[ylwjacket]

I am having an ad server pop up that goes to a site called banners.searchingbooth.com or ads.deskwizz.com to download pop-up ads to my computer. I have tried adaware, spybot, spy hunter, and tds3, to no avail. I can not find the source of this. Here is my Hijack this log file. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:01 PM, on 3/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\system\fnijxs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\MAC\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gc-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gc-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gc-inc.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

[Advertisements]

Hi ylwjacket

Welcome to geekstogo!

Please read through the instructions before you start (you may want to print this out).The following items are malware and must be fixed

Please set your system to show all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINNT\system\fnijxs.exeExit the Task Manager when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINNT\system\fnijxs.exe

Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINNT\system\fnijxs.exe
[colo=red]End off killbox files[/color]

Reboot your Pc

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc

[ylwjacket]

I've cleaned this file:

C:\WINNT\system\fnijxs.exe

and I'm in the process of running the other scans now. Thanks much. I'll post the logs.

[ylwjacket]

I cleaned up the above mentioned file, which seems to have stopped the pop-ups.

Here's a revised HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:20 PM, on 3/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\MAC\Virus Stuff\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gc-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gc-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gc-inc.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Trend Micro did not find anything. Panda, however, find quite a bit, as follows:

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\WINNT\system32\tsuninst.exe
Spyware:Spyware/TVMedia No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Adware:Adware/ExactSearch No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\mcraw\Application Data\sskknwrd.dll
Adware:Adware/Transponder No disinfected C:\WINNT\Pynix.dll
Virus:Trj/Startpage.SJ Disinfected C:\RECYCLER\S-1-5-21-1229272821-839522115-1343024091-500\Dc1.exe
Adware:Adware/Transponder No disinfected C:\WINNT\dlmax.dll
Adware:Adware/Transponder No disinfected C:\WINNT\inf\dlmax.inf
Adware:Adware/Transponder No disinfected C:\WINNT\inf\Pynix.inf
Spyware:Spyware/Dyfuca No disinfected C:\WINNT\inst\3p_1.exe
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINNT\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINNT\isrvs\msdbhk.dll
Adware:Adware/Transponder No disinfected C:\WINNT\Pynix.dll
Adware:Adware/Startpage.CM No disinfected C:\WINNT\system32\elitenpn32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINNT\system32\elitepye32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINNT\system32\elitezio32.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINNT\system32\lmf32v.dll_tobedeleted
Again, thanks much for helping with this.