Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help...annoying Pop Ups


  • This topic is locked This topic is locked
27 replies to this topic

#1 janbas

janbas

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 05 March 2007 - 10:53 AM

Hi

Just recently I started getting annoying pop up sites, and i didn't have that problem before...

I've checked with adware and spybot and AVG, but found nothing

Please help

Hre is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:50:25, on 3/5/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\LEXPPS.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINNT\system32\cisvc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\012Net\012Net-Cable dialer\fts.exe
D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINNT\system32\internat.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\system32\wuauclt.exe
D:\WINNT\system32\cidaemon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "D:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] D:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ats] D:\WINNT\system32\asd\loadqm.exe noshow
O4 - HKLM\..\Run: [Babylon Client] D:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = D:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157638106109
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.40
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: HP CI Service (En1207CI) - Unknown owner - D:\WINNT\System32\En1207d.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINNT\system32\LEXBCES.EXE


Hope you can help me

Thanks

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 09 March 2007 - 01:00 PM

Hello janbas,


Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Run AVG Anti-Spyware 7.5

Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine
(1)
, if not click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

******************

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to Jotti Online File Scanner copy and paste D:\WINNT\system32\asd\loadqm.exe to the upload and scan it.

Let me know the results.
Copy and paste the output to this thread

It should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken)


If Jotti's Malware scan is busy, you can also use this one
Virus Total:
http://www.virustotal.com/flash/index_en.html

******************

I need you to rename Hijackthis because I believe that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
    C:\Program Files\HijackThis\HijackThis.exe
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new logfile.
When done, submit the BitDefender log, the [b]AVG Anti-Spyware 7.5
log and a fresh Hijackthis log.
What are the popups saying?

Edited by SifuMike, 09 March 2007 - 01:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 10:03 AM

Hi

First of all, I wanted to tell you that since posting the first log, i've installed zonealarm, nod32, spysweeper and Pop-Up Washer, thinking that may help... Thought you should know :flowers:

When I scanned with Bitdefender the first time, at the very beginning it found some kind of malware and deleted it... It was Ypager.exe, if i'm not mistaken... I cant post the log, because during the scan, my computer stopped responding and I had to shut it down... I've tried scanning with Bitdefender two more times, but each time it got stuck at some point, so I had to give it up :thumbsup:

While at Safe mode, I used Atf-cleaner, as you've said

I also scanned with AVG-Antispyware and here is the log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 16:13:11 3/10/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Ignored.
D:\!KillBox\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.


::Report end


When I used Jotti Online scanner to check D:\WINNT\system32\asd\loadqm.exe

I got this message:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I tried again without Zonealarm or any other antivirus turned on, but still got the same message even with the other online scanner you mentioned.

I renamed hijackthis.exe

The pop ups are different kinds of websites showing suddenly of nowhere like: game websites, sex websites and commercial websites... I never visited those websites before

Just wanted also to say that since posting the first time, I have now another problem:

When I try typing Hebrew or Russian letters in websites, like Google Search I see gibrish letters, but when I type Hebrew or Russian letters in different programs like: Office Word, Skype chat etc the letters are fine...
I checked and everything is ok with my Language Settings...
There is no problem with English letters when typing in websites...
This started only yesterday and before then everything was just fine

Thougt it's important for you to know, bcause I have a felling it's all somehow reated

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:35:08, on 3/10/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\LEXPPS.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINNT\system32\cisvc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\012Net\012Net-Cable dialer\fts.exe
D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINNT\system32\internat.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINNT\system32\cidaemon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\AnalyzeThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - D:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "D:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [ats] D:\WINNT\system32\asd\loadqm.exe noshow
O4 - HKLM\..\Run: [Babylon Client] "D:\Program Files\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = D:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157638106109
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 212.117.129.5 212.116.161.38
O20 - Winlogon Notify: WRNotifier - D:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: HP CI Service (En1207CI) - Unknown owner - D:\WINNT\System32\En1207d.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINNT\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Thanks for your help

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 12:39 PM

Hi janbas,

I started getting annoying pop up sites


Are you still getting popups?


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Ignored.
D:\!KillBox\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.


It looks like you chose to "ignore" the two malware items that AVG antispyware found.
Please boot to the Safe Mode and run it again and quarentine everything it finds.

*******************************************

You will need to disable AVG AntiSpyware Guard, Spy Sweeper as they will prevent registry changes with Hijackthis.

