Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Pop-ups w/ staying power on fresh Win2000 sys [CLOSED]


  • This topic is locked This topic is locked

#1
qwerrk

qwerrk

    New Member

  • Member
  • Pip
  • 2 posts
groping in the dark -- help, can't stop the pop-ups!!

running ZoneAlarm w/ Win2000 OS here is the ewido & HijackThis logs......

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:03:48 PM, 11/1/2005
+ Report-Checksum: E3239A84

+ Scan result:

:mozilla.14:C:\Documents and Settings\Mark DelGreco\Application Data\Mozilla\Firefox\Profiles\949q0qdh.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Thomas Hanlon\Application Data\Mozilla\Firefox\Profiles\ymrgsx9w.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


::Report End

--- HJT----

Logfile of HijackThis v1.99.1
Scan saved at 8:10:58 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\Mark DelGreco\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129094751335
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37370.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

---

Followed all the basic instructions given CleanUp4.0 / Killbox / AdAware / Spybot......

the pop up come as regular as ever --- these pop-ups are the gray & black "WARNING found 55 Critical Errors.....blah blah blah" type boxes that take up between 30 - 70% of the screen and are accompanied by a "ding!" .... doing this for a near PC-illiterate friend (so we are a step above the blind leading the blind ;p ).....we're at wits end w/ this deeply entrenched POS hack/virus or whatever it is --- please help -- thx!

TR Hanlon (& Mark)
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:
I apologize for the delay getting to your log, the helpers here are very busy.

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run directly from your desktop or a temp directory. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have Hijackthis running from a permanent folder, please reboot and post a new hijackthis log.
  • 0

#3
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP