driving me crazy!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mattipen, Feb 18, 2004.

  1. mattipen

    mattipen Private E-2

    I need a little help, I know most of you will laugh at me for being so stupid, but I am trying to learn all of this. First of all, I have 5 computers networked, w/swbell DSL, a firewall and antivirus protection, and running XP. Why is it that every 2 or 3 seconds I am ambushed by pop-up ads so bad that I cannot do my work? I do not leave my browser up, I have a pop-up stopper HA HA, and the Ad-aware program is forever interrupting me to let me know it has quarantined an unheard of amount of files. This is driving me crazy, do you have any suggestions? I would deeply appreciate it. Thanks Matti
     
  2. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    First thing to do is disable the Messenger service. In Windows XP, you can do this through the Control Panel. Navigate to Administrative Tools | Services. Double-click on Messenger and click on Stop. Then set the Startup type to Disabled.

    If this doesn't help you may have got some nasty spyware, so post back and we can take it from there.
     
  3. mattipen

    mattipen Private E-2

    Thank you for the reply, I did turn off the Messenger, I ran Ad-aware; in fact that darn program is really driving me to drink! When I open my browser (Opera) it takes almost 1 min to get to the opening page because of all the pop-ups, and now while I am here I am being pushed around by all these POP UPs. Thanks again.
    Matti
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    I would suggest going over to the MajorGeeks main site and downloading Spybot Search and Destroy; update it, then scan and delete any nasties. Also download and run CWShredder.
    After running these, download HijackThis, run the scan and save the log.
    I would suggest starting a new thread in Software explaining what you've done so far and copy and paste your HijackThis log there as well; then myself or someone here can go through it and hopefully fix your problem.
    All these programs can be found here:
    http://www.majorgeeks.com/downloads31.html
     
  5. mattipen

    mattipen Private E-2

    Thank you again, I will download and let you know. Until then have a great day. Matti
     
  6. mattipen

    mattipen Private E-2

    I tried to download and this is what I got: Warning: Host 'www3.hostcolony.com' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts' in /home/enigmasoftwaregroup.com/affiliate/link.php on line 36

    Warning: MySQL Connection Failed: Host 'www3.hostcolony.com' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts' in /home/enigmasoftwaregroup.com/affiliate/link.php on line 36
    Error conecting to database
     
  7. Kodo

    Kodo SNATCHSQUATCH

    Try using the download link that says "BTN".
     
  8. mattipen

    mattipen Private E-2

    Crazy woman needs help

    I need a little help, I know most of you will laugh at me for being so stupid, but I am trying to learn all of this. First of all, I have 5 computers networked, w/swbell DSL, a firewall and antivirus protection, and running XP. Why is it that every 2 or 3 seconds I am ambushed by pop-up ads so bad that I cannot do my work? I do not leave my browser up, I have a pop-up stopper HA HA, and the Ad-aware program is forever interrupting me to let me know it has quarantined an unheard of amount of files. This is driving me crazy, do you have any suggestions? I would deeply appreciate it.
    I turned off the Messenger, I ran Ad-aware; in fact that darn program is really driving me to drink! When I open my browser (Opera) it takes almost 1 min to get to the opening page because of all the pop-ups, and now while I am here I am being pushed around by all these POP UPs. BTW, what is my firewall doing? Thanks again.

    I downloaded Spybot Search and Destroy and HijackThis. This is the log:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:06:14 AM, on 2/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\wt\updater\wcmdmgr.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\System32\IEDriver\IEDriver.exe
    C:\Program Files\Gateway Utilities\GWInkMonitor.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\WINNT\System32\iefeatures.exe
    C:\WINNT\mwsvm.exe
    Thank you for taking time to help
    Matti
     
  9. goldfish

    goldfish Lt. Sushi.DC

    You say you've run Ad-aware, but it looks like you've got more spyware than you can shake a stick at! Set it to a thorough scan (use custom scan options, customize, check everything in the bottom section) and scan it.

    http://www.sysinfo.org/startuplist.php?filter=iefeatures.exe&count=&type=
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_POPMON.A

    Also looks like you have a virus!

    http://www.sysinfo.org/startuplist.php?filter=dpi.exe&count=&type=
    http://www.sysinfo.org/startuplist.php?filter=pcsvc.exe&count=&type=
    http://www.sysinfo.org/startuplist.php?filter=slmss.exe&count=&type=
    http://www.sysinfo.org/startuplist.php?filter=mwsvm.exe&count=&type=

    more adware.

    I suggest you make sure Ad-aware is updated (click the little globe with a magnifying glass, then hit connect, then finish) and run a thorough scan as I said above.

    Any more input from anyone else is most welcome! :)
     
    Last edited: Feb 19, 2004
  10. mattipen

    mattipen Private E-2

    Thanks goldfish, but as I stated I am just learning; what is it I should do? And if I am running Ad-aware, why do I have all this stuff still on board? And what virus? Thank you
     
  11. Kodo

    Kodo SNATCHSQUATCH

    Threads merged.
    Welcome to Major Geeks Matti. We geeks here are always around to help! :) with that, only one thread is needed and you can be sure that someone will respond to it ;)
    Thanks!
     
  12. mattipen

    mattipen Private E-2

    to be sure, I am sorry, and I thank you for your help. :)
     
  13. goldfish

    goldfish Lt. Sushi.DC

    Well, I suggest updating and running Ad-aware using the method I wrote above, which SHOULD catch all the nasties. And I'll just go get some info on the virus.

    Make sure Norton is updated and do a scan with it, which should get that irritating virus which is probably how all the other stuff got there.

    the virus is POPMON.A which is in one of the links I pointed you to above.
     
    Last edited: Feb 19, 2004
  14. mattipen

    mattipen Private E-2

    Thank you Goldfish, I am scanning now with Norton, not sure if I like Norton, I thought it was scanning on boot up each day, why didn't it catch that? I looked up the virus, good grief! And I thought I was careful! :p
     
  15. goldfish

    goldfish Lt. Sushi.DC

    Whoa, thread merging is confusing!? But, err, yes. Norton isn't one of my favourites, but it usually gets everything (eventually anyway). Make sure it's updated! ... actually, come to think of it, when I looked for the virus on the Symantec website, I got no hits; perhaps they don't know about this one?
    http://www.techsupportforum.com/showthread.php?s=&threadid=12126
    Same problem. Shame they didn't post the solution to it! :rolleyes:
     
  16. mattipen

    mattipen Private E-2

    Boy, by the time I finish running all those apps, I will not have time to work! :p I will do all the above mentioned; my virus scan is still running, I'll let you know the outcome. Thanks again my fellow Texan and to you too Goldfish.
    Matti
     
  17. mattipen

    mattipen Private E-2

    Okay, virus scan finished, found nothing; I keep it updated. Maybe I should go to McAfee? Thanks guys, I am still being pushed around with the ads.
     
  18. goldfish

    goldfish Lt. Sushi.DC

    Ok, well a temporary solution to stop the popups would be to end the tasks in the Task Manager, just so you can surf without getting bombarded.
    Hit Ctrl-Shift-Esc, go to Processes, right click and go End Task on the following:

    iefeatures.exe
    dpi.exe
    pcsvc.exe
    slmss.exe

    That should subdue the popups while you're looking for a solution. I wouldn't really recommend McAfee either actually, that's a resource hog IMX and just as well updated as anything else. Personally I would use EZ Antivirus by CA *BUT* this is a discussion we probably don't want to have as it won't really help your situation and we've had it hundreds of times before.

    What you need right now is something that will remove that virus, and then you can start thinking about re-evaluating what AV you use. I'll do some searching for a removal tool or instructions.

    Check the Virus forum, that will give you an idea of all the products worth thinking about that are out there currently :)
     
  19. mattipen

    mattipen Private E-2

    Thanks Goldfish, I did as you suggested and yes the popups have slowed down. I am searching for a cure. I hope it has not traveled around in my network. OH well.
     
  20. mattipen

    mattipen Private E-2

  21. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    hi matti
    Looking at the info from goldfish (good job btw) you need to sort the trojan out before anything else; the info is on this link provided by goldfish:
    http://www.trendmicro.com/vinfo/vir...e=TROJ_POPMON.A

    Which basically means going into Safe Mode, deleting the rogue keys from the registry and uninstalling the components. It's a fairly routine procedure; just go to the link and read through carefully, anything you're not sure of just ask.

    Once you've done this go here and run an online scan to make sure you're clean:
    http://housecall.trendmicro.com/
    Then rerun HijackThis and post your full log up including your home page details etc so we can then deal with the spyware.
     
  22. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  23. goldfish

    goldfish Lt. Sushi.DC

    Is that the right virus you got there? I was under the impression it wasn't Mydoom but POPMON.A? Maybe it got labeled differently by Symantec.

    http://majorgeeks.com/download.php?det=1666
    As it's a trojan you could try downloading that and trying it out, worth a shot.
     
  24. mattipen

    mattipen Private E-2

    oh my gosh! I think I'll just teach this puter to fly! now first I think I need to know which virus I have right? and how do I do this? I know you guys prob want to hit me by now. I am running scan on the network now.
     
  25. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  26. mattipen

    mattipen Private E-2

    General Lee, thank you for the info
     
  27. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    ok np
    Have a read, maybe print the page off so you can follow the instructions once in Safe Mode.
    You've already done the first part and stopped the processes as goldfish showed you.
     
  28. mattipen

    mattipen Private E-2

    Okay, here goes! I hope! Thank you
     
  29. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    ok just take your time and it should be a breeze

    good luck
     
  30. mattipen

    mattipen Private E-2

    Hi General Lee
    Okay, check this out: I think I did it. Now after looking over this log file, the next step is to let HijackThis do - what, and to what? Oh thank you so much for all your help
    Logfile of HijackThis v1.97.7
    Scan saved at 1:35:03 PM, on 2/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINNT\System32\rundll32.exe
    C:\Program Files\Save\Save.exe
    C:\WINNT\wt\updater\wcmdmgr.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\SuperBar\sbhc.exe
    C:\WINNT\uptodate.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\System32\IEDriver\IEDriver.exe
    C:\Program Files\Gateway Utilities\GWInkMonitor.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Bargain Buddy\bin\bargains.exe
    C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\WINNT\System32\KvgNbTS.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\WINNT\System32\WseAs6.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\AproposClient\Apropos.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=133666
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=133666
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WinPage Blocker - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll
    O2 - BHO: (no name) - {133BBB30-43EC-46A4-A9C9-133A3B87AAEC} - C:\WINNT\System32\hjnetwiz.dll
    O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem216.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: SuperBar - {50E929B9-A2DE-4670-8849-90E2DEA9A2E4} - C:\Program Files\SuperBar\SuperBar.Dll
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NuzK63G.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Ebates (HKCU)
     
  31. goldfish

    goldfish Lt. Sushi.DC

    C:\Program Files\Internet Optimizer\actalert.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\Program Files\Bargain Buddy\bin\bargains.exe
    C:\Program Files\SuperBar\sbhc.exe

    All of those can die. DIEDIEDIE!! ARRGH!

    Are you COMPLETELY certain that you've actually scanned with Ad-aware??
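The HijackThis output posted above is a fixed-format text log, and the checks the helpers here apply by eye can be done mechanically. The Python below is an added example, not part of the thread and not HijackThis code: it parses the log, then flags process and O4 autorun entries whose executable name is on the list goldfish called out, O2/O3/R3 registrations whose component is "(no file)", and R0/R1 Internet Explorer page settings that point at a local file or at a host outside an allow-list. The sample log is a constructed excerpt of the posted one, and the allow-list (the HKLM default seen in the log) is an assumption.

```python
"""Parser and triage checks for HijackThis v1.97-style logs (added example, not
HijackThis code). Flags suspect executable names in the process list or in O4
autoruns, O2/O3/R3 entries whose component is "(no file)", and R0/R1 IE page
settings that point at a local file or an unexpected host."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple
from urllib.parse import urlparse
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
EXE_RE = re.compile(r'([^\\\s"]+\.(?:exe|dll|ocx))', re.IGNORECASE)
# Executable names the thread identified as adware/trojan components.
SUSPECT_EXES = {"iefeatures.exe", "dpi.exe", "pcsvc.exe", "slmss.exe", "mwsvm.exe",
                "actalert.exe", "updatestats.exe", "bargains.exe", "sbhc.exe"}
# Hosts an IE start/search page may point at: assumed, based on the HKLM default in the log.
ALLOWED_HOSTS = {"www.gateway.net"}
# Constructed excerpt modelled on the second log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 1:35:03 PM, on 2/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINNT\system32\pcs\pcsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
"""

@dataclass
class Entry:
    code: str          # "R1", "O2", "O4", ...
    raw: str           # the line as it appears in the log
    name: str = ""     # registry value, BHO/toolbar name or Run value name
    target: str = ""   # URL, component path or command line
    clsid: str = ""    # CLSID for O2/O3/R3 entries

def parse_entry(code: str, body: str, raw: str) -> Entry:
    if code in ("R0", "R1"):                      # "<key>,<value name> = <url>"
        key, _, value = body.partition(" = ")
        return Entry(code, raw, name=key.strip(), target=value.strip())
    if code == "O4":                              # "<hive>\..\Run: [<name>] <command>"
        m = re.match(r"[^:]+: \[(.*?)\] (.*)$", body)
        if m:
            return Entry(code, raw, name=m.group(1), target=m.group(2))
    if code in ("O2", "O3", "R3"):                # "<kind>: <name> - {CLSID} - <path>"
        rest = body.partition(": ")[2]
        m = CLSID_RE.search(rest)
        if m:
            return Entry(code, raw, name=rest[:m.start()].rstrip(" -_"),
                         target=rest[m.end():].lstrip(" -"), clsid=m.group(0))
    return Entry(code, raw, target=body)          # unknown layout: keep the body whole

def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    processes, entries, in_processes = [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        m = ENTRY_RE.match(line)
        if not line:                              # a blank line ends the process list
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif m:
            entries.append(parse_entry(m.group(1), m.group(2), line))
    return processes, entries

def exe_names(command: str) -> Set[str]:
    """Lower-cased executable/DLL basenames found in a path or command line."""
    return {m.lower() for m in EXE_RE.findall(command)}

def triage(processes: List[str], entries: List[Entry], suspects: Set[str] = SUSPECT_EXES,
           allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[Tuple[str, str]]:
    """Return (reason, where) pairs; 'where' is the process path or the raw log line."""
    found: List[Tuple[str, str]] = []
    for proc in processes:
        for hit in sorted(exe_names(proc) & suspects):
            found.append((f"running suspect process {hit}", proc))
    for e in entries:
        if e.code == "O4":
            for hit in sorted(exe_names(e.target) & suspects):
                found.append((f"autorun of suspect executable {hit}", e.raw))
        elif e.code in ("O2", "O3", "R3") and e.target == "(no file)":
            found.append(("orphaned registration, component file missing", e.raw))
        elif e.code in ("R0", "R1") and e.target.lower().startswith("file:"):
            found.append(("IE page setting points at a local file", e.raw))
        elif e.code in ("R0", "R1"):
            host = (urlparse(e.target).hostname or "").lower()
            if host and host not in allowed_hosts:
                found.append((f"IE page setting points at unexpected host {host}", e.raw))
    return found
```

Running `triage(*parse_log(SAMPLE_LOG))` on the excerpt reports the two suspect processes, the Dpi autorun, the orphaned URLSearchHook, the local-file Search Bar and the netspry.com start page, while the Gateway start page and the Symantec autorun pass.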
     
  32. mattipen

    mattipen Private E-2

    Hi goldfish
    I am scanning now, a lot of things changed, i.e. I lost my browser, had to reinstall Ad-aware and Spybot, really strange. Now I will kill those that you listed.
     
  33. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    hi matti
    Stick around and run Ad-aware and Spybot, make sure you get the latest updates as well, delete anything you find, then post a new HijackThis log.

    I've just had a quick look and you are riddled with spyware, and I've noticed another trojan in there. I'm making a list and I will check it against your new log, but there's probably going to be a couple of reg entries and a couple of files you're going to need to manually delete.

    Also looks like you killed the other one, good job :)
     
  34. mattipen

    mattipen Private E-2

    WHAT? Not again! That was painful!! Will send another log file in just a sec.
     
  35. mattipen

    mattipen Private E-2

    Hi, here is the log report, it looks different, i.e. the format:
    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Thursday, February 19, 2004 2:19:50 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R217 08.09.2003
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    2-19-2004 2:19:50 PM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 2-19-2004 7:28:17 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:20 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:21 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:21 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:5 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:22 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:28:22 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:25 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:8 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 2-19-2004 7:28:25 PM
    BasePriority : Normal
    FileSize : 309 KB
    FileVersion : 1.03.4
    ProductVersion : 1.03.4
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Event Manager
    Created on : 12/23/2003 3:28:35 PM
    Last accessed : 2/19/2004 8:00:14 PM
    Last modified : 7/17/2003 5:16:38 PM

    #:9 [ati2evxx.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:28:33 PM
    BasePriority : Normal
    FileSize : 276 KB
    Created on : 6/2/2003 10:30:18 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 6/2/2003 10:30:18 PM

    #:10 [incdsrv.exe]
    FilePath : C:\Program Files\Ahead\InCD\
    ThreadCreationTime : 2-19-2004 7:28:33 PM
    BasePriority : Normal
    FileSize : 772 KB
    FileVersion : 4, 0, 1, 27
    ProductVersion : 4, 0, 1, 27
    Copyright : Copyright
    CompanyName : AHEAD Software
    FileDescription : incdsrv
    InternalName : incdsrv
    OriginalFilename : incdsrv.exe
    ProductName : AHEAD Software incdsrv
    Created on : 12/2/2003 5:41:14 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/22/2003 9:57:46 AM

    #:11 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 2-19-2004 7:28:33 PM
    BasePriority : Normal
    FileSize : 113 KB
    FileVersion : 9.05.1015
    ProductVersion : 9.05.1015
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 12/23/2003 3:28:29 PM
    Last accessed : 2/19/2004 8:00:14 PM
    Last modified : 11/15/2002 1:41:26 AM

    #:12 [slserv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 2-19-2004 7:28:35 PM
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 2.80.00(24Apr2000)
    ProductVersion : 2.80.00
    Copyright : Copyright
    FileDescription : User-Level Modem Service
    InternalName : slserv
    OriginalFilename : slserv.exe
    ProductName : Modem
    Created on : 9/8/2003 9:00:47 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 5/20/2003 6:24:20 PM

    #:13 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:28:35 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:14 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 2-19-2004 7:28:35 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:49:18 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:15 [rundll32.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:29:31 PM
    BasePriority : Normal
    FileSize : 31 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 7:56:10 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:16 [wcmdmgr.exe]
    FilePath : C:\WINNT\wt\updater\
    ThreadCreationTime : 2-19-2004 7:29:33 PM
    BasePriority : Idle
    FileSize : 140 KB
    FileVersion : 1.6.0.37
    ProductVersion : 1.6.0.37
    Copyright : Copyright
    CompanyName : WildTangent, Inc.
    FileDescription : wcmdmgr
    InternalName : WildTangent Updater Service
    OriginalFilename : wcmdmgr.exe
    ProductName : WildTangent Updater Service
    Created on : 12/15/2003 2:18:48 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 9/27/2002 8:47:32 PM

    #:17 [updatestats.exe]
    FilePath : C:\Program Files\Media\Media\
    ThreadCreationTime : 2-19-2004 7:29:33 PM
    BasePriority : Normal
    FileSize : 128 KB
    FileVersion : 7, 4, 0, 0
    ProductVersion : 7, 4, 0, 0
    Copyright : Copyright
    CompanyName : Media
    FileDescription : updatestats
    InternalName : updatestats
    OriginalFilename : updatestats.exe
    ProductName : updatestats
    Created on : 7/28/2003 10:15:40 PM
    Last accessed : 2/19/2004 7:29:34 PM
    Last modified : 7/28/2003 10:15:40 PM

    #:18 [wupdater.exe]
    FilePath : C:\Program Files\Common files\updater\
    ThreadCreationTime : 2-19-2004 7:29:34 PM
    BasePriority : Idle
    FileSize : 60 KB
    FileVersion : 1, 3, 5, 0
    ProductVersion : 1, 3, 5, 0
    Copyright : Copyright (C) 2003
    FileDescription : Updater Application
    InternalName : Updater
    OriginalFilename : updater.exe
    ProductName : Updater Application
    Created on : 11/15/2003 11:06:10 AM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 11/15/2003 11:06:10 AM

    #:19 [wkufind.exe]
    FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
    ThreadCreationTime : 2-19-2004 7:29:37 PM
    BasePriority : Normal
    FileSize : 49 KB
    FileVersion : 9.00.0607.0
    ProductVersion : 9.00.0607.0
    Copyright : Copyright
    CompanyName : Microsoft
    FileDescription : Microsoft
    InternalName : WkUFind
    OriginalFilename : WkUFind.exe
    ProductName : Update Detection Module
    Created on : 9/3/2003 8:07:36 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 6/7/2003 11:32:32 AM

    #:20 [incd.exe]
    FilePath : C:\Program Files\Ahead\InCD\
    ThreadCreationTime : 2-19-2004 7:29:38 PM
    BasePriority : Normal
    FileSize : 1180 KB
    FileVersion : 4, 0, 1, 27
    ProductVersion : 4, 0, 1, 27
    Copyright : Copyright (C) 2003 Ahead Software and its licensors
    CompanyName : Ahead Software AG
    FileDescription : InCD
    InternalName : InCD
    OriginalFilename : InCD.exe
    ProductName : InCD
    Created on : 12/2/2003 5:41:14 PM
    Last accessed : 2/19/2004 7:29:38 PM
    Last modified : 8/22/2003 9:58:14 AM

    #:21 [gwinkmonitor.exe]
    FilePath : C:\Program Files\Gateway Utilities\
    ThreadCreationTime : 2-19-2004 7:29:38 PM
    BasePriority : Normal
    FileSize : 296 KB
    FileVersion : 1.0.0.21
    ProductVersion : 1.0.0.21
    Copyright : Copyright
    CompanyName : Gateway
    FileDescription : Gateway Ink Monitor
    ProductName : Gateway Online Ink Purchase Utility
    Created on : 9/3/2003 8:04:36 PM
    Last accessed : 2/19/2004 7:29:54 PM
    Last modified : 6/25/2003 2:33:00 AM

    #:22 [cthelper.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:29:39 PM
    BasePriority : Normal
    FileSize : 28 KB
    FileVersion : 1, 0, 0, 11
    ProductVersion : 1, 0, 0, 11
    Copyright : Copyright (C) 2002
    CompanyName : Creative Technology Ltd
    FileDescription : CtHelper MFC Application
    InternalName : CtHelper
    OriginalFilename : CtHelper.EXE
    ProductName : CtHelper Application
    Created on : 1/21/2003 9:34:42 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 1/21/2003 9:34:42 PM

    #:23 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 2-19-2004 7:29:40 PM
    BasePriority : Normal
    FileSize : 53 KB
    FileVersion : 1.0.10.006
    ProductVersion : 1.0.10.006
    Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client CC App
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 1/21/2004 7:07:24 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 12/2/2003 10:11:04 PM

    #:24 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ThreadCreationTime : 2-19-2004 7:29:47 PM
    BasePriority : Normal
    FileSize : 1476 KB
    FileVersion : 4.7.0041
    ProductVersion : Version 4.7
    Copyright : Copyright (c) Microsoft Corporation 1997-2001
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    OriginalFilename : msmsgs.exe
    ProductName : Messenger
    Created on : 5/16/2003 4:25:25 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 8/20/2002 8:08:38 PM

    #:25 [mmod.exe]
    FilePath : C:\PROGRA~1\ezula\
    ThreadCreationTime : 2-19-2004 7:29:47 PM
    BasePriority : Normal
    FileSize : 184 KB
    FileVersion : 2, 0, 70, 00
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright 2000
    CompanyName : EARNStatBlaster2
    FileDescription : mmod Module
    InternalName : mmod
    OriginalFilename : mmod.EXE
    ProductName : mmod Module
    Created on : 1/6/2004 9:17:13 PM
    Last accessed : 2/19/2004 7:53:36 PM
    Last modified : 12/4/2003 9:31:38 PM

    #:26 [kvgnbts.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:29:53 PM
    BasePriority : Normal
    FileSize : 220 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : Kern32
    OriginalFilename : Kern32.exe
    ProductName : Kern32
    Created on : 1/6/2004 9:17:15 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 1/6/2004 9:17:15 PM

    #:27 [wseas6.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:29:54 PM
    BasePriority : Normal
    FileSize : 220 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    InternalName : Kern32
    OriginalFilename : Kern32.exe
    ProductName : Kern32
    Created on : 1/6/2004 9:17:15 PM
    Last accessed : 2/19/2004 7:28:17 PM
    Last modified : 1/6/2004 9:17:15 PM

    #:28 [wuauclt.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 7:30:08 PM
    BasePriority : Normal
    FileSize : 145 KB
    FileVersion : 5.4.3790.17 built by: lab04_n
    ProductVersion : 5.4.3790.17
    CompanyName : Microsoft Corporation
    FileDescription : Windows Update AutoUpdate Client
    InternalName : wuauclt.exe
    OriginalFilename : wuauclt.exe
    ProductName : Microsoft
    Created on : 5/16/2003 4:24:50 PM
    Last accessed : 2/19/2004 7:30:08 PM
    Last modified : 10/9/2003 9:27:04 PM

    #:29 [apropos.exe]
    FilePath : C:\Program Files\AproposClient\
    ThreadCreationTime : 2-19-2004 7:30:52 PM
    BasePriority : Normal
    FileSize : 328 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright
    CompanyName : Apropos Media
    FileDescription : Ads
    InternalName : Ads
    OriginalFilename : Apropos.exe
    ProductName : Ads
    Created on : 2/19/2004 7:30:14 PM
    Last accessed : 2/19/2004 7:30:14 PM
    Last modified : 2/19/2004 7:30:07 PM

    #:30 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 2-19-2004 8:02:38 PM
    BasePriority : Normal
    FileSize : 89 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft
    Created on : 5/16/2003 4:27:00 PM
    Last accessed : 2/19/2004 8:02:39 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:31 [ypager.exe]
    FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\
    ThreadCreationTime : 2-19-2004 8:06:55 PM
    BasePriority : Normal
    FileSize : 1496 KB
    FileVersion : 5, 6, 0, 1358
    ProductVersion : 5, 6, 0, 1358
    Copyright : Copyright 1998-2003
    CompanyName : Yahoo! Inc.
    FileDescription : Yahoo! Messenger
    InternalName : Yahoo! Messengerr
    OriginalFilename : YPager.exe
    ProductName : Yahoo! Messenger
    Created on : 2/19/2004 8:04:59 PM
    Last accessed : 2/19/2004 8:07:15 PM
    Last modified : 12/26/2003 9:57:44 PM

    #:32 [msiexec.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 2-19-2004 8:13:46 PM
    BasePriority : Normal
    FileSize : 63 KB
    FileVersion : 2.0.2600.1106
    ProductVersion : 2.0.2600.1106
    Copyright : Copyright
    CompanyName : Microsoft Corporation
    FileDescription : Windows
    InternalName : msiexec
    OriginalFilename : msiexec.exe
    ProductName : Windows Installer - Unicode
    Created on : 1/1/1980 5:00:00 AM
    Last accessed : 2/19/2004 8:13:45 PM
    Last modified : 8/29/2002 12:00:00 PM

    #:33 [opera.exe]
    FilePath : C:\Program Files\Opera7\
    ThreadCreationTime : 2-19-2004 8:15:11 PM
    BasePriority : Normal
    FileSize : 1368 KB
    FileVersion : 3227
    ProductVersion : 7.23
    Copyright : Copyright
    CompanyName : Opera Software
    FileDescription : Opera Internet Browser
    InternalName : Opera
    OriginalFilename : Opera.exe
    ProductName : Opera Internet Browser
    Created on : 2/19/2004 8:13:35 PM
    Last accessed : 2/19/2004 8:15:15 PM
    Last modified : 11/21/2003 4:51:40 PM

    #:34 [spyblocker.exe]
    FilePath : C:\Program Files\SpyBlocker Software\
    ThreadCreationTime : 2-19-2004 8:19:15 PM
    BasePriority : Normal
    FileSize : 729 KB
    FileVersion : 7.02
    ProductVersion : 7.02
    Copyright : Copyright 2001-2003 SpyBlocker Software
    CompanyName : SpyBlocker Software
    FileDescription : SpyBlocker
    InternalName : SpyBlocker
    OriginalFilename : SpyBlocker.exe
    ProductName : SpyBlocker
    Created on : 2/19/2004 7:31:11 PM
    Last accessed : 2/19/2004 8:18:19 PM
    Last modified : 11/17/2003 4:11:22 PM

    #:35 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 2-19-2004 8:19:44 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 12/21/2003 3:39:30 PM
    Last accessed : 2/19/2004 7:49:09 PM
    Last modified : 7/13/2003 4:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    MySearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\MySearch


    Gigatech Superbar Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : SOFTWARE\superbar


    istbar Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value : IST Service


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 3


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 3


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : owner@bluestreak[1].txt
    Object : C:\Documents and Settings\Owner\Cookies\

    Created on : 2/19/2004 8:02:41 PM
    Last accessed : 2/19/2004 8:02:41 PM
    Last modified : 2/19/2004 8:02:41 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : owner@tribalfusion[1].txt
    Object : C:\Documents and Settings\Owner\Cookies\

    Created on : 2/19/2004 8:07:58 PM
    Last accessed : 2/19/2004 8:07:58 PM
    Last modified : 2/19/2004 8:07:58 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : owner@z1.adserver[1].txt
    Object : C:\Documents and Settings\Owner\Cookies\

    Created on : 2/19/2004 8:02:40 PM
    Last accessed : 2/19/2004 8:02:41 PM
    Last modified : 2/19/2004 8:02:41 PM


    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    MySearch Object recognized!
    Type : Folder
    Object : c:\program files\MySearch


    Gigatech Superbar Object recognized!
    Type : Folder
    Object : c:\program files\SuperBar


    Gigatech Superbar Object recognized!
    Type : File
    Data : superbar.dll
    Object : c:\program files\superbar\
    FileSize : 228 KB
    FileVersion : 3,0,0,1
    ProductVersion : 3,0,0,1
    Copyright : Copyright (C) 2002-2003, Gigatech Software
    FileDescription : SuperBar Dynamic Link Library
    InternalName : SuperBar IE Plugin
    OriginalFilename : SuperBar.dll
    ProductName : SuperBar Dynamic Link Library
    Created on : 10/31/2003 8:09:24 AM
    Last accessed : 2/19/2004 7:53:36 PM
    Last modified : 10/31/2003 8:09:24 AM



    istbar Object recognized!
    Type : Folder
    Object : c:\program files\ISTsvc


    istbar Object recognized!
    Type : File
    Data : istsvc.exe
    Object : c:\program files\istsvc\
    FileSize : 8 KB
    Created on : 1/6/2004 7:16:36 PM
    Last accessed : 2/19/2004 7:53:35 PM
    Last modified : 1/22/2004 8:06:12 PM



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 5
    Objects found so far: 11


    2:20:47 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:00:56:719
    Objects scanned :38674
    Objects identified :11
    Objects ignored :0
    New objects :11
     
  36. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Ok, sorry, been sorting through your log man, it's fully loaded.

That log file is from Ad-aware. Delete all it found, then run Spybot Search and Destroy and delete everything it finds.
Btw, I've just looked: re-run Ad-aware, click the check for updates box and download the newest reference file, then scan again. Make sure you check for and download updates with Spybot Search and Destroy. Also download and run this:
http://www.majorgeeks.com/download4086.html
When you've done all this, re-run HijackThis and paste your new log, and we can guide you through the finishing touches, as I can see at least two trojans in there.

Don't worry m8, we're getting there.
     
  37. mattipen

    mattipen Private E-2

Okay, here I go! Thank you, I know that was painful to read!
     
  38. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Ok, I've got to go so I'll post this. Any entries I show that are on your new HijackThis log, check the boxes to fix, and make sure you close all browser windows before fixing:
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\SuperBar\sbhc.exe
    C:\WINNT\uptodate.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINNT\System32\IEDriver\IEDriver.exe
    C:\Program Files\Bargain Buddy\bin\bargains.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\WINNT\System32\KvgNbTS.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\AproposClient\Apropos.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=133666
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspry.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=133666
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
    O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem216.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: SuperBar - {50E929B9-A2DE-4670-8849-90E2DEA9A2E4} - C:\Program Files\SuperBar\SuperBar.Dll
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NuzK63G.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra button: Ebates (HKCU)

Ok, after fixing those, reboot into safe mode and use the search from the start menu to look for any of these:
    APROPOS
    DPI
    DELFIN
ISTSV (ALSO TRY WITH .EXE EXTENSION)
    INTERNET OPTIMIZER
    BARGAIN BUDDY
    EBATES MONEYMAKER
Delete any files you find.

Also go to Start > Run and type msconfig, then go to the Startup tab and make sure none of the items I posted in O4 Run are listed. Here's an example:
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
If they are listed, disable them.

Then reboot into Windows, make sure your anti-virus is updated with the latest files, then run a full system scan, and just to make sure, go to the online scan I linked in an earlier post and see what comes up.
Also make sure you've got all the latest Windows updates.

Post a final log after doing all the above, and if no one has dropped by and had a look, I'll be back tomorrow.

Good luck ;)
     
  39. mattipen

    mattipen Private E-2

Major question: I am in Search and Destroy, and it plainly says "at your own risk". It found 27 items and you want me to delete all? You are going to hate me, but here they are.
    AdBreak: Typelib ( (Core 1.0 Type Library)) (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Typelib\{4116AE6F-C376-42E7-9E15-EE109055FC8E}

    Alexa Related: What's related link (Replace file, nothing done)
    C:\WINNT\Web\related.htm

    Bargain Buddy: Program directory (Directory, nothing done)
    C:\Program Files\Bargain Buddy

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-3680505674-1894449136-668733768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    eBates MoneyMaker: Program directory (Directory, nothing done)
    C:\Program Files\EbatesMoeMoneyMaker

    eZula HotText: Program directory (Directory, nothing done)
    C:\Program Files\eZula

    MS Works: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Update Detection

    MS Works: Program file (File, nothing done)
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    n-Case: Program directory (Directory, nothing done)
    C:\Program Files\n-Case

    TurboDownload: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDriver

    TurboDownload: Program directory (Directory, nothing done)
    C:\WINNT\System32\IEDriver

    TurboDownload: Program file (File, nothing done)
    C:\WINNT\System32\IEDriver\IEDriver.exe

    TurboDownload: Uninstall settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BC3BBF86-E4EC-4412-9676-8355468B3B05}

    WildTangent: Autorun settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcmdmgr

    WildTangent: Global settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\Software\WildTangent

    WildTangent: Personal user ID (File, nothing done)
    C:\WINNT\wt\info.txt

    WildTangent: Uninstall settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wcmdmgr.exe

    WildTangent: Uninstall settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wtwebdriver

    WildTangent: Updater directory (Directory, nothing done)
    C:\WINNT\wt\updater

    WildTangent: Updates directory (Directory, nothing done)
    C:\WINNT\wt\wtupdates

    WildTangent: Web driver (File, nothing done)
    C:\WINNT\wt\webdriver.dll

    WildTangent: Web driver directory (Directory, nothing done)
    C:\WINNT\wt\webdriver

    Xupiter.Sqwire: Executable (File, nothing done)
    C:\WINNT\Downloaded Program Files\SQInstaller.exe


    --- Spybot-S&D version: 1.2 ---
    2003-03-16 Includes\Cookies.sbi
    2003-03-16 Includes\Dialer.sbi
    2003-03-16 Includes\Hijackers.sbi
    2003-03-16 Includes\Keyloggers.sbi
    2003-03-16 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2003-03-16 Includes\Security.sbi
    2003-03-16 Includes\Spybots.sbi
    2003-03-16 Includes\Temporary.sbi
    2003-03-16 Includes\Tracks.uti
    2003-03-16 Includes\Trojans.sbi
    :)
     
  40. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

No problem m8.

    DELETE THEM ALL

Edit: got a reprieve, wife's busy so I'll stick around for a bit :)
     
    Last edited: Feb 19, 2004
  41. goldfish

    goldfish Lt. Sushi.DC

    Die die die die die!!!

    Ahem, tell us how you get on :)
     
  42. mattipen

    mattipen Private E-2

Good day to you guys, I have just completed the list of things you gave me and deleted everything, and held my breath when I rebooted. I will send along another log. I would also like to know where all these programs I deleted came from, and I guess I should go into my data keeper and do the same thing? Thank you guys so much for all your help.
     
  43. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Ok, we'll have a look at your new log and see how it is.

I notice some of your stuff was linked to file sharing apps, so some trojans etc. can be hidden on files from there or received in e-mail attachments.

Spyware can be picked up when surfing dubious sites and when you are prompted to install stuff, otherwise the video or whatever will not load.
Also a lot of so-called free programs will have these attached. It's mentioned in the install agreement, but they know most ppl don't bother to read them. One example you had was a pop-up blocker; I would recommend the Google toolbar for this.
     
  44. mattipen

    mattipen Private E-2

I hope I did this right!

Logfile of HijackThis v1.97.7
    Scan saved at 10:50:37 AM, on 2/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Gateway Utilities\GWInkMonitor.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\SpyBlocker Software\spyblocker.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jucheck.exe
    C:\WINNT\System32\Wjwi.exe
    C:\WINNT\System32\Wjwi.exe
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Corel\WordPerfect Office 2002\Programs\QPW.exe
    C:\Program Files\Opera7\opera.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Fya24V.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
     
  45. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  46. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    C:\WINNT\System32\wuauclt.exe

This is a virus disguised as a Windows ME updater, and as you're on XP, not too clever. To kill this, start regedit (Start button > Run > type regedit)
and locate this key and delete it if it exists,
under HKEY_LOCAL_MACHINE:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Microsoft auto update = WUAUCLT.EXE

Now if you followed those steps already posted and this, you should be looking good so far. One more to go: you've got the Peper virus, which will also generate pop-ups.
Right, follow this exactly.
Download this program and run it:
    http://home01.wxs.nl/~kleyn080/uninst.exe

Then download this:
    http://www.mjc1.com/files/mo/drpepertobackup.exe
Save it to disk and double-click the file; it will self-extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
A box will appear; copy and paste: Wjwi.exe and press OK.

Another box appears; copy and paste: Fya24V.exe and press OK.


    It will find all the files, delete them and will make backups in the same folder.
    It'll open a text file (Peper.txt) with the list of all files deleted.
Post that text file here and I'll check it.

This assumes you haven't rebooted since you posted this log, because the virus changes the name of the exe files every time you reboot.

So if you've rebooted, you will have to post another log, and make sure you don't reboot, and I'll tell you what files to delete ;)
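As an added example that is not part of this thread (not the helper's or the poster's code, and not a HijackThis feature): a small Python script that parses the O4 autostart lines from a HijackThis log and diffs a "before" and "after" log, which surfaces exactly the pattern described above, a Run value that survives the reboot but now points at a renamed executable. The sample lines are copied from the two logs posted in this thread; the path-splitting heuristic and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 (autostart) lines copied from the two HijackThis
# logs posted in this thread, trimmed to a handful of entries each.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\NuzK63G.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Fya24V.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# One HijackThis O4 line: hive, registry value name in brackets, then the command.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


@dataclass(frozen=True)
class AutostartEntry:
    hive: str     # HKLM or HKCU
    name: str     # registry value name, e.g. "2SWZKN82R5K47C"
    image: str    # executable path with quotes and arguments stripped
    command: str  # the raw command as logged


def image_path(command: str) -> str:
    """Strip quotes and trailing arguments from a Run-key command.

    Heuristic (my assumption, not a HijackThis rule): a quoted command ends at
    the closing quote; an unquoted one, which HijackThis prints even for paths
    with spaces, ends at the first '.exe'.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split()[0]


def parse_o4(log_text: str) -> list:
    """Return the O4 autostart entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries.append(AutostartEntry(hive, name, image_path(command), command))
    return entries


def diff_autostarts(before_text: str, after_text: str) -> dict:
    """Compare the O4 entries of two logs taken before and after cleanup.

    'renamed' catches the behaviour described in the thread: the same Run
    value is still present after a reboot but now launches a differently
    named executable, so the value name, not the file name, is the stable clue.
    """
    before = {(e.hive, e.name): e for e in parse_o4(before_text)}
    after = {(e.hive, e.name): e for e in parse_o4(after_text)}
    removed = sorted(before[k].name for k in before.keys() - after.keys())
    added = sorted(after[k].name for k in after.keys() - before.keys())
    renamed = [
        (k[0], k[1], before[k].image, after[k].image)
        for k in sorted(before.keys() & after.keys())
        if before[k].image.lower() != after[k].image.lower()
    ]
    return {"removed": removed, "added": added, "renamed": renamed}


if __name__ == "__main__":
    result = diff_autostarts(BEFORE_LOG, AFTER_LOG)
    for hive, name, old, new in result["renamed"]:
        print(f"{hive}\\..\\Run [{name}]: image changed {old} -> {new}")
    print("removed:", result["removed"])
    print("added:", result["added"])
```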
     
  47. mattipen

    mattipen Private E-2

Oh my gosh! This is a full-time job! But I'll do it! Another question: should I check all the machines on the network?
     
  48. mattipen

    mattipen Private E-2

I did not find WUAUCLT.exe, but when I found the drpeper stuff my anti-virus popped up and stole the file, and now I can't even look for the Fya24V.exe one!
     
  49. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

Ok, don't panic. First of all, you say you found the Peper virus but then it got snatched. Now either your AV deleted the virus files (good) or it deleted the removal tool because it was using VBS, in which case temporarily disable your anti-virus while you go through the removal routine.

As for WUAUCLT.exe, that's good, it means it's not currently active sending out any info :)
When you've finished dealing with Peper, reboot into safe mode and use search to look for it. You will need to search in hidden files and folders as well.
To do this, in a normal window click the Tools tab in the top taskbar, then Folder Options > View > check the Show hidden folders box and uncheck the Hide protected system files box > Apply and OK.
You may have to trace it manually:
C:\WINNT\System32\wuauclt.exe. Once you find that bugger, delete it.

This may seem a lot of work for you, but well worth it in the long run. Your machine will run better for it and your personal info will no longer be compromised. I would advise changing any passwords you may have.
     
  50. mattipen

    mattipen Private E-2

Okay, here I go! Ha, thanks a lot and have a good weekend if I don't get a chance to get back until Monday.
     