To disable SpySweeper:
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm


The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] \"D:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [ats] D:\WINNT\system32\asd\loadqm.exe noshow
(Description: This is the Microsoft MSN Queue Manager. There is disagreement over whether it is spying on you or not. Nevertheless, we suggest you check this entry and remove it. Removing this entry will free up some system resources. more information: http://www.bleepingcomputer.com/startups/l...m.exe-2591.html )

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
(Description: WinZip system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)




*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

Do not use the "Issues" block . It's meant for professionals.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode , post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 10 March 2007 - 01:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 02:21 PM

Hi

Thanks for your guidelines :huh:

Yeah, I am still getting pop-ups :thumbsup:

Here is the new spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:37:02 3/10/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
D:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
D:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end



I've fixed everything you mentioned except:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm

it wasn't there...

I ran CCleaner

The computer is definitely running faster, but still I get the pop ups and i still get gibrish instead of Hebrew or Russian letters when typing in websites... :flowers: :huh:

Here is a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:08:53, on 3/10/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\LEXPPS.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINNT\system32\cisvc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\012Net\012Net-Cable dialer\fts.exe
D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINNT\system32\internat.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINNT\system32\cidaemon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\AnalyzeThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - D:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "D:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Babylon Client] "D:\Program Files\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = D:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157638106109
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.39
O20 - Winlogon Notify: WRNotifier - D:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: HP CI Service (En1207CI) - Unknown owner - D:\WINNT\System32\En1207d.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINNT\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Thanks for your help

Thanks for your

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 02:45 PM

Hi janbas,

Yeah, I am still getting pop-ups


Are these messenger popups? If not, what sites are they going to?


O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.39


Do you know the IP or Domain '84.95.14.250 212.116.161.39'?



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


****************


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch.
Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, the ComboFix log , and a new HijackThis log.

Edited by SifuMike, 10 March 2007 - 03:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 03:43 PM

Hi

The pop ups are going to sites like:

http://okveryfun.com/fun/
http://okveryfun.com/fun/
http://tvlord.com/tv/
http://singkar.com/karaoke/


I don't know the IP/Domain you mentioned....

Here is the logfile of C:\fixwareout\report.txt :

"
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"%FP%012-L2TP fts.exe"="\"D:\\Program Files\\012Net\\012Net-Cable dialer\\fts.exe\""
"%FP%012-L2TP FWPortal.exe"="\"D:\\Program Files\\012Net\\012Net-Cable dialer\\FWPortal.exe\" -no_dialog"
"NeroCheck"="D:\\WINNT\\system32\\NeroCheck.exe"
"REGSHAVE"="\"D:\\Program Files\\REGSHAVE\\REGSHAVE.EXE\" /AUTORUN"
"Babylon Client"="\"D:\\Program Files\\Babylon\\Babylon-Pro\\Babylon.exe\" -AutoStart"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="\"D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ZoneAlarm Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"nod32kui"="\"D:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Here is the ComboFix log:

""Administrator" - Sat 03/10/2007 22:21:35 Service Pack 3
ComboFix 07-03-09.3 - Running from: "D:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-10 to 2007-03-10 ))))))))))))))))))))))))))))))))))


