PopUps, PopUps, PopUps ...

Thread: PopUps, PopUps, PopUps ...

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    18

    PopUps, PopUps, PopUps ...

    For the past several weeks I have been inundated with popups, redirects, and to a lesser extent browser hijacks. I had an application called "pop64" running for a while but was apparently able to delete it, I think by deleting my restore files. I also found a file in my Windows temp folder called "sixtypopsix" which I was able to delete. Since ridding myself of those, the browser hijacks seem to have stopped. I still get a lot of popups and redirects. I have also run CWShredder and now when I run that I come up clean. I have SpyBot, the Microsoft Beta Anti-Spyware, AOL Spyware Protection, AdAware SE, SpySubtract, and Window Washer 5, not to mention AVG version 7, all of which I update and run at least daily. Occasionally AVG locates a trojan but it seems to fix them. The anti-spyware programs do catch a few things almost every time I run them but it doesn't seem to be any more than I ever used to have nor more than I would expect. I am posting a "HijackThis" log in hopes somebody can help me.

    I am also unable to activate my Windows firewall. When I try and enable it I get a message saying the "firewall settings cannot be enabled because the associated service is not running." It prompts me to start the "Firewall/Internet Connection Sharing Service." When I attempt to do that I get a message advising me that "Windows cannot start the ICS service." I don't know what any of this means and would be very grateful if someone can help me get it turned back on.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:05 PM, on 4/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\WINDOWS\system32\DfrgNtfs.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\n20050308.EXE
    C:\WINDOWS\system32\ipiprz.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [qt4tOm6] C:\documents and settings\molly\local settings\temp\qt4tOm6.exe
    O4 - HKLM\..\Run: [PpnL] C:\documents and settings\molly\local settings\temp\PpnL.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [L] C:\documents and settings\molly\local settings\temp\L.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [esLcbM] C:\docume~1\molly\locals~1\temp\esLcbM.exe
    O4 - HKLM\..\Run: [dqiwizho] C:\WINDOWS\System32\dqyknk.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [A3v] C:\documents and settings\molly\local settings\temp\A3v.exe
    O4 - HKLM\..\Run: [4nj9mZq] C:\documents and settings\molly\local settings\temp\4nj9mZq.exe
    O4 - HKLM\..\Run: [8pQFrT] C:\documents and settings\molly\local settings\temp\8pQFrT.exe
    O4 - HKLM\..\Run: [5Fsi36e] atmlbmsg.exe
    O4 - HKLM\..\Run: [p07kYOpv] c:\documents and settings\molly\local settings\temp\p07kYOpv.exe
    O4 - HKLM\..\Run: [0gd0LDrut] C:\documents and settings\molly\local settings\temp\0gd0LDrut.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Ko3sRWK2e] urladdin.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [Ogcidhc] C:\WINDOWS\system32\r?ndll.exe
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Molly"
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\m8640ijqe8oe0.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    Curious, did this happen after you installed SP2?

    If it did then read this: You cannot start the Windows Firewall service in Windows XP Service Pack 2

    I see that you got Kazaa Lite K++. I don't know if you use it... But if you do, well, uninstall the program... Gave me way too many headaches for what it's worth....

    As for spyware I don't see anything... But I may be wrong...

  3. #3
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Your computer is infected based on the print out you provided.
    There seems to be another virus too - AOL.


    I know I'm not much help, but....

    With all the spyware stuff you have loaded (despite the presence of your antispyware arsenal), the BHOs, AOL (yecch) and whatever, I think it's better for all of us, you included:

    Get yourself a fresh start in life: Reformat, reinstall.

    (That's not my normal advice, but this time it is.)
    ZT3000

  4. #4
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,324
    Install adaware and spybot search and destroy, update them completely.
    http://www.lavasoftusa.com/software/adaware/
    http://security.kolla.de/

    Update m$'s antispyware program.

    Boot into safe mode (press F8 at boot [after BIOS] and choose safe mode with or without networking, doesn't really matter).
    Run Spybot first, then AdAware, then finally m$'s antispyware.

    Then run another HijackThis and post it here again.

    BTW: You have a lot of programs starting up that are not needed at boot. That will slow down your PC.

    I normally only say format/reload if the repair/removal doesn't fix the problem(s).
    Sometimes your operating system can get quite damaged from malware and won't operate properly.

    You may have become a victim of the recent widespread DNS Cache Poisoning attacks.
    There isn't much you can do about that, other than to make sure your PC is up to date and contact your ISP to make sure they are not vulnerable to the DNS Cache Poisoning attacks. I wouldn't think that AOL would be vulnerable. These attacks are probably unrelated, but you can read about them at www.incidents.org

  5. #5
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Wow, quick responses, thank you. Agent, I thank you for the link to the SP2 article. After quickly scanning it I think you are right on the money about the firewall problem. ZT, if I really thought all I had to do to get a fresh start in life was to simply reformat and reinstall I would first find out what those things mean, find out how to do them and then, believe me, I would do it. Please realize I am not a hardcore computer user. I do have KaZaaLite and I have been using it for years with really very little trouble. I know AOL is a bit of trouble too, but I am willing to put up with the minor trouble I get from them and don't plan to uninstall either of these programs. First of all, my kids would kill me and secondly I have been running both these programs for over two years and not had any problems like this before and I am sure I can fix it and still enjoy these programs. Do you think that perhaps my problem is just that I am without my firewall protection?
    You said my computer was infected with some sort of virus, do you know what it is and what I can do to fix it?

    Thank You

  6. #6
    Junior Member
    Join Date
    Apr 2005
    Posts
    18
    Hello Phish, I did what you said. Spybot found 1 threat, AdAware found 16; all dataminers in cookies, MS SpyWare found none. Here is the HiJackThis log after restarting. Thank You

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:08 AM, on 4/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ipiprz.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLHOS~1.EXE
    C:\Program Files\America Online 9.0a\waol.exe
    C:\PROGRA~1\COMMON~1\AOL\110510~1\EE\AOLServiceHost.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 9.0a\shellmon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105105845\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [qt4tOm6] C:\documents and settings\molly\local settings\temp\qt4tOm6.exe
    O4 - HKLM\..\Run: [PpnL] C:\documents and settings\molly\local settings\temp\PpnL.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [L] C:\documents and settings\molly\local settings\temp\L.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [esLcbM] C:\docume~1\molly\locals~1\temp\esLcbM.exe
    O4 - HKLM\..\Run: [dqiwizho] C:\WINDOWS\System32\dqyknk.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [A3v] C:\documents and settings\molly\local settings\temp\A3v.exe
    O4 - HKLM\..\Run: [4nj9mZq] C:\documents and settings\molly\local settings\temp\4nj9mZq.exe
    O4 - HKLM\..\Run: [8pQFrT] C:\documents and settings\molly\local settings\temp\8pQFrT.exe
    O4 - HKLM\..\Run: [5Fsi36e] atmlbmsg.exe
    O4 - HKLM\..\Run: [p07kYOpv] c:\documents and settings\molly\local settings\temp\p07kYOpv.exe
    O4 - HKLM\..\Run: [0gd0LDrut] C:\documents and settings\molly\local settings\temp\0gd0LDrut.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Ko3sRWK2e] urladdin.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [Ogcidhc] C:\WINDOWS\system32\r?ndll.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\l42s0ef7eh2.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

  7. #7
    Senior Member frpeter
    Join Date
    Dec 2004
    Posts
    131
    Hello,

    Also in Windows, FireFox with AdBlock can be an incredible tool for blocking *before* they download.

    Blocking the IFRAME entries with AdBlock has reduced my PopUp problems quite a bit. There is also a free program called KillAd that is remarkably simple yet very effective at stopping popups/unders.

    Here is the link to KillAd:

    http://www.fsc-soft.com/pleasedontlinkheredirectly.htm

    This is the correct, but unusual, URL.

    The file can be downloaded here but be sure to read the above link:

    http://www.fsc-soft.com/downloads/killad.zip

    To keep my install simple, I put my copy in C:\KILLAD and added it to my StartUp.

    Hope this helps.

  8. #8
    Junior Member
    Join Date
    Nov 2002
    Posts
    1
    I think you should try another firewall, so you don't get those problems.

  9. #9
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You are running plenty of spyware removal programs but you don't seem to have a working firewall to stop them coming in. It could be that you are cleaning the machine only to have more malware appear as soon as you go back online.
    If the XP firewall is not working you should get something else installed until you can fix it.
    Zonealarm is quite easy to use and there is a free version,

    http://www.zonelabs.com/store/conten...ulist_download

    I would download that and install it.
    Go online and update all of your spyware tools and windows if you can.
    Run your spyware tools again.

    That should clear out what you've got and stop anything else coming in.

    You might also want to try Spyware Blaster:

    http://www.javacoolsoftware.com/

    It is another tool which acts to stop spyware coming in.

    Additionally you might want to add one of the anti-spyware HOSTS files that are available on the web. Adding one of these might help to stop the spyware calling home if it does get in and downloading further nasties.

    http://www.mvps.org/winhelp2002/hosts.htm

    IF after all of that you still have lots of problems it's probably worth reformatting the machine to give you a clean sheet to start from again. If you are doing that keep a copy of zonealarm on a disk and install that before you go on line again.
    I've personally had a machine compromised within 2 minutes while I downloaded a firewall as a first step. I think it happens even faster now. So get the firewall on before you do anything else.

  10. #10
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    I think you should try another firewall, so you don't get those problems.
    Yep, and pigs will fly..

    First we discuss the FIX, then we postulate over the prevention.. and ****ing firewalls DON'T block Adware...

    To the problem:

    HAVE YOU:
    Enabled viewing of hidden and system files? (that is two settings)
    Did you run AdAware and Spybot S&D in SAFE MODE?
    Have you CLEARED ALL the TEMP folders.. that is Windows\TEMP, Doc&Setting\USERNAME\Localsettings\TEMP, Temp internet etc etc..?

    You will note in the HJT log the prevalence of programs in the Startup\RUN where the files exist in the user temp folder.. AND THAT IS NOT A RED FLAG TO ANYONE?

    O4 - HKCU\..\Run: [Ogcidhc] C:\WINDOWS\system32\r?ndll.exe
    and that is santa ? come on guys RED FLAG RED FLAG

    try these tools IN SAFE MODE..

    AdwareAway http://www.adwareaway.com/
    CleanUp312 http://home.comcast.net/~sgould4567/.../download.html
    Silent Runners.vbs (Attach the log from this baby to your post.. DON'T paste it in the thread)
    getservice http://www.bleepingcomputer.com/files/getservice.php (Attach the log from this baby to your post.. DON'T paste it in the thread)


    You will find yourself in Command mode (don't call it DOS to my face) playing with the Attrib command, and manually deleting things..

    Here is my red flag list:

    O4 - HKLM\..\Run: [qt4tOm6] C:\documents and settings\molly\local settings\temp\qt4tOm6.exe
    O4 - HKLM\..\Run: [PpnL] C:\documents and settings\molly\local settings\temp\PpnL.exe

    O4 - HKLM\..\Run: [L] C:\documents and settings\molly\local settings\temp\L.exe

    O4 - HKLM\..\Run: [esLcbM] C:\docume~1\molly\locals~1\temp\esLcbM.exe
    O4 - HKLM\..\Run: [dqiwizho] C:\WINDOWS\System32\dqyknk.exe

    O4 - HKLM\..\Run: [A3v] C:\documents and settings\molly\local settings\temp\A3v.exe
    O4 - HKLM\..\Run: [4nj9mZq] C:\documents and settings\molly\local settings\temp\4nj9mZq.exe
    O4 - HKLM\..\Run: [8pQFrT] C:\documents and settings\molly\local settings\temp\8pQFrT.exe
    O4 - HKLM\..\Run: [5Fsi36e] atmlbmsg.exe
    O4 - HKLM\..\Run: [p07kYOpv] c:\documents and settings\molly\local settings\temp\p07kYOpv.exe
    O4 - HKLM\..\Run: [0gd0LDrut] C:\documents and settings\molly\local settings\temp\0gd0LDrut.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiprz.exe

    O4 - HKCU\..\Run: [Ko3sRWK2e] urladdin.exe

    O4 - HKCU\..\Run: [Ogcidhc] C:\WINDOWS\system32\r?ndll.exe
    Also.. I would consider running a quick scan for VX2 aka VX2finder http://tools.zerosrealm.com/VX2Finder.exe



    ... Back to you

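To turn the red-flag list above into a repeatable check, here is an added triage script (not from the thread or from any of the tools it names) that parses the O4 autostart lines of a HijackThis log and flags the patterns Und3rtak3r calls out: executables launched from a TEMP folder, bare filenames with no directory, and names one character away from a system binary such as rundll.exe. The sample lines are copied from the log posted in this thread; the rules, thresholds and function names are my own assumptions, and a flag means "look at this", not "this is malware".

```python
"""Triage the O4 (autostart) entries of a HijackThis 1.99 log for the
red-flag patterns discussed in the thread. Heuristics only."""
import re

# O4 line shape used by HijackThis: O4 - HKLM\..\Run: [Name] command [args]
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Command is either a quoted path, or an unquoted path that may contain
# spaces and ends at the extension (anything after that is arguments).
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|dat|kpp|scr))(?:\s|$)', re.I)
# User temp (long and 8.3 forms) and Windows\TEMP, the folders the thread says to clear.
TEMP_RE = re.compile(r'\\(?:local settings|locals~1|windows)\\temp\\', re.I)
# Core Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_NAMES = {"rundll.exe", "rundll32.exe", "svchost.exe", "explorer.exe",
                "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}


def parse_o4(line):
    """Return hive/key/name/path/args for an O4 registry Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    p = PATH_RE.match(cmd)
    if p is None:
        path, args = cmd, ""
    else:
        path = p.group("q") or p.group("u")
        args = cmd[p.end():].strip()
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "path": path, "args": args}


def lookalike(base):
    """System binary this basename mimics (exactly one char differs), or None."""
    for sysname in SYSTEM_NAMES:
        if base == sysname:
            return None
        if len(base) == len(sysname) and sum(a != b for a, b in zip(base, sysname)) == 1:
            return sysname
    return None


def red_flags(entry):
    """List the reasons an autostart entry deserves a manual look."""
    path = entry["path"]
    base = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("runs from a TEMP folder")
    if "\\" not in path:
        reasons.append("bare filename, no directory given")
    mimic = lookalike(base)
    if mimic:
        reasons.append(f"name mimics {mimic}")
    return reasons


def triage(log_text):
    """Return [(value name, path, reasons)] for every O4 entry that trips a rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = red_flags(entry)
            if reasons:
                flagged.append((entry["name"], entry["path"], reasons))
    return flagged


# Sample copied from the HijackThis log posted in the thread (two clean, four suspect).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qt4tOm6] C:\documents and settings\molly\local settings\temp\qt4tOm6.exe
O4 - HKLM\..\Run: [esLcbM] C:\docume~1\molly\locals~1\temp\esLcbM.exe
O4 - HKLM\..\Run: [5Fsi36e] atmlbmsg.exe
O4 - HKCU\..\Run: [Ogcidhc] C:\WINDOWS\system32\r?ndll.exe
"""

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "; ".join(reasons))
```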
