TheTechGuide Forum
General Category => Tech Clinic => Topic started by: smoochyleigh on August 11, 2005, 11:54:45 PM
-
Hi,
I have run and re-run ad-aware and spy-bot repeatedly on this machine and the adware/spyware keeps appearing. It's affecting productivity and makes this computer almost unusable. I could really use some help fixing this.
Thank you in advance.
Here is a current HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:53:09 PM, on 8/11/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CSSRD2.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\WINDOWS\SYSTEM\CSSRD2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.langloisfoods.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SDWin32 Class - {87DD96A0-0389-11DA-AB8F-0010DC3CBE2C} - C:\WINDOWS\SYSTEM\KDCUN.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - User Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - User Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
Thanks for any help you can give me,
Leigh
-
Just on my way to work, but if you do the following for me I'll post up a fix later
Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save the list to desktop and post its contents back here
Also
Can you do the following
Can you go to this link
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM\CSSRD2.EXE <-this file
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
-
Hi,
Here are the two scans you requested:
HijackThis
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
AnyTime Deluxe Edition
Corel Remove Program
Display Utility
E2give Plug-in
HijackThis 1.99.1
HP LaserJet 1200 Uninstaller
Internet Explorer Q834707
LiveReg (Symantec Corporation)
LiveUpdate 1.7 (Symantec Corporation)
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.0
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 97, Professional Edition
Microsoft Outlook Express 6
Microsoft Publisher 2002
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.6
Multimedia keyboard driver uninstall
NetMeeting 3.01
Norton Internet Security Professional
OIN
Outlook Express Q837009
Paradox 7
Spybot - Search & Destroy 1.4
System Files Update
The Food Processor
VIA Tech KLE/PLE Display Driver and Utilities
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows Media Player 7.1
WinZip
Jotti's Online Malware Scan
File: cssrd2.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 9a20560922f0a94d44807b5356dc877a
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Generic.923
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Spy.Win32.VB.eh
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Spy.Win32.VB.eh
I was trying to figure out what that file was too. When you go to properties of that file, the company is Ptech, internal and original file name is skytown.exe. I don't know if that helps you or not.
-Leigh
-
Access your Add/Remove programs and uninstall the following
Viewpoint Manager (Remove Only)
Viewpoint Media Player
E2give Plug-in
I would also like to remove OIN, but I don't trust their uninstaller, so we'll leave it for now
Restart your computer
Please download l2m9xfix.exe (http://swandog46.geekstogo.com/l2m9xfix.exe)
Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.
A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.
Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.
-
Hi,
I tried to uninstall the programs but only viewpoint manager & media player were listed. Many of the items listed in the HJ list were not present in the list Windows gave me. The ones marked [not listed] below are not present in my add/remove programs selection:
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
AnyTime Deluxe Edition
Corel Remove Program [not listed]
Display Utility
E2give Plug-in [not listed]
HijackThis 1.99.1 [not listed]
HP LaserJet 1200 Uninstaller
Internet Explorer Q834707
LiveReg (Symantec Corporation) [not listed]
LiveUpdate 1.7 (Symantec Corporation) [not listed]
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.0
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 97, Professional Edition
Microsoft Outlook Express 6
Microsoft Publisher 2002
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.6
Multimedia keyboard driver uninstall
NetMeeting 3.01
Norton Internet Security Professional [not listed]
OIN [not listed]
Outlook Express Q837009
Paradox 7 [not listed]
Spybot - Search & Destroy 1.4 [not listed]
System Files Update
The Food Processor
VIA Tech KLE/PLE Display Driver and Utilities
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows Media Player 7.1
WinZip
Here is the requested log.txt file:
Log of L2M9XFix v1
************
Running from directory:
C:\WINDOWS\Profiles\DON\Desktop\l2m9xfix
************
Files found:
C:\WINDOWS\system\BUOWSELC.DLL
C:\WINDOWS\system\BUOWSELC.DLL
C:\WINDOWS\system\BUOWSELC.DLL
C:\WINDOWS\system\BUOWSELC.DLL
C:\WINDOWS\system\CEYPTNET.DLL
C:\WINDOWS\system\CEYPTNET.DLL
C:\WINDOWS\system\CEYPTNET.DLL
C:\WINDOWS\system\CEYPTNET.DLL
C:\WINDOWS\system\CFMCTL32.DLL
C:\WINDOWS\system\CFMCTL32.DLL
C:\WINDOWS\system\CFMCTL32.DLL
C:\WINDOWS\system\CFMCTL32.DLL
C:\WINDOWS\system\CVUSALGO.DLL
C:\WINDOWS\system\CVUSALGO.DLL
C:\WINDOWS\system\CVUSALGO.DLL
C:\WINDOWS\system\CVUSALGO.DLL
C:\WINDOWS\system\DADRG56X.DLL
C:\WINDOWS\system\DADRG56X.DLL
C:\WINDOWS\system\DADRG56X.DLL
C:\WINDOWS\system\DADRG56X.DLL
C:\WINDOWS\system\DLDRGBXF.DLL
C:\WINDOWS\system\DLDRGBXF.DLL
C:\WINDOWS\system\DLDRGBXF.DLL
C:\WINDOWS\system\DLDRGBXF.DLL
C:\WINDOWS\system\DNDRM16F.DLL
C:\WINDOWS\system\DNDRM16F.DLL
C:\WINDOWS\system\DNDRM16F.DLL
C:\WINDOWS\system\DNDRM16F.DLL
C:\WINDOWS\system\DQDRAMPF.DLL
C:\WINDOWS\system\DQDRAMPF.DLL
C:\WINDOWS\system\DQDRAMPF.DLL
C:\WINDOWS\system\DQDRAMPF.DLL
C:\WINDOWS\system\DR16GT.DLL
C:\WINDOWS\system\DR16GT.DLL
C:\WINDOWS\system\DR16GT.DLL
C:\WINDOWS\system\DR16GT.DLL
C:\WINDOWS\system\DSGSIG.DLL
C:\WINDOWS\system\DSGSIG.DLL
C:\WINDOWS\system\DSGSIG.DLL
C:\WINDOWS\system\DSGSIG.DLL
C:\WINDOWS\system\DXDIM.DLL
C:\WINDOWS\system\DXDIM.DLL
C:\WINDOWS\system\DXDIM.DLL
C:\WINDOWS\system\DXDIM.DLL
C:\WINDOWS\system\DXTACLEN.DLL
C:\WINDOWS\system\DXTACLEN.DLL
C:\WINDOWS\system\DXTACLEN.DLL
C:\WINDOWS\system\DXTACLEN.DLL
C:\WINDOWS\system\ECYD7US.DLL
C:\WINDOWS\system\ECYD7US.DLL
C:\WINDOWS\system\ECYD7US.DLL
C:\WINDOWS\system\ECYD7US.DLL
C:\WINDOWS\system\EFYSH7.DLL
C:\WINDOWS\system\EFYSH7.DLL
C:\WINDOWS\system\EFYSH7.DLL
C:\WINDOWS\system\EFYSH7.DLL
C:\WINDOWS\system\FU20ENU.DLL
C:\WINDOWS\system\FU20ENU.DLL
C:\WINDOWS\system\FU20ENU.DLL
C:\WINDOWS\system\FU20ENU.DLL
C:\WINDOWS\system\FUAMEBUF.DLL
C:\WINDOWS\system\FUAMEBUF.DLL
C:\WINDOWS\system\FUAMEBUF.DLL
C:\WINDOWS\system\FUAMEBUF.DLL
C:\WINDOWS\system\GEDEF.DLL
C:\WINDOWS\system\GEDEF.DLL
C:\WINDOWS\system\GEDEF.DLL
C:\WINDOWS\system\GEDEF.DLL
C:\WINDOWS\system\HGHEIMG0.DLL
C:\WINDOWS\system\HGHEIMG0.DLL
C:\WINDOWS\system\HGHEIMG0.DLL
C:\WINDOWS\system\HGHEIMG0.DLL
C:\WINDOWS\system\HHAGENT.DLL
C:\WINDOWS\system\HHAGENT.DLL
C:\WINDOWS\system\HHAGENT.DLL
C:\WINDOWS\system\HHAGENT.DLL
C:\WINDOWS\system\HOP95EN.DLL
C:\WINDOWS\system\HOP95EN.DLL
C:\WINDOWS\system\HOP95EN.DLL
C:\WINDOWS\system\HOP95EN.DLL
C:\WINDOWS\system\HPAGENT.DLL
C:\WINDOWS\system\HPAGENT.DLL
C:\WINDOWS\system\HPAGENT.DLL
C:\WINDOWS\system\HPAGENT.DLL
C:\WINDOWS\system\hypamon0.dll
C:\WINDOWS\system\hypamon0.dll
C:\WINDOWS\system\hypamon0.dll
C:\WINDOWS\system\hypamon0.dll
C:\WINDOWS\system\IHETCPLC.DLL
C:\WINDOWS\system\IHETCPLC.DLL
C:\WINDOWS\system\IHETCPLC.DLL
C:\WINDOWS\system\IHETCPLC.DLL
C:\WINDOWS\system\IJRNONCE.DLL
C:\WINDOWS\system\IJRNONCE.DLL
C:\WINDOWS\system\IJRNONCE.DLL
C:\WINDOWS\system\IJRNONCE.DLL
C:\WINDOWS\system\ITMFILTER.DLL
C:\WINDOWS\system\ITMFILTER.DLL
C:\WINDOWS\system\ITMFILTER.DLL
C:\WINDOWS\system\ITMFILTER.DLL
C:\WINDOWS\system\IWS.DLL
C:\WINDOWS\system\IWS.DLL
C:\WINDOWS\system\IWS.DLL
C:\WINDOWS\system\IWS.DLL
C:\WINDOWS\system\jwsd400.dll
C:\WINDOWS\system\jwsd400.dll
C:\WINDOWS\system\jwsd400.dll
C:\WINDOWS\system\jwsd400.dll
C:\WINDOWS\system\madmo.dll
C:\WINDOWS\system\madmo.dll
C:\WINDOWS\system\madmo.dll
C:\WINDOWS\system\madmo.dll
C:\WINDOWS\system\MESYSTEM.DLL
C:\WINDOWS\system\MESYSTEM.DLL
C:\WINDOWS\system\MESYSTEM.DLL
C:\WINDOWS\system\MESYSTEM.DLL
C:\WINDOWS\system\MFCI.DLL
C:\WINDOWS\system\MFCI.DLL
C:\WINDOWS\system\MFCI.DLL
C:\WINDOWS\system\MFCI.DLL
C:\WINDOWS\system\MIXDM.DLL
C:\WINDOWS\system\MIXDM.DLL
C:\WINDOWS\system\MIXDM.DLL
C:\WINDOWS\system\MIXDM.DLL
C:\WINDOWS\system\MKLTUS40.DLL
C:\WINDOWS\system\MKLTUS40.DLL
C:\WINDOWS\system\MKLTUS40.DLL
C:\WINDOWS\system\MKLTUS40.DLL
C:\WINDOWS\system\MKR.DLL
C:\WINDOWS\system\MKR.DLL
C:\WINDOWS\system\MKR.DLL
C:\WINDOWS\system\MKR.DLL
C:\WINDOWS\system\mmdxmlc.dll
C:\WINDOWS\system\mmdxmlc.dll
C:\WINDOWS\system\mmdxmlc.dll
C:\WINDOWS\system\mmdxmlc.dll
C:\WINDOWS\system\MOPI.DLL
C:\WINDOWS\system\MOPI.DLL
C:\WINDOWS\system\MOPI.DLL
C:\WINDOWS\system\MOPI.DLL
C:\WINDOWS\system\MQCI.DLL
C:\WINDOWS\system\MQCI.DLL
C:\WINDOWS\system\MQCI.DLL
C:\WINDOWS\system\MQCI.DLL
C:\WINDOWS\system\MQVBVM50.DLL
C:\WINDOWS\system\MQVBVM50.DLL
C:\WINDOWS\system\MQVBVM50.DLL
C:\WINDOWS\system\MQVBVM50.DLL
C:\WINDOWS\system\MRREPL35.DLL
C:\WINDOWS\system\MRREPL35.DLL
C:\WINDOWS\system\MRREPL35.DLL
C:\WINDOWS\system\MRREPL35.DLL
C:\WINDOWS\system\MSFMIG32.DLL
C:\WINDOWS\system\MSFMIG32.DLL
C:\WINDOWS\system\MSFMIG32.DLL
C:\WINDOWS\system\MSFMIG32.DLL
C:\WINDOWS\system\mtcrlrev.dll
C:\WINDOWS\system\mtcrlrev.dll
C:\WINDOWS\system\mtcrlrev.dll
C:\WINDOWS\system\mtcrlrev.dll
C:\WINDOWS\system\MUDAMG9X.DLL
C:\WINDOWS\system\MUDAMG9X.DLL
C:\WINDOWS\system\MUDAMG9X.DLL
C:\WINDOWS\system\MUDAMG9X.DLL
C:\WINDOWS\system\MVI.DLL
C:\WINDOWS\system\MVI.DLL
C:\WINDOWS\system\MVI.DLL
C:\WINDOWS\system\MVI.DLL
C:\WINDOWS\system\MWIMUSIC.DLL
C:\WINDOWS\system\MWIMUSIC.DLL
C:\WINDOWS\system\MWIMUSIC.DLL
C:\WINDOWS\system\MWIMUSIC.DLL
C:\WINDOWS\system\MXAWT.DLL
C:\WINDOWS\system\MXAWT.DLL
C:\WINDOWS\system\MXAWT.DLL
C:\WINDOWS\system\MXAWT.DLL
C:\WINDOWS\system\MXCPXL32.DLL
C:\WINDOWS\system\MXCPXL32.DLL
C:\WINDOWS\system\MXCPXL32.DLL
C:\WINDOWS\system\MXCPXL32.DLL
C:\WINDOWS\system\MXPCIC.DLL
C:\WINDOWS\system\MXPCIC.DLL
C:\WINDOWS\system\MXPCIC.DLL
C:\WINDOWS\system\MXPCIC.DLL
C:\WINDOWS\system\MYTCP.DLL
C:\WINDOWS\system\MYTCP.DLL
C:\WINDOWS\system\MYTCP.DLL
C:\WINDOWS\system\MYTCP.DLL
C:\WINDOWS\system\MZR2C.DLL
C:\WINDOWS\system\MZR2C.DLL
C:\WINDOWS\system\MZR2C.DLL
C:\WINDOWS\system\MZR2C.DLL
C:\WINDOWS\system\OJBCTRAC.DLL
C:\WINDOWS\system\OJBCTRAC.DLL
C:\WINDOWS\system\OJBCTRAC.DLL
C:\WINDOWS\system\OJBCTRAC.DLL
C:\WINDOWS\system\OUESVR32.DLL
C:\WINDOWS\system\OUESVR32.DLL
C:\WINDOWS\system\OUESVR32.DLL
C:\WINDOWS\system\OUESVR32.DLL
C:\WINDOWS\system\OWDIS400.DLL
C:\WINDOWS\system\OWDIS400.DLL
C:\WINDOWS\system\OWDIS400.DLL
C:\WINDOWS\system\OWDIS400.DLL
C:\WINDOWS\system\PPSPL.DLL
C:\WINDOWS\system\PPSPL.DLL
C:\WINDOWS\system\PPSPL.DLL
C:\WINDOWS\system\PPSPL.DLL
C:\WINDOWS\system\PSSPL.DLL
C:\WINDOWS\system\PSSPL.DLL
C:\WINDOWS\system\PSSPL.DLL
C:\WINDOWS\system\PSSPL.DLL
C:\WINDOWS\system\RFCLTCCM.DLL
C:\WINDOWS\system\RFCLTCCM.DLL
C:\WINDOWS\system\RFCLTCCM.DLL
C:\WINDOWS\system\RFCLTCCM.DLL
C:\WINDOWS\system\RJCNS4.DLL
C:\WINDOWS\system\RJCNS4.DLL
C:\WINDOWS\system\RJCNS4.DLL
C:\WINDOWS\system\RJCNS4.DLL
C:\WINDOWS\system\RTCLTCCM.DLL
C:\WINDOWS\system\RTCLTCCM.DLL
C:\WINDOWS\system\RTCLTCCM.DLL
C:\WINDOWS\system\RTCLTCCM.DLL
C:\WINDOWS\system\SULSTR.DLL
C:\WINDOWS\system\SULSTR.DLL
C:\WINDOWS\system\SULSTR.DLL
C:\WINDOWS\system\SULSTR.DLL
C:\WINDOWS\system\TCPIUI.DLL
C:\WINDOWS\system\TCPIUI.DLL
C:\WINDOWS\system\TCPIUI.DLL
C:\WINDOWS\system\TCPIUI.DLL
C:\WINDOWS\system\TIID_P3D.DLL
C:\WINDOWS\system\TIID_P3D.DLL
C:\WINDOWS\system\TIID_P3D.DLL
C:\WINDOWS\system\TIID_P3D.DLL
C:\WINDOWS\system\TLD32.DLL
C:\WINDOWS\system\TLD32.DLL
C:\WINDOWS\system\TLD32.DLL
C:\WINDOWS\system\TLD32.DLL
C:\WINDOWS\system\tPembed.dll
C:\WINDOWS\system\tPembed.dll
C:\WINDOWS\system\tPembed.dll
C:\WINDOWS\system\tPembed.dll
C:\WINDOWS\system\TPPIUI.DLL
C:\WINDOWS\system\TPPIUI.DLL
C:\WINDOWS\system\TPPIUI.DLL
C:\WINDOWS\system\TPPIUI.DLL
C:\WINDOWS\system\UNL.DLL
C:\WINDOWS\system\UNL.DLL
C:\WINDOWS\system\UNL.DLL
C:\WINDOWS\system\UNL.DLL
C:\WINDOWS\system\WE32DLL.DLL
C:\WINDOWS\system\WE32DLL.DLL
C:\WINDOWS\system\WE32DLL.DLL
C:\WINDOWS\system\WE32DLL.DLL
C:\WINDOWS\system\WKI.DLL
C:\WINDOWS\system\WKI.DLL
C:\WINDOWS\system\WKI.DLL
C:\WINDOWS\system\WKI.DLL
C:\WINDOWS\system\wkpui.dll
C:\WINDOWS\system\wkpui.dll
C:\WINDOWS\system\wkpui.dll
C:\WINDOWS\system\wkpui.dll
C:\WINDOWS\system\WLNMM.DLL
C:\WINDOWS\system\WLNMM.DLL
C:\WINDOWS\system\WLNMM.DLL
C:\WINDOWS\system\WLNMM.DLL
C:\WINDOWS\system\WSNNET16.DLL
C:\WINDOWS\system\WSNNET16.DLL
C:\WINDOWS\system\WSNNET16.DLL
C:\WINDOWS\system\WSNNET16.DLL
C:\WINDOWS\system\wxerrenu.dll
C:\WINDOWS\system\wxerrenu.dll
C:\WINDOWS\system\wxerrenu.dll
C:\WINDOWS\system\wxerrenu.dll
C:\WINDOWS\system\WYN32S16.DLL
C:\WINDOWS\system\WYN32S16.DLL
C:\WINDOWS\system\WYN32S16.DLL
C:\WINDOWS\system\WYN32S16.DLL
************
Registry entries found:
[HKEY_CLASSES_ROOT\CLSID\{5EBECAE0-E95E-11D9-AB8F-0010DC3CBE2C}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MKR.DLL"
[HKEY_CLASSES_ROOT\CLSID\{5EBECAE0-E95E-11D9-AB8F-0010DC3CBE2C}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MKR.DLL"
[HKEY_CLASSES_ROOT\CLSID\{5EBECAE0-E95E-11D9-AB8F-0010DC3CBE2C}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MKR.DLL"
[HKEY_CLASSES_ROOT\CLSID\{5EBECAE0-E95E-11D9-AB8F-0010DC3CBE2C}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MKR.DLL"
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{33F9A507-F9A3-92AC-724D-2A38EB4E3BBF}"=""
************
Killing Explorer
Done!
Killing Rundll32
Done!
Removing malicious CLSID(s)
Done!
Restarting Explorer
Done!
Deleting malicious files
Done!
Finished!
Here is the new HJ file:
Logfile of HijackThis v1.99.1
Scan saved at 1:36:27 PM, on 8/15/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CSSRD2.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\INICCU32.EXE
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\WINDOWS\SYSTEM\CSSRD2.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
C:\WINDOWS\JAPNQB.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SDWin32 Class - {87DD96A0-0389-11DA-AB8F-0010DC3CBE2C} - C:\WINDOWS\SYSTEM\KDCUN.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnhalp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [kdcunc] C:\WINDOWS\SYSTEM\kdcunc.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\japnqb.exe reg_run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Spam Shredder] "C:\PROGRAM FILES\WEBROOT\SHREDDER\SPSHREDDER.EXE" -tray
O4 - HKCU\..\Run: [Ypr7RWepR] INICCU32.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\RunServices: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunServices: [Spam Shredder] "C:\PROGRAM FILES\WEBROOT\SHREDDER\SPSHREDDER.EXE" -tray
O4 - HKCU\..\RunServices: [Ypr7RWepR] INICCU32.EXE
O4 - HKCU\..\RunServices: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\RunOnce: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - User Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - User Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - User Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
There may be a few more things listed in the HJ log file. I realized I had the selective start-up checked to try to make the pop-ups go away. I thought you might need to have everything load to get everything off the system so I changed it back to full start-up.
Look forward to the next step in the process.
-Leigh
-
By the way,
One of those things I had unchecked in the start-up processes is really nasty. After I had allowed all processes to start up, one of them altered my paradox program so I was not able to load any databases or create any new databases. It actually took away the New, Open & Close options under File. They weren't even listed. I had to go back in and uncheck all suspicious processes again to get paradox to work properly.
-Leigh
-
Thanks for having everything load on startup
You're right, I need to see everything
==Download and Install this small program to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
==Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
Download Track qoo.zip (http://www.bleepingcomputer.com/files/mosaic1/Trackqoo.zip)
UNZIP it to your Desktop
Set Windows to show hidden files
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck the Hide Extensions for known file types
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation
Find and delete these files or folders in bold if found
FILES
C:\WINDOWS\SYSTEM\KDCUN.DLL <-file
C:\WINDOWS\SYSTEM\wintask.exe
C:\WINDOWS\SYSTEM\DATADX.DLL
C:\WINDOWS\SYSTEM\exp.exe
C:\WINDOWS\SYSTEM\kdcunc.exe
C:\WINDOWS\SYSTEM\CSSRD2.exe
C:\WINDOWS\SYSTEM\INICCU32.EXE
C:\WINDOWS\CFGMGR52.DLL
C:\WINDOWS\japnqb.exe
C:\WINDOWS\rnhalp.exe
Search for the next files and remove them if found
E6F1873B.DLL
D9EBC318C
AUNPS2.DLL
FOLDERS
C:\WINDOWS\SYSTEM\VIDCTRL
C:\WINDOWS\SYSTEM\nsvsvc
C:\Program Files\BullsEye Network
C:\Program Files\VBOUNCER
C:\Program Files\NaviSearch
C:\Program Files\CashBack
C:\Program Files\puhs
C:\Program Files\ezula
C:\Program Files\Web Offer
C:\Program Files\E2G
C:\PROGRAM FILES\MEDIA ACCESS
Stay in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O2 - BHO: SDWin32 Class - {87DD96A0-0389-11DA-AB8F-0010DC3CBE2C} - C:\WINDOWS\SYSTEM\KDCUN.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnhalp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [kdcunc] C:\WINDOWS\SYSTEM\kdcunc.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\japnqb.exe reg_run
O4 - HKCU\..\Run: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\Run: [Ypr7RWepR] INICCU32.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\RunServices: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O4 - HKCU\..\RunServices: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\RunServices: [Ypr7RWepR] INICCU32.EXE
O4 - HKCU\..\RunServices: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\RunOnce: [CSSRD2] C:\WINDOWS\SYSTEM\CSSRD2.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
1. Reboot back to Normal mode
2. Go to the WinPFind folder
3. Locate WinPFind.txt in the WinPfind folder
Post the results of the WinPFind.txt
Double Click on "Track qoo.vbs"
Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!
Wait a few seconds and copy and paste the contents of the notepad file that opens
Also save this notepad file somewhere
Run another scan with Hijackthis and post a fresh log
-
Hi Again,
I ran through everything you asked. I do have a question though. When I went into safe mode, I couldn't find anything that was on my desktop. I realized that because I use a logon name and password, windows keeps that info separate in a profile folder. I was able to get to everything I needed to run your steps but I noticed that different things showed up in the HJT log file depending on how I was logged on. How do I compensate for this? There is only one person who uses this computer so there really isn't a need for a logon.
Here are the logs you requested:
WinPfind.txt
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.1998
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
KavSvc 7/4/05 3:19:30 AM 6373408 C:\SYSTEM.1ST
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
KavSvc 7/4/05 3:25:26 AM 249888 C:\WINDOWS\HWINFO.DAT
KavSvc 8/18/05 12:06:56 AM 6516768 C:\WINDOWS\SYSTEM.DAT
winsync 8/18/05 12:06:56 AM 6516768 C:\WINDOWS\SYSTEM.DAT
qoologic 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
aspack 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
KavSvc 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
69.59.186.63 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
209.66.67.134 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
66.63.167.97 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
66.63.167.77 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
web-nex 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
yourkey 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
rec2_run 7/4/05 4:04:28 AM 172032 C:\WINDOWS\web2_212.exe
UPX! 12/11/02 4:13:36 PM 44032 C:\WINDOWS\unwash.exe
UPX! 9/29/03 4:09:26 PM 161792 C:\WINDOWS\UnPopUpWasher.exe
UPX! 6/18/04 8:03:46 AM 278016 C:\WINDOWS\unshred1.exe
Items found in C:\WINDOWS\hosts
UPX! 8/11/05 9:42:30 PM 46080 C:\WINDOWS\InstallAPS.exe
UPX! 7/4/05 3:58:24 AM 65024 C:\WINDOWS\thin-144-1-x-x.exe
UPX! 7/4/05 12:57:28 PM 65024 C:\WINDOWS\thin-144-1-5-8-8.exe
UPX! 7/5/05 12:17:26 AM 65024 C:\WINDOWS\thin-178-1-2-x.exe
UPX! 7/5/05 12:23:26 AM 65024 C:\WINDOWS\thin-175-1-x-x.exe
qoologic 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
aspack 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
KavSvc 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
69.59.186.63 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
209.66.67.134 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
66.63.167.97 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
66.63.167.77 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
web-nex 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
yourkey 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
rec2_run 7/5/05 6:42:30 AM 200192 C:\WINDOWS\seedcorn_2_215.exe
PTech 7/7/05 3:08:00 PM 5632 C:\WINDOWS\pi1_60.exe
UPX! 7/8/05 12:00:30 AM 223232 C:\WINDOWS\Pop2.exe
UPX! 8/17/05 11:22:56 PM 82432 C:\WINDOWS\ru.exe
UPX! 7/28/05 3:48:04 PM 17408 C:\WINDOWS\icont.exe
69.59.186.63 8/17/05 11:23:08 PM 46080 C:\WINDOWS\skfsfsg.dll
209.66.67.134 8/17/05 11:23:08 PM 46080 C:\WINDOWS\skfsfsg.dll
web-nex 8/17/05 11:23:08 PM 46080 C:\WINDOWS\skfsfsg.dll
winsync 8/17/05 11:23:08 PM 46080 C:\WINDOWS\skfsfsg.dll
69.59.186.63 8/17/05 11:23:08 PM 10240 C:\WINDOWS\joear.dll
209.66.67.134 8/17/05 11:23:08 PM 10240 C:\WINDOWS\joear.dll
web-nex 8/17/05 11:23:08 PM 10240 C:\WINDOWS\joear.dll
winsync 8/17/05 11:23:08 PM 10240 C:\WINDOWS\joear.dll
Checking %System% folder...
WinShutDown 6/28/96 7:00:00 AM 69120 C:\WINDOWS\SYSTEM\WPAUTO.DLL
WinShutDown 6/28/96 7:00:00 AM 61952 C:\WINDOWS\SYSTEM\PRAUTO.DLL
WinShutDown 6/28/96 7:00:00 AM 57856 C:\WINDOWS\SYSTEM\PFAUTO.DLL
WinShutDown 6/28/96 7:00:00 AM 61952 C:\WINDOWS\SYSTEM\QPAUTO.DLL
PEC2 7/11/97 163384 C:\WINDOWS\SYSTEM\ODBCJET.HLP
qoologic 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
aspack 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
KavSvc 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
69.59.186.63 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
209.66.67.134 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
66.63.167.97 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
66.63.167.77 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
web-nex 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
yourkey 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
rec2_run 6/30/05 4:09:22 PM 172032 C:\WINDOWS\SYSTEM\web2_212.exe
aspack 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
KavSvc 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
69.59.186.63 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
209.66.67.134 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.97 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
66.63.167.77 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
web-nex 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
yourkey 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
rec2_run 7/4/05 4:04:28 AM 29184 C:\WINDOWS\SYSTEM\supdate.dll
PTech 8/5/05 3:05:28 PM 5632 C:\WINDOWS\SYSTEM\snuninst.exe
UPX! 8/5/05 5:37:28 PM 25105 C:\WINDOWS\SYSTEM\MTE2NzY6ODoxNg.exe
UPX! 8/5/05 3:05:30 PM 66048 C:\WINDOWS\SYSTEM\hphi_c.exe
UPX! 8/17/05 11:11:50 AM 68096 C:\WINDOWS\SYSTEM\ddahex.exe
UPX! 8/17/05 11:22:54 PM 82432 C:\WINDOWS\SYSTEM\loes.exe
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/18/05 12:06:54 AM 585760 C:\WINDOWS\USER.DAT
H 7/4/05 3:25:26 AM 249888 C:\WINDOWS\HWINFO.DAT
H 8/18/05 12:06:56 AM 6516768 C:\WINDOWS\SYSTEM.DAT
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\desktop.ini
H 8/17/05 11:33:48 PM 738082 C:\WINDOWS\ShellIconCache
H 8/17/05 11:19:04 PM 38068 C:\WINDOWS\ttfCache
SH 8/17/05 11:22:56 PM 82432 C:\WINDOWS\ru.exe
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\SYSTEM\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\SYSTEM\desktop.ini
S 7/21/05 2:04:12 PM 135168 C:\WINDOWS\SYSTEM\mjidntld.dll
S 7/21/05 2:04:12 PM 45056 C:\WINDOWS\SYSTEM\WYOCK32.DLL
S 7/21/05 2:04:12 PM 57344 C:\WINDOWS\SYSTEM\HOHBXTR0.DLL
S 7/21/05 2:04:12 PM 4096 C:\WINDOWS\SYSTEM\IKONLIB.DLL
SH 8/17/05 11:22:54 PM 82432 C:\WINDOWS\SYSTEM\loes.exe
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\SYSTEM32\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\SYSTEM32\desktop.ini
H 7/7/05 3:35:44 PM 9793 C:\WINDOWS\HELP\windows.GID
H 7/4/05 2:43:34 AM 8628 C:\WINDOWS\HELP\SECAUTH.GID
H 7/4/05 3:24:32 AM 19600 C:\WINDOWS\WEB\WVLOGO.GIF
H 7/4/05 3:24:32 AM 4204 C:\WINDOWS\WEB\CONTROLP.HTT
H 7/4/05 3:24:32 AM 11530 C:\WINDOWS\WEB\FOLDER.HTT
H 7/4/05 3:24:32 AM 4988 C:\WINDOWS\WEB\MYCOMP.HTT
H 7/4/05 3:24:32 AM 5044 C:\WINDOWS\WEB\PRINTERS.HTT
H 7/4/05 3:24:32 AM 855 C:\WINDOWS\WEB\webview.css
H 7/4/05 3:24:32 AM 14258 C:\WINDOWS\WEB\default.htt
H 7/4/05 3:24:32 AM 5403 C:\WINDOWS\WEB\nethood.htt
H 7/4/05 3:24:32 AM 8088 C:\WINDOWS\WEB\recycle.htt
H 7/4/05 3:24:32 AM 5495 C:\WINDOWS\WEB\schedule.htt
H 7/4/05 3:24:32 AM 5521 C:\WINDOWS\WEB\dialup.htt
H 7/4/05 3:24:32 AM 44686 C:\WINDOWS\WEB\wvleft.bmp
H 7/4/05 3:24:32 AM 840 C:\WINDOWS\WEB\wvline.gif
SH 8/17/05 11:20:20 PM 1092 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
SH 6/30/05 12:34:48 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
SH 6/30/05 12:34:50 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8TAZKX2N\desktop.ini
SH 6/30/05 12:38:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\54D1R5H3\desktop.ini
SH 6/30/05 2:08:34 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\9STUDEXP\desktop.ini
SH 6/30/05 4:33:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\1IGECFY0\desktop.ini
SH 6/30/05 5:33:34 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\82VP70OO\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\QLU3UDS9\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WHYJETIP\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\DLKZPP6K\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4P69ONIL\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0LIP618L\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WTY7C1Q7\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\K7CFOREN\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GDQVC96V\desktop.ini
H 8/17/05 11:22:46 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 8/17/05 11:22:58 PM 178 C:\WINDOWS\Tasks\RUTASK.job
H 8/17/05 11:30:02 PM 843808 C:\WINDOWS\Profiles\DON\USER.DAT
SH 8/17/05 10:35:42 PM 1092 C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Internet Explorer\Desktop.htt
Checking for CPL files...
Microsoft Corporation 5/11/98 8:01:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 58880 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 138752 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
5/11/98 8:01:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 385104 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 57856 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 44720 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation 8/8/99 2:17:12 AM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 7/11/97 53520 C:\WINDOWS\SYSTEM\MLCFG32.CPL
7/11/97 22528 C:\WINDOWS\SYSTEM\FINDFAST.CPL
8/15/05 1:32:06 PM 28672 C:\WINDOWS\SYSTEM\conres.cpl
Sun Microsystems, Inc. 6/3/05 3:52:54 AM 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
8/17/05 11:23:08 PM 91648 C:\WINDOWS\Start Menu\Programs\StartUp\npra.exe
8/17/05 11:06:08 PM 423 C:\WINDOWS\Start Menu\Programs\StartUp\PerfectPrint.LNK
Checking files in %USERPROFILE%\Application Data folder...
12/12/02 1:35:48 PM 0 C:\WINDOWS\Application Data\dm.ini
7/8/04 3:31:48 PM 844 C:\WINDOWS\Application Data\dw.log
4/22/04 7:44:52 AM 784 C:\WINDOWS\Application Data\mpauth.dat
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83bD3F}
= shellwp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
Web Offer Bar = C:\WINDOWS\SYSTEM\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
Web Offer Bar = C:\WINDOWS\SYSTEM\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
CHotKey mHotkey.exe
POINTER point32.exe
iamapp C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NAV Agent C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
QuickFinder Scheduler C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
ScriptBlocking "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
nisserv C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent C:\WINDOWS\SYSTEM\mstask.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Taskbar Display Controls RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Washer\washidx.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/05 12:11:16 AM
Track qoo log file
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"CHotKey"="mHotkey.exe"
"POINTER"="point32.exe"
"iamapp"="C:\\Program Files\\Norton Internet Security Professional\\IAMAPP.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE"
"QuickFinder Scheduler"="C:\\COREL\\OFFICE7\\SHARED\\QFINDER7\\QFSCHED.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll
Subkey --- {B95057E0-44DB-11CE-A5D1-00608C83bD3F}
shellwp.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey ---
==============================
==============================
C:\WINDOWS\Profiles\DON\Start Menu\Programs\StartUp
Corel Desktop Application Director.LNK
PerfectPrint.LNK
Microsoft Office.lnk
==============================
C:\WINDOWS\SYSTEM cpl files
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
STICPL.CPL
SYSDM.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
THEMES.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
MLCFG32.CPL Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
conres.cpl
jpicpl32.cpl Sun Microsystems, Inc.
HJT log file
Logfile of HijackThis v1.99.1
Scan saved at 12:27:07 AM, on 8/18/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\PUHS\LOES.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Spam Shredder] "C:\PROGRAM FILES\WEBROOT\SHREDDER\SPSHREDDER.EXE" -tray
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - User Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - User Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - User Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
I'm so glad that you can make sense of all this!
-Leigh
-
Sorry for the late reply; I couldn't access the forum during the week. It all seems clear now.
==Download and Install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup! 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Don't run it yet
==Go here and download and install the free version of A-Squared by Emsisoft
http://www.emsisoft.com/en/software/free/
After installation, reboot if prompted and then open it and ensure it is right up to date
By clicking the Check for Updates Online and then clicking ENTER on your keyboard
After updating, close it down for now
Don't run a scan yet
Can you do the following please
==Download the Killbox by Option^Explicit: http://www.atribune.org/downloads/KillBox.exe *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder
Please Save these instructions to a Notepad file on the desktop for reference
Disconnect from the Internet
Run Pocket KillBox.exe
In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C
Killbox files to highlight between dotted lines
===================================================
C:\WINDOWS\web2_212.exe
C:\WINDOWS\unshred1.exe
C:\WINDOWS\InstallAPS.exe
C:\WINDOWS\thin-144-1-x-x.exe
C:\WINDOWS\thin-144-1-5-8-8.exe
C:\WINDOWS\thin-178-1-2-x.exe
C:\WINDOWS\thin-175-1-x-x.exe
C:\WINDOWS\seedcorn_2_215.exe
C:\WINDOWS\pi1_60.exe
C:\WINDOWS\Pop2.exe
C:\WINDOWS\ru.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\skfsfsg.dll
C:\WINDOWS\joear.dll
C:\WINDOWS\SYSTEM\WPAUTO.DLL
C:\WINDOWS\SYSTEM\PRAUTO.DLL
C:\WINDOWS\SYSTEM\PFAUTO.DLL
C:\WINDOWS\SYSTEM\QPAUTO.DLL
C:\WINDOWS\SYSTEM\supdate.dll
C:\WINDOWS\SYSTEM\snuninst.exe
C:\WINDOWS\SYSTEM\MTE2NzY6ODoxNg.exe
C:\WINDOWS\SYSTEM\hphi_c.exe
C:\WINDOWS\SYSTEM\ddahex.exe
C:\WINDOWS\SYSTEM\loes.exe
C:\WINDOWS\SYSTEM\conres.cpl
C:\WINDOWS\SYSTEM\mjidntld.dll
C:\WINDOWS\SYSTEM\WYOCK32.DLL
C:\WINDOWS\SYSTEM\HOHBXTR0.DLL
C:\WINDOWS\SYSTEM\IKONLIB.DLL
C:\WINDOWS\Tasks\RUTASK.job
C:\WINDOWS\Start Menu\Programs\StartUp\npra.exe
===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer doesn't restart, please restart it now manually
Restart back to SAFE MODE
Back in Safe mode
Find and delete this folder if it still exists
C:\Program Files\puhs <-folder
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.
Open A-Squared>>Click the Scan your computer for Malware Infections
Then Hit ENTER on your keyboard
Let it finish scanning, give this time to finish
When it's done, save a report of what was found to desktop and then select all problems and remove them
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Afterwards, run WPFind.exe again
Restart back to Normal mode
Post the new log from WPFind and a new hijackthis log
and the results from a-squared
Could you also
Download and UNZIP to desktop Find-Qoologic Narrator.zip: http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
Open the FindQoologic folder you extracted to desktop
Double click on Find-Qoologic2.bat
* The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".
* Save this text file in the FindQoologic folder.
Then post the contents of file.txt back here please
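Added example, not code from this thread or from HijackThis: a small Python script that parses the R/O-section entries of two HijackThis logs, diffs them section by section (which shows why the HKCU O4 entries change depending on which profile was logged on), and flags O4 registry Run entries whose program lives under one of the folders the helper listed for removal. The sample logs are constructed from lines quoted earlier in the thread; SUSPECT_FOLDERS is a subset of the helper's folder list, and the 8.3 short-name expansion is an assumption for this Windows 98 layout.

```python
import re
from collections import defaultdict

# A HijackThis entry: section code (R0, O2, O4, O16, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# An O4 registry body: "HKLM\..\Run: [name] command" (also HKCU, RunServices, RunOnce).
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 is only a launcher; the loaded DLL after it is what matters.
LAUNCHER_RE = re.compile(r"^(?:rundll32|rundll)(?:\.exe)?\s+", re.IGNORECASE)
# First program path in a command line. ".com" is deliberately left out because
# folder names such as "mail.com" would otherwise cut the path short.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|dll|ocx|scr))', re.IGNORECASE)
# Assumed 8.3 short name seen in the logs, expanded so folder matching works.
SHORT_NAMES = {"C:\\PROGRA~1": "C:\\Program Files"}

# Subset of the folders the helper listed for removal.
SUSPECT_FOLDERS = [
    r"C:\Program Files\puhs",
    r"C:\Program Files\ezula",
    r"C:\Program Files\E2G",
    r"C:\WINDOWS\SYSTEM\VIDCTRL",
]


def parse_log(text):
    """Group HijackThis entries by section code; process list and headers are skipped."""
    sections = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("section")].add(m.group("body"))
    return dict(sections)


def diff_logs(before_text, after_text):
    """Return {section: (removed, added)} for every section that differs between two scans."""
    before, after = parse_log(before_text), parse_log(after_text)
    result = {}
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, set()), after.get(section, set())
        if b != a:
            result[section] = (sorted(b - a), sorted(a - b))
    return result


def parse_o4(body):
    """Split an O4 body into hive, key, autorun name and command; None for Startup-folder lines."""
    m = O4_RE.match(body)
    return m.groupdict() if m else None


def launched_path(cmd):
    """Program (or rundll32-loaded DLL) a Run command actually starts, short names expanded."""
    cmd = LAUNCHER_RE.sub("", cmd.strip())
    m = PATH_RE.match(cmd)
    path = m.group(1) if m else cmd.split(" ")[0]
    for short, full in SHORT_NAMES.items():
        if path.upper().startswith(short):
            path = full + path[len(short):]
    return path


def flag_o4_entries(log_text, suspect_folders):
    """[(autorun name, path)] for O4 registry entries whose program sits under a suspect folder."""
    prefixes = tuple(f.upper().rstrip("\\") + "\\" for f in suspect_folders)
    flagged = []
    for body in sorted(parse_log(log_text).get("O4", ())):
        entry = parse_o4(body)
        if entry is None:
            continue
        path = launched_path(entry["cmd"])
        if path.upper().startswith(prefixes):
            flagged.append((entry["name"], path))
    return flagged


# Constructed sample: a few lines from the first log posted in the thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rnhalp.exe reg_run
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
"""

# Constructed sample: a few lines from the log posted after the first clean-up.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
"""

if __name__ == "__main__":
    for section, (removed, added) in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(section, "removed:", removed, "added:", added)
    print("still pointing into a suspect folder:", flag_o4_entries(AFTER_LOG, SUSPECT_FOLDERS))
```

Running it on the two constructed logs leaves exactly the [Opao] entry flagged, which is the one entry the helper asks to tick in the follow-up.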
-
Hi,
Here are all the reports you asked for:
WPFind Log
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.1998
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
KavSvc 7/4/05 3:19:30 AM 6373408 C:\SYSTEM.1ST
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
KavSvc 7/4/05 3:25:26 AM 249888 C:\WINDOWS\HWINFO.DAT
KavSvc 8/22/05 10:05:58 PM 6516768 C:\WINDOWS\SYSTEM.DAT
winsync 8/22/05 10:05:58 PM 6516768 C:\WINDOWS\SYSTEM.DAT
UPX! 12/11/02 4:13:36 PM 44032 C:\WINDOWS\unwash.exe
UPX! 9/29/03 4:09:26 PM 161792 C:\WINDOWS\UnPopUpWasher.exe
Items found in C:\WINDOWS\hosts
Checking %System% folder...
PEC2 7/11/97 163384 C:\WINDOWS\SYSTEM\ODBCJET.HLP
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/22/05 10:31:48 PM 585760 C:\WINDOWS\USER.DAT
H 7/4/05 3:25:26 AM 249888 C:\WINDOWS\HWINFO.DAT
H 8/22/05 10:05:58 PM 6516768 C:\WINDOWS\SYSTEM.DAT
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\desktop.ini
H 8/22/05 10:03:02 PM 828262 C:\WINDOWS\ShellIconCache
H 8/18/05 12:11:54 AM 38068 C:\WINDOWS\ttfCache
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\SYSTEM\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\SYSTEM\desktop.ini
H 7/4/05 3:24:32 AM 12746 C:\WINDOWS\SYSTEM32\folder.htt
H 7/4/05 3:24:32 AM 266 C:\WINDOWS\SYSTEM32\desktop.ini
H 7/7/05 3:35:44 PM 9793 C:\WINDOWS\HELP\windows.GID
H 7/4/05 2:43:34 AM 8628 C:\WINDOWS\HELP\SECAUTH.GID
H 7/4/05 3:24:32 AM 19600 C:\WINDOWS\WEB\WVLOGO.GIF
H 7/4/05 3:24:32 AM 4204 C:\WINDOWS\WEB\CONTROLP.HTT
H 7/4/05 3:24:32 AM 11530 C:\WINDOWS\WEB\FOLDER.HTT
H 7/4/05 3:24:32 AM 4988 C:\WINDOWS\WEB\MYCOMP.HTT
H 7/4/05 3:24:32 AM 5044 C:\WINDOWS\WEB\PRINTERS.HTT
H 7/4/05 3:24:32 AM 855 C:\WINDOWS\WEB\webview.css
H 7/4/05 3:24:32 AM 14258 C:\WINDOWS\WEB\default.htt
H 7/4/05 3:24:32 AM 5403 C:\WINDOWS\WEB\nethood.htt
H 7/4/05 3:24:32 AM 8088 C:\WINDOWS\WEB\recycle.htt
H 7/4/05 3:24:32 AM 5495 C:\WINDOWS\WEB\schedule.htt
H 7/4/05 3:24:32 AM 5521 C:\WINDOWS\WEB\dialup.htt
H 7/4/05 3:24:32 AM 44686 C:\WINDOWS\WEB\wvleft.bmp
H 7/4/05 3:24:32 AM 840 C:\WINDOWS\WEB\wvline.gif
SH 8/17/05 11:20:20 PM 1092 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
SH 6/30/05 12:34:48 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
SH 6/30/05 12:34:50 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8TAZKX2N\desktop.ini
SH 8/18/05 12:40:38 AM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\G5MJIZ85\desktop.ini
SH 6/30/05 12:38:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\54D1R5H3\desktop.ini
SH 8/18/05 12:48:02 AM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\QSY1BX80\desktop.ini
SH 6/30/05 2:08:34 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\9STUDEXP\desktop.ini
SH 6/30/05 4:33:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\1IGECFY0\desktop.ini
SH 6/30/05 5:33:34 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\82VP70OO\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\QLU3UDS9\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WHYJETIP\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\DLKZPP6K\desktop.ini
SH 8/1/05 10:14:36 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4P69ONIL\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\0LIP618L\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WTY7C1Q7\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\K7CFOREN\desktop.ini
SH 8/12/05 3:03:58 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GDQVC96V\desktop.ini
H 8/22/05 10:00:50 PM 6 C:\WINDOWS\Tasks\SA.DAT
H 8/22/05 10:03:40 PM 843808 C:\WINDOWS\Profiles\DON\USER.DAT
SH 8/17/05 10:35:42 PM 1092 C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Internet Explorer\Desktop.htt
Checking for CPL files...
Microsoft Corporation 5/11/98 8:01:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 58880 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 138752 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
5/11/98 8:01:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 385104 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 57856 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 44720 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 5/11/98 8:01:00 PM 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation 8/8/99 2:17:12 AM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 7/11/97 53520 C:\WINDOWS\SYSTEM\MLCFG32.CPL
7/11/97 22528 C:\WINDOWS\SYSTEM\FINDFAST.CPL
Sun Microsystems, Inc. 6/3/05 3:52:54 AM 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
8/17/05 11:06:08 PM 423 C:\WINDOWS\Start Menu\Programs\StartUp\PerfectPrint.LNK
Checking files in %USERPROFILE%\Application Data folder...
12/12/02 1:35:48 PM 0 C:\WINDOWS\Application Data\dm.ini
7/8/04 3:31:48 PM 844 C:\WINDOWS\Application Data\dw.log
4/22/04 7:44:52 AM 784 C:\WINDOWS\Application Data\mpauth.dat
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83bD3F}
= shellwp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{CD949A20-BDC8-11CE-8919-00608C39D066} = C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
Web Offer Bar = C:\WINDOWS\SYSTEM\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
Web Offer Bar = C:\WINDOWS\SYSTEM\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
CHotKey mHotkey.exe
POINTER point32.exe
iamapp C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NAV Agent C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
QuickFinder Scheduler C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
autoupdate rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
winsync C:\WINDOWS\l4spxs.exe reg_run
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
ScriptBlocking "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
nisserv C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent C:\WINDOWS\SYSTEM\mstask.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Taskbar Display Controls RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Washer\washidx.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/22/05 10:34:45 PM
HiJack This
Logfile of HijackThis v1.99.1
Scan saved at 10:38:51 PM, on 8/22/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\L4SPXS.EXE
C:\WINDOWS\RunDLL.exe
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\l4spxs.exe reg_run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Spam Shredder] "C:\PROGRAM FILES\WEBROOT\SHREDDER\SPSHREDDER.EXE" -tray
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - User Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - User Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - User Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
Results for A-squared
a² Report
Filename Diagnosis
c:\WINDOWS\SYSTEM\datadx.dll Trojan-Downloader.Win32.Qoologic.p
c:\WINDOWS\SYSTEM\UpdInst.exe Adware.Look2Me.ag
c:\WINDOWS\SYSTEM\VB3.exe Trojan-Dropper.Win32.Agent.hl
c:\WINDOWS\SYSTEM\s030109.Stub.exe Trojan-Dropper.Win32.Agent.hl
c:\WINDOWS\SYSTEM\web2_212.exe Trojan-Downloader.Win32.Qoologic.v
c:\WINDOWS\SYSTEM\ezstub.exe Adware.EZula.ap
c:\WINDOWS\SYSTEM\ezPopStub.exe Adware.EZula.av
c:\WINDOWS\SYSTEM\Osaka.exe Adware.PurityScan.w
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\BUOWSELC.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\CFMCTL32.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\CVUSALGO.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DADRG56X.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DLDRGBXF.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DNDRM16F.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DQDRAMPF.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DR16GT.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DSGSIG.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DXDIM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\DXTACLEN.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\ECYD7US.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\EFYSH7.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\FU20ENU.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\FUAMEBUF.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\GEDEF.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\HGHEIMG0.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\HHAGENT.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\HOP95EN.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\HPAGENT.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\hypamon0.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\IHETCPLC.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\IJRNONCE.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\ITMFILTER.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\IWS.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\jwsd400.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\madmo.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MESYSTEM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MFCI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MIXDM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MKLTUS40.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MKR.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\mmdxmlc.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MOPI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MQCI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MQVBVM50.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MRREPL35.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MSFMIG32.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\mtcrlrev.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MUDAMG9X.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MVI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MWIMUSIC.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MXAWT.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MXPCIC.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MYTCP.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\MZR2C.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\OJBCTRAC.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\OUESVR32.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\OWDIS400.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\PPSPL.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\PSSPL.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\RFCLTCCM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\RJCNS4.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\RTCLTCCM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\SULSTR.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\TCPIUI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\TIID_P3D.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\TLD32.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\tPembed.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\TPPIUI.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\UNL.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\WE32DLL.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\wkpui.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\WLNMM.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\WSNNET16.DLL Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\wxerrenu.dll Adware.Look2Me.ag
c:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix\backups\WYN32S16.DLL Adware.Look2Me.ag
c:\WINDOWS\Downloaded Program Files\pcs_0026.exe Adware.Pacer.j
c:\WINDOWS\VB3.exe Trojan-Dropper.Win32.Agent.hl
c:\WINDOWS\shopinst.exe Trojan-Downloader.Win32.Small.apm
c:\WINDOWS\s030109.Stub.exe Trojan-Dropper.Win32.Agent.hl
c:\WINDOWS\cxtpls_loader.exe Trojan-Downloader.Win32.Apropo.ae
c:\WINDOWS\dist006.exe Trojan-Downloader.Win32.Agent.qg
c:\WINDOWS\Osaka.exe Adware.PurityScan.w
c:\WINDOWS\98_Ventura5_4_0_3_7.exe Adware.PurityScan.w
c:\WINDOWS\installer_MARKETING58.exe Trojan-Downloader.Win32.Adload.a
c:\WINDOWS\baslnhvx.exe Adware.BookedSpace.e
c:\WINDOWS\ezStub.exe Adware.EZula.ar
c:\WINDOWS\etb\pokapoka61.exe Trojan-Dropper.Win32.Agent.qz
c:\WINDOWS\etb\xud2f.dll Adware.ToolBar.EliteBar.am
c:\WINDOWS\eZinstall.exe Adware.EZula.ak
c:\Program Files\Hijack this\backups\backup-20050818-000634-266.dll Adware.Look2Me.ag
c:\sbackup\robert\Radmin\RADMIN22.EXE Riskware.RemoteAdmin.Win32.RAdmin.22
find-qoologic report
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* winsync C:\WINDOWS\SKFSFSG.DLL
* winsync C:\WINDOWS\JOEAR.DLL
* KavSvc C:\WINDOWS\HWINFO.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NPRA.EXE
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Profiles\DON\Start Menu\Programs\StartUp
After last normal startup I received an error message:
error loading windows\system\datadx.dll
I think we almost have it!
I was having problems loading pages with Internet Explorer so I downloaded a new browser - Mozilla Firefox. I read that it was a pretty good alternative to IE.
-Leigh
-
Just on my way to work, can I have you try a couple steps please
I'll see how you made out later
Download LQfix.exe (http://users.pandora.be/bluepatchy/LQfix.exe) and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
We'll need this later
Copy and paste these instructions to a Notepad file and then save it to your desktop
Keep this notepad file open
Close down all other windows
Open Killbox.exe, so now you have Killbox and Notepad open
On the bottom right of Killbox use the drop down menu
left click and select L4SPXS.EXE from the drop down menu and then use the
Yellow triangle to end task on it
Do the same for any instance of rundll32.exe
Finally do the same for explorer.exe
Your task bar and icons will disappear, this is normal
But you will still have notepad and killbox open
Copy and paste the full path to the file in bold below into Killbox
C:\WINDOWS\SKFSFSG.DLL
Select the radio button to Delete File on Reboot
Then click the Red circle with the White X
Agree to Delete file on Reboot but Don't allow to restart yet
Do the same for these paths to the file names
C:\WINDOWS\JOEAR.DLL
C:\WINDOWS\l4spxs.exe
C:\WINDOWS\startm~1\programs\startup\NPRA.EXE
When you have entered the last one allow the computer to reboot
or do it manually by pressing Ctrl+Alt+Del a couple of times
Back in Windows
Don't open a browser yet
Instead
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\l4spxs.exe reg_run
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open the LQFix folder on your desktop
Doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.
Back in Windows
Can I see a few logs please
Run another scan with Hijackthis and post a fresh log
Run Find-Qoologic2.bat and post the log it produces
Additionally, open the l2m9xfix folder and run RunThis.bat.
Can you post the entire text of the log.txt file which should be in the same folder as RunThis.bat.
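The two HijackThis rounds above (tick the bad O4 entries, Fix checked, re-scan, compare) are exactly what a small triage script can do for you. As an added example, not code from HijackThis, a-squared, WinPFind or any other tool in this thread, the Python below parses the registry O4 lines of a HijackThis log, works out which file really runs for each one (rundll32 is only a loader, so `[autoupdate] rundll32 ...\DATADX.DLL,SHStart` really means datadx.dll), matches those files against an a-squared style report, and diffs a before and after log to confirm the ticked entries are gone rather than re-created. The sample log text is copied from the logs posted in this thread and is used only as constructed input.

```python
"""Triage HijackThis O4 autostart entries and verify a fix took.

Added example for this thread; not code from HijackThis, a-squared or WinPFind.
Sample inputs below are copied from the thread's logs and are constructed test data.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Registry O4 line shape:  O4 - HKLM\..\Run: [name] command line
# (O4 - Startup: lines describe .lnk files and are deliberately not parsed here.)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First .exe/.dll/.ocx in a command line: quoted or not, spaces allowed in the
# path, stopping at the comma that separates a DLL from its rundll32 export name.
TARGET_RE = re.compile(r'"?(?P<path>[^",]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
LOADERS = {"rundll32.exe", "rundll32", "rundll"}


class Autostart(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str
    target: str  # lower-cased basename of the file that actually runs


def target_of(cmd: str) -> str:
    """Basename of the file that really executes; skips a leading rundll32/RunDLL loader."""
    first, _, rest = cmd.strip().partition(" ")
    if first.lower() in LOADERS and rest:
        cmd = rest
    m = TARGET_RE.search(cmd)
    path = m.group("path") if m else (cmd.split() or [""])[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_o4(log: str) -> List[Autostart]:
    """Extract the registry-based O4 entries from a HijackThis log."""
    entries: List[Autostart] = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["key"], m["name"], m["cmd"], target_of(m["cmd"])))
    return entries


def parse_a2_report(report: str) -> Dict[str, str]:
    """Map lower-cased basename -> diagnosis; report lines are '<path> <diagnosis>'."""
    findings: Dict[str, str] = {}
    for line in report.splitlines():
        line = line.strip()
        if "\\" not in line or " " not in line:
            continue  # blank line or column header, not a finding
        path, diag = line.rsplit(None, 1)  # the diagnosis contains no spaces
        findings[path.rsplit("\\", 1)[-1].lower()] = diag
    return findings


def flag_autostarts(entries: List[Autostart], findings: Dict[str, str]) -> List[Tuple[Autostart, str]]:
    """Autostarts whose real target a scanner named: the entries to tick before Fix checked."""
    return [(e, findings[e.target]) for e in entries if e.target in findings]


def verify_fix(before: str, after: str, expected_gone: Set[str]) -> Dict[str, List[str]]:
    """Diff the O4 [name]s of two logs. Anything in 'survived' or 'new' means a
    re-installer is still running, which is what 'it keeps coming back' looks like."""
    names_before = {e.name.lower() for e in parse_o4(before)}
    names_after = {e.name.lower() for e in parse_o4(after)}
    wanted = {n.lower() for n in expected_gone}
    return {
        "removed": sorted(names_before - names_after),
        "survived": sorted(wanted & names_after),
        "new": sorted(names_after - names_before),
    }


# Constructed inputs: lines copied from the logs posted in this thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\l4spxs.exe reg_run
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Opao] C:\Program Files\puhs\loes.exe
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
"""
A2_REPORT = r"""
Filename Diagnosis
c:\WINDOWS\SYSTEM\datadx.dll Trojan-Downloader.Win32.Qoologic.p
c:\WINDOWS\SYSTEM\web2_212.exe Trojan-Downloader.Win32.Qoologic.v
"""

if __name__ == "__main__":
    entries = parse_o4(BEFORE_LOG)
    for entry, diag in flag_autostarts(entries, parse_a2_report(A2_REPORT)):
        print(f"tick: O4 - {entry.hive}\\..\\{entry.key}: [{entry.name}] -> {entry.target} = {diag}")
    print(verify_fix(BEFORE_LOG, AFTER_LOG, {"autoupdate", "winsync", "Opao"}))
```

Only autoupdate is matched by the scanner report here; winsync and Opao were ticked in the thread on the strength of the WinPFind and Find-Qoologic output, which is why the diff step still takes the full expected list rather than only the scanner hits.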
-
Thanks for getting back to me so quickly. Your help is greatly appreciated!
Here are the logs you requested:
HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 1:52:40 PM, on 8/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security Professional\NISSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Spam Shredder] "C:\PROGRAM FILES\WEBROOT\SHREDDER\SPSHREDDER.EXE" -tray
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O4 - User Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - User Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - User Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
Find Qoologic Log
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* KavSvc C:\WINDOWS\HWINFO.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Profiles\DON\Start Menu\Programs\StartUp
RunThis.bat log
Log of L2M9XFix v1
************
Running from directory:
C:\WINDOWS\Desktop\Leigh's Stuff\l2m9xfix
************
Files found:
************
Registry entries found:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
************
Killing Explorer
Done!
Killing Rundll32
Done!
Removing malicious CLSID(s)
Done!
Restarting Explorer
Done!
Deleting malicious files
Done!
Finished!
When this machine is clean, do you have any suggestions on how to keep it that way?
-Leigh
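The O4 and O16 lines in the log above are the entries a helper reads first: O4 is anything that autostarts (Run/RunServices keys and Startup folders), O16 is every ActiveX control Internet Explorer has downloaded. The script below is an added example, not part of this thread and not a HijackThis feature; it parses a few lines copied from the posted log (embedded as a constructed sample) and applies three illustrative rules that are my assumptions, not HijackThis rules: an O4 command with no absolute path is resolved by the system's search order, an executable under a user profile directory was written by the user rather than an installer, and an ActiveX control fetched from a bare IP address (like the AxisCamControl.cab entry) has no domain to attribute it to.

```python
"""Triage helper for HijackThis O4 (autostart) and O16 (ActiveX DPF) log lines.

Added example, not code from the forum thread or from HijackThis.  The rules
in triage_o4/triage_o16 are illustrative assumptions, not a malware verdict:
a flagged entry means "look closer", exactly as the Qoologic log warns.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE",
    r"O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe",
    r"O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Profiles\DON\Application Data\Microsoft\Installer\{90190409-6000-11D3-8CFE-0050048383C9}\misc.exe",
    r"O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409",
])

O4_REG = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O4_DIR = re.compile(r"^O4 - ((?:User )?Startup): (.+?) = (.*)$")
O16 = re.compile(r"^O16 - DPF: (?:(\{[0-9A-Fa-f-]+\}) )?(.+?) - (\S+)$")
# Program part of a command line: up to the first .exe/.com/.bat/.scr token.
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str      # "O4" or "O16"
    location: str  # hive\..\key, startup folder, or CLSID
    name: str
    target: str    # full command line or download URL
    verdict: str   # "ok" or the reason to look closer


def executable_path(command: str) -> str:
    """Return the program from an O4 command line, handling quotes and
    unquoted paths that contain spaces (C:\\Program Files\\x.exe -auto)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage_o4(path: str) -> str:
    if not re.match(r"^[A-Za-z]:\\", path):
        return "no absolute path: resolved by search order, verify which file really runs"
    low = path.lower()
    if "\\profiles\\" in low or "\\application data\\" in low or "\\temp\\" in low:
        return "executable lives in a user-writable profile directory"
    return "ok"


def triage_o16(url: str) -> str:
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
    except ValueError:
        return "ok"
    return "ActiveX control served from a bare IP address, no domain to attribute it to"


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_REG.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(Entry("O4", f"{hive}\\..\\{key}", name, cmd,
                                 triage_o4(executable_path(cmd))))
        elif m := O4_DIR.match(line):
            folder, name, cmd = m.groups()
            entries.append(Entry("O4", folder, name, cmd,
                                 triage_o4(executable_path(cmd))))
        elif m := O16.match(line):
            clsid, name, url = m.groups()
            entries.append(Entry("O16", clsid or "(no CLSID)", name.strip("()"),
                                 url, triage_o16(url)))
    return entries


def suspicious(text: str) -> List[Entry]:
    """Entries that earned a non-ok verdict."""
    return [e for e in parse_log(text) if e.verdict != "ok"]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.target}\n    -> {e.verdict}")
```

On the sample, the bare `SysTray.Exe`, the `misc.exe` under the DON profile and the AxisCamControl.cab download are flagged; the Norton, Webroot and WGA entries pass. Whether a flagged entry is bad still needs a look at the file itself, which is why the helper asked for the log rather than running a fixer blind.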
-
That looks good now
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Blocks bad ActiveX controls
*Blocks malevolent cookies in Internet Explorer and Firefox
*Restricts actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, check for updates every couple of weeks
Keep the link to IE-SPYAD bookmarked so you can check for updates
For SpywareBlaster, after every update just click "Enable all protection"
You already installed Mozilla Firefox; I wouldn't be without it, it's my favorite browser
A lot safer too :)
Note: If you haven't run "Disk Defragmenter" for a while, now would be a good time
Best done in Safe Mode; remember to run a standard "ScanDisk" on your computer before running the defragger, and set ScanDisk to automatically fix errors
Both tools can be found in START>>Programs>>Accessories>>System Tools
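IE-SPYAD works by writing domain entries under Internet Explorer's ZoneMap registry key with the zone number 4 (Restricted sites), so pages from those domains run with the Restricted zone's settings (no ActiveX, no scripting) no matter how the page itself looks. The generator below is an added example that builds such a .reg file; it is not IE-SPYAD's own list or code, the hostnames it is fed here are placeholders, and its "last two labels are the domain" rule is a simplifying assumption (no public-suffix handling).

```python
"""Build a REGEDIT4 .reg file that puts hostnames into IE's Restricted sites zone.

Added example; not IE-SPYAD's code or list.  Mechanism: each site is a subkey
of ZoneMap\\Domains and the value "*" (all URL schemes) holds the zone number.
Assumption: the registrable domain is the last two labels of the hostname.
"""
import re
from typing import Iterable, Optional, Tuple

ZONE_RESTRICTED = 4   # 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
# Bare hostname only: a scheme, path or port means the caller passed a URL.
HOST_RE = re.compile(r"^(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def split_host(host: str) -> Tuple[str, Optional[str]]:
    """'ads.tracker.example' -> ('tracker.example', 'ads');
    'tracker.example' -> ('tracker.example', None).  Raises ValueError on
    anything that is not a bare hostname, so a stray URL cannot slip in."""
    host = host.strip().lower().rstrip(".")
    if not HOST_RE.match(host):
        raise ValueError(f"not a bare hostname: {host!r}")
    labels = host.split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2]) or None
    return domain, sub


def build_reg(hosts: Iterable[str], zone: int = ZONE_RESTRICTED) -> str:
    """Return the .reg text (CRLF line endings, as regedit writes them).
    Duplicate hosts, case differences and trailing dots collapse to one key."""
    seen = set()
    lines = ["REGEDIT4", ""]
    for h in hosts:
        domain, sub = split_host(h)
        key = ZONEMAP_KEY + "\\" + domain + ("\\" + sub if sub else "")
        if key in seen:
            continue
        seen.add(key)
        lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Placeholder hostnames, not a real block list.
    print(build_reg(["ads.tracker.example", "Tracker.Example", "tracker.example."]))
```

Merging the output with regedit (or double-clicking the .reg file) adds the sites; an entry in the Restricted zone shows up under Tools > Internet Options > Security > Restricted sites > Sites, which is also where to check that an update actually applied.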
-
Hi,
Everything seems to be running smoothly.
I want to thank you for all the help you've given me. This is a great service you provide. Hopefully, soon, they will make adware/spyware illegal!
Keep up the good work.
Who sponsors this website? Is it run on donations?
-Leigh
-
Good to hear everything is running well
Donations to the site are welcome but not required
Just stay safe
:D That's good enough for me
-
As this problem is resolved I'll lock this topic