2007-03-10 20:55 <DIR> d-------- D:\Program Files\CCleaner
2007-03-10 20:41 16,384 --a----t- D:\WINNT\system32\Perflib_Perfdata_500.dat
2007-03-10 20:09 2,685,104 --a------ D:\Program Files\ccsetup138.exe
2007-03-09 22:35 50,688 --a------ D:\Program Files\ATF-Cleaner.exe
2007-03-09 22:27 <DIR> d-------- D:\WINNT\BDOSCAN8
2007-03-09 08:57 22,080 --a------ D:\WINNT\system32\drivers\sshrmd.sys
2007-03-09 08:57 21,056 --a------ D:\WINNT\system32\drivers\sskbfd.sys
2007-03-09 08:57 20,544 --a------ D:\WINNT\system32\drivers\SSFS0509.sys
2007-03-09 08:57 144,960 --a------ D:\WINNT\system32\drivers\ssidrv.sys
2007-03-09 08:57 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-03-09 08:53 <DIR> d-------- D:\Program Files\Webroot
2007-03-09 08:51 13,198,504 --a------ D:\Program Files\ssftrialsnrsetup5240_1912562380.exe
2007-03-09 08:51 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-03-09 08:47 2,547,864 --a------ D:\Program Files\pwsetup5240_1912562380.exe
2007-03-06 06:11 512,096 --a------ D:\WINNT\system32\drivers\amon.sys
2007-03-06 06:11 298,104 --a------ D:\WINNT\system32\imon.dll
2007-03-06 06:11 15,424 --a------ D:\WINNT\system32\drivers\nod32drv.sys
2007-03-06 06:10 12,112,328 --a------ D:\Program Files\nentenst.exe
2007-03-05 19:27 75,512 --a------ D:\WINNT\zllsputility.exe
2007-03-05 19:27 11,264 --a------ D:\WINNT\system32\SpOrder.dll
2007-03-05 19:27 1,087,216 --a------ D:\WINNT\system32\zpeng24.dll
2007-03-05 19:27 <DIR> d-a------ D:\WINNT\system32\ZoneLabs
2007-03-05 19:25 39,994,008 --a------ D:\Program Files\zlsSetup_70_302_000_en.exe
2007-03-05 18:48 6,809,960 --a------ D:\Program Files\ssfsetup1_1800640662.exe
2007-03-05 18:48 427,520 --a------ D:\WINNT\WRServices.dll
2007-03-01 07:53 13,707,688 --a------ D:\Program Files\zlsSetup_65_722_000_en.exe
2007-02-26 18:10 <DIR> d-------- D:\Program Files\MSN Messenger
2007-02-26 18:10 <DIR> d-------- D:\Program Files\Messenger
2007-02-22 18:32 3,534,076 --a------ D:\Program Files\eMule0.47c-Installer.exe
2007-02-22 18:26 <DIR> d-------- D:\Program Files\Emule
2007-02-20 09:27 50,688 --a------ D:\WINNT\system32\wbhelp2.dll
2007-02-20 09:27 1,060,864 --a------ D:\WINNT\system32\MFC71.dll
2007-02-20 09:27 <DIR> d-------- D:\WINNT\system32\E177E04D548C4006A465EEB92D3DE021
2007-02-20 09:27 <DIR> d-------- D:\Program Files\Ipswitch
2007-02-20 09:27 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Ipswitch
2007-02-20 09:27 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Ipswitch
2007-02-20 09:26 11,027,270 --a------ D:\Program Files\WSFTP_HomeT128_Install.exe
2007-02-19 23:51 3,968 --a------ D:\WINNT\system32\drivers\AvgAsCln.sys
2007-02-19 23:49 775,680 --a------ D:\WINNT\system32\drivers\avg7core.sys
2007-02-19 23:49 4,960 --a------ D:\WINNT\system32\drivers\avgtdi.sys
2007-02-19 23:49 4,224 --a------ D:\WINNT\system32\drivers\avg7rsw.sys
2007-02-19 23:49 3,968 --a------ D:\WINNT\system32\drivers\avgclean.sys
2007-02-19 23:49 27,776 --a------ D:\WINNT\system32\drivers\avg7rsxp.sys
2007-02-19 23:49 26,944 --a------ D:\WINNT\system32\drivers\avg7rsnt.sys
2007-02-19 23:49 19,840 --a------ D:\WINNT\system32\drivers\avgmfx86.sys
2007-02-19 23:49 <DIR> d-------- D:\DOCUME~1\DEFAUL~1\APPLIC~1\AVG7
2007-02-19 23:49 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-02-19 23:49 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7
2007-02-19 23:48 25,081,408 --a------ D:\Program Files\avg75avwt_441a919.exe
2007-02-19 23:47 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\CoffeeCup Software
2007-02-19 23:46 3,742,383 --a------ D:\Program Files\CoffeeFreeFTPInstaller.exe
2007-02-19 23:46 <DIR> d-------- D:\Program Files\CoffeeCup Software
2007-02-19 23:39 3,297,436 --a------ D:\Program Files\bpftpclient_install.exe
2007-02-19 23:13 8,249,096 --a------ D:\Program Files\cuteftppro3p.exe
2007-02-19 09:13 <DIR> d-a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg7
2007-02-17 12:47 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-02-16 18:51 4,076,784 --a------ D:\Program Files\FlashFXP_34_Setup.exe
2007-02-16 18:51 <DIR> d-------- D:\Program Files\FlashFXP
2007-02-16 15:13 <DIR> d-------- D:\Program Files\Booksearch
