• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
k3dogs

Please help a damsel in distress!!

10 posts in this topic

Please help this newbie rid herslef of these constant pop-up ad's. They start the minute I boot up my computer. I have read the FAQ's, have tried Ad-Aware, SpyBot S&D, and others to no avail. Here is my log from the most recent scan of HiJack This:

 

Logfile of HijackThis v1.98.0

Scan saved at 1:46:01 PM, on 7/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\program files\support.com\client\bin\tgcmd.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\WINDOWS\System32\zgzsupv.exe

C:\Program Files\CreataCard\Plus\FMRemind.exe

C:\Program Files\Sierra\Planner\PLNRnote.exe

C:\Program Files\CachemanXP\CachemanXP.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

N3 - Netscape 7: user_pref("browser.startup.homepage","about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: 207.36.196.189 ieautosearch

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [lmfzwmorltxo] C:\WINDOWS\System32\zgzsupv.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [bMUpdate] C:\WINDOWS\System32\BMUpdate.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe

O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

 

I have a Sony VAIO RS410 PC. Please help!!

 

Thank you for taking the time to read this messege.

kerry

Share this post


Link to post
Share on other sites

Hello k3dogs,

 

You show signs of a Look2Me infection.

A tool has been made by Option^Explicit and freeatlast to find and remove it.

 

Please download VX2Finder from this link, and save it to your Desktop.

 

http://downloads.subratam.org/VX2Finder(126).exe

 

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Copy and paste the contents of the log into your next reply here.

Share this post


Link to post
Share on other sites

Here is the log you requested:

 

Log for VX2.BetterInternet File Finder (msg126)

 

Files Found---

 

Additional Files---

C:\WINDOWS\System32\spOrder.dll

 

Keys Under Notify---crypt32chain

Keys Under Notify---cryptnet

Keys Under Notify---cscdll

Keys Under Notify---Guardian

Keys Under Notify---igfxcui

Keys Under Notify---ScCertProp

Keys Under Notify---Schedule

Keys Under Notify---sclgntfy

Keys Under Notify---SensLogn

Keys Under Notify---termsrv

Keys Under Notify---wlballoon

 

 

Guardian Key--- is called:

 

User Agent String---

{B1663252-16F1-4E3F-85A0-F7B123771A86}

 

 

thanks for your response

Share this post


Link to post
Share on other sites

Hello k3dogs,

 

The Vx2 (msg126) didn't find any files. Can you download this version, just to double check:

http://download.broadbandmedic.com/VX2Finder.exe

Run it the same way as you did with (msg126). It may not find any, but I'd just like to see the log.

 

Then click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

And see if Twain-Tech is there. If it is, Remove it.

_ _ _ _ _ __ _

 

Next, go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

 

zgzsupv.exe

 

Then close task manager.

 

_ _ _ _ _ _ _ _ _

 

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: 207.36.196.189 ieautosearch

 

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

 

O4 - HKLM\..\Run: [lmfzwmorltxo] C:\WINDOWS\System32\zgzsupv.exe

 

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

 

 

Now, Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Then, reboot to safe mode (tap F8 while restarting) and delete this file:

 

C:\WINDOWS\System32\zgzsupv.exe

You may have to show hidden files:

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Then, reboot normally and please post a new HJT log, and the (msg124) Vx2 log.

Share this post


Link to post
Share on other sites

Here are the logs you requested. BTW..I just had a pop-up as I was opening explorer to send this messege.

 

HJT

 

Logfile of HijackThis v1.98.0

Scan saved at 8:33:06 PM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\program files\support.com\client\bin\tgcmd.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\CreataCard\Plus\FMRemind.exe

C:\Program Files\Sierra\Planner\PLNRnote.exe

C:\Program Files\CachemanXP\CachemanXP.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople

N3 - Netscape 7: user_pref("browser.startup.homepage","about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [bMUpdate] C:\WINDOWS\System32\BMUpdate.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe

O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB

 

VX2

 

Log for VX2.BetterInternet File Finder (msg126)

 

Files Found---

 

Additional Files---

C:\WINDOWS\System32\spOrder.dll

 

Keys Under Notify---crypt32chain

Keys Under Notify---cryptnet

Keys Under Notify---cscdll

Keys Under Notify---Guardian

Keys Under Notify---igfxcui

Keys Under Notify---ScCertProp

Keys Under Notify---Schedule

Keys Under Notify---sclgntfy

Keys Under Notify---SensLogn

Keys Under Notify---termsrv

Keys Under Notify---wlballoon

 

 

Guardian Key--- is called:

 

User Agent String---

{B1663252-16F1-4E3F-85A0-F7B123771A86}

 

 

Thanks for your time and help.

