Hello, I'm brand new here, coming to look for help.
I keep getting popups and can't get rid of them.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:11 AM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MQ\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\system32\swinpqez.exe
C:\PROGRA~1\COMMON~1\PPATCH~1\userinit.exe
C:\WINDOWS\?racle\s?chost.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Uninstall Information\odbc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bahfqpf.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [w05c75cc.dll] RUNDLL32.EXE w05c75cc.dll,I2 0014d6c2005c75cc
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinpqez.exe GID003
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Eear] "C:\PROGRA~1\COMMON~1\PPATCH~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Mair] C:\WINDOWS\?racle\s?chost.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinpqez.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = angelos
O17 - HKLM\Software\..\Telephony: DomainName = angelos
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = angelos
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk

Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Somebody please help. I keep getting mad pop-ups that the pop-up blocker constantly has to block, and sometimes it crashes everything!!

Anybody have any suggestions? I'm getting desperate. Virus scans and other various utilities cannot get rid of it. I don't know what to do, besides reformatting.....

Please post an up to date HJT log, and I will have a look at it.

Try to get the spaces out of it too, as it makes it hard to read.


:)

Ok, here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:23:02 PM, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bahfqpf.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = angelos
O17 - HKLM\Software\..\Telephony: DomainName = angelos
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = angelos
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DDIIYEVD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\DDIIYEVD.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

anything?

This pebbf.exe and yujwgk.exe seem to be the problem.
I cannot stop them.
Every time I try to end process on one, two more appear. Those two kind of back each other up or something.

Apologies for the delays- we seem to be a bit shorthanded lately.

You are absolutely right about the suspicious files- they are part of your infections, although there are other malicious files which are recreating the ones you are trying to kill.

Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

* Download the most current updates for Norton AV and Spy Sweeper.

* Download and install the following utilities:

Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
ewido Anti-spyware (30-day trial version) - http://www.ewido.net/en/download/

To Install and Configure ewido:

  • Close all other applications and then run the ewido installer
  • Select language, click OK
  • Click I Agree
  • Click Next
  • Click Install
  • Click Finish
  • Wait; Ewido will open the main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get the updates
  • When updating has finished, close Ewido.

* Download ATF-Cleaner and save it to a convenient location. Don't actually run the program yet.


* Close all open programs/windows (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button.
Close HijackThis once the fixes complete:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bahfqpf.exe
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll


* Reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Log in to the Administrator account.

* Run ATF-Cleaner
- Double-click ATF-Cleaner.exe to open the program.
- Under Main choose: Select All
- Click the Empty Selected button.

If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


* Run full system scans with Norton, Defender, and Spy Sweeper. Have the programs fix all malicious items they find.

* Open Ewido

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close Ewido.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

* Search for the following files and delete them if found:
C:\WINDOWS\system32\pebbf.exe
bahfqpf.exe
C:\WINDOWS\system32\csrss.dll


* Empty your Recycle Bin and reboot normally.

* Run HijackThis again and post the new log. Also post the logs that ewido and Spy Sweeper generated.


Thank you for the reply.
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:02 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bahfqpf.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ymnofi] C:\WINDOWS\system32\yujwgk.exe reg_run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [uiuph] C:\WINDOWS\system32\yujwgk.exe reg_run
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = angelos
O17 - HKLM\Software\..\Telephony: DomainName = angelos
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = angelos
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DDIIYEVD - Unknown owner - C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\DDIIYEVD.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Here's the EWIDO log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:46:36 PM 7/10/2006

+ Scan result:

C:\WINDOWS\vlprmhsf.exe -> Adware.BookedSpace : Cleaned.
C:\WINDOWS\system32\ftuninst.exe -> Adware.Linkmaker : Cleaned.
C:\WINDOWS\system32ftuninst.exe -> Adware.Linkmaker : Cleaned.
C:\WINDOWS\system32\services.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned.
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32\swinpqez.exe -> Adware.ZenoSearch : Cleaned.
C:\WINDOWS\system32\fryar.dat -> Downloader.Qoologic.bj : Cleaned.
[1884] C:\WINDOWS\system32\fcjwwsq.dll -> Downloader.Qoologic.bj : Cleaned.
[708] C:\WINDOWS\system32\fcjwwsq.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned.
:mozilla.38:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.49:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.52:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.53:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.54:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.55:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.57:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.58:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.59:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.60:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.61:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.62:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.78:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.26:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.86:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.87:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.88:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.89:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.95:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.96:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.97:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.66:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.67:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.68:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.63:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.22:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.23:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.24:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.25:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.90:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.91:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.92:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.81:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.84:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.44:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.45:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.46:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.47:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.48:C:\Documents and Settings\administrator.ANGELOS\Application Data\Mozilla\Firefox\Profiles\s4g8bcrc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Spy-Sweeper log:
********
12:28 PM: | Start of Session, Monday, July 10, 2006 |
12:28 PM: Spy Sweeper started
12:28 PM: Sweep initiated using definitions version 556
12:28 PM: Starting Memory Sweep
12:29 PM: Memory Sweep Complete, Elapsed Time: 00:00:36
12:29 PM: Starting Registry Sweep
12:29 PM: Registry Sweep Complete, Elapsed Time:00:00:07
12:29 PM: Starting Cookie Sweep
12:29 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 PM: Starting File Sweep
12:30 PM: File Sweep Complete, Elapsed Time: 00:01:30
12:30 PM: Full Sweep has completed. Elapsed time 00:02:21
12:30 PM: Traces Found: 0
1:41 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
1:41 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
2:47 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
2:47 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:43 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
3:43 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:14 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
4:35 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:02 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:02 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:03 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:03 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:17 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:17 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
7:53 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:32 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
9:32 PM: The Spy Communication shield has blocked access to: count.exitexchange.com
********


The problem is still there :(


I'm not surprised- ewido detected a few hidden infections which are difficult to kill, and your HJT log is showing different indications of the infections.

Let's start with the Qoologic infection; Please follow these removal instructions:

You will need to close/quit all web browser programs and disconnect from the Internet for the following, so you should print out these instructions or save them into a text file with Notepad.

* Download the most current updates for Norton, ewido, Defender, and Spy Sweeper.


* Download the QooFix utility.
- Unzip the downloaded file into its own new folder.
- Double click on the file named Qoofix.exe.
- Click the Begin Removal button.
It may take a while to scan, and a reboot may be necessary if an infection is found. Once the scan/fix has completed, the utility will create a file named "Qoofix Logfile.txt" in the QooFix folder.


* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries (if they're still present), and then click the "Fix Checked" button.
Close HijackThis once the fixes complete:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bahfqpf.exe
O4 - HKLM\..\Run: [ymnofi] C:\WINDOWS\system32\yujwgk.exe reg_run
O4 - HKCU\..\Run: [uiuph] C:\WINDOWS\system32\yujwgk.exe reg_run

* Reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Log in to the Administrator account.

* Run full system scans with Norton, Defender, and Spy Sweeper. Have the programs fix all malicious items they find.

* Open Ewido

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close Ewido.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

* Search for the following files and delete them if found:
C:\WINDOWS\system32\pebbf.exe
bahfqpf.exe
C:\WINDOWS\system32\yujwgk.exe

* Empty your Recycle Bin and reboot normally.

* Run HijackThis again and post the new log. Also post the logs that ewido, Spy Sweeper, and QooFix generated.
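
An added example, not part of the original thread: a small Python check for the "run HijackThis again" step that confirms the entries listed for fixing are gone from a new log, and shows which programs the two F2 lines append to the Winlogon Shell/UserInit values. The fix list and log excerpt are copied from this page; the function names and the default values (a stock C:\WINDOWS install of Windows XP) are assumptions of the example.

```python
import re

# Entries the helper asked to fix (copied from the post above).
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pebbf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,bahfqpf.exe
O4 - HKLM\..\Run: [ymnofi] C:\WINDOWS\system32\yujwgk.exe reg_run
O4 - HKCU\..\Run: [uiuph] C:\WINDOWS\system32\yujwgk.exe reg_run
"""

# Excerpt of the follow-up log posted later in the thread.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumed defaults for the two Winlogon values HijackThis reports as F2.
F2_DEFAULTS = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<name>Shell|UserInit)=(?P<value>.*)$", re.I)


def parse_entries(log_text):
    """Return (code, body) for each entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def extra_winlogon_programs(entries):
    """List programs an F2 Shell/UserInit entry carries beyond the default value."""
    findings = []
    for code, body in entries:
        m = F2_RE.match(body) if code == "F2" else None
        if not m:
            continue
        programs = [p.strip() for p in m.group("value").split(",") if p.strip()]
        extras = [p for p in programs if p.lower() not in F2_DEFAULTS[m.group("name").lower()]]
        if extras:
            findings.append((m.group("name"), extras))
    return findings


def normalize(code, body):
    # Windows paths are case-insensitive, and the same entry appears on this
    # page as both "system32\userinit.exe" and "SYSTEM32\Userinit.exe".
    return (code, " ".join(body.split()).lower())


def still_present(fix_list_text, new_log_text):
    """Return the fix-list entries that still appear in the new log."""
    seen = {normalize(c, b) for c, b in parse_entries(new_log_text)}
    return [f"{c} - {b}" for c, b in parse_entries(fix_list_text)
            if normalize(c, b) in seen]


if __name__ == "__main__":
    for name, extras in extra_winlogon_programs(parse_entries(FIX_LIST)):
        print(f"{name} launches extra program(s): {', '.join(extras)}")
    leftovers = still_present(FIX_LIST, AFTER_LOG)
    print("Still present:", leftovers if leftovers else "none")
```
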


Here are the latest logs:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:24 AM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\AutoCAD 2005\acad.exe
C:\DOCUME~1\angelos\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\HijackThis.exe
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = angelos
O17 - HKLM\Software\..\Telephony: DomainName = angelos
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = angelos
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DDIIYEVD - Unknown owner - C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\DDIIYEVD.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

EWIDO:

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Scan result:


C:\Documents and Settings\angelos\Local Settings\Temp\Temporary Internet Files\Content.IE5\8BI3WJ2H\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\angelos\Local Settings\Temp\Temporary Internet Files\Content.IE5\ILSVUNG9\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\angelos\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1QTIV4Z\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\angelos\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1QTIV4Z\popup[2].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).


::Report end

Qoofix:

Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/12/2006] at [4:16:50 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
C:\WINDOWS\system32\fryar.dat will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/12/2006] at [4:18:32 PM]

Note: Some registry keys may have been removed.

The problem still remains :(

There are no more signs of infections in your logs. Can you give us any specific information (websites, product names, company names, etc.) that appear in the ads?

Right now I get these windows yes/no pop-ups that are titled: Internet Redirection.
and then inside it says:

"You are about to be redirected to a new internet site.

Any information you exchanged with the current site could be retransmitted to the new internet site you are about to connect with. Do you wish to continue?"

The actual pop-ups seem to get blocked most of the time. But here is an example of one that got through:

http://media.fastclick.net

"You have been chosen to receive a new laptop...... blah blah blah......."

Ahhh- that explains it. You probably don't have any more infections; "fastclick" ads are usually served from the website you're visiting, not from something malicious that's actually installed on your computer.
The specific message you're getting from Internet Explorer is due to this IE option being enabled.

The FastClick folks work pretty hard to find ways to get around pop-up blocking software, but these solutions might help with fastclick and other annoyances that you can encounter at different sites:

Configuring popup blocking settings built in to IE: http://www.microsoft.com/windowsxp/using/web/sp2_popupblocker.mspx

Configuring popup blocking settings built in to Firefox is done by going to Tools->Options->Content. The settings are pretty self-explanatory.

The free "IE-SpyAd" utility for IE: http://www.spywarewarrior.com/uiuc/resource.htm

The free SpyBot Search & Destroy utility has an "Immunize" feature.

The free SpywareBlaster utility blocks "bad" sites in IE.
