Apr 19th, 2005
0

OOO-Microsoft Internet Explorer Pop up

Please help.
Whenever I open IE, the windows seem to replicate on my taskbar and I can't close it! There are two types of windows...one says

OOO-Microsoft Internet Explorer - which doesn't do anything except stay there and 'replicate' - I can not close this. When I do, it just returns - opens another window.

and

IE - Microsoft Internet Explorer - which has smiley faces on and a free fries or burgers or whatever ad they can think of.

---I checked this forum on how to remove hotoffers and it worked. Thanks! I'm hoping you could help me with this problem as well. My computer is starting to slow down.

Thank you!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Adrianne is offline Offline
13 posts
since Apr 2005
Apr 19th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

Hi Adrianne, welcome to TechTalk.


Please do the following to start us off:

1. Download HijackThis:

2. Once downloaded, follow these instructions to install and run the program:

- Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

- Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
DMR
Team Colleague
Reputation Points: 221
Solved Threads: 369
Wombat At Large
DMR is offline Offline
6,439 posts
since Dec 2003
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

Here's the log...Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 7:58:45 AM, on 4/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system\rrsi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\K\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Maribel Mauro\Application Data\Mozilla\Profiles\default\pfso86m1.slt\prefs.js)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [27oW34R] p2cntcreate.exe
O4 - HKLM\..\Run: [bypcbs] c:\windows\system32\bypcbs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Jw76RQd9e] odeund.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB384B5B-1948-4206-901F-9C32E3A3B935} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB384B5B-1948-4206-901F-9C32E3A3B935} - (no file) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/me...t/twophase.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099683728096
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\Software\..\Telephony: DomainName = wwela.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


----------
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Adrianne is offline Offline
13 posts
since Apr 2005
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

1. C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browsers. HijackThis cannot fully perform its fixes while browsers are running.
Since you won't be online while you're performing the fixes, you might want to print out our instructions or save them to a local text file on your computer.


2. Once Internet Explorer is closed, have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [27oW34R] p2cntcreate.exe
O4 - HKLM\..\Run: [bypcbs] c:\windows\system32\bypcbs.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Jw76RQd9e] odeund.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following files:
p2cntcreate.exe
c:\windows\system32\bypcbs.exe
odeund.exe

- Delete the following folder entirely:
C:\Program Files\Ares

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


4. Run HijackThis again, post a new log, and let us know if the problems persist.
DMR
Team Colleague
Reputation Points: 221
Solved Threads: 369
Wombat At Large
DMR is offline Offline
6,439 posts
since Dec 2003
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

Thank you. I will try to do that and post a new log.
One quick question though...by deleting C:\Program Files\Ares...will that program be deleted? I use Ares to download songs and if possible would like to keep it.

Thanks!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Adrianne is offline Offline
13 posts
since Apr 2005
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

Sorry, my mistake; I should have asked about Ares.
I remembered an "ares.exe" file being associated with a certain trojan/worm, which is why I asked you to remove it. However, I forgot that there was also an "Ares" filesharing program as well. While I personally don't advise people to use such sharing/downloading programs, if you do want to use it, just ignore my HJT fixes regarding the program.
DMR
Team Colleague
Reputation Points: 221
Solved Threads: 369
Wombat At Large
DMR is offline Offline
6,439 posts
since Dec 2003
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

I did what you told me, although I did not delete the Ares folder (and it seemed to work out okay). Thanks again. It was working out fine. No annoying popups. However, I noticed that I couldn't get my Windows Media Player to work. Brilliant little me decided to download it again to make it work and was instantly bombarded with those pesky little popups once again. It's working (the media player) but I'd rather not have it if it means having all those popups. I did another scan and here it is. I didn't want to delete anything because I might do more damage.

Thanks again!


Logfile of HijackThis v1.99.1
Scan saved at 4:38:38 PM, on 4/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system\rrsi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\K\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Maribel Mauro\Application Data\Mozilla\Profiles\default\pfso86m1.slt\prefs.js)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB384B5B-1948-4206-901F-9C32E3A3B935} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB384B5B-1948-4206-901F-9C32E3A3B935} - (no file) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/me...t/twophase.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099683728096
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\Software\..\Telephony: DomainName = wwela.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wwela.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{D44A8BAE-E4C5-48C2-85ED-E3DC24D86278}: NameServer = 206.13.28.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Adrianne is offline Offline
13 posts
since Apr 2005
Apr 20th, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

I missed something that's been lurking in your logs:

C:\WINDOWS\system\rrsi.exe

I don't recognize that file and I'm a bit suspicious of it; can you do the following please?:

- Open Windows Explorer and locate the file.

- Right-click on it with your mouse. A menu box should pop up; choose Properties from that menu.

- Look through the information in the various Properties tabs and post any identifying information that you can find there (file size, modification/creation date, company name, etc.).
DMR
Team Colleague
Reputation Points: 221
Solved Threads: 369
Wombat At Large
DMR is offline Offline
6,439 posts
since Dec 2003
Apr 21st, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

Good morning. Here we go.

rrsi.exe
size: 10.5 kb
size on disk - 12.0 kb
created: Wednesday, March 16, 2005 5:34:37 am
modified: Wednesday, March 16, 2005 5:34:37 am

--- What does this do?
Also, what are dll files? (Are they even files?)

--- I didn't do anything yet - didn't delete anything, so the log should be the same as the one I posted. I'm waiting for instructions on what to delete.

Thank you!


Btw, I can't seem to get on safe mode by pressing the F8 key on start up. Is there another way?

--
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Adrianne is offline Offline
13 posts
since Apr 2005
Apr 21st, 2005
0

Re: OOO-Microsoft Internet Explorer Pop up

1. Was there any version information, company name, etc. in the Properties tabs of the rrsi.exe file? I've never seen that file before and can't find any information about it online. Also, it's running out of your C:\Windows\system folder, which is not where .exe files usually live on an XP system. All of that makes me suspicious of the file, but I don't want to tell you to delete it until I'm sure there's no further identifying info in the file's Properties.


2. .dll files are Dynamically Linked Libraries, also called Dynamically Loaded Libraries. They aren't programs in and of themselves, but rather they contain instructional code used by programs (or Windows itself) in the course of performing different tasks. Most dlls are legit, but malicious infections can also use dlls to accomplish their "dirty deeds".


3. What does happen when you try to get into Safe Mode?
If Windows just boots as it normally does, you may not be hitting F8 at just the right time. The timing can be pretty tight, and many systems have a "fast boot" option enabled which makes it even harder to catch the F8 keystroke in time to bring up the Safe Mode boot menu. Try repeatedly tapping the F8 key just after the computer starts to boot; you need to catch it well before you see the "Welcome to Windows" or "Windows is Starting Up" screen.
DMR
Team Colleague
Reputation Points: 221
Solved Threads: 369
Wombat At Large
DMR is offline Offline
6,439 posts
since Dec 2003
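
The log comparison this thread does by eye, as an added example (not code from the thread or from HijackThis): it diffs the two posted logs to show which requested fixes took, which entries remain and what is new, and it lists running executables in C:\WINDOWS\system, the location the last reply calls unusual for .exe files on XP. The log excerpts are shortened from the posts above; `FIXED`, `parse`, `compare` and `odd_location` are names made up for this sketch, and a "new" entry only means it changed between scans.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any OS

# Excerpts shortened from the two logs posted in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\rrsi.exe
C:\Program Files\Ares\Ares.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [27oW34R] p2cntcreate.exe
O4 - HKLM\..\Run: [bypcbs] c:\windows\system32\bypcbs.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Jw76RQd9e] odeund.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\rrsi.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
"""
# In this excerpt, every R3/O4 line except vptray was on the helper's fix list.
FIXED = [l for l in LOG_BEFORE.splitlines()
         if l.startswith(("R3", "O4")) and "vptray" not in l]

ENTRY = re.compile(r"^[A-Z]\d{1,2} - .+$")  # R0, N3, O4, O16, O23 ...

def parse(log):
    """Split a HijackThis log into (running process paths, entry lines)."""
    processes, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:            # a blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif ENTRY.match(line):
            entries.append(line)
    return processes, entries

def compare(before, after, fixed):
    """Report what changed between two scans, given the requested fixes."""
    old, new = parse(before)[1], parse(after)[1]
    return {
        "removed": [e for e in old if e not in new],
        "still_present": [e for e in fixed if e in new],
        "new": [e for e in new if e not in old],
    }

def odd_location(processes, odd_dirs=(r"c:\windows\system",)):
    """Running executables whose folder is one of odd_dirs (case-insensitive)."""
    return [p for p in processes if normcase(dirname(p)) in odd_dirs]

if __name__ == "__main__":
    print(compare(LOG_BEFORE, LOG_AFTER, FIXED))
    print(odd_location(parse(LOG_AFTER)[0]))
```
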
