pop ups w/o internet browser open

**gummygod** · 08-03-2006 10:51 PM

I have been having pop ups just pop up with out a browser open. I forgot to take a screenshot of the popup but it had a small upper bar with a single button; a 'x' to close it. Im running windows XP (on this partition anyways) and have a road runner internet connection thats constantly connected. Im not sure if this is related, but, when i restart windows a window pops up trying to close a program called "ShellIconHiddenWindow" which Im pretty sure shouldnt be running :wink: . Im not sure where the popups come from but heres my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:51 PM, on 8/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\IA\command.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Audible\Bin\adhelper.exe
C:\Program Files\Norton AntiVirus\NAVCOMUI.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\System32\tetew.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,eyaihpx.exe
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\adhelper.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\System32\dmonwv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets...LStreaming.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://eport1.aurora.org/iNotes6W.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ric...GameLoader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\IA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thank you for any help, and this should be my last time needing help because im switching to ubuntu, a linux distro.

**Basementgeek** · 08-04-2006 10:34 AM

I take this is the same PC we (Steamwiz) worked on less than 1 month ago

(I just locked that topic)

He cleaned it for you -

This log has several problems, possible Qoologic, L2M,adaware, trojan.

Follow all the directions here and post another log. Save the Pandasoft scan log, on things Panda finds and cannot fix. These need to be a NEW scans:

http://www.help2go.com/component/opt...wtopic/t,9709/

Thank you for any help, and this should be my last time needing help because im switching to ubuntu, a linux distro

Don't blame MS or IE for your problems, you probably did it to your self.

BG

**gummygod** · 08-12-2006 01:41 PM

sorry about that, i forgot to do this before i went on vacation.
and thanks steamwiz for helping me last time.

im running all these scans but it takes forever (what i was fearing when i just posted my log). i hope i can finish this today but well see.

Don't blame MS or IE for your problems, you probably did it to your self.

yes, someone caused these problems; either me or someone else who used this computer. but i will be using a spyware-free OS from now on, so the other people using this computer can deal with spyware theirselves. microsoft only has this bad spyware problem because its so popular.

anyways, ill post the pandasoft and hijack this logs in a day or 2.

**Basementgeek** · 08-12-2006 02:03 PM

but i will be using a spyware-free OS from now on,.....

Please let me know when you find one as I want to invest in it their stock.

Need to remember that most computer problems are caused by what is setting in front of the screen, i.e. the user

Not trying to be "smart" here, but the vast majority of problems are created by the user. Granted M$ is full of holes/problems. BUT an up to date OP system, good A/V, firewall and run all things we recommend will go a very long way in protecting you. They have kept me out of trouble for 3 years now.

BG

**gummygod** · 08-13-2006 04:18 PM

well that took longer than id hope, and it did not go smoothly.

panda scan went ok, heres the list of what it couldnt handle:

Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\LocalService\Cookies\system@statcounter[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o6p452rs.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o6p452rs.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o6p452rs.default\cookies.txt[.target.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[statse.webtrendslive.com/S0014-01-1-17-218931-48461]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.atdmt.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.2o7.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.zedo.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[server.iad.liveperson.net/hc/51408128]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.serving-sys.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.statcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.hitbox.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.maxserving.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.com.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.ehg-sonycomputer.hitbox.com/]
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[.mp3search.ru/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wp47qycg.ANDREW\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zqxuzwn1.baader\cookies.txt[.com.com/]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f03b99-70e86701.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f05170-63e10add.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f05171-704e0106.zip[javainstaller/InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-4514e5ea-3e668018.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[3].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[10].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[3].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[5].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[6].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[8].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[9].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Owner\Cookies\owner@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Owner\Cookies\owner@btg.btgrab[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cliks[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Owner\Cookies\owner@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dlm.dlmax[1].txt
Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\Owner\Cookies\owner@errorguard[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kount[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Owner\Cookies\owner@offeroptimizer[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rightmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@rn11[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@targetsaver[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Owner\Cookies\owner@webpower[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www.seeq[1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www47.buydomains[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Owner\Cookies\owner@www48.seeq[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Spyware prevention\Process.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@com[1].txt
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\f17208140.exe
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\f21575250.exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\nsb2.tmp\nsProcess.dll
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\nsc3.tmp\nsProcess.dll
Adware:Adware/QoolAid Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\kzzq\kzzqd\kzzqc.dll
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\kzzq\kzzqm.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\kzzq\kzzqp.exe
Adware:Adware/MyBHOSpy Not disinfected C:\Program Files\hijack this\backups\backup-20050710-132818-898.dll
Adware:Adware/MaxFiles Not disinfected C:\Program Files\ipwins\ipwins.exe
Adware:Adware/Maxifiles Not disinfected

sorry i think i may have chopped off part of that last one.

then when i tried to run housecall, it would never load, even if i left it there for an hr.

then i got some updates, upgraded to sp2 and installed windows defender: that all went well.

i ran spybot, it found a bunch of items and it couldnt remove them all so i set to scan on reboot. it still couldnt remove 2 main items with about 20 things under them.

then adaware went the worst, when i ran it this happened everytime:

it can run but just for 60 seconds before it restarts and i dont think it could remove anything or another error popped up

i did another hijack this scan and put it in the dective, it fixed a bunch of things. now i realized i havent had a pop up since i restarted 10 mins ago, that seems good, but heres my new log anyways:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:41 PM, on 8/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINNT\thiselt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINNT\CCZoop05.exe
C:\WINNT\system32\vp1i4.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Audible\Bin\adhelper.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,eyaihpx.exe
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINNT\system32\vf1v62x.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINNT\system32\apbzk.exe
O4 - HKLM\..\Run: [epy9J] "C:\WINNT\system32\l3jdfs.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CCZoop05.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yinsx] C:\WINNT\System32\dtcawk.exe reg_run
O4 - HKCU\..\Run: [kzzq] C:\PROGRA~1\COMMON~1\kzzq\kzzqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\adhelper.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets...LStreaming.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://eport1.aurora.org/iNotes6W.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ric...GameLoader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154733102390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINNT\system32\vf1v62x.dll
O20 - AppInit_DLLs: repairs303169590.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

well thats everything, thanks for your time and effort i appreciate it.

