0

For the past week or so I've been experiencing a lot of annoying pop-up ads. Some open in Browser windows, others open up like the roll-over ads that you find on some web pages. Most of the web pages that open up are for www.ad-w-a-r-e.com or oas-central.realmedia.com or something like that. I've been doing a lot of reading of threads on here and other sites to try to solve this problem. Unfortunately, when it comes to this sort of thing I'm not real handy with it. I've tried running the HijackThis program that seems to be a favorite here but every time I do my McAfee pops up a virus warning and won't let it run.

I've posted as much info about my system as I can below. I really appreciate any help that can be offered to me.

Thanks in advance.

System Info
P4-2.66 GHz
1GB Ram
ATI Radeon 9700 Pro video card
Soundblaster Audigy 2 sound card
NetGear Ethernet card
MSI Motherboard

If you need any other info, let me know

4
Contributors
15
Replies
17
Views
11 Years
Discussion Span
Last Post by tutonk
0

Hi tutonk, welcome to the Daniweb forum. What is your operating system? Do you have all your Windows Updates installed? I am giving you a list of free programs that I recommend.

I only list here, the programs that I have used and I’m satisfied with, I know there are other great programs, but these are just the ones that I use, and can verify, as being worthy.

SYSTEM INVENTORY
Everest: http://www.lavalys.com/products.php?lang=en

SPYWARE
AdAware: http://www.lavasoftusa.com/software/adaware/
Spybot S&D: http://www.safer-networking.org/en/index.html
SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
Microsoft AntiSpyware (XP only): http://www.microsoft.com/athome/security/spyware/software/default.mspx

VIRUS PROTECTION
AVG Free: http://www.majorgeeks.com/download886.html

VIRUS and SPYWARE DETECTION
Ewido (XP only - trial version): http://www.ewido.net/en/
HijackThis: http://www.majorgeeks.com/download3155.html

ONLINE HijackThis ANALYZERS
HijackThis analyzer #1: (website) http://www.hijackthis.de/index.php?langselect=english
HijackThis analyzer #2: (website) http://www.help2go.com/modules.php?name=HJTDetective
HijackThis analyzer #3: (website) http://hjt.iamnotageek.com/

ONLINE VIRUS SCAN WEBSITE
Trend Micro: http://housecall.trendmicro.com/

Miscellaneous Tools
Starter: http://www.snapfiles.com/download/dlstarter.html
Icon Restore: http://www.majorgeeks.com/download4125.html
Erunt (XP only): http://www.larshederer.homepage.t-online.de/erunt/
MemTest86: http://www.memtest86.com/
A-Squared: http://www.emsisoft.com/en/software/download/
CWShredder: http://www.softpedia.com/get/Intern...WShredder.shtml

0

I have Windows XP Professional Edition SP 2 running. I typically install all of the automatic updates from Microsoft, so I would have to answer yes to that question. I did download and run the Everest Report, I've copied the system summary below.

-------[ Summary ]-----------------------------------------------------------------------------------------------------

Computer:
Operating System Microsoft Windows XP Professional
OS Service Pack Service Pack 2
DirectX 4.09.00.0904 (DirectX 9.0c)
Computer Name JONES
User Name Christopher Jones

Motherboard:
CPU Type Intel Pentium 4, 2733 MHz (20 x 137)
Motherboard Name MSI GNB Max-FISR (MS-6565) (5 PCI, 1 AGP Pro, 4 DIMM, Audio, Gigabit LAN, IEEE-1394)
Motherboard Chipset Intel Granite Bay E7205
System Memory 1024 MB (PC2100 DDR SDRAM)
BIOS Type Award (01/10/03)
Communication Port Communications Port (COM1)
Communication Port Communications Port (COM2)
Communication Port Printer Port (LPT1)

Display:
Video Adapter RADEON 9700 PRO - Secondary (128 MB)
Video Adapter RADEON 9700 PRO (128 MB)
3D Accelerator ATI Radeon 9700 Pro (R300)
Monitor HP D5258A Pavilion M50 [15" LCD] (THTDM00219)

Multimedia:
Audio Adapter C-Media CMI8738 Audio Chip
Audio Adapter Creative Audigy 2 LS Sound Card

Storage:
IDE Controller Intel(R) 82801DB Ultra ATA Storage Controller - 24CB
SCSI/RAID Controller WinXP Promise FastTrak 376 (tm) Controller
Floppy Drive Floppy disk drive
Disk Drive Maxtor 6E040L0 (40 GB, 7200 RPM, Ultra-ATA/133)
Disk Drive Maxtor 6Y120L0 (120 GB, 7200 RPM, Ultra-ATA/133)
Disk Drive Lexmark USB Mass Storage USB Device
Disk Drive SCSI Disk Device
Optical Drive TDK DVDRW420N (DVD:4x/2.4x/12x, CD:16x/10x/40x DVD+RW)
SMART Hard Disks Status OK

