Computing.Net > Forums > Security and Virus > Pop-Up Problem, Possible Spyware?


Pop-Up Problem, Possible Spyware?


Name: p8ntballer5150
Date: January 3, 2006 at 17:17:07 Pacific
OS: windows
CPU/Ram: 2.4ghz/256mb
Comment:

So apparently my sister somehow downloaded a program to the desktop of my computer, and then my dad opened it to see what it was, and it started having a bunch of pop-ups, then started downloading programs to my computer. So far we have uninstalled all the programs it downloaded and the pop-ups are to a minimum, but we still get about 10 every hour or so. As long as the internet is connected to the computer through the router, pop-ups will just show up, even when you do not have Internet Explorer open. We've run Spybot and Ad-Aware twice each, and deleted all that was connected to the spyware. But now we can't find any clues to where the pop-ups are coming from. Any help out there?

- If it helps, the pop-ups show up both at the top of pages and as separate windows.
- Also, I have a 2.4 GHz P4 processor with Windows XP w/256 MB RAM if that helps.





Response Number 1
Name: jabuck
Date: January 3, 2006 at 17:24:44 Pacific
Reply:

Please post a HijackThis log so that the files associated with the virus/spyware/hijacker can be identified. You can download HijackThis at this link: http://www.tomcoyote.org/hjt/ . Then place it into a folder of its own, such as C:\HJT, so that backup copies can be made without cluttering your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Then download CCleaner to clean out all your temp files. Make sure there is not anything in the recycle bin that you need, as CCleaner will delete recycle bin items unless checked not to do so. (Do not run this yet.)



Response Number 2
Name: p8ntballer5150
Date: January 3, 2006 at 17:46:32 Pacific
Reply:

OK, so I've done the HijackThis scan and saved it as a TextPad document. What do you mean by "copy its contents into the text editor at this forum"? Is there a certain place to paste this?

Thanks for the help so far, I really appreciate it.

Here's what it said after I scanned it, though:

Logfile of HijackThis v1.99.1
Scan saved at 5:35:03 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\urtlhrzA.exe
C:\WINDOWS\newfrn.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CMMan\CMMan.exe
C:\Program Files\sf\sf.exe
C:\WINDOWS\opmrket.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\urtlhrz.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPRV10.exe
C:\HJT\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?101 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?101 (obfuscated)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsa10.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [urtlhrzA] C:\WINDOWS\urtlhrzA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinnsap.exe CORN001
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDOWS\opmrket.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinnsap.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {6793D547-38DD-4325-B35A-F1817EDFA567} - C:\Program Files\CMMan\mfhlp.dll
O19 - User stylesheet: C:\WINDOWS\default.css (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urtlhrz.exe




Response Number 3
Name: jabuck
Date: January 3, 2006 at 19:01:11 Pacific
Reply:

You should print this.

Text editor is the comments box on this forum.

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Do not run it yet.

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Go to start>control panel>administrative tools>services>scroll down to "Windows Overlay Components" and double click on it>in the properties box click "stop">on the right side of "startup type" click the blue drop down arrow and click disabled>apply>ok>exit services.

Run HT again, close all windows and browsers except HT, place a check to the left of the following items and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?101 (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?101 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?101 (obfuscated)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsa10.dll

O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll

O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll

O4 - HKLM\..\Run: [urtlhrzA] C:\WINDOWS\urtlhrzA.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinnsap.exe CORN001

O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O4 - HKCU\..\Run: [opmrket] C:\WINDOWS\opmrket.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinnsap.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O18 - Filter: text/html - {6793D547-38DD-4325-B35A-F1817EDFA567} - C:\Program Files\CMMan\mfhlp.dll

O19 - User stylesheet: C:\WINDOWS\default.css (file missing)

O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urtlhrz.exe

Reboot into safe mode as directed here.

Navigate to and delete these files and folders if found:

C:\WINDOWS\urtlhrzA.exe (file)


C:\WINDOWS\newfrn.exe (file)

C:\Program Files\CMMan (folder)


C:\Program Files\sf (folder)


C:\WINDOWS\opmrket.exe (file)

C:\Program Files\Common Files\Windows\services32.exe (file)

C:\WINDOWS\system32\nsa10.dll (file)

C:\WINDOWS\DH.dll (file)

C:\WINDOWS\system32\pwinnsap.exe (file)

C:\Program Files\AWS (folder)

C:\WINDOWS\urtlhrz.exe (file)

reboot into here

Run Ewido and when the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.

Run CCleaner.

Please reboot into normal mode and post the Ewido log and a new HT log.


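Added example (not code from the thread, from HijackThis or from ewido): a small Python triage script that parses HijackThis v1.99-style R/O entries and applies the kinds of checks jabuck applied by eye above, so a reader can see why each fixed entry stood out. The rule names, the Finding record and the assumption that the Windows root is C:\WINDOWS are mine; the sample lines are copied from the log earlier in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample (not a complete log): entries copied from the HijackThis
# v1.99 log posted earlier in this thread, mixing hijacker lines with known-good ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?101 (obfuscated)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O4 - HKLM\..\Run: [urtlhrzA] C:\WINDOWS\urtlhrzA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
O18 - Filter: text/html - {6793D547-38DD-4325-B35A-F1817EDFA567} - C:\Program Files\CMMan\mfhlp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urtlhrz.exe
"""

# "O4 - HKLM\..\Run: [name] path"  ->  section "O4", body "HKLM\..\Run: [name] path"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path in the body; allows spaces ("C:\Program Files\...") and stops
# at the first executable/library extension, so "NvCpl.dll,NvStartup" yields the DLL.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|css)\b", re.IGNORECASE)
GUID_DLL_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.dll$", re.IGNORECASE)
WINDOWS_ROOT = r"C:\WINDOWS"  # assumption: %SystemRoot% as it appears in this thread's log

# A rule sees (section, body, extracted path) and returns a reason string or None.
Rule = Callable[[str, str, Optional[str]], Optional[str]]

def missing_target(section, body, path):  # hook/service whose file is already gone
    return "target no longer exists on disk" if "(file missing)" in body or "(no file)" in body else None

def hijacker_domain(section, body, path):  # search/home page redirected to the domain in the log
    return "points at the hijacker domain seen in this thread" if "coolwwwsearch.com" in body.lower() else None

def unknown_owner_service(section, body, path):  # O23 with no vendor string
    return "service with no vendor" if section == "O23" and " - Unknown owner - " in body else None

def windows_root_binary(section, body, path):  # auto-start binary sitting directly in C:\WINDOWS
    if path and ntpath.dirname(path).upper() == WINDOWS_ROOT.upper():
        return "binary dropped directly in the Windows root"
    return None

def clsid_named_dll(section, body, path):  # {GUID}.dll as a file name
    return "DLL named after its own CLSID" if path and GUID_DLL_RE.match(ntpath.basename(path)) else None

def html_mime_filter(section, body, path):  # third-party filter sees every HTML page IE loads
    return "text/html MIME filter" if section == "O18" and body.startswith("Filter: text/html") else None

def unnamed_bho(section, body, path):  # browser helper object that hides its name
    return "BHO with no name" if section == "O2" and body.startswith("BHO: (no name)") else None

RULES: List[Rule] = [missing_target, hijacker_domain, unknown_owner_service,
                     windows_root_binary, clsid_named_dll, html_mime_filter, unnamed_bho]

@dataclass(frozen=True)
class Finding:
    line: str
    section: str
    path: Optional[str]
    reasons: Tuple[str, ...]

def triage(log_text: str) -> List[Finding]:
    """Return every R/O entry that trips at least one rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines and the "Running processes" block are skipped
        section, body = m.group("section"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        reasons = tuple(r for r in (rule(section, body, path) for rule in RULES) if r)
        if reasons:
            findings.append(Finding(raw.strip(), section, path, reasons))
    return findings

def flagged_paths(log_text: str) -> List[str]:
    """Distinct on-disk targets behind the flagged entries: the safe-mode delete list."""
    return sorted({f.path for f in triage(log_text) if f.path})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons))
        print("   ", f.line)
```

The services32 entry, which jabuck also fixed, is deliberately left unflagged: its path looks ordinary and only knowledge of the Maxifiles family (which the ewido report below names for mc-110-12-0000121.exe) catches it, which is why this kind of triage is a hint, not a verdict.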

Response Number 4
Name: p8ntballer5150
Date: January 3, 2006 at 21:26:18 Pacific
Reply:


ewido anti-malware - Scan report


+ Created on: 9:15:51 PM, 1/3/2006
+ Report-Checksum: D61FA175

+ Scan result:

HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\DR_S -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\DR_S\dp -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\DR_S\dp\adsh -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\DR_S\dp\sfitb -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\DR_S\dp\sfitb\163 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\searchforit -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-2382750585-2781504589-1887795725-1007\Software\searchforit\searchforit -> Adware.Searchforit : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@data2.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@ehg-bestbuy.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@weborama[1].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temp\adwsetup_upd.exe -> Dropper.Agent.abb : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temp\GLF9GLF9.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temp\i4.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temp\ts_8_new.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\4HA7K92R\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\5GGVXL05\adsetup.silent.1.20[1].exe -> Dropper.Agent.abb : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\5GGVXL05\MTE3MTk6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\8H6N0LAR\ErrorSafeScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\8TIJ8H6Z\stub_109_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\C9QJCP6Z\director_install[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\C9QJCP6Z\ppt1[1].exe -> Downloader.Small.cdy : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E2RN9SNZ\launcher[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E2RN9SNZ\opmrket[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\E2RN9SNZ\ts_8_new[1].exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\GLU3OPQN\freeprodtb[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SPAZWDIB\101[1].wmf -> Not-A-Virus.Exploit.Win32.IMG-WMF : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\SPAZWDIB\newfrn[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\VM72RKQ7\stubNsbg[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\MICHAEL\Local Settings\Temporary Internet Files\Content.IE5\ZU3AWYMM\SysProtectScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\HJT\backups\backup-20060103-202744-339.dll -> Hijacker.Small.jf : Cleaned with backup
C:\HJT\backups\backup-20060103-202744-665.dll -> Adware.EZula : Cleaned with backup
C:\HJT\backups\backup-20060103-202745-986.dll -> Trojan.VB.aft : Cleaned with backup
C:\n.exe -> Downloader.Small.cdy : Cleaned with backup
C:\Program Files\Common Files\Download\freeprodtb.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Download\mc-110-12-0000121.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\friu\friud\friuc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Common Files\friu\friul.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\Program Files\Common Files\friu\friup.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Program Files\Common Files\InetGet\mc-110-12-0000121.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe -> Spyware.Maxifiles : Cleaned with backup
C:\RECYCLER\S-1-5-21-2382750585-2781504589-1887795725-1007\Dc15.exe -> Downloader.Adload.k : Cleaned with backup
C:\RECYCLER\S-1-5-21-2382750585-2781504589-1887795725-1007\Dc17.exe -> Adware.DownloadWare : Cleaned with backup
C:\RECYCLER\S-1-5-21-2382750585-2781504589-1887795725-1007\Dc23.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\system32\399.exe -> Dropper.Agent.xw : Cleaned with backup
C:\WINDOWS\system32\dtti.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\Explorer.exe -> Trojan.VB.aft : Cleaned with backup
C:\WINDOWS\system32\idl.exe -> Downloader.Small.buy : Cleaned with backup
C:\WINDOWS\system32\jumb.exe -> Downloader.Adload.k : Cleaned with backup
C:\WINDOWS\system32\mc-110-12-0000121.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\nsxD.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\rmdsregs.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\satl.exe -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\ssmk.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\zdinst_CORN001.exe -> Spyware.ZenoSearch : Cleaned with backup

Logfile of HijackThis v1.99.1
Scan saved at 9:17:06 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.exe
C:\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [friu] C:\PROGRA~1\COMMON~1\friu\frium.exe
O4 - HKCU\..\Run: [opmrket] C:\WINDOWS\opmrket.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Response Number 5
Name: jabuck
Date: January 4, 2006 at 04:09:59 Pacific
Reply:

Looking better. Download AboutBuster 6.0 from this link http://www.majorgeeks.com/download4289.html . Unzip it to the desktop, run it, Check for Updates, and update the files.

Reboot into safe mode.

Then please run About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.

Run HT again, close all windows and browsers except HT, place a check by the following items and press "fix checked":

O4 - HKCU\..\Run: [friu] C:\PROGRA~1\COMMON~1\friu\frium.exe

O4 - HKCU\..\Run: [opmrket] C:\WINDOWS\opmrket.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)

While still in safe mode navigate to and delete these files/folders if found:

C:\Program Files\Common\friu (folder)

C:\WINDOWS\opmrket.exe (file)

C:\WINDOWS\TUlDSEFFTA (folder)

Run Ewido again. Post the AboutBuster log, Ewido log and a new HT log.






Response Number 6
Name: p8ntballer5150
Date: January 4, 2006 at 17:17:53 Pacific
Reply:

OK, so I've followed all your directions, and the only file I cannot navigate to and find is C:\WINDOWS\opmrket.exe, but I have found a file called OPMRKET.EXE-06DA132.PF. Should I delete that? Here are the scans.


ewido anti-malware - Scan report


+ Created on: 5:13:40 PM, 1/4/2006
+ Report-Checksum: DDA84FFD

+ Scan result:

C:\Documents and Settings\MICHAEL\Cookies\michael@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\MICHAEL\Cookies\michael@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End

AboutBuster 6.0
Scan started on [1/4/2006] at [4:29:31 PM]
---
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
---
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
---
No Files Found!
---
Removed Temp Files
Internet Explorer Settings Reset!
---
Scan was COMPLETED SUCCESSFULLY at 4:30:46 PM


AboutBuster 6.0
Scan started on [1/4/2006] at [4:35:06 PM]
---
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
---
No Ads Found!
---
No Files Found!
---
Scan was COMPLETED SUCCESSFULLY at 4:37:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:15:39 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




Response Number 7
Name: jabuck
Date: January 4, 2006 at 18:50:14 Pacific
Reply:

Yes, delete that file from safe mode, then run HT again and fix this item:

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)

From safe mode, search for and delete this file if found:

C:\WINDOWS\TUlDSEFFTA



Response Number 8
Name: p8ntballer5150
Date: January 4, 2006 at 20:13:51 Pacific
Reply:

OK, so I did what you told me; now is that it? Also, there is this program called Zeno in the startup that we disabled. It was on the name of the pop-ups, so I found this file called Zeno.Lnkstartup in the folder pss. So should I delete that? Also, do I need to post more HT logs or Ewido logs?



Response Number 9
Name: jabuck
Date: January 4, 2006 at 20:44:20 Pacific
Reply:

Yes, but only that file. Is it a separate file from the .ini files (boot, system and win)? If it is in one of these it needs to be edited out. If it is an individual file, just delete it.



Response Number 10
Name: p8ntballer5150
Date: January 4, 2006 at 20:48:03 Pacific
Reply:

OK, so am I done getting rid of all of the spyware? Everything seems to be back to normal. So if I am done, I want to thank you for helping me get rid of all of the spyware.



Response Number 11
Name: p8ntballer5150
Date: January 4, 2006 at 20:54:07 Pacific
Reply:

OK, so I've deleted the file, but it still shows up in msconfig. Is there a way to stop it from showing up in there?

Here's a pic of it:



Response Number 12
Name: p8ntballer5150
Date: January 4, 2006 at 20:55:12 Pacific
Reply:

Picture didn't show up. Here's the link to the picture.

http://img.photobucket.com/albums/v660/p8ntballer5150/zenopic.jpg



Response Number 13
Name: jabuck
Date: January 4, 2006 at 21:00:08 Pacific
Reply:

Yes, msconfig is running in selective mode. I saw that in your HT log. You need to run msconfig in normal mode; then maybe you can delete it with HT. If it shows up in HT, fix the O4 item and be sure to boot into safe mode and delete the file or folder that it points to.

Or post an HT log after setting msconfig to boot in normal mode.


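The two things jabuck is pointing at in Response 7 and Response 13 (an O23 service whose binary is "(file missing)", and the `[MSConfig] ... /auto` Run entry that shows Selective Startup is active) are easy to pull out of a HijackThis log mechanically. The script below is an added example for this thread; it is not HijackThis code and was not posted by either participant. It parses the O4 (registry Run) and O23 (service) line formats seen in the posted logs, flags orphaned or publisher-less services, notes the Selective Startup marker, and tests each folder name in a path to see whether it is unpadded base64 of printable text. That last check is a heuristic, not a signature, but on this log it is informative: `TUlDSEFFTA` is the base64 encoding of `MICHAEL`, the account name visible in the cookie paths earlier in the thread, which is why the folder looks random but is not. (The `pss` folder the poster found `Zeno.Lnkstartup` in is where msconfig on XP parks Startup-folder shortcuts it has disabled, which is consistent with the Selective Startup finding.) The five log lines embedded as `SAMPLE_LOG` are copied from the 1/4/2006 log above; the regular expressions and the `decode_b64_component` thresholds are my assumptions.

```python
"""Triage a HijackThis 1.99 log for the entries the thread is fixing.

Added example for this thread; not HijackThis code and not posted by
jabuck or p8ntballer5150. Assumptions: the regular expressions only cover
the O4 (registry Run) and O23 (service) line formats seen in the posted
logs, and the base64 check is a heuristic that flags a folder name for
review, not a malware signature.
"""
import base64
import binascii
import re

# Five lines copied from the HijackThis log posted in the thread on 1/4/2006.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A lone path component made only of base64 alphabet characters, 8+ long,
# with no dot, so real file names such as command.exe are never tested.
B64_COMPONENT_RE = re.compile(r"^[A-Za-z0-9+/]{8,}$")


def decode_b64_component(component):
    """Return the decoded text if `component` is unpadded base64 of printable
    ASCII, else None.  'TUlDSEFFTA' -> 'MICHAEL'; 'system32' -> None."""
    if not B64_COMPONENT_RE.match(component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Ordinary folder names usually decode to bytes outside printable ASCII.
    if len(raw) < 4 or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def b64_path_findings(path_like):
    """Scan each backslash-separated component of a path or command line."""
    found = []
    for comp in path_like.split("\\"):
        decoded = decode_b64_component(comp)
        if decoded is not None:
            found.append(f"folder name {comp!r} base64-decodes to {decoded!r}")
    return found


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("service binary is missing: orphaned service entry, "
                               "fix the O23 item (the binary itself is already gone)")
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded for the service")
            reasons += b64_path_findings(m.group("path"))
        m = O4_RE.match(line)
        if m:
            if m.group("name") == "MSConfig" and "/auto" in m.group("cmd"):
                reasons.append("msconfig adds this Run entry while Selective Startup "
                               "is active: disabled startup items are parked, not removed")
            reasons += b64_path_findings(m.group("cmd"))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

Run against a full log, the script reports the three lines jabuck singled out or would have (cmdService, the Network Monitor service, and the msconfig marker) and stays quiet on the signed NVIDIA service and the QuickTime Run entry. Removing the flagged O23 entry in HijackThis only deletes the service registration; the folder it pointed at still has to be removed from safe mode, as Response 7 says.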

Response Number 14
Name: p8ntballer5150
Date: January 4, 2006 at 21:10:15 Pacific
Reply:

I booted it in normal mode, but couldn't find the file you were talking about.

Logfile of HijackThis v1.99.1
Scan saved at 9:09:03 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2003\EDICT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TUlDSEFFTA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MissDNS logs DNS cache miss hits (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\MissDNS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




Response Number 15
Name: jabuck
Date: January 4, 2006 at 21:31:15 Pacific
Reply:

I have got to call it a day. Will post back tomorrow. You should be OK for now. There is nothing in HT, as you said.



Response Number 16
Name: p8ntballer5150
Date: January 4, 2006 at 21:33:59 Pacific
Reply:

Alright, cool. You've really helped me out a lot and I just wanted to thank you.