2007-02-16 15:12 243,233 --a------ D:\Program Files\sbksrch.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-10 22:19 -------- d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\skype
2007-03-09 08:42 5186048 --a------ D:\Program Files\windowsdefender.msi
2007-03-08 23:31 -------- d-------- D:\Program Files\tvu player
2007-03-05 19:29 4212 ---h----- D:\WINNT\system32\zllictbl.dat
2007-02-26 18:11 -------- d---s---- D:\DOCUME~1\ADMINI~1\APPLIC~1\microsoft
2007-02-20 09:27 -------- d--h----- D:\Program Files\installshield installation information
2007-02-19 23:47 6469352 --a------ D:\Program Files\avgas-setup-7.5.0.50.exe
2007-02-19 11:23 -------- d-------- D:\Program Files\p2ptvrecorder
2007-02-19 11:22 2882261 --a------ D:\Program Files\pprecorder.exe
2007-02-19 09:41 -------- d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\adobeum
2007-02-16 20:04 -------- d-------- D:\Program Files\divx
2007-02-08 12:33 304957 --a------ D:\Program Files\hjsplit.zip
2007-02-08 11:19 9255712 --a------ D:\Program Files\a5u1t1.exe
2007-02-08 10:32 -------- d-------- D:\Program Files\yahoo!
2007-02-07 16:24 -------- d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\adobe
2007-02-07 11:07 278528 --a------ D:\WINNT\system32\livesnth.dll
2007-02-02 09:57 3606944 --a------ D:\Program Files\sftpmsi.exe
2007-02-02 09:57 -------- d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\smartftp
2007-01-31 20:56 823296 --a------ D:\WINNT\system32\divx_xx0c.dll
2007-01-31 20:56 823296 --a------ D:\WINNT\system32\divx_xx07.dll
2007-01-31 20:56 802816 --a------ D:\WINNT\system32\divx_xx11.dll
2007-01-31 20:56 639066 --a------ D:\WINNT\system32\divx.dll
2007-01-31 13:27 524288 --a------ D:\WINNT\system32\divxsm.exe
2007-01-30 15:15 118784 --a------ D:\WINNT\system32\divxcodecupdatechecker.exe
2007-01-29 21:03 36624 --------- D:\WINNT\system32\drivers\PxHelp20.sys
2007-01-29 21:03 3596288 --a------ D:\WINNT\system32\qt-dx331.dll
2007-01-29 21:03 200704 --a------ D:\WINNT\system32\ssldivx.dll
2007-01-29 21:03 129784 --------- D:\WINNT\system32\pxafs.dll
2007-01-29 21:03 118520 --------- D:\WINNT\system32\pxinsi64.exe
2007-01-29 21:03 116472 --------- D:\WINNT\system32\pxcpyi64.exe
2007-01-29 21:03 1044480 --a------ D:\WINNT\system32\libdivx.dll
2007-01-29 20:56 73728 --a------ D:\WINNT\system32\dpl100.dll
2007-01-29 20:56 593920 --a------ D:\WINNT\system32\dpugui11.dll
2007-01-29 20:56 57344 --a------ D:\WINNT\system32\dpv11.dll
2007-01-29 20:56 53248 --a------ D:\WINNT\system32\dpugui10.dll
2007-01-29 20:56 344064 --a------ D:\WINNT\system32\dpus11.dll
2007-01-29 20:56 294912 --a------ D:\WINNT\system32\dpu11.dll
2007-01-29 20:56 294912 --a------ D:\WINNT\system32\dpu10.dll
2007-01-29 20:56 196608 --a------ D:\WINNT\system32\dtu100.dll
2007-01-28 06:17 868 --a------ D:\DOCUME~1\ADMINI~1\APPLIC~1\adobedlm.log
2007-01-28 06:17 6 --a------ D:\DOCUME~1\ADMINI~1\APPLIC~1\dm.ini
2007-01-28 06:17 21277080 --a------ D:\Program Files\adberdr709_en_us.exe
2007-01-21 15:01 -------- d-------- D:\Program Files\apple software update
2007-01-20 09:45 1308 --a------ D:\Program Files\kooplayer.ocx
2007-01-20 09:45 108032 --a------ D:\Program Files\upactivex.exe
2007-01-03 08:03 19666504 --a------ D:\Program Files\quicktimeinstaller.exe
2006-12-12 08:24 12288 --a------ D:\WINNT\system32\divxwmpexttype.dll
2006-12-05 15:25 11349992 --a------ D:\Program Files\babylon6_setup_eng_eng.exe
2006-12-02 20:55 6064640 --a------ D:\Program Files\icq5_1_setup.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"%FP%012-L2TP fts.exe"="\"D:\\Program Files\\012Net\\012Net-Cable dialer\\fts.exe\""
"%FP%012-L2TP FWPortal.exe"="\"D:\\Program Files\\012Net\\012Net-Cable dialer\\FWPortal.exe\" -no_dialog"
"NeroCheck"="D:\\WINNT\\system32\\NeroCheck.exe"
"REGSHAVE"="\"D:\\Program Files\\REGSHAVE\\REGSHAVE.EXE\" /AUTORUN"
"Babylon Client"="\"D:\\Program Files\\Babylon\\Babylon-Pro\\Babylon.exe\" -AutoStart"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="\"D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ZoneAlarm Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"nod32kui"="\"D:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="D:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://usad.us.tf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN



