Annoying popups; can't find the source [RESOLVED], I've run Adaware, Spybot SD, symantec, symantec hotbar; nothing is
musicrob05
post Jan 19 2006, 12:29 PM
Post #1


New Member
Posts: 5
OS: XP pro



I've run almost all the virus/spyware/adware software available. I can't find the source of the pop-ups. The pop-ups advertise media.fastclick.com; clean your registry; you have spyware infecting your computer. Again, I've run Symantec, Symantec hotbar, Adaware SE, Spybot SD, ewido, HJT, Microsoft AntiSpyware. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:30 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ScsiAccess.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\FarStone\VirtualDrive\VDTask.exe
F:\WINDOWS\vcdplayx.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\LVCOMSX.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Microsoft AntiSpyware\gcasServ.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MESSEN~1\msmsgs.exe
F:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Spyware-Adware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [VirtualDrive] "F:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "F:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] F:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 19421953
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - F:\WINDOWS\system32\ScsiAccess.EXE

Thanks a lot
retrac
post Jan 21 2006, 05:25 AM
Post #2


Visiting Staff
Posts: 578
OS: XP Home SP2



Hey musicrob05, welcome to Geeks To Go :)


Please run this online virus scan:
  • You will need to be using Microsoft Internet Explorer to do this scan: Link to ActiveScan
  • Click the "Scan Your PC" button in the middle of the page.
  • You will have to allow the installation of ActiveX controls.
  • You will have to enter a valid e-mail address.
  • Then click "My Computer" when it asks what you want to scan.
  • Save the report after the scan finishes (somewhere you can find it).

Copy the results of the ActiveScan and paste them here along with a new HijackThis log.


Thanks

This post has been edited by retrac: Jan 21 2006, 05:27 AM
musicrob05
post Jan 22 2006, 01:14 PM
Post #3


New Member
Posts: 5
OS: XP pro



Here are the results of the scan.

Logfile of HijackThis v1.99.1
Scan saved at 1:08:41 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ScsiAccess.EXE
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\FarStone\VirtualDrive\VDTask.exe
F:\WINDOWS\vcdplayx.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\LVCOMSX.EXE
F:\Program Files\Microsoft AntiSpyware\gcasServ.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MESSEN~1\msmsgs.exe
F:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\WINDOWS\explorer.exe
F:\Program Files\AIM\aim.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Spyware-Adware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [VirtualDrive] "F:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "F:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] F:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 19421953
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - F:\WINDOWS\system32\ScsiAccess.EXE




Incident Status Location

Adware:adware program Not disinfected F:\WINDOWS\SYSTEM32\data.~
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@doubleclick[1].txt
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[statse.webtrendslive.com/dcs2ar3j3oifwznntyewsf9iv_7z4j]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adrevolver Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[.adrevolver.com/]
Adware:Adware/BrilliantDigital Not disinfected C:\Documents and Settings\Robert Fraleigh\Desktop\Unused Desktop Shortcuts\Kazaa\bdcore.dll.updpnd
Adware:Adware/AzeSearch Not disinfected C:\WINDOWS\Downloaded Program Files\azesearch.inf
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[dcs2ar3j3oifwznntyewsf9iv_7z4j]
Spyware:Cookie/WebtrendsLive Not disinfected F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt[]
Spyware:Cookie/Advertising Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected F:\Documents and Settings\Robbie\Cookies\robbie@doubleclick[1].txt



Thanks a lot in advance, I really appreciate this.

retrac
post Jan 22 2006, 04:16 PM
Post #4


Visiting Staff
Posts: 578
OS: XP Home SP2



Welcome back musicrob05 :)



Please open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 19421953

Now close all windows and browsers other than HiJackThis, then click Fix Checked.




Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    F:\WINDOWS\system32\0sis0ijw.dll
    F:\WINDOWS\SYSTEM32\data.~
    C:\Documents and Settings\Robert Fraleigh\Desktop\Unused Desktop Shortcuts\Kazaa\bdcore.dll.updpnd
    C:\WINDOWS\Downloaded Program Files\azesearch.inf



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.





Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.




Then make a new HijackThis log and post it here :)

musicrob05
post Jan 22 2006, 10:41 PM
Post #5


New Member
Posts: 5
OS: XP pro



The new Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:37:28 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\ScsiAccess.EXE
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
F:\Program Files\FarStone\VirtualDrive\VDTask.exe
F:\WINDOWS\vcdplayx.exe
F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\LVCOMSX.EXE
F:\Program Files\Microsoft AntiSpyware\gcasServ.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MESSEN~1\msmsgs.exe
F:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Spyware-Adware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [VirtualDrive] "F:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "F:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] F:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - F:\WINDOWS\system32\ScsiAccess.EXE

Also: in the System Configuration Utility under Startup programs, I have a program, ghjabslne.exe. I'm not sure where it is from or what it does, so it currently does not start up with Windows. Running a search for it comes up empty. Any suggestions? Thanks

retrac
post Jan 22 2006, 11:16 PM
Post #6


Visiting Staff
Posts: 578
OS: XP Home SP2



Hey musicrob05 :D

Do you have some items unchecked in msconfig? Well, if you want to get rid of it you will have to enable it in msconfig, reboot and paste a new HijackThis log. (I would also recommend re-checking anything that you are not sure is legit so I can take a look at it.)


Update EWIDO Security Suite Definitions.
If you have problems updating go here ---> ewido manual updates

Once the updates are installed do the following:
  • Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Open Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Please post a New HiJackThis Log and the Ewido report.


musicrob05
post Jan 23 2006, 03:10 PM
Post #7


New Member
Posts: 5
OS: XP pro



Logfile of HijackThis v1.99.1
Scan saved at 3:04:06 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Spyware-Adware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [VirtualDrive] "F:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "F:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] F:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] F:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Security Panagers] ghjabslne.exe
O4 - HKLM\..\Run: [LogitechVideoTray] F:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] F:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = F:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = F:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - F:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\Spyware-Adware\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - F:\WINDOWS\system32\ScsiAccess.EXE



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:03:29 PM, 1/23/2006
+ Report-Checksum: B78D3F9F

+ Scan result:

:mozilla.14:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.21:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.45:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.47:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.50:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.51:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.57:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.58:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.59:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.60:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.62:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.63:F:\Documents and Settings\Robbie\Application Data\Mozilla\Firefox\Profiles\uqaqtxtt.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Robbie\Cookies\robbie@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
F:\Documents and Settings\Robbie\Cookies\robbie@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
F:\Documents and Settings\Robbie\Cookies\robbie@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup


::Report End


retrac
post Jan 23 2006, 04:46 PM
Post #8


Visiting Staff
Posts: 578
OS: XP Home SP2




Hey musicrob05

Are you still getting popups?

How's the computer running?
musicrob05
post Jan 23 2006, 09:30 PM
Post #9


New Member
*
Posts: 5
OS: XP pro



Computer is running well. I just have a couple of technical questions:

How did you tell that O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 19421953 is spyware or adware? On average, if I am looking at a HijackThis log, what obvious things should I look for if this comes up in the future?

Also, why did I kill these: F:\WINDOWS\SYSTEM32\data.~,
C:\Documents and Settings\Robert Fraleigh\Desktop\Unused Desktop Shortcuts\Kazaa\bdcore.dll.updpnd,
C:\WINDOWS\Downloaded Program Files\azesearch.inf? I'm just trying to understand some of your reasoning so that I can be a little more educated in the future.

Thanks a lot!
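The question above asks what to look for in an O4 entry before deciding it needs research. The following Python script is an added example, not part of this thread or of HijackThis: it parses HijackThis-style O4 lines and applies a few first-pass triage heuristics. The first sample line is the 0sis0ijw.dll entry quoted in the question; the other two sample lines are constructed for contrast from processes listed earlier in the thread. The heuristics (a value name that mixes letters and digits, an executable or rundll32 DLL given without a directory, an opaque numeric argument) only rank entries for research; they do not replace looking the file name up.

```python
import re

# Sample O4 lines. The first is the entry discussed in this thread; the other
# two are constructed entries modelled on the "Running processes" list above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 19421953",
    r"O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe",
]

# HijackThis O4 format: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# A letter directly next to a digit inside the value name, e.g. "0sis0ijw".
RANDOM_NAME_RE = re.compile(r"[a-z]\d|\d[a-z]")


def split_command(command):
    """Split a Run-value command line into (executable, [arguments]).

    A quoted executable path ("F:\\Program Files\\x.exe" /arg) keeps its spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            end = len(command)
        return command[1:end], command[end + 1:].split()
    parts = command.split()
    return parts[0], parts[1:]


def triage_o4(line):
    """Return a triage record for one O4 line, or None if it is not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    name, command = m.group("name"), m.group("command")
    exe, args = split_command(command)
    flags = []

    # 1. Generated-looking value names: letters and digits interleaved.
    stem = name.lower().rsplit(".", 1)[0]
    if RANDOM_NAME_RE.search(stem):
        flags.append("value name mixes letters and digits (looks generated)")

    # 2. No directory on the executable: Windows resolves it via search order,
    #    so the log line alone does not tell you where the file lives.
    if "\\" not in exe:
        flags.append("executable given without a directory")

    # 3. rundll32 loading a DLL by bare name rather than a full path.
    exe_base = exe.lower().rsplit("\\", 1)[-1]
    if exe_base in ("rundll32.exe", "rundll32") and args:
        dll = args[0].split(",")[0]
        if "\\" not in dll:
            flags.append("rundll32 loads a DLL by bare name rather than a full path")

    # 4. Opaque numeric arguments are unusual for legitimate startup items.
    if any(a.isdigit() for a in args):
        flags.append("opaque numeric argument")

    return {"hive": m.group("hive"), "name": name, "command": command,
            "flags": flags, "score": len(flags)}


def triage_log(lines):
    """Triage every O4 line in a log, most suspicious first (stable order otherwise)."""
    results = [r for r in (triage_o4(l) for l in lines) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_O4_LINES):
        print(rec["score"], rec["name"], "->", rec["command"])
        for f in rec["flags"]:
            print("    -", f)
```

Run against a saved HijackThis log by passing its lines to `triage_log`; entries with a non-zero score are the ones to research first, entries with a full path to a known vendor directory and a readable name usually score zero.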
retrac
post Jan 25 2006, 04:23 AM
Post #10


Visiting Staff
Posts: 578
OS: XP Home SP2



Hey musicrob

Well, I use http://castlecops.com/StartupList.html to research O4s, and if they don't have anything I Google the file name.

As for the rest of the files, I got them from the Panda ActiveScan, but you have to be careful here because sometimes it will find something that is not bad.


Well, your log is CLEAN.



Now to clean out your restore points:
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
    1. Turn off System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.
    2. Restart your computer.

    3. Turn ON System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check Turn off System Restore.
      Click Apply, and then click OK.
System Restore will now be active again.


Next
Now there are a few things here you can do to keep this from happening again.


The following 3 programs use NONE of your computer's power, so there is no reason not to use them.

1. SpyBot S&D is a great way to protect your PC. Please download it HERE.
Install the program. During installation, make sure TeaTimer IS NOT checked.
Then follow all the setup steps: "backup registry, Download Updates, Immunize".
After all that, close SpyBot and then restart it.
Now select the Search and Destroy button, Check for problems, and after scanning is complete, Fix selected problems.
Keep SpyBot updated and immunized (weekly).

2. SpywareBlaster is a MUST HAVE. Download it HERE and install it. Click Update, then Check for Update; after it's done, click Protection, then click Enable All Protection.
UPDATE & Enable ALL Protection (weekly).

3. MVPS hosts file. Read about it and download it HERE (look for Hosts.zip and left-click it to download it). Then extract it and copy and paste the HOSTS file into the correct folder for your operating system (Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC) (Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC) (Win 98/ME = C:\WINDOWS). It will ask you if you want to replace it; click Yes or OK. At the time of writing, Panda ActiveScan detects this file as Adware, but that is incorrect, so if you do another scan with Panda don't be surprised to see an entry like Adware \ secure32 C\Windows\system32\drivers\etc\hosts. Panda ActiveScan may have already fixed this.
UPDATE the HOSTS file (monthly).



MUST HAVE
Firefox is like the same thing as Microsoft's Internet Explorer, but it is much safer for surfing the web. I recommend using it in place of Internet Explorer. HOWEVER, you will still need Microsoft Internet Explorer for some sites like Windows Update, some online payment sites, and some online virus scans that require ActiveX controls. Please download it HERE and install it. Let it import your favorites from Internet Explorer and set it as your default browser.
You can always go Start > IExplore to use Internet Explorer (when you need it).


ZoneAlarm is a free FIREWALL. I use it and it's easy to understand. Download it HERE. Pretty much every program will ask before it is allowed to access the internet, and it will block any attempt by malicious people to connect to an unsecured port on your PC. A firewall is a must have.


ALSO go to Start and right-click on "My Computer". Select "Properties", then select the "Automatic Updates" tab, set your updates to "Automatic" and click Apply. Windows Updates are VERY critical.

If you have any questions, let me know.

Happy Surfing

This post has been edited by retrac: Jan 25 2006, 04:23 AM
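Step 3 above installs the MVPS hosts file, which works by mapping advertising hosts to 0.0.0.0 so they never resolve; the same file is also a classic place for malware to redirect update and security-vendor domains. The following Python script is an added example, not part of this thread or of the MVPS project: it parses a hosts file, lists which hosts are blackholed, and flags any entry that sends a name to a real address, with a small constructed list of domains that should never be redirected. The sample hosts text is constructed; its blocking lines follow the MVPS `0.0.0.0 host` format with advertising domains named in the ewido report above, and the two non-blackhole lines (TEST-NET addresses) are constructed to show what a redirect and a hijack look like.

```python
import ipaddress

# Constructed sample hosts file: MVPS-style blocking lines plus two constructed
# redirects. 203.0.113.10 and 198.51.100.7 are documentation (TEST-NET) addresses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  media.fastclick.com
0.0.0.0  ad.doubleclick.net
0.0.0.0  www.atdmt.com   # trailing comment, must be ignored
198.51.100.7  search.example
203.0.113.10  www.symantec.com
"""

# Domains a home PC's hosts file should never redirect (constructed example
# list for this script; extend it with the vendors you actually rely on).
PROTECTED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.symantec.com",
    "liveupdate.symantec.com",
}


def parse_hosts(text):
    """Return {hostname: ip_address}, keeping the first mapping seen for each
    name, which is the one Windows uses when a name appears more than once."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for host in parts[1:]:
            mapping.setdefault(host.lower(), ip)
    return mapping


def is_blackhole(ip):
    """0.0.0.0, 127.0.0.1 or ::1: the conventional 'block this name' targets."""
    return ip.is_unspecified or ip.is_loopback


def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Classify every mapping in a hosts file.

    blocked    : names sent to a blackhole address (what MVPS adds)
    redirected : names sent to a real address (review every one of these)
    hijacked   : redirected names that are on the protected list
    """
    mapping = parse_hosts(text)
    blocked = sorted(h for h, ip in mapping.items()
                     if is_blackhole(ip) and h != "localhost")
    redirected = {h: str(ip) for h, ip in mapping.items() if not is_blackhole(ip)}
    hijacked = {h: ip for h, ip in redirected.items() if h in protected}
    return {"blocked": blocked, "redirected": redirected, "hijacked": hijacked}


def audit_hosts_file(path):
    """Audit the hosts file on disk, e.g. C:\\WINDOWS\\SYSTEM32\\DRIVERS\\ETC\\hosts on XP."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    import json
    print(json.dumps(audit_hosts(SAMPLE_HOSTS), indent=2))
```

After installing the MVPS file, `audit_hosts_file` on the XP path given in step 3 should report a long `blocked` list and an empty `hijacked` dictionary; anything in `redirected` that you did not add yourself deserves a look, whether or not it is on the protected list.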
retrac
post Jan 29 2006, 05:03 PM
Post #11


Visiting Staff
Posts: 578
OS: XP Home SP2



Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.