Partitions:
C: (NTFS) 39195 MB (19238 MB free)
D: (NTFS) 117232 MB (115252 MB free)
Total Size 152.8 GB (131.3 GB free)

Input:
Keyboard Easy Internet Keyboard
Mouse Microsoft USB Trackball Optical (IntelliPoint)

Network:
Network Adapter NETGEAR FA311 Fast Ethernet Adapter (24.3.229.244)

Peripherals:
Printer Lexmark 6200 Series
Printer LexmarkFax
USB1 Controller Intel 82801DB ICH4 - USB Controller [B-0]
USB1 Controller Intel 82801DB ICH4 - USB Controller [B-0]
USB1 Controller Intel 82801DB ICH4 - USB Controller [B-0]
USB2 Controller Intel 82801DB ICH4 - Enhanced USB2 Controller [B-0]
USB Device Generic USB Hub
USB Device Lexmark 6200 Series
USB Device Microsoft USB Trackball Optical
USB Device USB Composite Device
USB Device USB Human Interface Device
USB Device USB Mass Storage Device
USB Device USB Printing Support

0

Ok, on that list that I gave you in my last post, download SpywareBlaster, and update it. It will keep a lot of the nasties from getting to your computer. Also, download the Google toolbar, it has a pretty good popup stopper. Download Ewido and try that, it finds viruses and spyware.

You can download a trial version of Ewido here: http://www.ewido.net/en/

Be sure you update it before using it, and when it finds a problem, be sure to select the check box to do the same action (clean) when it finds a problem, otherwise, you will have to click continue, to keep scanning with every problem it finds.

0

Sorry it's taken so long to reply, but I took a few days off for the holiday. I have downloaded and run several different spyware/adware blockers/scanners. I did run the Ewido scanner as suggested in the previous post. However, I am still getting all the annoying ads. Some pop up with Taskbar icons, some just open windows. It seems that they don't pop up when I have my McAfee Privacy Service running, but the Privacy Service tends to give me more headaches than it's worth when I try to play games at Pogo or someplace like that. After the Ewido, how can I detect/find/destroy whatever is causing all of these pop-up ads??

0

We shold get a HijackThis log from you at this point.

1. Disconnect from the Internet.

2. Disable McAfee if it's still preventing HijackThis from running.

3. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log".

4. Re-enable McAfee and reconnect your computer to the Net.

5.Open the HijackThis log file with Windows Notepad and cut-n-paste the entire contents of the Notepad file here.

0

OK I got the HiJack This log. It is attached below. Thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:43 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Documents and Settings\Christopher Jones\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [foqf] C:\PROGRA~1\COMMON~1\foqf\foqfm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.moove.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126479805468
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4598/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\fppu0379e.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\vzrbisenc.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

0

OK- your log does show signs of infections. Please do the following:

1. Download and install ewido Security Suite - http://www.ewido.net/en/download/


2. Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.


3. Open MS Antispyware beta. Make sure the "AntiSpyware AutoUpdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.


4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


5. Run ewido and MS Antispyware beta consecutively (the order doesn't matter), and have both programs fix whatever they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.


6. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


7. Reboot normally, run HijackThis again, and post the new log. Also post the "Scan Report" that ewido generated.

0

Ok. I've followed your instructions. The new HijackThis log and the Ewido log are below. I ran the Ewido scan first, then the MS AntiSpyware. Please let me know what is next.

Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:28:43 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\runservice.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\Christopher Jones\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [foqf] C:\PROGRA~1\COMMON~1\foqf\foqfm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.moove.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126479805468
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.33/ttinst.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4635/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


********Ewido Scan Log*********


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           12:30:30 PM, 11/26/2005
+ Report-Checksum:      DDC2DF63


+ Scan result:


