All steps tried, no luck [RESOLVED]

#1 nextyoyoma (New Member, 4 posts)

I am receiving multiple popups with every page I load in Firefox. The popups appear in MSIE, however, not Firefox. I have performed all the steps listed in the "read this" pinned article. Here is a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:53:40 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\AveDesk_1.2\AveDesk.exe
C:\Program Files\RK launcher\RKLauncher.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\YzShadow XP\YzShadow.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Charlie\LOCALS~1\Temp\Rar$EX00.532\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinRoll] "C:\Program Files\WinRoll\winroll.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\AveDesk_1.2\AveDesk.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_2
O4 - HKCU\..\Run: [RK Launcher] "C:/Program Files/RK launcher/RKLauncher.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: YzShadow XP.lnk = C:\Program Files\YzShadow XP\YzShadow.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhcmxpZQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Thanks, hope one of you guys has some idea what's going on.

#2 Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:
I apologize for the delay getting to your log, the helpers here are very busy.

Before we can get started on fixing your problem you must change the location of HijackThis. It should not run directly from your desktop or a temp directory. Please create a directory on your C: drive called c:\hijackthis and download and unzip HijackThis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have HijackThis running from a permanent folder, please reboot and post a new HijackThis log.

#3 nextyoyoma (Topic Starter, New Member, 4 posts)

Sorry, thanks for the instruction. Here is a fresh HijackThis file after moving it to c:\Hijackthis and rebooting.

Logfile of HijackThis v1.99.1
Scan saved at 3:32:31 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\AveDesk_1.2\AveDesk.exe
C:\Program Files\RK launcher\RKLauncher.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\YzShadow XP\YzShadow.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinRoll] "C:\Program Files\WinRoll\winroll.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\AveDesk_1.2\AveDesk.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_2
O4 - HKCU\..\Run: [RK Launcher] "C:/Program Files/RK launcher/RKLauncher.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: YzShadow XP.lnk = C:\Program Files\YzShadow XP\YzShadow.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhcmxpZQ\command.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks again!

#4 Buckeye_Sam (Malware Expert, 10,019 posts)

You've got several programs running on startup that I'm unfamiliar with.

O4 - HKCU\..\Run: [WinRoll] "C:\Program Files\WinRoll\winroll.exe"
O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\AveDesk_1.2\AveDesk.exe"
O4 - HKCU\..\Run: [RK Launcher] "C:/Program Files/RK launcher/RKLauncher.exe"
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Startup: YzShadow XP.lnk = C:\Program Files\YzShadow XP\YzShadow.exe

Are you aware of these programs and what they do?

I see you have Ewido installed on your computer. Please run a full scan with Ewido, save the log and post it in your next reply.
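Sam's read of the log above (which startup entries he does not recognise, which services have no recorded owner, which files are missing) is the kind of check that can be scripted. The following is an added example, not code from this thread or from HijackThis: it parses the O4, O10, O18 and O23 line shapes from the logs posted above, with sample lines copied from the second log, and flags the entries a helper looks at first; the directory allow-list and the flag wording are the example's own.

```python
r"""Triage helper for HijackThis v1.99 log lines (added example, not code from the thread
or from HijackThis). Parses the O4 / O10 / O18 / O23 line shapes seen in the logs above
and flags what a helper looks for first. Flags are hints to investigate, not verdicts."""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied verbatim from the second log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - Startup: YzShadow XP.lnk = C:\Program Files\YzShadow XP\YzShadow.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhcmxpZQ\command.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

FILE_MISSING = "(file missing)"
LINE_RES = {  # 'name' and 'cmd' groups are common to all; 'owner' exists only for O23
    "O4": re.compile(r"^O4 - HK\S+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"),
    "O4-startup": re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$"),
    "O18": re.compile(r"^O18 - Protocol: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$"),
}
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")
# Subdirectories that legitimately hold executables directly under WINDOWS (the example's own list).
STANDARD_WINDIRS = {"system32", "system", "fonts", "inf", "installer", "temp", "web", "help", "ime"}

@dataclass
class Entry:
    section: str
    name: str
    cmd: str
    owner: Optional[str] = None
    path: Optional[str] = None
    flags: list = field(default_factory=list)

def extract_path(cmd: str) -> Optional[str]:
    """Drive-letter path to the executable, without quotes, arguments or the missing-file marker."""
    m = re.search(r"(?i)[a-z]:[\\/].*?\.(?:exe|dll|cab)\b", cmd.replace(FILE_MISSING, ""))
    return m.group(0) if m else None

def decodes_to_text(token: str) -> Optional[str]:
    """Decoded text if token is base64 for printable ASCII (padding may be absent), else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", token):
        return None
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return text if text.isprintable() else None

def path_flags(path: str) -> list:
    """Location heuristics; in the log above the odd WINDOWS subdirectory decodes to the user's name."""
    parts = re.split(r"[\\/]", path)
    lower = [p.lower() for p in parts]
    flags = []
    if len(parts) >= 4 and lower[1] == "windows" and lower[2] not in STANDARD_WINDIRS:
        flags.append(f"runs from non-standard WINDOWS subdirectory '{parts[2]}'")
        decoded = decodes_to_text(parts[2])
        if decoded:
            flags.append(f"subdirectory name base64-decodes to '{decoded}'")
    return flags

def parse_line(line: str) -> Optional[Entry]:
    """One HJT line -> Entry with flags, or None for line types this helper does not model."""
    line = line.strip()
    if m := O10_RE.match(line):
        e = Entry("O10", m["dll"], line)
        e.flags.append("Winsock LSP chain references a missing provider")
        return e
    for kind, rx in LINE_RES.items():
        if not (m := rx.match(line)):
            continue
        e = Entry(kind.split("-")[0], m["name"], m["cmd"], owner=m.groupdict().get("owner"))
        e.path = extract_path(e.cmd)
        if FILE_MISSING in e.cmd:
            e.flags.append("points at a file that is no longer present")
        if e.owner == "Unknown owner":
            e.flags.append("service has no recorded owner (also true of some legitimate drivers)")
        if e.path:
            e.flags.extend(path_flags(e.path))
        return e
    return None

def triage(log: str) -> list:
    """Only the flagged entries, most-flagged first, so the worst-looking line is read first."""
    entries = [e for e in map(parse_line, log.splitlines()) if e and e.flags]
    return sorted(entries, key=lambda e: len(e.flags), reverse=True)

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name:<32} {e.path or '-'}\n    - " + "\n    - ".join(e.flags))
```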

#5 nextyoyoma (Topic Starter, New Member, 4 posts)

All of those programs have been on my computer for a long time, and they are all (to my knowledge) totally harmless. WinRoll lets you right-click a window's title bar to hide everything but the title bar, AveDesk is a Windows customization app, RK Launcher is a Mac OS X launcher bar emulator, Mp3tag lets you tag a bunch of MP3s at once, and YzShadow displays a drop shadow behind all windows. I have performed a full scan with ewido already, and it "fixed" everything it found, but I ran another scan for purposes of thoroughness:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:22:57 PM, 11/16/2005
+ Report-Checksum: 7DE0FB37

+ Scan result:

:mozilla.29:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Charlie\Application Data\Mozilla\Firefox\Profiles\ghc0utda.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

Thanks!

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
As long as you know what those programs are and what they do, that's good enough for me.

Your HijackThis log is not showing anything and Ewido is only finding cookies, so essentially it's clean too. Assuming you are still getting popups now, we may be looking at a rootkit infection.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#7 nextyoyoma (Topic Starter, New Member, 4 posts)
Ok, so, problem solved, but in a roundabout manner. I can't believe I neglected to mention this earlier, but when I was restarting my computer, I kept having these processes that wouldn't stop and I'd have to stop manually. These processes didn't show up in Taskman or in Security Taskman, and Ewido and everything else missed them. The directory was c:\program files\aqucasa2\ something. When I tried to get to it through normal Windows mode, though, it couldn't find the directory. When I booted to Safe Mode, I was able to manually type in the path and delete the two programs housed there; one was something like vcdk...something.exe and the other was samutils.exe. After I deleted these, I had Windows search for all the files that were created on 11/8 (the day my computer was infected) and deleted everything created at or about 2:48 pm (the exact time my computer was infected). So far, no popups and better performance. The only thing I want to know is what kind of protection did this directory have? I had folder options set to view hidden files and folders, and I wasn't able to access or see the directory. Is this, in fact, a rootkit infection that I was able to find manually?

Btw, I did run the util you suggested, but only after I had deleted these programs. I let it run for about 3 hours, and it still had shown no sign of stopping when I returned, so I cancelled it. Is this ok, or should I go back and let it run overnight or something? Thanks, and I hope this is the last time I'll need to enlist your services. (And sorry that I wasted your time with something I probably could've figured out myself.)

Edited by nextyoyoma, 17 November 2005 - 09:34 PM.
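What the poster did by hand above (search for files created around the moment of infection, then review them) as a reusable script. This is an added example, not code from the thread or from any tool mentioned in it; the sample listing is constructed from the directory and file names the poster gave, with placeholders where the poster's names were incomplete.

```python
from __future__ import annotations

import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Iterable, Iterator


@dataclass(frozen=True)
class Hit:
    path: str
    created: datetime
    offset_seconds: float  # signed distance from the pivot; negative = before


def triage_entries(entries: Iterable[tuple[str, datetime]], pivot: datetime,
                   window: timedelta = timedelta(minutes=5)) -> list[Hit]:
    """Keep entries within +/- window of pivot, nearest first. The window is
    inclusive at both ends, so a file stamped exactly on the boundary is
    reviewed rather than silently dropped."""
    hits = [Hit(path, ts, (ts - pivot).total_seconds())
            for path, ts in entries if abs(ts - pivot) <= window]
    hits.sort(key=lambda h: (abs(h.offset_seconds), h.path))
    return hits


def creation_time(path: Path) -> datetime:
    """Best-effort 'created' stamp: Windows exposes it as st_ctime, macOS/BSD
    as st_birthtime; Linux has no portable birth time, so fall back to mtime."""
    st = path.stat()
    ts = getattr(st, "st_birthtime", None)
    if ts is None:
        ts = st.st_ctime if os.name == "nt" else st.st_mtime
    return datetime.fromtimestamp(ts)


def walk_tree(root: Path) -> Iterator[tuple[str, datetime]]:
    # Unreadable or vanished files are skipped. Caveat: a rootkit that filters
    # directory listings (as in this thread) blinds this walk too; hence Safe Mode.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                yield str(p), creation_time(p)
            except OSError:
                continue


def sample_entries() -> list[tuple[str, datetime]]:
    """Constructed listing modelled on the thread (not real scan data)."""
    d = datetime(2005, 11, 8)
    return [
        ("C:/Program Files/aqucasa2/samutils.exe", d.replace(hour=14, minute=48, second=10)),
        ("C:/Program Files/aqucasa2/vcdk_placeholder.exe", d.replace(hour=14, minute=47, second=30)),
        ("C:/WINDOWS/system32/old.dll", d.replace(hour=9)),
        ("C:/WINDOWS/Temp/dropper_placeholder.tmp", d.replace(hour=14, minute=52, second=59)),
        ("C:/WINDOWS/Temp/boundary.tmp", d.replace(hour=14, minute=53)),
    ]


if __name__ == "__main__":  # real use: triage_entries(walk_tree(Path("C:/")), pivot)
    for h in triage_entries(sample_entries(), datetime(2005, 11, 8, 14, 48)):
        print(f"{h.offset_seconds:+6.0f}s  {h.created:%H:%M:%S}  {h.path}")
```

Run it against a real tree from Safe Mode or an offline boot, since anything that hides directories from the live OS hides them from `os.walk` too.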

#8 Buckeye_Sam (Malware Expert, 10,019 posts)
Sure sounds like a rootkit to me. Unfortunately they are becoming more and more common by the day.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
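The six Internet-zone settings from the "Make your Internet Explorer more secure" step above as a scripted audit: it flags values weaker than the post recommends and renders only the corrected ones as a .reg file for review. This is an added example, not part of the post or of any tool it links; the numeric value names (1001, 1004, 1201, 1800, 1804, 1607) under Zones\3 are my assumed registry mapping for those six settings and should be checked against the key on the machine being audited.

```python
"""Audit the Internet-zone settings recommended above (added example)."""
from __future__ import annotations

import sys
from typing import Mapping

ENABLE, PROMPT, DISABLE = 0, 1, 3  # DWORD meanings in the Zones\<n> keys
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  # 3 = Internet

# The post's target values, keyed by the URL-action value name that, to my
# knowledge (assumption: verify on your system), stores each setting.
RECOMMENDED: dict[str, tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current: Mapping[str, int]) -> list[tuple[str, str, int, int]]:
    """Return (value_name, label, current, recommended) for each setting weaker
    than recommended. Missing -> treated as Enable; unrecognised -> flagged."""
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name, ENABLE)
        if STRICTNESS.get(have, -1) < STRICTNESS[want]:
            findings.append((name, label, have, want))
    return findings


def to_reg_file(findings: list[tuple[str, str, int, int]]) -> str:
    """Render only the flagged settings as a .reg file for review and import."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_CURRENT_USER\\{ZONE_KEY}]"]
    lines += [f'"{name}"=dword:{want:08x}' for name, _label, _have, want in findings]
    return "\n".join(lines) + "\n"


def read_internet_zone() -> dict[str, int]:
    """Read the live values with the stdlib winreg module (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("Internet-zone registry keys exist only on Windows")
    import winreg
    values: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass  # absent value; audit_zone treats it as Enable
    return values


def sample_weak_zone() -> dict[str, int]:
    """Constructed snapshot of a permissive zone (not the poster's machine)."""
    return {"1001": ENABLE, "1004": ENABLE, "1201": PROMPT, "1800": PROMPT, "1804": ENABLE}


if __name__ == "__main__":
    zone = read_internet_zone() if sys.platform == "win32" else sample_weak_zone()
    print(to_reg_file(audit_zone(zone)), end="")
```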

#9 Buckeye_Sam (Malware Expert, 10,019 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.