Kerry

Share this post


Link to post
Share on other sites

Hello Kerry,

 

You posted the Log for VX2.BetterInternet File Finder (msg126).

Can you download this VX2Finder, it is an earlier version.

 

http://www.downloads.subratam.org/VX2Finder.exe

 

Run it just as you did the other, then please post the log.

 

Have your pop-ups diminished?

Do the pop-ups only happen when you're on-line?

What sites do you visit when they appear?

Do you recall what the pop-up was advertising?

When the pop-up comes on again, please right click on it, then go to Properties, then copy and paste the Address (URL) here.

 

Are you having any other concerns, such as your home page being hijacked?

 

Some sites have pop-ups. I have gotten some here also when on Internet Explorer.

 

You might want to consider a pop-up stopper. When I'm on IE, I use EMS Free Surfer mk II

You might want to try using Google's toolbar that also has a pop-up stopper.

I also use Firefox as a browser. It's free and also has a built in pop-up blocker, among other advantages.

Share this post


Link to post
Share on other sites

Hello, here is the log you wanted:

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

{B1663252-16F1-4E3F-85A0-F7B123771A86}

 

 

The popups seem to be getting worse. They can happen at any time, whether I am actively surfing or not. Since I have DSL, I have an "always on" connection.

 

The ads run the gammit from satellite dishes to my daily horoscope. No adult stuff though.

 

Here is the URL from the latest two popups that happened as I typed this:

http://adv1.eblocs.com/spyblocs/adv/dmedi_002.html

http://www.whenusearch.com/ws_close.html?s...esult=nocontrol

 

The last one was blank but it wanted me to install something, which of course I didn't.

 

I have the Google search bar installed and it seems to stop site related popups, but not the random ones.

 

I have also noticed some shortcuts to links have shown up on my desktop. I deleted them.

 

Here is also the latest HJT scan log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:22:15 AM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CachemanXP\CachemanXP.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\program files\support.com\client\bin\tgcmd.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

C:\Program Files\CreataCard\Plus\FMRemind.exe

C:\Program Files\Sierra\Planner\PLNRnote.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople

N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKCU\..\Run: [bMUpdate] C:\WINDOWS\System32\BMUpdate.exe

O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe

O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB

 

thanks,

kerry

Share this post


Link to post
Share on other sites

Hello Kerry,

 

That one link that you posted is from whenusearch.com, which is a bad site.

See if there is a program call WhenUSearch in your Add/Remove Programs:

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

Then Remove WhenUSearch, if it's there. Also look for any other programs that you aren't sure of. You can post them here if you are unsure as to what they are.

 

Then, I know you said that you use Ad-aware, so please make sure that it is set up this way, and that you have the latest version/update:

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

icon11.gif Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives

icon11.gif Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

icon11.gif Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile

    [*]Under the Cleaning Engine:

    • Let Windows remove files in use at next reboot

icon11.gif Click on Proceed to save the settings.

 

icon11.gif Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

icon11.gif Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

icon11.gif Save the log file when it asks and then click Finish

 

icon11.gif When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

 

icon11.gifReboot your computer.

 

 

After you reboot, please run these 2 Free on-line scans:

 

HouseCall

 

Panda ActiveScan

 

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

 

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

 

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

 

 

Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Then, reboot to safe mode and delete these folders:

 

c:\program files\support.com\

C:\Program files\MyDailyHoroscope\

 

Then reboot mormally, please post a new HJT log, and let us know how you made out.

Share this post


Link to post
Share on other sites

OK, did as you asked and so far, so good. no popups. Time will tell.

 

Here is the latest HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:04:35 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CachemanXP\CachemanXP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\ezSP_Px.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\VISION~1\ONETOU~2.EXE

C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\CreataCard\Plus\FMRemind.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sierra\Planner\PLNRnote.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE

O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKCU\..\Run: [bMUpdate] C:\WINDOWS\System32\BMUpdate.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe

O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB

 

Thanks for all your help. Let's hope it's fixed.

kerry :D

Share this post


Link to post
Share on other sites

Hello Kerry,

 

You're welcome!

Give it a day or so, then let us know how you made out.

 

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies.

 

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

 

Check for updates occaisionally.

 

And also see So how did I get infected in the first place?

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0