Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

AdultSexFriendFinder Pop-up [RESOLVED]


  • This topic is locked This topic is locked

#16
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:34:30 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.c...et/applet_o.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44AFB17-2647-4A94-8698-A6A730757F46}: NameServer = 204.117.214.10,199.2.252.10
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


I obviously deleted what was in HiJackThis but i couldnt find ANY of the files you mentioned in windows exploror...I did find WOWEXEC.EXE BUT IT SAID THE COMPANY WAS MICROSOFT SO I DIDNT TOUCH,.....PLUS NO "?" IN IT

thx for help im sure i have a long way to go

Edited by Element9846, 24 May 2005 - 10:36 AM.

  • 0

Advertisements


#17
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Set your system to SHOW HIDDEN FILES

Then look for these again:

C:\WINDOWS\system32\w?wexec.exe (don't delete the Microsoft wowexec.exe)
C:\Documents and Settings\Preferred Customer\Application Data\psco.exe
C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe

And actually, your log now looks fine!

So please do this for me:
Download, install, and run CleanUp! (so the below scan won't take as long because cleanup will clear temporary files and cookies) Cleanup! deletes EVERYTHING out of temporary/temp files and does not make backups. If you have anything you need in temporary folders, back it up or move it prior to running cleanup!

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.
  • 0

#18
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
I already had it set to show hidden files...when i looked but I can try and look again...i also already have "cleanup!" so thats good

Ill try it again...and thx for the help...but it does help that i already have those things installed so i don't have any dumb questions lol
  • 0

#19
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
I have yet to run cleanup but I will now I just wanted to say I didnt see these files again and here are pics

I looked manually and I searched my pc...yes it was set to also search hidden folders as well and nothing.

C:\WINDOWS\system32\w?wexec.exe
http://img149.echo.c.../wowexec7bg.jpg

C:\Documents and Settings\Preferred Customer\Application Data\psco.exe
http://img149.echo.c...5/pthing9cb.jpg

C:\documents and settings\preferred customer\local settings\temp\Q1rkIoo.exe
http://img149.echo.c...5/qthing1ke.jpg

Ill run CleanUp! now ... but Im eating so the response will be slighty delayed...again thx
  • 0

#20
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Did you use Windows Explorer? If that file is there it's not going to show up by search. Just go directly into the C:\Windows\System32 folder and look. If it isn't there, good! Just follow my previous instructions for running cleanup and activescan :tazz:
  • 0

#21
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
I ran clean up earlier...Just now started active scan


You are very very nice THANK YOU! However I am almost 15...but don't have a credit card etc...my grandma isnt keen on online cc...but by all means ma'am you deserve a butt load of cash...since i have no way of getting it to you...Ill just use "friendship bucks" i'd love to pay if i could but either way thx for the help and Im glad I found this community...right now its found 3 infected files so...Ill keep you posted lol
  • 0

#22
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome!!

I'll keep an eye out for your ActiveScan log :tazz:
  • 0

#23
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\backups\backup-20050524-122356-310.inf
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/BrilliantDigitalNo disinfected C:\WINDOWS\system32\msinet.ocx
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\WWEXEC~1.EXE
  • 0

#24
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\ap2nqrd4.dat
C:\WINDOWS\system32\ap9h4qmo.ini
C:\WINDOWS\system32\baur5s9q.dat
C:\WINDOWS\system32\msinet.ocx
C:\WINDOWS\system32\q10pvbrv.dat
C:\WINDOWS\system32\ritsacnk.dat
C:\WINDOWS\system32\WWEXEC~1.EXE


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log.
  • 0

#25
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
This website I am supposed to go to...Is unavailable
  • 0

Advertisements


#26
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
hmm ok, I'll find another link for you, sorry about that!
  • 0

#27
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Here you go:
http://www.geekstogo...n=download&id=4

Then just follow my instructions in my previous post. :tazz:
  • 0

#28
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:45:30 PM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\crypserv.exe
C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.c...et/applet_o.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44AFB17-2647-4A94-8698-A6A730757F46}: NameServer = 204.117.214.10,199.2.252.10
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

I think I did the killbox thing right...Knowin in me I probably ran into a few other things since it took me so long to get back with you
  • 0

#29
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Actually it looks pretty good!

Run HijackThis. Place a check next to the following item and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/

Close HiJackThis.

And let me know how it's running now!!
  • 0

#30
Element9846

Element9846

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
I have a question...how come thats removed? and how is it effected?

I chose to have ps2.ign.com my startpage


IGN is a game resource for news about anything in games...Im an insider on ign.com so I just choose to have my start load to that...is this bad...or are you mixed up?

PS2 means playstation 2...and ign is just a site that is incresdibly popular for games

a commercial for splinter cell...which is a stealth game even has on their commercial:

"IGN Give it 9 out of 10" etc

Edited by Element9846, 28 May 2005 - 10:07 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP