Tech Support Forum - View Single Post - Help with Log, Unsolicited Pop-Ups

Bent137 · 10-19-2005, 10:22 AM

Okie Dokie. AdAware cleaned some, it's Add-on said it is clean. Spybot cleaned some. CWShredder said it's clean. Used CleanUp (and then was stupidly confused why Yahoo didn't know me when I came to do this). Used Panda Scan, results below:

Incident Status Location

Adware:adware/tvmedia No disinfected C:\WINDOWS\Application Data\tvmknwrd.dll
Adware:adware/coupons No disinfected C:\WINDOWS\cpbrkpie.ocx
Adware:adware/mediatickets No disinfected Windows Registry
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\loads.exe
Spyware:Spyware/Conducent-TimesinkNo disinfected C:\_RESTORE\ARCHIVE\FS137.CAB[A0046675.CPY]

I still don't quite understand why they didn't disinfect. I hope you can help me with that. Did as you asked for the HJT startup thing:

StartupList report, 10/19/2005, 12:21:11 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WECT FIRST ALERT\FIRSTALERT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Service Connection = c:\cpqs\bwtools\sccenter.exe
CountrySelection = pctptt.exe
PCTVOICE = pctvoice.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
WinampAgent = C:\Program Files\Winamp\winampa.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WECT 6 = C:\Program Files\WECT First Alert\FirstAlert.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 19/10/2005, 7:7:18)

[rename]
NUL=C:\WINDOWS\Cookies\index.dat

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET TVDUMPFLAGS=8

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
FRU Task #Hewlett-Packard#hp psc 1200 series#1081645641.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.co...086.5147222222

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[cpbrkpie Control]
InProcServer32 = C:\WINDOWS\CPBRKPIE.OCX
CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[ActiveGS.cab]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://www.virtualapple.com/activegs.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSDA56.OSD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,522 bytes
Report generated in 2.275 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

10-19-2005, 10:22 AM	#7 (permalink)
Bent137 Registered User Join Date: Oct 2004 Location: North Carolina Posts: 91 OS: Windows XP (Laptops) and Windows XP(Desktop)	Okie Dokie. AdAware cleaned some, it's Add-on said it is clean. Spybot cleaned some. CWShredder said it's clean. Used CleanUp (and then was stupidly confused why Yahoo didn't know me when I came to do this). Used Panda Scan, results below: Incident Status Location Adware:adware/tvmedia No disinfected C:\WINDOWS\Application Data\tvmknwrd.dll Adware:adware/coupons No disinfected C:\WINDOWS\cpbrkpie.ocx Adware:adware/mediatickets No disinfected Windows Registry Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\loads.exe Spyware:Spyware/Conducent-TimesinkNo disinfected C:\_RESTORE\ARCHIVE\FS137.CAB[A0046675.CPY] I still don't quite understand why they didn't disinfect. I hope you can help me with that. Did as you asked for the HJT startup thing: StartupList report, 10/19/2005, 12:21:11 PM StartupList version: 1.52.2 Started from : C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE Detected: Windows ME (Win9x 4.90.3000) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\CPQS\BWTOOLS\SCCENTER.EXE C:\WINDOWS\PCTVOICE.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\WINDOWS\SYSTEM\HIDSERV.EXE C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\WECT FIRST ALERT\FIRSTALERT.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\WUAUCLT.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE C:\WINDOWS\SYSTEM\HPZIPM12.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\WINDOWS\Start Menu\Programs\StartUp] Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = C:\WINDOWS\scanregw.exe /autorun TaskMonitor = C:\WINDOWS\taskmon.exe SystemTray = SysTray.Exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Hidserv = Hidserv.exe run Service Connection = c:\cpqs\bwtools\sccenter.exe CountrySelection = pctptt.exe PCTVOICE = pctvoice.exe NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize nwiz = nwiz.exe /install WinampAgent = C:\Program Files\Winamp\winampa.exe InCD = C:\Program Files\Ahead\InCD\InCD.exe Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme SchedulingAgent = mstask.exe StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WECT 6 = C:\Program Files\WECT First Alert\FirstAlert.exe -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce washindex = C:\Program Files\Washer\washidx.exe -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = C:\WINDOWS\NOTEPAD.EXE %1 -------------------------------------------------- C:\WINDOWS\WININIT.BAK listing: (Created 19/10/2005, 7:7:18) [rename] NUL=C:\WINDOWS\Cookies\index.dat -------------------------------------------------- C:\AUTOEXEC.BAT listing: SET windir=C:\WINDOWS SET winbootdir=C:\WINDOWS SET COMSPEC=C:\WINDOWS\COMMAND.COM SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND SET PROMPT=$p$g SET TEMP=C:\WINDOWS\TEMP SET TMP=C:\WINDOWS\TEMP SET TVDUMPFLAGS=8 -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F} SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2} -------------------------------------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job PCHealth Scheduler for Data Collection.job FRU Task #Hewlett-Packard#hp psc 1200 series#1081645641.job Synchronize Time.job Check E-mail.job -------------------------------------------------- Enumerating Download Program Files: [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.co...086.5147222222 [{33564D57-0000-0010-8000-00AA00389B71}] CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB [QuickTime Object] InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab [HouseCall Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab [cpbrkpie Control] InProcServer32 = C:\WINDOWS\CPBRKPIE.OCX CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab [ActiveScan Installer Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab [HouseCall Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab [ActiveGS.cab] InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX CODEBASE = http://www.virtualapple.com/activegs.cab OSD = C:\WINDOWS\Downloaded Program Files\OSDA56.OSD -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL -------------------------------------------------- End of report, 7,522 bytes Report generated in 2.275 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only __________________ "I'm super smart, last night I watched TeenJeopardy! and I knew almost all the answers."* - a sarcastic Sarah Michelle Gellar on Live with Regis and Kelly, in response to Kelly's telling the audience that Sarah is "like, a genius she's so smart."