**gummygod** · 08-15-2006 03:41 PM

uh, i couldnt help but notice that post is no longer there. i followed the directions but i didnt notice anything different, although surfsidekick is gone, still get popups tho.

**Basementgeek** · 08-15-2006 10:00 PM

Sorry but I lost the link I was going to use, so I deleted the post. We will do a couple other fixes:

Please down load this program:

http://www.atribune.org/content/view/28/

Please download Look2Me-Destroyer.exe to your desktop.

Close all windows before continuing.

Double-click Look2Me-Destroyer.exe to run it.

Put a check next to Run this program as a task.

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK

When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.

Once it's done scanning, click the Remove L2M button.

You will receive a Done Scanning message, click OK.

When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.

Turn your computer back on.

Download Qoofix.zip from :- http://www.malwarebytes.org/Qoofix.zip

Unzip to C:\Qoofix

Open the C:\Qoofix folder & double click on the file named Qoofix.exe
select Begin Removal and the removal process will commence

A reboot may be necessary if an infection is found

Post the Qoofix results log located in the same folder as the Qoofix.
Also want to see Look2Me-Destroyer.txt file along with a new HJT log.

Also let us know if the pop ups still appear.

BG

**gummygod** · 08-16-2006 07:11 PM

look2me and Qoofix ran. Qoofix didnt find anything. i dont know about look2me, there was nothing in that big box, but im not sure if it found anything. i seem to still get the occasional pop up 'served by uskyonline' i believe. and i still get a warning telling me it is trying to close 'ShellIconHiddenWindow' when i restart. heres the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:17 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINNT\thiselt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\WINNT\system32\vp1i4.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Audible\Bin\adhelper.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINNT\system32\vf1v62x.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINNT\system32\apbzk.exe
O4 - HKLM\..\Run: [epy9J] "C:\WINNT\system32\l3jdfs.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\Desktop\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kzzq] C:\PROGRA~1\COMMON~1\kzzq\kzzqm.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\adhelper.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets...LStreaming.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://eport1.aurora.org/iNotes6W.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ric...GameLoader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154733102390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINNT\system32\vf1v62x.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

**gummygod** · 08-17-2006 02:23 PM

whoops, heres the look2me log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/16/2006 6:21:03 PM

Attempting to delete infected files...

Making registry repairs.

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

**Basementgeek** · 08-18-2006 10:49 AM

Well the fixes did what I wanted/expected to do.

Re boot the PC in the safe mode by tapping F8 during start up. Select safe mode.

Run the HJT program again and check the following files to have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINNT\system32\vf1v62x.dll

O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe

O4 - HKLM\..\Run: [wGzyM6F48] C:\WINNT\system32\apbzk.exe

O4 - HKLM\..\Run: [epy9J] "C:\WINNT\system32\l3jdfs.exe"

O4 - HKCU\..\Run: [kzzq] C:\PROGRA~1\COMMON~1\kzzq\kzzqm.exe

O15 - Trusted Zone: *.elitemediagroup.net

O15 - Trusted Zone: *.media-motor.net

O15 - Trusted Zone: *.mmohsix.com

O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINNT\system32\vf1v62x.dll

Press the fixed check button. Close the HJT program.

Still in the safe mode find and delete the following if found:

C:\WINNT\system32\vf1v62x.dll...file

C:\WINNT\thiselt.exe...file

C:\WINNT\system32\apbzk.exe...file

C:\WINNT\system32\l3jdfs.exe...file

C:\PROGRA~1\COMMON~1\kzzq...FOLDER
(Can't given the exact name on the first 6 letters)

Re boot the PC in the normal mode

Next :

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

doubleclick the ccsetup.exe file and install the program...

At the Cclean setup screen &Install opitions Uncheck the Add Ccleaner Yahoo ! Tool bar unless you want it

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history

under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...

under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)

Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your passward when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

Next:

Download and install the trial version of Ewido Anti-Spyware here……

www.ewido.net/en/download

The program should launch automatically after installation. If not then double-click the desktop icon.

Deactivate the Resident Shield
> Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
> To do this, click "Change State" to the right of the Resident Shield option in the main window.
> You will clearly see the status change to Inactive if you have done this correctly.

Update Ewido's Definitions
> Ewido automatically updates the spyware definitions if you are connected to the net during installation.
> As a precaution, click the "Update" icon from the main menu.
> Then click the "Start Update" button.
> When you receive the "Update successful" prompt, close Ewido.

-->>Note: If you have any problems with the updater you can update Ewido manually here:

http://download.ewido.net/ewido-signatures-current.exe

Reboot into Safe Mode.

Scanning with Ewido
> Open Ewido Anti-Spyware and click the "Scanner" icon from the main menu.
> Click "Complete System Scan" to start scanning.
> When scanning completes, click "Recommended action" beneath the results window and select Quarantine.
> Then click the "Apply all actions" button to quarantine everything detected.
> Then click Save report > Save report as and save the Report-Scan.txt to your desktop.

Post the results of the Report-Scan.txt in your next post here along with a New HJT log.

BG

Thread: pop ups w/o internet browser open

LinkBack

Thread Tools

pop ups w/o internet browser open