Paypopup [CLOSED]


#1 MeghanKawa (Member, 19 posts)
Hi,
I started getting Winfixer pop-ups and now I get Paypopup pop-ups. I can't get them to stop no matter what spyware programs I use. This is a work computer connected to a network. Please help!

#2 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

Welcome to GeekstoGo. My name is Snickets and I will be helping you today!

1. Set up a folder by doing the following.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have a C:\HJT\ folder.

2. Then go here to download the latest version of HijackThis, 1.99.1, and save it into the folder you created for HijackThis.

3. Double-click on hijackthis.exe to scan.
Select "Scan and Save Log".
After the scan, save the log somewhere you will remember.
Then go to the location where you saved the HijackThis log and open it. Hit CTRL+A to highlight all the text inside, right-click and choose Copy, then paste the contents back into this thread.

Thank you,

Snickets

:tazz:

#3 MeghanKawa (Topic Starter, 19 posts)
Thanks for your fast response, here's what I have:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:16 AM, on 01/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Profile\PROFILEDBSERVICE.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CaseWare Practice Administration\Pa.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cibc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E158AA0F-9C43-48BA-AC32-827F12E9B03B}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{E158AA0F-9C43-48BA-AC32-827F12E9B03B}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pr1.on.wave.home.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pr1.on.wave.home.com
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Greenpoint ProFile Database Service Ver. 1.00 (GreenpointDBService) - Unknown owner - C:\Program Files\Profile\PROFILEDBSERVICE.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

Download the following file:

Here and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here into the next reply.

*IMPORTANT* - From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Thank you,

Snickets

:tazz:

#5 MeghanKawa (Topic Starter, 19 posts)
Okay, here you go

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is 9C86-0AA5

Directory of C:\WINDOWS\System


------- Hidden Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is 9C86-0AA5

Directory of C:\WINDOWS\System


---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FB3FB2F3-2B92-0365-95E6-AD2DEBBDC8EF}"=""


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPWNTOOLBOX"="C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe \"-i\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"BCMSMMSG"="BCMSMMSG.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#6 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Thank you,

Snickets

:tazz:

#7 MeghanKawa (Topic Starter, 19 posts)
I can't save it to the desktop. Every time I go to change where to save it to, the program stops responding. Also, when I run Internet Explorer, I can no longer go to the address bar and type in sites. Example: www.gmail.com, I press enter, and nothing happens. So I have to go to the search section on cnn.com (my homepage) and get to Gmail that way.

What is going on? Can I just save the file wherever?

#8 MeghanKawa (Topic Starter, 19 posts)
Sorry, I figured it out, here you go:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

#9 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

1. Please go here and download the free trial of SpySweeper.

2. Once installed, please open the program, click on the Options tab, then click on Update Definitions.

3. Once the definitions are installed, please click on the Sweep Now tab and do a complete scan and removal of all items found for me.

4. Then please reboot your computer.

5. Then please reopen SpySweeper, click on the Results tab and copy and paste all of the information in that section into your next post. Also please run a new HijackThis scan and post the log from it in the thread as well.


Thank you,

Snickets

:tazz:

#10 MeghanKawa (Topic Starter, 19 posts)
Okay here is what I have

Logfile of HijackThis v1.99.1
Scan saved at 12:25:35 PM, on 01/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Profile\PROFILEDBSERVICE.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CaseWare Practice Administration\Pa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.cibc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E158AA0F-9C43-48BA-AC32-827F12E9B03B}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{E158AA0F-9C43-48BA-AC32-827F12E9B03B}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pr1.on.wave.home.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pr1.on.wave.home.com
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Greenpoint ProFile Database Service Ver. 1.00 (GreenpointDBService) - Unknown owner - C:\Program Files\Profile\PROFILEDBSERVICE.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and from Spy Sweeper:

