem to have the popups?

Go ahead and uninstall Ewido. :thumbsup:

==

Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsq16F.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmpjuu.dll
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [wb40bc14.dll] RUNDLL32.EXE wb40bc14.dll,I2 000324610b40bc14
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinkraf.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.

==

Through Add/Remove programs, uninstall the following entry:

BearShare

==

Now, please navigate to and delete the following files & folder (IF PRESENT):

C:\WINDOWS\system32\nsq16F.dll
C:\WINDOWS\system32\irsmpjuu.dll
C:\Program Files\BearShare
wb40bc14.dll <= Locate with Windows Search
C:\WINDOWS\system32\pwinkraf.exe


==


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then post back with a fresh log. :flowers:
Hi there, stranger!
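The entries Rawe picks out by hand in the post above (the extra program appended to UserInit in the first log, the rundll32 line that loads a DLL by bare name, the Startup-folder shortcuts that launch programs straight from system32, the Trusted Zone additions, and the ActiveX download from elitemediagroup.net) can be flagged mechanically. The script below is an added example and is not part of this thread or of HijackThis; the sample lines are copied from the logs posted above, while the allowlist of vetted ActiveX hosts and the rules themselves are assumptions an analyst would tune to their own environment.

```python
"""Rule-based triage for HijackThis v1.99 log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis logs posted in this
# thread, plus two known-good lines (the Java updater Run entry and Microsoft's
# WGA control) so the rules have something they must NOT flag.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dstjgai.exe
O4 - HKLM\..\Run: [wb40bc14.dll] RUNDLL32.EXE wb40bc14.dll,I2 000324610b40bc14
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinkraf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# Assumption: hosts the analyst has already vetted as legitimate ActiveX sources.
KNOWN_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com",
                   "download.bitdefender.com", "acs.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$")


def first_path(cmd):
    """Program path at the start of a Run command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_file(cmd):
    """The file a Run command really executes: the DLL argument for rundll32 lines."""
    prog = first_path(cmd)
    if basename(prog) == "rundll32.exe":
        return cmd.split(None, 1)[1].split(",", 1)[0].strip()
    return prog


def check_f2(body):
    # F2 - REG:system.ini: UserInit=<comma-separated programs run at every logon>
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
    if not m:
        return None
    progs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in progs if not p.lower().endswith(r"\system32\userinit.exe")]
    return f"UserInit runs extra program(s) at logon: {', '.join(extra)}" if extra else None


def check_o4(body):
    m = RUN_RE.match(body)
    if m:
        cmd = m.group("cmd")
        dll = launched_file(cmd)
        if basename(first_path(cmd)) == "rundll32.exe" and "\\" not in dll:
            return f"rundll32 loads {dll} by bare name; locate it with Windows Search"
        return None
    m = STARTUP_RE.match(body)
    if m and "\\system32\\" in m.group("target").lower():
        return "Startup-folder shortcut launches a program straight from system32"
    return None


def check_o15(body):
    if body.startswith("Trusted Zone:"):
        return "site added to IE Trusted Zone (relaxed security settings for that host)"
    return None


def check_o16(body):
    host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
    return None if host in KNOWN_DPF_HOSTS else f"ActiveX control downloaded from unvetted host {host}"


RULES = {"F2": check_f2, "O4": check_o4, "O15": check_o15, "O16": check_o16}


def triage(log_text):
    """Return [(line, reason)] for every log line some rule flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rule = RULES.get(m.group("section"))
        reason = rule(m.group("body")) if rule else None
        if reason:
            findings.append((line.strip(), reason))
    return findings


def persistence_counts(log_text):
    """Executables launched by more than one O4 entry (the multi-hook pattern Zeno uses)."""
    counts = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("section") != "O4":
            continue
        run, start = RUN_RE.match(m.group("body")), STARTUP_RE.match(m.group("body"))
        target = launched_file(run.group("cmd")) if run else (start.group("target") if start else None)
        if target:
            counts[basename(target)] = counts.get(basename(target), 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    for exe, n in persistence_counts(SAMPLE_LOG).items():
        print(f"{exe} is launched by {n} separate O4 entries")
```

Run against the sample, the script flags the UserInit addition, the bare-name rundll32 DLL, both Startup shortcuts, the Trusted Zone entry and the elitemediagroup.net download, leaves the Java updater and the Microsoft WGA control alone, and reports that pwinkraf.exe is hooked from two separate O4 entries, which is why removing only the Startup shortcut, as happened between the third and fourth logs above, left the Run entry behind.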

#7 ever_looking_up


Posted 13 April 2006 - 07:15 PM

Well, I went ahead and did everything you said, except deleting BearShare. The reason for this is that I enjoy the ability to download music. If you could recommend a better free program, that would be great. And of those 4 files you told me to delete, only one of them was there. Anywho, the pop-ups are still coming pretty frequently. The other pop-up thing I told you about is called click2begin. The titles at the top of the windows always have www and a number, followed by click2begin. Anywho, thanks for your help.


Logfile of HijackThis v1.99.1
Scan saved at 7:05:44 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\common files\aol\1142365287\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\maintainence stuff\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 14 April 2006 - 04:21 AM

Read on BearShare: http://www.spywareinfo.com/articles/p2p/
It bundles malware with the free version and you got it.

Please uninstall it, then delete the folder and fix the HijackThis entry for BearShare.

Go ahead and remove ATF-Cleaner. :thumbsup:

==

I don't know why Zeno is being stubborn. It does seem you didn't fix all the entries from HijackThis I asked you to. Let's run SpySweeper to remove it entirely.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Edited by Rawe, 14 April 2006 - 08:49 AM.

Hi there, stranger!

#9 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts

Posted 14 April 2006 - 12:26 PM

Touché, salesman. Anyway, I deleted it and did everything you recommended. Computer's back to normal. Still getting pop-ups, but no more than I was when I first got the internet. If you could recommend a good pop-up stopper, that'd be good. Any other advice you have, I'm all ears. Thanks for your help.

********
8:36 AM: | Start of Session, Friday, April 14, 2006 |
8:36 AM: Spy Sweeper started
8:36 AM: Sweep initiated using definitions version 657
8:36 AM: Starting Memory Sweep
8:38 AM: Memory Sweep Complete, Elapsed Time: 00:02:21
8:38 AM: Starting Registry Sweep
8:38 AM: Found Adware: zenosearchassistant
8:38 AM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
8:38 AM: HKLM\software\microsoft\windows\currentversion\uninstall\enhanced ads by zeno\ (2 subtraces) (ID = 147934)
8:38 AM: Found Adware: winad
8:38 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (2 subtraces) (ID = 763026)
8:38 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
8:38 AM: Found Adware: whenu save
8:38 AM: HKCR\acm.acmfactory\ (5 subtraces) (ID = 773927)
8:38 AM: HKCR\acm.acmfactory.1\ (3 subtraces) (ID = 773933)
8:38 AM: HKCR\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773937)
8:38 AM: HKCR\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773950)
8:38 AM: HKCR\appid\acm.dll\ (1 subtraces) (ID = 773960)
8:38 AM: HKCR\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773962)
8:38 AM: HKLM\software\classes\acm.acmfactory\ (5 subtraces) (ID = 773964)
8:38 AM: HKLM\software\classes\acm.acmfactory.1\ (3 subtraces) (ID = 773970)
8:38 AM: HKLM\software\classes\appid\acm.dll\ (1 subtraces) (ID = 773974)
8:38 AM: HKLM\software\classes\appid\{127df9b4-d75d-44a6-af78-8c3a8ceb03db}\ (1 subtraces) (ID = 773976)
8:38 AM: HKLM\software\classes\clsid\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad}\ (12 subtraces) (ID = 773979)
8:38 AM: HKLM\software\classes\typelib\{df901432-1b9f-4f5b-9e56-301c553f9095}\ (9 subtraces) (ID = 773992)
8:38 AM: Found Adware: elitemediagroup-pop64
8:38 AM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
8:38 AM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
8:38 AM: HKLM\software\microsoft\windows\currentversion\run\ || browserupdatesched (ID = 1075246)
8:38 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\ (2 subtraces) (ID = 1137453)
8:38 AM: Found Adware: 180search assistant/zango
8:38 AM: HKCR\saix.installercaller.1\ (3 subtraces) (ID = 1156609)
8:38 AM: HKCR\saix.installercaller\ (5 subtraces) (ID = 1156613)
8:38 AM: HKLM\software\classes\saix.installercaller.1\ (3 subtraces) (ID = 1156657)
8:38 AM: HKLM\software\classes\saix.installercaller\ (5 subtraces) (ID = 1156661)
8:38 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/saix.dll\ (2 subtraces) (ID = 1156667)
8:38 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\saix.dll (ID = 1156675)
8:38 AM: Found Adware: safesearch
8:38 AM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
8:38 AM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
8:38 AM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
8:38 AM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
8:38 AM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
8:38 AM: HKLM\software\irismon\ (18 subtraces) (ID = 1165615)
8:38 AM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
8:38 AM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
8:38 AM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
8:38 AM: Found Adware: ezula ilookup
8:38 AM: HKCR\da.bomb\ (5 subtraces) (ID = 1221354)
8:38 AM: HKCR\da.bomb.1\ (3 subtraces) (ID = 1221359)
8:38 AM: HKCR\onone.theimp\ (5 subtraces) (ID = 1221362)
8:38 AM: HKCR\onone.theimp.1\ (3 subtraces) (ID = 1221367)
8:38 AM: HKCR\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221449)
8:38 AM: HKCR\typelib\{230290d9-946f-4276-9a91-ce2a2f376b9e}\ (9 subtraces) (ID = 1221495)
8:38 AM: HKLM\software\classes\da.bomb\ (5 subtraces) (ID = 1221507)
8:38 AM: HKLM\software\classes\da.bomb.1\ (3 subtraces) (ID = 1221512)
8:38 AM: HKLM\software\classes\onone.theimp\ (5 subtraces) (ID = 1221515)
8:38 AM: HKLM\software\classes\onone.theimp.1\ (3 subtraces) (ID = 1221523)
8:38 AM: HKLM\software\classes\clsid\{ed5d884b-1a35-482e-bea1-dd52f75b6138}\ (11 subtraces) (ID = 1221605)
8:38 AM: HKLM\software\classes\typelib\{230290d9-946f-4276-9a91-ce2a2f376b9e}\ (9 subtraces) (ID = 1221651)
8:38 AM: Found Adware: seekmo search assistant
8:38 AM: HKU\WRSS_Profile_S-1-5-21-725345543-1993962763-2147175445-1005\software\seekmo\ (15 subtraces) (ID = 1042251)
8:38 AM: HKU\WRSS_Profile_S-1-5-21-725345543-1993962763-2147175445-1005\software\microsoft\windows\currentversion\run\ || irssyncd (ID = 1165604)
8:38 AM: Registry Sweep Complete, Elapsed Time:00:00:10
8:38 AM: Starting Cookie Sweep
8:38 AM: Found Spy Cookie: 888 cookie
8:38 AM: gary@888[1].txt (ID = 2019)
8:38 AM: Found Spy Cookie: yieldmanager cookie
8:38 AM: gary@ad.yieldmanager[1].txt (ID = 3751)
8:38 AM: Found Spy Cookie: adknowledge cookie
8:38 AM: gary@adknowledge[2].txt (ID = 2072)
8:38 AM: Found Spy Cookie: hbmediapro cookie
8:38 AM: gary@adopt.hbmediapro[2].txt (ID = 2768)
8:38 AM: Found Spy Cookie: adrevolver cookie
8:38 AM: gary@adrevolver[2].txt (ID = 2088)
8:38 AM: gary@adrevolver[3].txt (ID = 2088)
8:38 AM: Found Spy Cookie: pointroll cookie
8:38 AM: gary@ads.pointroll[2].txt (ID = 3148)
8:38 AM: Found Spy Cookie: atwola cookie
8:38 AM: gary@ar.atwola[1].txt (ID = 2256)
8:38 AM: Found Spy Cookie: falkag cookie
8:38 AM: gary@as-eu.falkag[1].txt (ID = 2650)
8:38 AM: Found Spy Cookie: casalemedia cookie
8:38 AM: gary@as.casalemedia[1].txt (ID = 2355)
8:38 AM: gary@atwola[1].txt (ID = 2255)
8:38 AM: Found Spy Cookie: azjmp cookie
8:38 AM: gary@azjmp[2].txt (ID = 2270)
8:38 AM: Found Spy Cookie: bluestreak cookie
8:38 AM: gary@bluestreak[1].txt (ID = 2314)
8:38 AM: gary@casalemedia[2].txt (ID = 2354)
8:38 AM: Found Spy Cookie: realmedia cookie
8:38 AM: gary@network.realmedia[1].txt (ID = 3236)
8:38 AM: Found Spy Cookie: pro-market cookie
8:38 AM: gary@pro-market[2].txt (ID = 3197)
8:38 AM: gary@realmedia[1].txt (ID = 3235)
8:38 AM: Found Spy Cookie: trafficmp cookie
8:38 AM: gary@trafficmp[2].txt (ID = 3581)
8:38 AM: Found Spy Cookie: tribalfusion cookie
8:38 AM: gary@tribalfusion[1].txt (ID = 3589)
8:38 AM: gary@www.888[1].txt (ID = 2020)
8:38 AM: Found Spy Cookie: zenotecnico cookie
8:38 AM: gary@zenotecnico[2].txt (ID = 3858)
8:38 AM: Found Spy Cookie: 2o7.net cookie
8:38 AM: david@2o7[2].txt (ID = 1957)
8:38 AM: david@ad.yieldmanager[1].txt (ID = 3751)
8:38 AM: Found Spy Cookie: specificclick.com cookie
8:38 AM: david@adopt.specificclick[2].txt (ID = 3400)
8:38 AM: Found Spy Cookie: nextag cookie
8:38 AM: david@adq.nextag[2].txt (ID = 5015)
8:38 AM: david@adrevolver[2].txt (ID = 2088)
8:38 AM: david@adrevolver[3].txt (ID = 2088)
8:38 AM: david@ads.pointroll[1].txt (ID = 3148)
8:38 AM: Found Spy Cookie: apmebf cookie
8:38 AM: david@apmebf[1].txt (ID = 2229)
8:38 AM: david@ar.atwola[2].txt (ID = 2256)
8:38 AM: david@as-us.falkag[1].txt (ID = 2650)
8:38 AM: david@as.casalemedia[1].txt (ID = 2355)
8:38 AM: Found Spy Cookie: ask cookie
8:38 AM: david@ask[1].txt (ID = 2245)
8:38 AM: Found Spy Cookie: belnk cookie
8:38 AM: david@ath.belnk[2].txt (ID = 2293)
8:38 AM: david@atwola[1].txt (ID = 2255)
8:38 AM: david@belnk[2].txt (ID = 2292)
8:38 AM: david@bluestreak[1].txt (ID = 2314)
8:38 AM: david@casalemedia[1].txt (ID = 2354)
8:38 AM: Found Spy Cookie: did-it cookie
8:38 AM: david@did-it[1].txt (ID = 2523)
8:38 AM: david@dist.belnk[1].txt (ID = 2293)
8:38 AM: david@network.realmedia[1].txt (ID = 3236)
8:38 AM: david@nextag[2].txt (ID = 5014)
8:38 AM: Found Spy Cookie: realtracker cookie
8:38 AM: david@project1.realtracker[2].txt (ID = 3242)
8:38 AM: Found Spy Cookie: questionmarket cookie
8:38 AM: david@questionmarket[1].txt (ID = 3217)
8:38 AM: david@realmedia[2].txt (ID = 3235)
8:38 AM: Found Spy Cookie: tickle cookie
8:38 AM: david@tickle[2].txt (ID = 3529)
8:38 AM: david@trafficmp[2].txt (ID = 3581)
8:38 AM: david@tribalfusion[1].txt (ID = 3589)
8:38 AM: david@volkswagen.122.2o7[1].txt (ID = 1958)
8:38 AM: Found Spy Cookie: adserver cookie
8:38 AM: david@z1.adserver[1].txt (ID = 2142)
8:38 AM: Found Spy Cookie: zedo cookie
8:38 AM: david@zedo[2].txt (ID = 3762)
8:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:38 AM: Starting File Sweep
8:38 AM: a0011898.exe (ID = 246193)
8:38 AM: a0011916.dll (ID = 246191)
8:38 AM: Found Adware: mirar webband
8:38 AM: a0010858.exe (ID = 185463)
8:39 AM: a0010808.dll (ID = 271927)
8:39 AM: a0009867.exe (ID = 246195)
8:39 AM: a0010861.exe (ID = 293)
8:39 AM: a0009862.exe (ID = 293)
8:39 AM: a0010833.exe (ID = 293)
8:39 AM: a0004936.dll (ID = 204488)
8:39 AM: backup-20060413-185734-927.inf (ID = 187156)
8:40 AM: a0002825.exe (ID = 233592)
8:40 AM: Found Adware: clkoptimizer
8:40 AM: a0012037.exe (ID = 268798)
8:40 AM: nt68rrtc12.sys (ID = 220230)
8:40 AM: a0010863.exe (ID = 235993)
8:41 AM: a0010857.dll (ID = 182873)
8:42 AM: a0009861.dll (ID = 208226)
8:43 AM: Found Adware: netwebsearch
8:43 AM: stup3.exe (ID = 236066)
8:46 AM: a0002824.exe (ID = 233591)
8:46 AM: a0004780.dll (ID = 182873)
8:46 AM: Warning: Failed to open file "c:\program files\bearshare\temp\". The system cannot find the path specified
8:47 AM: a0007791.dll (ID = 269410)
8:47 AM: a0010862.dll (ID = 185460)
8:47 AM: a0009841.dll (ID = 271927)
8:47 AM: a0009853.exe (ID = 271925)
8:48 AM: a0012183.dll (ID = 246679)
8:48 AM: eliteunstall.exe (ID = 244416)
8:48 AM: justin2a.exe (ID = 279493)
8:48 AM: z_start.lnk (ID = 235994)
8:48 AM: zeno.lnk (ID = 146127)
8:48 AM: z_start.lnk (ID = 235994)
8:48 AM: a0011912.cfg (ID = 91140)
8:48 AM: a0012076.cfg (ID = 91140)
8:48 AM: a0010835.cfg (ID = 91140)
8:48 AM: a0009864.cfg (ID = 91140)
8:48 AM: zxdnt3d.cfg (ID = 91140)
8:49 AM: Warning: Invalid Stream
8:49 AM: File Sweep Complete, Elapsed Time: 00:10:23
8:49 AM: Full Sweep has completed. Elapsed time 00:12:58
8:49 AM: Traces Found: 381
8:49 AM: Removal process initiated
8:49 AM: Quarantining All Traces: 180search assistant/zango
8:49 AM: Quarantining All Traces: clkoptimizer
8:49 AM: Quarantining All Traces: safesearch
8:49 AM: Quarantining All Traces: winad
8:49 AM: Quarantining All Traces: elitemediagroup-pop64
8:49 AM: Quarantining All Traces: ezula ilookup
8:49 AM: Quarantining All Traces: mirar webband
8:49 AM: Quarantining All Traces: netwebsearch
8:49 AM: Quarantining All Traces: seekmo search assistant
8:49 AM: Quarantining All Traces: zenosearchassistant
8:49 AM: Quarantining All Traces: 2o7.net cookie
8:49 AM: Quarantining All Traces: 888 cookie
8:49 AM: Quarantining All Traces: adknowledge cookie
8:49 AM: Quarantining All Traces: adrevolver cookie
8:49 AM: Quarantining All Traces: adserver cookie
8:49 AM: Quarantining All Traces: apmebf cookie
8:49 AM: Quarantining All Traces: ask cookie
8:49 AM: Quarantining All Traces: atwola cookie
8:49 AM: Quarantining All Traces: azjmp cookie
8:49 AM: Quarantining All Traces: belnk cookie
8:49 AM: Quarantining All Traces: bluestreak cookie
8:49 AM: Quarantining All Traces: casalemedia cookie
8:49 AM: Quarantining All Traces: did-it cookie
8:49 AM: Quarantining All Traces: falkag cookie
8:49 AM: Quarantining All Traces: hbmediapro cookie
8:49 AM: Quarantining All Traces: nextag cookie
8:49 AM: Quarantining All Traces: pointroll cookie
8:49 AM: Quarantining All Traces: pro-market cookie
8:49 AM: Quarantining All Traces: questionmarket cookie
8:49 AM: Quarantining All Traces: realmedia cookie
8:49 AM: Quarantining All Traces: realtracker cookie
8:49 AM: Quarantining All Traces: specificclick.com cookie
8:49 AM: Quarantining All Traces: tickle cookie
8:49 AM: Quarantining All Traces: trafficmp cookie
8:49 AM: Quarantining All Traces: tribalfusion cookie
8:49 AM: Quarantining All Traces: whenu save
8:49 AM: Quarantining All Traces: yieldmanager cookie
8:49 AM: Quarantining All Traces: zedo cookie
8:49 AM: Quarantining All Traces: zenotecnico cookie
8:49 AM: Removal process completed. Elapsed time 00:00:16
********
8:30 AM: | Start of Session, Friday, April 14, 2006 |
8:30 AM: Spy Sweeper started
8:30 AM: Your spyware definitions have been updated.
8:36 AM: | End of Session, Friday, April 14, 2006 |


Logfile of HijackThis v1.99.1
Scan saved at 7:05:44 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\common files\aol\1142365287\ee\aim6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\maintainence stuff\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinkraf.exe FI002
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
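
Added example (an editor's addition, not code from any post in this thread): a small Python triage of HijackThis O4/O20 lines that applies the same rules Rawe applied by eye to the log above. Both entries he singled out, pwinkraf.exe and qjdsregp.exe, are bare executables launched straight out of C:\WINDOWS\system32 with no vendor folder and a meaningless name, and the leftover WRNotifier hook is marked "(file missing)". The sample log is constructed from lines of the same shape as the posted logs; the allowlist of known system32 autostarts and the regular expressions are assumptions made here, not part of HijackThis.

```python
import re
from pathlib import PureWindowsPath

# Constructed allowlist: Windows binaries that legitimately autostart straight
# out of %SystemRoot%\system32. Extend it for the environment you are triaging.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe", "wuauclt.exe"}

# HijackThis v1.99.1 line shapes for Run keys and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<lnk>.+?) = (?P<cmd>.*)$")
# First token of a command line: a quoted or unquoted path ending in an executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|scr|com))"?(?:\s|$)', re.IGNORECASE)

# Constructed sample in the same format as the logs posted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [BrowserUpdateSched] C:\\WINDOWS\\system32\\pwinkraf.exe FI002
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - Startup: Z_Start.lnk = C:\\WINDOWS\\system32\\qjdsregp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def executable_from_command(cmd):
    """Return the program path at the front of a Run/Startup command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def triage_hjt(log_text):
    """Return [(line, reason), ...] for autostart entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append((line, "hook points at a file that no longer exists (orphaned entry)"))
            continue
        run, startup = RUN_RE.match(line), STARTUP_RE.match(line)
        m = run or startup
        if m is None:
            continue
        exe = executable_from_command(m.group("cmd"))
        if exe is None:
            continue
        path = PureWindowsPath(exe)
        in_system32 = path.parent.name.lower() == "system32"
        reasons = []
        if in_system32 and path.name.lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
            reasons.append(f"{path.name} runs straight out of system32 but is not a known Windows autostart")
        if startup and in_system32:
            reasons.append("Startup-folder shortcut pointing into system32")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it flags exactly the three lines a helper would ask to fix (the two system32 executables and the orphaned Winlogon Notify hook) and leaves QuickTime, AVG, Java and Adobe alone. The allowlist is the weak point: a name-based rule is only as good as the list behind it, so treat a hit as "look at this file" rather than "this is malware".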

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 15 April 2006 - 04:55 AM

Go ahead and remove WebRoot SpySweeper :thumbsup:

==

Next:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\qjdsregp.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

After the reboot, run a scan with HijackThis and check the following objects for removal:

O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qjdsregp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


Close ALL other open windows except for HijackThis and hit FIX CHECKED. Please close HijackThis.

==

Still getting popups? :flowers:
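Added example (editor's addition, not part of any post): what Killbox's "Delete on Reboot" does under the hood, and why a PendingFileRenameOperations prompt can appear. Windows queues a delayed delete or move through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a pair of strings to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; Session Manager carries the list out at the next boot, before anything has the file open. Killbox warns when that value already exists because entries already queued there (by an installer, or by malware re-dropping itself) run at the same time. The parser below decodes such a value into (operation, source, destination) triples. The sample value is constructed: the first pair is the delete Rawe asked for, the second is an invented installer-style replace so both kinds of entry are exercised.

```python
NT_PREFIX = "\\??\\"  # kernel-style path prefix used in the registry value


def build_multi_sz(strings):
    """Encode a list of strings as REG_MULTI_SZ: UTF-16LE, NUL after each string, extra NUL at the end."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def parse_multi_sz(blob):
    """Decode a well-formed (double-NUL-terminated) REG_MULTI_SZ value into its list of strings."""
    parts = blob.decode("utf-16-le").split("\x00")
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("not a double-NUL-terminated REG_MULTI_SZ value")
    return parts[:-2]


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(blob):
    """Return [(operation, source, destination), ...] for a PendingFileRenameOperations value.

    Entries come in pairs. An empty destination means "delete the source at boot";
    a destination starting with '!' means "replace the destination if it already exists".
    """
    strings = parse_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("odd number of strings; value is truncated or corrupt")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        source = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", source, None))
        elif dst.startswith("!"):
            ops.append(("replace", source, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("move", source, strip_nt_prefix(dst)))
    return ops


# Constructed sample value: the delete queued for the file named in the thread,
# plus a made-up installer-style replace (the Example paths are assumptions).
SAMPLE_VALUE = build_multi_sz([
    NT_PREFIX + "C:\\WINDOWS\\system32\\qjdsregp.exe", "",
    NT_PREFIX + "C:\\WINDOWS\\Temp\\update.tmp", "!" + NT_PREFIX + "C:\\Program Files\\Example\\example.dll",
])

if __name__ == "__main__":
    for op, src, dst in parse_pending_renames(SAMPLE_VALUE):
        print(f"{op:8} {src} -> {dst}")
```

When you do get the prompt, export the value before rebooting and read it with something like this: a "replace" whose destination is a system DLL, or a "move" that drops a file into system32, is exactly the kind of entry adware uses to survive a cleanup, and the reboot will execute it with full system privileges.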

#11 ever_looking_up

ever_looking_up
  • Topic Starter

  • Members
  • 47 posts

Posted 15 April 2006 - 07:00 PM

I did receive this PendingFileRenameOperations prompt when I ran Killbox. Other than that, no pop-ups, and those HJT files weren't there. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 6:57:23 PM, on 4/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Desktop\maintainence stuff\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142365287\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143588565552
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by ever_looking_up, 15 April 2006 - 07:00 PM.


#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 16 April 2006 - 04:02 AM

That's great news. Your log is looking clean. :thumbsup:

==

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
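Added example to go with the HOSTS-file tip above (an editor's addition, not part of Rawe's post): a Python parser that reads a hosts file the way the resolver does, comments stripped, several names per line, exact-name matching only, and reports whether a name is sinkholed. The sample hosts content and the .example hostnames are constructed. The subdomain check is the caveat a practitioner wants: a HOSTS file blocks only the exact names it lists, so cdn.ad.yieldmanager.example still goes out to DNS even though ad.yieldmanager.example is blocked.

```python
import ipaddress

# Constructed excerpt in the MVPS HOSTS layout. The file Rawe describes maps
# ad hosts to 127.0.0.1; later builds use 0.0.0.0, and both are handled here.
SAMPLE_HOSTS = """\
# constructed example, hostnames are made up
127.0.0.1 localhost
::1 localhost
0.0.0.0 ad.yieldmanager.example      # sinkholed ad server
0.0.0.0 www.tribalfusion.example tribalfusion.example
# 127.0.0.1 disabled.example
"""


def parse_hosts(text):
    """Map lower-cased hostname -> list of ip_address objects, in file order."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: address with no hostnames")
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {fields[0]!r}") from exc
        for host in fields[1:]:
            table.setdefault(host.lower(), []).append(addr)
    return table


def lookup(table, hostname):
    """Addresses the resolver takes from HOSTS, or [] if the name falls through to DNS."""
    return table.get(hostname.lower().rstrip("."), [])


def is_sinkholed(table, hostname):
    """True when every HOSTS answer for the name is loopback or 0.0.0.0, i.e. the site is blocked."""
    addrs = lookup(table, hostname)
    return bool(addrs) and all(a.is_loopback or a.is_unspecified for a in addrs)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ad.yieldmanager.example", "cdn.ad.yieldmanager.example",
                 "tribalfusion.example", "disabled.example"):
        print(f"{name:32} blocked={is_sinkholed(table, name)}")
```

Two practical notes. Because matching is exact, an ad network only has to serve from a new subdomain to get past a static list, which is why a hosts file is a supplement to, not a replacement for, the scanners listed above. And 0.0.0.0 is the better sink address: with 127.0.0.1, anything listening on the local machine (a development web server, for instance) would answer the redirected requests.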

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 16 April 2006 - 03:16 PM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