Contents of the 'Scheduled Tasks' folder
D:\WINNT\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: Sat 2007-03-10 22:23:59


Here is my new HJT log:

"Logfile of HijackThis v1.99.1
Scan saved at 22:39:13, on 3/10/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\LEXPPS.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\012Net\012Net-Cable dialer\fts.exe
D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINNT\system32\internat.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\AnalyzeThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - D:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "D:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Babylon Client] "D:\Program Files\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = D:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157638106109
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.40
O20 - Winlogon Notify: WRNotifier - D:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: HP CI Service (En1207CI) - Unknown owner - D:\WINNT\System32\En1207d.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINNT\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Can you tell me what do you think about the gibrish problem?

Hope this helps

Thanks a lot

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 04:32 PM

Hi janbas,

The pop ups are going to sites like:

h**p://okveryfun.com/fun/
h**p://okveryfun.com/fun/
h**p://tvlord.com/tv/
h**tp://singkar.com/karaoke/



When do you get the popups ?
When you visit cetain sites ?
Generally those particular popups are generated from script on the webpages you are visiting.


Please disable AVG guard, as it will prevent registry changes and preven Hijackthis from working.

Open AVG Antispyware and in the main window click "Resident Shield", then toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.

*******************************************

I did a WHOIS on 84.95.14.250
and it said it was a site in Israel :thumbsup:

country: IL
remarks: Golden Lines International Communication Services Ltd.
address: Hasivim 25 Petach-Tikva Israel



212.116.161.40 is in Israel :flowers:

org-name: Golden Lines International Communication Services Ltd.
org-type: LIR
address: 25 Hasivim St.
K. Matalon
address: 41970
address: Petach Tikva
address: Israel




In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.40

*******************************************


Let's empty the temp files:

Run CCleaner.

Do not use the "Issues" block . It's meant for professionals.


Finally, reboot to the Normal Mode , post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 10 March 2007 - 04:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 04:54 PM

I get the pop ups randomly, all of a sudden... not when I visit particular sites :thumbsup:

I think this IP belongs to my Internet Provider....Should I still fix it?


Here is new HJT log:

"

Logfile of HijackThis v1.99.1
Scan saved at 23:48:46, on 3/10/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\LEXBCES.EXE
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\012Net\012Net-Cable dialer\fts.exe
D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINNT\system32\internat.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\AnalyzeThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://israelinfo.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - D:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "D:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "D:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] "D:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [Babylon Client] "D:\Program Files\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = D:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://D:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157638106109
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7821A8B-7F11-4D52-9D35-E9F53BA03C28}: NameServer = 84.95.14.250 212.116.161.40
O20 - Winlogon Notify: WRNotifier - D:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: HP CI Service (En1207CI) - Unknown owner - D:\WINNT\System32\En1207d.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINNT\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Since posting the last message, the pop ups reappeared and the gibrish continues as well :flowers:

Thanks

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 05:01 PM

I think this IP belongs to my Internet Provider....Should I still fix it?


No, if it your IP then do not fix it.

I dont see any malware in your Hijackthis log.


Lets try blocking the web sites on your computer.

