Options

Pop-Up Nitemare

Unknown
edited July 2006 in Spyware & Virus Removal
I'm getting constant pop-ups and don't know why. At first i couldn't even start windows but i managed to fix that with spybot and adaware. Now i'm just getting pop-ups 3 or more at a time. Here is my hijack this log. Someone help me please!!!!


Logfile of HijackThis v1.99.1
Scan saved at 4:37:06 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
D:\D-Tools\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\DOCUME~1\Jill\LOCALS~1\Temp\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jill\Desktop\Cleaner\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Jill\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094419640961
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/grab/CLOActiveXInstallerProj1.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://media.grab.com/media/35f4a8/games/files/1147/axhost.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.com/media/6364d3/games/files/669/lregameloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.com/media/fbd793/games/files/209/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/d82c8d/games/files/662/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\fpj4031qe.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\r4p80e7ueh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Comments

  • jmoney3457jmoney3457 Maine
    edited July 2006
    hi scott, please do a system only scan w/ HJT & fixing the following lines-->
    R3 - Default URLSearchHook is missing
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    reboot then Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
    & a new HJT log please:thumbup
  • scott2000d
    edited July 2006
    Should I delete those party poker ones even thought I actually play on party poker??
  • jmoney3457jmoney3457 Maine
    edited July 2006
    scott2000d wrote:
    Should I delete those party poker ones even thought I actually play on party poker??
    oops, sorry scott i forgot to ask you if you played partypoker or not, but seeing as you just said you do then no go ahead and leave them and just fix the R3 - Default URLSearchHook is missing line and go ahead w/ the panda and new HJT log after :D
  • scott2000d
    edited July 2006
    I did what you said and here's what came back:

    Panda's Activescan Results:


    Incident Status Location

    Virus:Trj/Agent.BZF Disinfected Operating system
    Adware:adware/commad Not disinfected c:\MTE3NDI6ODoxNg.exe
    Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
    Adware:adware/savenow Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/sqwire Not disinfected Windows Registry
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jill\Local Settings\Temp\Cookies\jill@did-it[1].txt
    Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Jill\Cookies\jill@rightmedia[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atwola[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atdmt[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jill\Cookies\jill@gamearena.com[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atwola[2].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[2].txt
    Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Jill\Cookies\jill@www.advnt01[2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Jill\Cookies\jill@azjmp[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jill\Cookies\jill@ad.yieldmanager[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[2].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adultfriendfinder[2].txt
    Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Jill\Cookies\jill@www.advnt01[1].txt
    Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Jill\Cookies\jill@rightmedia[3].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[1].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jill\Cookies\jill@gostats[2].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jill\Cookies\jill@c2.gostats[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jill\Cookies\jill@xiti[1].txt
    Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jill\Cookies\jill@banner[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jill\Cookies\jill@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[1].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Jill\Cookies\jill@rn11[3].txt
    Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Jill\Cookies\jill@www.affiliatefuel[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[2].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Jill\Cookies\jill@i.screensavers[4].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jill\Cookies\jill@ccbill[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@belnk[1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jill\Cookies\jill@ccbill[1].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Jill\Cookies\jill@i.screensavers[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jill\Cookies\jill@toplist[1].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[4].txt
    Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Jill\Cookies\jill@teensforcash[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[3].txt
    Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\Jill\Cookies\jill@c.fsx[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[4].txt
    Spyware:Cookie/GangbangSquad Not disinfected C:\Documents and Settings\Jill\Cookies\jill@gangbangsquad[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jill\Cookies\jill@xiti[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atwola[3].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[4].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jill\Cookies\jill@searchportal.information[1].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jill\Cookies\jill@toplist[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atwola[4].txt
    Spyware:Cookie/TeensForCash Not disinfected C:\Documents and Settings\Jill\Cookies\jill@teensforcash[3].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jill\Cookies\jill@toplist[3].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Jill\Cookies\jill@i.screensavers[1].txt
    Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jill\Cookies\jill@banner[3].txt
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jill\Cookies\jill@did-it[1].txt
    Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Jill\Cookies\jill@www.seeq[1].txt
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Jill\Cookies\jill@www48.seeq[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[5].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jill\Cookies\jill@ccbill[3].txt
    Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Jill\Cookies\jill@xmts[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jill\Cookies\jill@atwola[5].txt
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Jill\Cookies\jill@kinghost[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jill\Cookies\jill@searchportal.information[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[5].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Jill\Cookies\jill@rn11[2].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Jill\Cookies\jill@club.cdfreaks[2].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Jill\Cookies\jill@cdfreaks[2].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jill\Cookies\jill@searchportal.information[3].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jill\Cookies\jill@888[1].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jill\Cookies\jill@toplist[4].txt
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jill\Cookies\jill@gostats[3].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jill\Cookies\jill@go[1].txt
    Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[5].txt
    Spyware:Cookie/Powerscan Not disinfected C:\Documents and Settings\Jill\Cookies\jill@gammae[2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Jill\Cookies\jill@cassava[1].txt
    Virus:Trj/Agent.BZF Disinfected C:\My Downloads\Partition.Magic.8.0 with serial number.ZIP[Setup.exe]
    Virus:Trj/Agent.BZF Disinfected C:\My Downloads\PC-Games - Zoo Tycoon (Full Game).zip[Setup.exe]
    Virus:Trj/Agent.BZF Disinfected C:\My Downloads\big.fish.games.mystic.inn.1.0.3.cracked-icu updated-fixed 04-2006.zip[Setup.exe]
    Virus:Trj/Agent.BZF Disinfected C:\My Downloads\==big.fish.games.mystic.inn.1.0.3.cracked-icu.zip[Setup.exe]
    Virus:Trj/Agent.BZF Disinfected C:\My Downloads\(cracked) teddy factory 01.zip[Setup.exe]
    HJT Log:



    Logfile of HijackThis v1.99.1
    Scan saved at 6:43:16 PM, on 7/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    D:\D-Tools\daemon.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jill\Desktop\Cleaner\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [mfku] C:\PROGRA~1\COMMON~1\mfku\mfkum.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ACS.lnk = ?
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O4 - Global Startup: D-Link REG Utility.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094419640961
    O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/grab/CLOActiveXInstallerProj1.cab
    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://media.grab.com/media/35f4a8/games/files/1147/axhost.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AB1AB4F8-C30F-4FB4-A030-1C9F5513831F} (LREGameLoaderCtrl Class) - http://media.grab.com/media/6364d3/games/files/669/lregameloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.com/media/fbd793/games/files/209/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/d82c8d/games/files/662/popcaploader_v6.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • jmoney3457jmoney3457 Maine
    edited July 2006
    First download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
    2. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
    & also a new HJT log please
Sign In or Register to comment.