Jump to content


Photo

Please help a damsel in distress!!


  • Please log in to reply
9 replies to this topic

#1 k3dogs

k3dogs

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 17 July 2004 - 12:56 PM

Please help this newbie rid herslef of these constant pop-up ad's. They start the minute I boot up my computer. I have read the FAQ's, have tried Ad-Aware, SpyBot S&D, and others to no avail. Here is my log from the most recent scan of HiJack This:

Logfile of HijackThis v1.98.0
Scan saved at 1:46:01 PM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\System32\zgzsupv.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage","about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [lmfzwmorltxo] C:\WINDOWS\System32\zgzsupv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

I have a Sony VAIO RS410 PC. Please help!!

Thank you for taking the time to read this messege.
kerry

#2 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 17 July 2004 - 08:36 PM

Hello k3dogs,

You show signs of a Look2Me infection.
A tool has been made by Option^Explicit and freeatlast to find and remove it.

Please download VX2Finder from this link, and save it to your Desktop.

http://downloads.sub...Finder(126).exe

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

#3 k3dogs

k3dogs

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 17 July 2004 - 11:19 PM

Here is the log you requested:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\System32\spOrder.dll

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---Guardian
Keys Under Notify---igfxcui
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---
{B1663252-16F1-4E3F-85A0-F7B123771A86}


thanks for your response

#4 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 18 July 2004 - 12:00 AM

Hello k3dogs,

The Vx2 (msg126) didn't find any files. Can you download this version, just to double check:
http://download.broa...m/VX2Finder.exe
Run it the same way as you did with (msg126). It may not find any, but I'd just like to see the log.

Then click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
And see if Twain-Tech is there. If it is, Remove it.
_ _ _ _ _ __ _

Next, go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

zgzsupv.exe

Then close task manager.

_ _ _ _ _ _ _ _ _


Open Hijackthis, click Scan, then put a check next to the following entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O4 - HKLM\..\Run: [lmfzwmorltxo] C:\WINDOWS\System32\zgzsupv.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab



Now, Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot to safe mode (tap F8 while restarting) and delete this file:

C:\WINDOWS\System32\zgzsupv.exe
You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, reboot normally and please post a new HJT log, and the (msg124) Vx2 log.

#5 k3dogs

k3dogs

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 18 July 2004 - 07:37 PM

Here are the logs you requested. BTW..I just had a pop-up as I was opening explorer to send this messege.

HJT

Logfile of HijackThis v1.98.0
Scan saved at 8:33:06 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage","about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.so...tect/PCInfo.CAB

VX2

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\System32\spOrder.dll

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---Guardian
Keys Under Notify---igfxcui
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---
{B1663252-16F1-4E3F-85A0-F7B123771A86}


Thanks for your time and help.
Kerry

#6 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 20 July 2004 - 05:39 AM

Hello Kerry,

You posted the Log for VX2.BetterInternet File Finder (msg126).
Can you download this VX2Finder, it is an earlier version.

http://www.downloads...g/VX2Finder.exe

Run it just as you did the other, then please post the log.

Have your pop-ups diminished?
Do the pop-ups only happen when you're on-line?
What sites do you visit when they appear?
Do you recall what the pop-up was advertising?
When the pop-up comes on again, please right click on it, then go to Properties, then copy and paste the Address (URL) here.

Are you having any other concerns, such as your home page being hijacked?

Some sites have pop-ups. I have gotten some here also when on Internet Explorer.

You might want to consider a pop-up stopper. When I'm on IE, I use EMS Free Surfer mk II
You might want to try using Google's toolbar that also has a pop-up stopper.
I also use Firefox as a browser. It's free and also has a built in pop-up blocker, among other advantages.

#7 k3dogs

k3dogs

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 21 July 2004 - 10:24 AM

Hello, here is the log you wanted:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{B1663252-16F1-4E3F-85A0-F7B123771A86}


The popups seem to be getting worse. They can happen at any time, whether I am actively surfing or not. Since I have DSL, I have an "always on" connection.

The ads run the gammit from satellite dishes to my daily horoscope. No adult stuff though.

Here is the URL from the latest two popups that happened as I typed this:
http://adv1.eblocs.c.../dmedi_002.html
http://www.whenusear...esult=nocontrol

The last one was blank but it wanted me to install something, which of course I didn't.

I have the Google search bar installed and it seems to stop site related popups, but not the random ones.

I have also noticed some shortcuts to links have shown up on my desktop. I deleted them.

Here is also the latest HJT scan log:

Logfile of HijackThis v1.98.0
Scan saved at 11:22:15 AM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.so...tect/PCInfo.CAB

thanks,
kerry

#8 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 21 July 2004 - 05:57 PM

Hello Kerry,

That one link that you posted is from whenusearch.com, which is a bad site.
See if there is a program call WhenUSearch in your Add/Remove Programs:
Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
Then Remove WhenUSearch, if it's there. Also look for any other programs that you aren't sure of. You can post them here if you are unsure as to what they are.

Then, I know you said that you use Ad-aware, so please make sure that it is set up this way, and that you have the latest version/update:

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Posted Image Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Posted Image Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Posted Image Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Posted Image Click on Proceed to save the settings.

Posted Image Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Posted Image Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Posted Image Save the log file when it asks and then click Finish

Posted Image When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Posted Image Reboot your computer.


After you reboot, please run these 2 Free on-line scans:

HouseCall

Panda ActiveScan


Open Hijackthis, click Scan, then put a check next to the following entries:

N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE



Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot to safe mode and delete these folders:

c:\program files\support.com\
C:\Program files\MyDailyHoroscope\

Then reboot mormally, please post a new HJT log, and let us know how you made out.

#9 k3dogs

k3dogs

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 21 July 2004 - 10:06 PM

OK, did as you asked and so far, so good. no popups. Time will tell.

Here is the latest HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 11:04:35 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\CreataCard\Plus\FMRemind.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Documents and Settings\Kerry\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\34uhxv8i.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: CreataCard Plus 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Plus\FMRemind.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.so...tect/PCInfo.CAB

Thanks for all your help. Let's hope it's fixed.
kerry :D

#10 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 22 July 2004 - 05:25 AM

Hello Kerry,

You're welcome!
Give it a day or so, then let us know how you made out.

Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occaisionally.

And also see So how did I get infected in the first place?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button