Running ZoneAlarm w/ Win2000 OS. Here are the ewido & HijackThis logs:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 8:03:48 PM, 11/1/2005
+ Report-Checksum: E3239A84
+ Scan result:
:mozilla.14:C:\Documents and Settings\Mark DelGreco\Application Data\Mozilla\Firefox\Profiles\949q0qdh.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
::Report End
--- HJT----
Logfile of HijackThis v1.99.1
Scan saved at 8:10:58 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\Mark DelGreco\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129094751335
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37370.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
---
Followed all the basic instructions given: CleanUp4.0 / Killbox / AdAware / Spybot.
The pop-ups come as regularly as ever. These pop-ups are the gray & black "WARNING found 55 Critical Errors.....blah blah blah" type boxes that take up between 30 - 70% of the screen and are accompanied by a "ding!". Doing this for a near PC-illiterate friend (so we are a step above the blind leading the blind ;p). We're at wits' end w/ this deeply entrenched POS hack/virus or whatever it is. Please help, thx!
TR Hanlon (& Mark)