********
11:58 AM: |··· Start of Session, September 1, 2005 ···|
11:58 AM: Spy Sweeper started
11:58 AM: Sweep initiated using definitions version 525
11:58 AM: Starting Memory Sweep
12:00 PM: Memory Sweep Complete, Elapsed Time: 00:02:02
12:00 PM: Starting Registry Sweep
12:00 PM: Found Adware: addestroyer
12:00 PM: HKCR\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102732)
12:00 PM: HKCR\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102734)
12:00 PM: HKLM\software\classes\interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}\ (8 subtraces) (ID = 102741)
12:00 PM: HKLM\software\classes\interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}\ (8 subtraces) (ID = 102743)
12:00 PM: HKLM\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102747)
12:00 PM: HKCR\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}\ (9 subtraces) (ID = 102751)
12:00 PM: Found Adware: altnet
12:00 PM: HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 103494)
12:00 PM: Found Adware: ist software
12:00 PM: HKU\WRSS_Profile_S-1-5-21-1664826357-1847337212-142223018-1015\software\ist\ (2 subtraces) (ID = 129108)
12:00 PM: Found Adware: topsearch
12:00 PM: HKCR\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 143925)
12:00 PM: HKLM\software\classes\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143928)
12:00 PM: HKCR\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143930)
12:00 PM: Registry Sweep Complete, Elapsed Time:00:00:12
12:00 PM: Starting Cookie Sweep
12:00 PM: Found Spy Cookie: yieldmanager cookie
12:00 PM: donna@ad.yieldmanager[2].txt (ID = 3751)
12:00 PM: Found Spy Cookie: advertising cookie
12:00 PM: donna@advertising[2].txt (ID = 2175)
12:00 PM: Found Spy Cookie: atwola cookie
12:00 PM: donna@atwola[1].txt (ID = 2255)
12:00 PM: Found Spy Cookie: 2o7.net cookie
12:00 PM: donna@cnn.122.2o7[1].txt (ID = 1958)
12:00 PM: Found Spy Cookie: overture cookie
12:00 PM: donna@overture[1].txt (ID = 3105)
12:00 PM: Found Spy Cookie: servedby advertising cookie
12:00 PM: donna@servedby.advertising[1].txt (ID = 3335)
12:00 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:00 PM: Starting File Sweep
12:01 PM: Found Adware: commonname
12:01 PM: c:\windows\temp\adware (ID = -2147481214)
12:01 PM: Found Adware: bullguard popup ad
12:01 PM: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
12:01 PM: Found Adware: icannnews
12:01 PM: upd208.exe (ID = 111107)
12:01 PM: 7abf7bdd-090b-440d-b970-cfc715 (ID = 110801)
12:01 PM: 3d0df1bb-318e-48ee-ad91-112880 (ID = 110801)
12:01 PM: Found Adware: look2me
12:01 PM: bw2.com (ID = 65722)
12:01 PM: e17e595f-081a-4a2b-b754-8dd61d (ID = 49040)
12:01 PM: bw2.com (ID = 65721)
12:01 PM: upd209.exe (ID = 116467)
12:01 PM: 89291fb2-d5e0-446a-86e8-0c0090 (ID = 49041)
12:01 PM: iconu.exe (ID = 65721)
12:01 PM: icont.exe (ID = 65722)
12:01 PM: d1709935-4ab6-4725-979c-3ce157 (ID = 49037)
12:01 PM: upd206.exe (ID = 115468)
12:01 PM: bulldownload.exe (ID = 52017)
12:01 PM: ipspolcy.dll (ID = 110804)
12:01 PM: nsh_115.exe (ID = 93699)
12:02 PM: e802lido180c.dll (ID = 116464)
12:02 PM: Found Adware: virtualbouncer
12:02 PM: 0a58b639-ee46-400a-9521-88f69c (ID = 82790)
12:02 PM: 336021ba-370a-404d-bbfb-8b1fec (ID = 82821)
12:02 PM: 9f59b735-369d-43df-bc1a-0750bc (ID = 49030)
12:02 PM: f18e2ffb-fd7c-4df2-89a0-0f3a8f (ID = 82815)
12:02 PM: 45defb24-99e5-4eec-ab5b-e66a61 (ID = 82839)
12:02 PM: b255366f-202d-4db0-b948-f48505 (ID = 49027)
12:02 PM: dmtrans.dll (ID = 116464)
12:02 PM: bf1d174b-4ba3-4722-afe4-9826b0 (ID = 110804)
12:02 PM: pvapi.dll (ID = 110804)
12:02 PM: ooethk32.dll (ID = 120432)
12:02 PM: kodpo.dll (ID = 110804)
12:02 PM: ploinst.dll (ID = 110804)
12:02 PM: e449edf3-6e3b-4f9b-864f-5c661d (ID = 110804)
12:02 PM: 0cc62d1d-8a1b-4372-bd64-06302c (ID = 110804)
12:02 PM: 2d13f69c-c282-49bc-8fe3-e63b1c (ID = 82839)
12:02 PM: 4dadda02-5481-401b-b78c-6c859d (ID = 82821)
12:02 PM: b6f48a36-e462-4b86-bb98-c91cfb (ID = 110804)
12:02 PM: 2fadc829-9eef-452e-a76d-958c09 (ID = 110804)
12:02 PM: 276f7960-ae94-4833-9dde-fc8f3c (ID = 110804)
12:02 PM: oiethk32.dll (ID = 120432)
12:02 PM: slmpsnap.dll (ID = 110804)
12:02 PM: dxwave.dll (ID = 110804)
12:02 PM: whdtrace.dll (ID = 116464)
12:02 PM: woecedit.dll (ID = 116464)
12:02 PM: okesvr.dll (ID = 110804)
12:02 PM: oeedlg.dll (ID = 110804)
12:02 PM: d0d68cd0-ea92-4b7e-82f5-5aaffe (ID = 110804)
12:02 PM: 07de41b2-bc8f-48e6-9c0f-8d7e05 (ID = 110804)
12:02 PM: rkpdd.dll (ID = 110804)
12:02 PM: rkstapi.dll (ID = 110804)
12:02 PM: itmp.dll (ID = 110804)
12:02 PM: iddkcs32.dll (ID = 110804)
12:02 PM: 3e4582c2-0aee-43ae-9ab4-67d307 (ID = 82790)
12:02 PM: qxartz.dll (ID = 116464)
12:02 PM: mvpdox35.dll (ID = 112210)
12:02 PM: mfutb.dll (ID = 112210)
12:02 PM: 55a19538-4b73-4b19-9118-ac8a26 (ID = 110804)
12:02 PM: uwrvpa.dll (ID = 110804)
12:02 PM: vrajet.dll (ID = 110804)
12:02 PM: 0b1fa3db-29a5-490b-b230-e3795f (ID = 110804)
12:02 PM: 8d5ad395-9f2a-4b43-a4e1-b5aa85 (ID = 110804)
12:02 PM: vfoy.dll (ID = 110804)
12:02 PM: vasapi.dll (ID = 110804)
12:02 PM: dtprov.dll (ID = 110804)
12:02 PM: itspolcy.dll (ID = 110804)
12:02 PM: insnap.dll (ID = 110804)
12:02 PM: 62659dad-ef7e-4258-9806-ae8061 (ID = 49027)
12:02 PM: wtdtools.dll (ID = 110804)
12:02 PM: wddconns.dll (ID = 110804)
12:02 PM: sksbkup.dll (ID = 110804)
12:02 PM: sbdpapi.dll (ID = 110804)
12:02 PM: l2p2lc7o1f.dll (ID = 116464)
12:02 PM: en4ml1h11.dll (ID = 116464)
12:02 PM: Found Adware: adlogix
12:02 PM: wmplayer.exe.tmp (ID = 123416)
12:02 PM: sdmpapi.dll (ID = 110804)
12:02 PM: qdencutl.dll (ID = 110804)
12:02 PM: qksname.dll (ID = 110804)
12:02 PM: c7c2f04a-a83f-4a12-a0f3-1b8ca3 (ID = 82817)
12:03 PM: File Sweep Complete, Elapsed Time: 00:03:04
12:03 PM: Full Sweep has completed. Elapsed time 00:05:27
12:03 PM: Traces Found: 210
12:05 PM: Removal process initiated
12:05 PM: Quarantining All Traces: addestroyer
12:06 PM: Quarantining All Traces: altnet
12:06 PM: Quarantining All Traces: ist software
12:06 PM: Quarantining All Traces: topsearch
12:06 PM: Quarantining All Traces: yieldmanager cookie
12:06 PM: Quarantining All Traces: advertising cookie
12:06 PM: Quarantining All Traces: atwola cookie
12:06 PM: Quarantining All Traces: 2o7.net cookie
12:06 PM: Quarantining All Traces: overture cookie
12:06 PM: Quarantining All Traces: servedby advertising cookie
12:06 PM: Quarantining All Traces: commonname
12:06 PM: Quarantining All Traces: bullguard popup ad
12:06 PM: Quarantining All Traces: icannnews
12:06 PM: Quarantining All Traces: look2me
12:06 PM: Quarantining All Traces: virtualbouncer
12:06 PM: Quarantining All Traces: adlogix
12:07 PM: Removal process completed. Elapsed time 00:01:48
********
11:55 AM: |··· Start of Session, September 1, 2005 ···|
11:55 AM: Spy Sweeper started
11:56 AM: Updating spyware definitions
11:56 AM: Your definitions are up to date.
11:58 AM: |··· End of Session, September 1, 2005 ···|