[700] C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Error during cleaning
[804] C:\WINDOWS\system32\imvu9_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@2o7[2].txt[/email] -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@atdmt[1].txt[/email] -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@doubleclick[1].txt[/email] -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wfkygmazolp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wfmiegcjagp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wgkosnazwlp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjkocldpedo.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjkyqpcjoaq.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjkyukazebp.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjl4kpczgdo.stats.esomniture[1].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjliwodpecp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjloeldzofp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjmyeiajkgp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjmygmdjelq.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjny-1ndpwh.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjnygkdpsgp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@e-2dj6wjnyspajolp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@edge.ru4[1].txt[/email] -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@mediaplex[1].txt[/email] -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@questionmarket[1].txt[/email] -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Christina Jones\Local Settings\Temp\Cookies\christina [email]jones@serving-sys[2].txt[/email] -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@2o7[2].txt[/email] -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@ad.yieldmanager[2].txt[/email] -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@ads.pointroll[1].txt[/email] -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@advertising[2].txt[/email] -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@atdmt[1].txt[/email] -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@bfast[1].txt[/email] -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@burstnet[2].txt[/email] -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@citi.bridgetrack[1].txt[/email] -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@doubleclick[2].txt[/email] -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@ehg-dig.hitbox[1].txt[/email] -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@excite[2].txt[/email] -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@hitbox[1].txt[/email] -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@linksynergy[2].txt[/email] -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@statse.webtrendslive[1].txt[/email] -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Christopher Jones\Cookies\christopher [email]jones@trafficmp[1].txt[/email] -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\system32\imvu9_32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ir22l5fo1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@2o7[2].txt[/email] -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@ad.yieldmanager[1].txt[/email] -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@adopt.specificclick[2].txt[/email] -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@ads.addynamix[2].txt[/email] -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@advertising[2].txt[/email] -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@as1.falkag[2].txt[/email] -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@atdmt[2].txt[/email] -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@centrport[2].txt[/email] -> Spyware.Cookie.Centrport : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@doubleclick[1].txt[/email] -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@edge.ru4[2].txt[/email] -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@fastclick[1].txt[/email] -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@mediaplex[1].txt[/email] -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@paypopup[1].txt[/email] -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@questionmarket[1].txt[/email] -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@revenue[2].txt[/email] -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@rotator.adjuggler[1].txt[/email] -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@targetnet[2].txt[/email] -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@trafficmp[1].txt[/email] -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@tribalfusion[2].txt[/email] -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@valuead[2].txt[/email] -> Spyware.Cookie.Valuead : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@valueclick[1].txt[/email] -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\christina [email]jones@z1.adserver[1].txt[/email] -> Spyware.Cookie.Adserver : Cleaned with backup



::Report End

Edited by happygeek: fixed formatting

0

What's going on here. It's been a week since I posted these logs and I've heard nothing back. THe problem is that I am still getting these annoying pop-ups. I really need some help here. Anyone?

0

What's going on here. It's been a week since I posted these logs and I've heard nothing back. THe problem is that I am still getting these annoying pop-ups. I really need some help here. Anyone?

Hey go to Tools - Pop-up Blocker - Pop-up Blocker settings - see whether the Filter Level is set to medium or not

0

Yes the IE Pop Up Blocker controls are set to medium. But the ones that pop up are for www.ad-w-a-r-e.com or www-searc-h.com or others like that. I'm sure it's just a matter of something simple that got downloaded by accident, but I don't know what to do next.

0

Yes the IE Pop Up Blocker controls are set to medium. But the ones that pop up are for www.ad-w-a-r-e.com or www-searc-h.com or others like that. I'm sure it's just a matter of something simple that got downloaded by accident, but I don't know what to do next.

Sorry 4 the late reply, matter luks really serious. Win xp with SP2 and still popups, something to luk about.

Boot into safe mode, disable system restore, Go to registry by typing regedit at run, search for the entries related to the above url u mentioned, if u find any entry delete it, press F3 to find the next entry, install the attachment Regcleaner, start the program click on startup, and delete all the entries u think are suspicious, use CWShredder to delete all the cool web search. Empty the temp internet folder and recycle bin and reboot

0

Yes the IE Pop Up Blocker controls are set to medium. But the ones that pop up are for www.ad-w-a-r-e.com or www-searc-h.com or others like that. I'm sure it's just a matter of something simple that got downloaded by accident, but I don't know what to do next.

I wanna attach other software called Xoftspy, but it is a cracked version and it is illeagal to post such pirated software, its a gud utility to deleted spyware, which adware, spybot, and other spyware programs fail to deleted, it even deletes CWS, its about 1.6 MB, if u want i can upload it

0

I wanna attach other software called Xoftspy, but it is a cracked version and it is illeagal to post such pirated software, its a gud utility to deleted spyware, which adware, spybot, and other spyware programs fail to deleted, it even deletes CWS, its about 1.6 MB, if u want i can upload it

Ok iam sending the link pls click on it a seperate webpage will open scroll down and click on free, again scroll down, u will see a message (download ticket reserved) wait for a few second and now click on the link to download

http://rapidshare.de/files/8582859/XoftSpy_3.45.zip.html

install it run the program click on help-about xoftspy-register and insert the key and scan ur system in safe mode

0

Well I must have spoke too soon. Just when I thought things were looking like they were fixed. I'm getting more pop-ups again. This time the sites are www.cool-discount.com, www.discount-home.com, etc. The one thing I keep noticing is that the URLs coming up are something like www.cool-discount.com/normal/yyy65.html. The yyy65.html is coming up with the majority of the pop-ups. I've tried searching the registry and running the Registry Cleaner and Xoft and scanning, but it's not finding it.

Help!!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.