You can use the Windows 'Hosts' file to accomplish this, here's how:
In Windows XP, the hosts file is found here:
C:\Windows\System32\Drivers\etc\hosts

Once you have found the hosts file, right click it and select Properties.
Uncheck the "Read-Only" attribute (if checked). Click OK.

Double click the 'Hosts' file and select "Notepad" from the list of programs to open it with.

Once you have the hosts file open in Notepad, you will see an entry such as:

127.0.0.1 localhost

You can ignore all the lines that have # in the first character, as those are comment lines.

To block a web pages from loading, add the following:

127.0.0.1 okveryfun.com
127.0.0.1 tvlord.com
127.0.0.1 singkar.com


Your Hosts file will now look like this:

127.0.0.1 localhost
127.0.0.1 okveryfun.com
127.0.0.1 tvlord.com
127.0.0.1 singkar.com


Add as many web addresses as you like in the same fashion.

Once you are finished, go up to 'File' and click 'Save'.

The web pages listed in your 'Hosts' file should be blocked from access. It may be necessary for you to reboot your computer for these changes to take effect

Let me know how it works.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 11:09 PM

Hi

I did as you've said...

The problem is that new websites are constantly showing up :flowers: :huh:
It's so strange these sites keep reappearing for no apparent reason :thumbsup:

What about the gibrish letters? Can you help me with that?

Thanks for your help

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 11:16 PM

Looks like you have some new kind of malware. :thumbsup:

Do you have some more examples of sites? It may help me find the cause.

Go here and run the online scan, allow it to delete whatever is found:

Panda ActiveScan
Note: This Scanner is for Internet Explorer Only!
Once you are on the Panda site click the Scan your PC button
[*]A new window will open...click the Check Now button
[*]Enter your Country
[*]Enter your State/Province
[*]Enter your e-mail address and click send
[*]Select either Home User or Company
[*]Click the big Scan Now button
[*]If it wants to install an ActiveX component allow it
[*]It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes, so be patient)
[*]When download is complete, click on Local Disks to start the scan
[*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Note any thing that can't be fixed

Please post the contents of Panda scan

*****************


Lets check deeper for hidden files and for rootkits.

Download SilentRunners.vbs
Unzip it to a permanent folder.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
When the scan is done, notepad will open with a log in it. Please close this again.
I'll need that log later.
Normally that log is saved automatically in your silent runners-folder.
Post the log it created.



Download and Save blacklight to your desktop.

Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.

Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe" :!:

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply together with the silent runners-log

Edited by SifuMike, 10 March 2007 - 11:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 janbas

janbas
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 10 March 2007 - 11:22 PM

Sorry, just one more thing I forgot to add:

I ran Ad Aware and it found 5 infected objects: 4 cookies and one registry entrance

I didn't delete it because I wanted you to see it

Here is the Ad Aware log:


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, March 11, 2007 6:10:12
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R157 05.03.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
MRU List(TAC index:0):8 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


3-11-2007 6:10:12 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 164
ThreadCreationTime : 3-11-2007 13:39:23
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\D:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 3-11-2007 13:39:40
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\D:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 3-11-2007 13:39:41
BasePriority : High