#11 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

Here is what I would like to do next.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1- Downloading Necessary Programs

1. Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2. Download CCleaner:
http://www.ccleaner.com/
http://www.filehippo...d_ccleaner.html

Once installed, launch CCleaner:
Do not change any settings, except to make sure on the Options tab>Advanced "Only delete files in Windows Temp folders older than 48 hours" is NOT checked. Do not run it at this time we will do this later in the fix.

Step 2- The Fix

1. Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
2. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

3. Now scan with HJT and place a checkmark next to each of the following items:
===================================================
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\guard.tmp (file missing)

Optional Removals-
Fixing them here will not prevent you from opening them manually as needed. Your choice to fix based on your needs:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
(Description: WinZip system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)


After checking these entries CLOSE ALL open windows [browsers and programs] EXCEPT HijackThis and click "Fix Checked."
===================================================

4. Open up CCleaner and click Run Cleaner (bottom right). When finished> Exit.(top right)

5. Please reboot into Normal Windows at this time.

6. Please rescan with HijackThis and post this log along with the ewido scan log into your next reply.

Please let me know how your system is running at this time as well.

Thank you,

Snickets

:tazz:

#12 MeghanKawa (Topic Starter, 19 posts)
I will probably do that last bit in a couple of hours as I have some work to do. Thanks for all your help. Out of curiosity, how is it that I got all of these problems, and also, what makes you want to help people? Isn't this just a waste of your time?

#13 Snickets (Visiting Staff, 425 posts)
Hello MeghanKawa,

I enjoy helping others, and it is not a waste of my time if someone else benefits from my knowledge.

I will give you a tutorial that will show you how you get infected and how to avoid this in the future once we have cleaned out your machine.

Have a good one,

Snickets

:tazz:

#14 Snickets (Visiting Staff, 425 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.