#:4 [services.exe]
FilePath : D:\WINNT\system32\
ProcessID : 244
ThreadCreationTime : 3-11-2007 13:39:43
BasePriority : Normal
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : D:\WINNT\system32\
ProcessID : 256
ThreadCreationTime : 3-11-2007 13:39:43
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : D:\WINNT\system32\
ProcessID : 424
ThreadCreationTime : 3-11-2007 13:39:46
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [vsmon.exe]
FilePath : D:\WINNT\system32\ZoneLabs\
ProcessID : 464
ThreadCreationTime : 3-11-2007 13:39:47
BasePriority : Normal
FileVersion : 7.0.302.000
ProductVersion : 7.0.302.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:8 [lexbces.exe]
FilePath : D:\WINNT\system32\
ProcessID : 576
ThreadCreationTime : 3-11-2007 13:39:54
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:9 [spoolsv.exe]
FilePath : D:\WINNT\system32\
ProcessID : 604
ThreadCreationTime : 3-11-2007 13:39:54
BasePriority : Normal
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:10 [lexpps.exe]
FilePath : D:\WINNT\system32\
ProcessID : 632
ThreadCreationTime : 3-11-2007 13:39:55
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:11 [guard.exe]
FilePath : D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 656
ThreadCreationTime : 3-11-2007 13:39:56
BasePriority : Normal
FileVersion : 7, 5, 0, 47
ProductVersion : 7, 5, 0, 47
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:12 [avgamsvr.exe]
FilePath : D:\PROGRA~1\Grisoft\AVG7\
ProcessID : 668
ThreadCreationTime : 3-11-2007 13:39:57
BasePriority : Normal
FileVersion : 7.5.0.445
ProductVersion : 7.5.0.445
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
FilePath : D:\PROGRA~1\Grisoft\AVG7\
ProcessID : 696
ThreadCreationTime : 3-11-2007 13:39:58
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [avgemc.exe]
FilePath : D:\PROGRA~1\Grisoft\AVG7\
ProcessID : 720
ThreadCreationTime : 3-11-2007 13:39:59
BasePriority : Normal
FileVersion : 7.5.0.442
ProductVersion : 7.5.0.442
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:15 [svchost.exe]
FilePath : D:\WINNT\System32\
ProcessID : 776
ThreadCreationTime : 3-11-2007 13:40:02
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:16 [nod32krn.exe]
FilePath : D:\Program Files\Eset\
ProcessID : 804
ThreadCreationTime : 3-11-2007 13:40:03
BasePriority : Normal
FileVersion : 2, 70, 32
ProductVersion : 2, 70, 32
ProductName : NOD32 Antivirus System
CompanyName : Eset
FileDescription : NOD32 Kernel Service
InternalName : NOD32 Kernel
LegalCopyright : Copyright © 1992-2005 Eset
LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset
OriginalFilename : nod32krn.exe

#:17 [regsvc.exe]
FilePath : D:\WINNT\system32\
ProcessID : 880
ThreadCreationTime : 3-11-2007 13:40:06
BasePriority : Normal
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:18 [mstask.exe]
FilePath : D:\WINNT\system32\
ProcessID : 980
ThreadCreationTime : 3-11-2007 13:40:09
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:19 [stisvc.exe]
FilePath : D:\WINNT\system32\
ProcessID : 1008
ThreadCreationTime : 3-11-2007 13:40:10
BasePriority : Normal
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:20 [spysweeper.exe]
FilePath : D:\Program Files\Webroot\Spy Sweeper\
ProcessID : 1080
ThreadCreationTime : 3-11-2007 13:40:12
BasePriority : Normal
FileVersion : 3,3,2,2609
ProductVersion : 3, 3
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper Engine
LegalCopyright : Copyright © 2002 - 2007, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:21 [winmgmt.exe]
FilePath : D:\WINNT\System32\WBEM\
ProcessID : 1272
ThreadCreationTime : 3-11-2007 13:40:18
BasePriority : Normal
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:22 [mspmspsv.exe]
FilePath : D:\WINNT\System32\
ProcessID : 1284
ThreadCreationTime : 3-11-2007 13:40:18
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:23 [svchost.exe]
FilePath : D:\WINNT\system32\
ProcessID : 1296
ThreadCreationTime : 3-11-2007 13:40:18
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:24 [explorer.exe]
FilePath : D:\WINNT\
ProcessID : 1636
ThreadCreationTime : 3-11-2007 13:43:41
BasePriority : Normal
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:25 [fts.exe]
FilePath : D:\Program Files\012Net\012Net-Cable dialer\
ProcessID : 1420
ThreadCreationTime : 3-11-2007 13:43:53
BasePriority : Normal
FileVersion : 3, 0, 0, 0
ProductVersion : 3, 0, 0, 0
ProductName : Friendly Products
CompanyName : Friendly Technologies
FileDescription : fts
InternalName : fts
LegalCopyright : Copyright © 2001 Friendly Technologies
OriginalFilename : fts.exe
Comments : Built 08/06/2003

#:26 [fwportal.exe]
FilePath : D:\Program Files\012Net\012Net-Cable dialer\
ProcessID : 1400
ThreadCreationTime : 3-11-2007 13:43:53
BasePriority : Normal
FileVersion : 3.0.0.9
ProductVersion : 3.0
ProductName : FriendlyAccess
CompanyName : Friendly Technologies
FileDescription : FriendlyAccess front-end module
InternalName : FWPortal
LegalCopyright : Copyright © 2001- 2002, Friendly Technologies
LegalTrademarks : FriendlyWeb ® FriendlyAccess ®
OriginalFilename : FWPortal.exe

#:27 [wuauclt.exe]
FilePath : D:\WINNT\system32\
ProcessID : 1668
ThreadCreationTime : 3-11-2007 13:43:55
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:28 [qttask.exe]
FilePath : D:\Program Files\QuickTime\
ProcessID : 1700
ThreadCreationTime : 3-11-2007 13:43:57
BasePriority : Normal
FileVersion : 7.1.5a38
ProductVersion : QuickTime 7.1.5a38
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2007
OriginalFilename : QTTask.exe

#:29 [avgcc.exe]
FilePath : D:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1724
ThreadCreationTime : 3-11-2007 13:43:58
BasePriority : Normal
FileVersion : 7.5.0.438
ProductVersion : 7.5.0.438
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:30 [zlclient.exe]
FilePath : D:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 1736
ThreadCreationTime : 3-11-2007 13:43:59
BasePriority : Normal
FileVersion : 7.0.302.000
ProductVersion : 7.0.302.000
ProductName : ZoneAlarm Client
CompanyName : Zone Labs, LLC
FileDescription : ZoneAlarm Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : zlclient.exe

#:31 [nod32kui.exe]
FilePath : D:\Program Files\Eset\
ProcessID : 1760
ThreadCreationTime : 3-11-2007 13:44:01
BasePriority : Normal
FileVersion : 2, 70, 32
ProductVersion : 2, 70, 32
ProductName : NOD32 Antivirus System
CompanyName : Eset
FileDescription : NOD32 Control Center GUI
InternalName : NOD32 Control Center GUI
LegalCopyright : Copyright © 1992-2005 Eset
LegalTrademarks : NOD, NOD32, AMON, ESET are registered trademarks of Eset
OriginalFilename : nod32kui.exe

#:32 [internat.exe]
FilePath : D:\WINNT\system32\
ProcessID : 1768
ThreadCreationTime : 3-11-2007 13:44:01
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Keyboard Language Indicator Applet
InternalName : INTERNAT
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE

#:33 [quickdcf.exe]
FilePath : D:\Program Files\FinePixViewer\
ProcessID : 1824
ThreadCreationTime : 3-11-2007 13:44:05
BasePriority : Normal
FileVersion : 4, 1, 0, 1
ProductVersion : 4, 1, 0, 1
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2003 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:34 [iexplore.exe]
FilePath : D:\Program Files\Internet Explorer\
ProcessID : 1952
ThreadCreationTime : 3-11-2007 13:44:27
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:35 [ad-aware.exe]
FilePath : D:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1924
ThreadCreationTime : 3-11-2007 14:09:49
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@list[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@list.ru/
Expires : 6-8-2007 6:22:26
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adbrite[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@adbrite.com/
Expires : 3-9-2008 19:05:14
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@stat.onestat[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@stat.onestat.com/
Expires : 3-9-2017 16:00:00
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@adengage[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@adengage.com/
Expires : 4-9-2007 14:09:22
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 5



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for D:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Scanning Hosts file......
Hosts file location:"D:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
4 entries scanned.
New critical objects:0
Objects found so far: 5



MRU List Object Recognized!
Location: : D:\Documents and Settings\Administrator\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : D:\Documents and Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1078081533-1647877149-839522115-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13

6:11:34 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:22.188
Objects scanned:57457
Objects identified:5
Objects ignored:0
New critical objects:5


I don't know about the registry infected value, but I noticed that the cookies listed keep reappearing constantly in my COOKIES folder, even though I don't know this sites and i'm almost sure that they don't belong to the pop up sites...
I've tried deleting them, but after rebooting the computer, they reappear..
Maybe they trigger the pop up websites, I don't know...

I'm almost desperate already :thumbsup: :flowers:

Thanks

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 11:36 PM

Just run CCleaner to delete the cookies. :thumbsup:
In CCleaner, make sure you have IE and FireFox box checked to delete cookies.
Cookies are not malicous, but are used for tracking.

You will get cookies if you use the web, so dont worry about it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:44 PM

Posted 10 March 2007 - 11:40 PM

Are you running two antivirus programs? :thumbsup:
I see AVG antivirus and NOD antivirus listed in the Adaware log.

You should only be running ONE antivirus on your computer. Two will cause major problems, and they will fight over the files.

Uninstall one of them.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users