#1, 10-12-2005, 07:19 PM
Registered User (Join Date: Jan 2005, Location: CT, Posts: 12, OS: XP)

Need help with spyware - hijack log attached

I have been getting a large amount of pop-ups on my PC. Here is my HJT log, which I created using the HijackThis Analyzer. If someone could give me a hand deleting the items that shouldn't be there, it would be appreciated.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 10:14:14 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\Program Files\AltPayments\AltPayments.exe
C:\Program Files\MediaPipe\DownloadManager.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwatch.com/cleanup/...anup3Proj1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.net/add/XUpload.ocx


End of HijackThis Analyzer Log.
===========================================================================================================================
Posted by kegank
#2, 10-12-2005, 08:42 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005, Posts: 23,238, OS: N/A)

You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require your next HJT log to be from this newer version


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


** Please disable all other antivirus programs before proceeding.**

Run Ewido:
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
  • Once finished, click the Save report button
  • Save the report to your desktop
Close Ewido
* The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


Post the Ewido report & a new HJT log
Posted by sUBs
#3, 10-13-2005, 04:28 AM
Registered User (Join Date: Jan 2005, Location: CT, Posts: 12, OS: XP)

Thanks - will run this tonight and post the new log files.
Posted by kegank
#4, 10-13-2005, 07:16 PM
Registered User (Join Date: Jan 2005, Location: CT, Posts: 12, OS: XP)

New hijack this log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:11:37 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\Program Files\AltPayments\AltPayments.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\MediaPipe\DownloadManager.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwatch.com/cleanup/...anup3Proj1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.net/add/XUpload.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Ewido Report


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:07:31 PM, 10/13/2005
+ Report-Checksum: CF43C173

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{9603A736-05B9-4D78-BDD5-BDCB0914E522} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9603A736-05B9-4D78-BDD5-BDCB0914E522}\TypeLib\\ -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC12B055-C9F5-407D-9B66-1851973F32AF} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC12B055-C9F5-407D-9B66-1851973F32AF}\TypeLib\\ -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-C1EC-0345-6EC2-4D0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-3590106186-1880443773-830551868-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temp\btgupg.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temp\THI16E2.tmp\wupdt.exe -> TrojanDownloader.OneClickNetSearch.h : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temp\THI67FB.tmp\wupdt.exe -> TrojanDownloader.OneClickNetSearch.h : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temp\THI6AF9.tmp\polall1b.exe -> TrojanDropper.Small.pv : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/Counter.class -> Trojan.Femad : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/VerifierBug.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/web.exe -> Trojan.LowZones.cu : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/Worker.class -> Trojan.Femad : Cleaned with backup
C:\Documents and Settings\Ken Kegan\Local Settings\Temporary Internet Files\Content.IE5\C08J16PN\jar[1].jar/Xeyond.class -> Trojan.Java.Femad : Cleaned with backup
C:\Program Files\MediaPipe\insdl.dll -> Spyware.MetaDirect : Cleaned with backup
C:\Program Files\MediaPipe\register.dll -> Spyware.MetaDirect : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc102.txt -> Spyware.Cookie.Com : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc109.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc115.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc152.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc155.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc163.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc181.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc242.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc70.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc84.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc89.txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc91.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc93.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc94.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3590106186-1880443773-830551868-1006\Dc98.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP152\A0004698.dll -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> TrojanDropper.Agent.ch : Cleaned with backup


::Report End
Posted by kegank
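The helper's workflow in this thread is to ask for a fresh HijackThis log after every step and compare it with the previous one; the logs in post #1 (HJT v1.99.0) and post #4 (HJT v1.99.1) differ by only a few lines, which is easy to miss by eye. The script below is an added example, not code from the thread or from HijackThis: it parses HJT lines into (section, body, CLSID, URL) records, diffs two logs, and pulls out the two kinds of entry a reviewer looks at first, machine-wide O4 Run autoruns (HKLM, so they start for every user) and orphaned "(no file)" entries. The sample lines are a small subset copied from the two logs above; the record layout and the triage helpers are this example's own assumptions.

```python
"""Parse HijackThis (HJT) log lines and diff two logs.

Added example, not code from the thread or from HijackThis. Sample lines are
copied from the logs in posts #1 and #4 above (a small subset); the record
layout and the triage helpers are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An HJT entry is "<section> - <body>", where section is R0/R1, F0/F1, O1..O23.
# Header lines ("Logfile of ...", "Running processes:") and the bare process
# paths listed under it do not match the pattern and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|file|res)://\S+")


@dataclass(frozen=True)
class HjtEntry:
    section: str            # "O4", "R1", ...
    body: str               # text after "O4 - "
    clsid: Optional[str]    # first {GUID} in the body, upper-cased
    url: Optional[str]      # first http/file/res URL in the body


def parse_line(line: str) -> Optional[HjtEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    c = CLSID_RE.search(body)
    u = URL_RE.search(body)
    return HjtEntry(m.group("section"), body,
                    c.group(0).upper() if c else None,
                    u.group(0) if u else None)


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def diff_logs(old: str, new: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Return (entries only in new, entries only in old), sorted by section."""
    a, b = set(parse_log(old)), set(parse_log(new))
    key = lambda e: (e.section, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


def machine_wide_autoruns(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O4 Run entries under HKLM: they start for every user on the machine."""
    return [e for e in entries if e.section == "O4" and e.body.startswith("HKLM")]


def orphaned(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target file no longer exists on disk."""
    return [e for e in entries if e.body.endswith("(no file)")]


# Subset of the post #1 log (HJT v1.99.0), copied from the thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Subset of the post #4 log (HJT v1.99.1), taken after the Ewido install.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for e in added:
        print("+", e.section, e.body)
    for e in removed:
        print("-", e.section, e.body)
    for e in machine_wide_autoruns(parse_log(NEW_LOG)):
        print("HKLM autorun:", e.body)
    for e in orphaned(parse_log(NEW_LOG)):
        print("orphaned:", e.body)
```

On the two subsets above the diff reports exactly the Yahoo! Companion BHO (O2) and the ewido service (O23) as new, and nothing removed. Note that HJT 1.99.1 appends the service short name to O23 lines ("(navapsvc)"), so a cosmetic upgrade between logs shows up as one removal plus one addition for each service; compare logs from the same HJT version where you can.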
#5, 10-13-2005, 09:38 PM
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy (Join Date: May 2005, Posts: 23,238, OS: N/A)

Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host


Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


Uninstall this program from add/Remove programs - ViewPoint


Fix these entries using HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe




Delete this folder - C:\Program Files\Viewpoint


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  3. Click the 'OK' button


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



Also describe the pop-ups that you have been getting. Do they come from any particular site?
Posted by sUBs
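Post #5 has the user replace the hosts file with the copy inside Host.zip. HijackThis reports non-default hosts-file lines as O1 entries, and the O1 lines in the post #7 log further down begin with the characters "PK", the signature of a ZIP local-file header, which is what you see when the archive itself, rather than the text file inside it, ends up at that path. The script below is an added example, not code from the thread: it classifies a hosts file as text, binary or ZIP before and after such a replacement, parses address/hostname pairs, and flags entries that pin security-vendor update hosts or redirect a name away from loopback. The sample hosts files, the O1 lines, and the watchlist of vendor domains are constructed for the example; the watchlist in particular is a hypothetical starting point, not a list from the thread.

```python
"""Validate a Windows hosts file (or HJT O1 output) before trusting it.

Added example, not code from the thread. Sample inputs are constructed.
"""
import ipaddress
from typing import List, Tuple

# Hypothetical watchlist (this example's assumption): update/scan hosts of
# security vendors that adware commonly pins to loopback to block updates.
WATCHLIST = {"liveupdate.symantec.com", "housecall.trendmicro.com"}

# Constructed sample: a healthy hosts file of the kind Host.zip should contain.
SAMPLE_GOOD = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

# Constructed sample: a hosts file edited by adware (update blocking + redirect).
SAMPLE_BAD = """127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 housecall.trendmicro.com
203.0.113.10 www.yahoo.com
"""

# Constructed O1 lines in the shape HJT prints; the first characters are the
# "PK" that opens every ZIP archive, i.e. the zip was copied into place whole.
SAMPLE_O1 = [
    "O1 - Hosts: PKØ6J3ÉôF?Ï1tMHOSTS",
    "O1 - Hosts: ®_J.$ÈúU0AK",
]


def classify_hosts_bytes(data: bytes) -> str:
    """Tell a real hosts file from a ZIP archive or other binary junk."""
    # Full ZIP local-file header is b"PK\x03\x04"; the two control bytes are
    # often lost when the content is pasted into a forum, so test "PK" only.
    if data[:2] == b"PK":
        return "zip-archive"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if data and printable / len(data) < 0.9:
        return "binary"
    return "text"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and malformed lines skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                        # not "address hostname..."
        for host in fields[1:]:
            pairs.append((addr, host.lower()))
    return pairs


def suspicious_entries(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag vendor-domain pins and any name sent somewhere other than loopback.

    Heuristic: a legitimate LAN mapping would also be flagged by the second
    rule; the point is to make every non-loopback entry get a human look.
    """
    findings = []
    for addr, host in pairs:
        if host == "localhost":
            continue
        if host in WATCHLIST:
            findings.append((addr, host, "security-vendor host pinned in hosts file"))
        elif not ipaddress.ip_address(addr).is_loopback:
            findings.append((addr, host, "hostname redirected away from loopback"))
    return findings


def o1_lines_to_bytes(o1_lines: List[str]) -> bytes:
    """Reassemble what HJT shows after 'O1 - Hosts: ' as raw bytes."""
    body = "\n".join(l.split("O1 - Hosts: ", 1)[1]
                     for l in o1_lines if "O1 - Hosts: " in l)
    return body.encode("cp1252", errors="replace")


if __name__ == "__main__":
    print("good file:", classify_hosts_bytes(SAMPLE_GOOD.encode()))
    print("O1 lines :", classify_hosts_bytes(o1_lines_to_bytes(SAMPLE_O1)))
    for addr, host, why in suspicious_entries(parse_hosts(SAMPLE_BAD)):
        print(f"{addr:<14} {host:<28} {why}")
```

Run it on the hosts file you are about to install (read it with open(path, "rb")) as well as the one you are replacing; a "zip-archive" or "binary" result means the replacement step went wrong and the file should be extracted again, and any finding from suspicious_entries is an entry to justify before keeping.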
#6, 10-14-2005, 09:01 AM
Registered User (Join Date: Jan 2005, Location: CT, Posts: 12, OS: XP)

Thanks - will run these and post logs.

I've been getting a few pop-ups from, I think it's called, mediafast or something like that. The one bad one I get every time I log on is a full screen ad from something called movieworld that I can only knock down by doing Ctrl/Alt/Del and hitting End Task.
Posted by kegank
#7, 10-22-2005, 05:08 PM
Registered User (Join Date: Jan 2005, Location: CT, Posts: 12, OS: XP)

New HJT log and Panda log

The pop-up ad I keep getting is something called MovieWorld or MovieWurld

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:03:40 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\MediaPipe\DownloadManager.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: PKØ6J3ÉôF?Ï1tMHOSTS¬<msÛ¸Ñß;ÓÿÀ©¿]KÚ–KžûòŒü;×8ñùê§ñxn@¢ ’å_ß]$E„<צ7¹w±X,ö€ Ž‚‡SÁÝ?îÁí×ÅÃ"X2NøD‚¥¤4HÅ¶à‚¤ð_"ÿ%èþýùOGÁªªÊ_Ž·Ûm”oJ™oY±¢¼œœÌŽƒ‰?zðý£U¿Õб[E%°JUPˆ*ø*p]9 úK*vy,xoð?E$¤À¬h°µ `8˜ª¿dY9$}Ô*ký”תú)ˆ©F[2©ª€³‚þœÎÞG'ð¿S=‚‹„ð•¨üÓü£‡£?¿•), …YOBøçäÝþüç3_•d ÝœÈ5Mƒ-«VÁ=‘D1ŸÁƒ?Pž"ÏiQ©@*DÍS»fRÉIãX¡Åõ©ù´
O1 - Hosts: ®_J.$ÈúU0AK ¾‹‚F´*†9µK¶£¢U•;”äþé*Y/Vß²[‘4P”ÈdEb0—
O1 - Hosts: žW í¸®€—ð‹(…Ê„.V í9gk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwatch.com/cleanup/...anup3Proj1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.net/add/XUpload.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



Panda log:

Incident Status Location

Adware:adware/ipinsight Reported C:\WINDOWS\INF\alchem.inf
Adware:adware/gator Reported C:\GatorPatch.log
Adware:adware/twain-tech Reported C:\WINDOWS\satmat.ini
Adware:adware/shoppingcommunity Reported Windows Registry
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@2o7[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ads.pointroll[1].txt
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@as-us.falkag[1].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ask[1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@atdmt[2].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ath.belnk[1].txt
Spyware:Cookie/Azjmp Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@azjmp[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@belnk[2].txt
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@burstnet[1].txt
Spyware:Cookie/Enhance Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@c.enhance[1].txt
Spyware:Cookie/GoClick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@c.goclick[2].txt
Spyware:Cookie/Ccbill Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ccbill[1].txt
Spyware:Cookie/CentrPort Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@centrport[1].txt
Spyware:Cookie/360i Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ct.360i[1].txt
Spyware:Cookie/Coremetrics Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@data.coremetrics[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@did-it[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@doubleclick[1].txt
Spyware:Cookie/empnads Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@empnads[2].txt
Spyware:Cookie/FastClick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@fastclick[1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@go[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@hitbox[2].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@mediaplex[1].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@questionmarket[1].txt
Spyware:Cookie/Rn11 Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@rn11[2].txt
Spyware:Cookie/Searchportal Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@serving-sys[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@target[2].txt
Spyware:Cookie/Traffic Marketplace Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.burstbeacon[1].txt
Spyware:Cookie/web-stat Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.web-stat[2].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Jennifer Kegan\Cookies\jennifer kegan@go[1].txt
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@2o7[2].txt
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ads.pointroll[1].txt
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@as-us.falkag[1].txt
Spyware:Cookie/Ask Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ask[1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@atdmt[2].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ath.belnk[1].txt
Spyware:Cookie/Azjmp Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@azjmp[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@belnk[2].txt
Spyware:Cookie/BurstNet Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@burstnet[1].txt
Spyware:Cookie/Enhance Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@c.enhance[1].txt
Spyware:Cookie/GoClick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@c.goclick[2].txt
Spyware:Cookie/Ccbill Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ccbill[1].txt
Spyware:Cookie/CentrPort Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@centrport[1].txt
Spyware:Cookie/360i Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@ct.360i[1].txt
Spyware:Cookie/Coremetrics Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@data.coremetrics[1].txt
Spyware:Cookie/did-it Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@did-it[1].txt
Spyware:Cookie/Belnk Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@doubleclick[1].txt
Spyware:Cookie/empnads Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@empnads[2].txt
Spyware:Cookie/FastClick Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@fastclick[1].txt
Spyware:Cookie/go Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@go[2].txt
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@hitbox[2].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@mediaplex[1].txt
Spyware:Cookie/Overture Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@questionmarket[1].txt
Spyware:Cookie/Rn11 Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@rn11[2].txt
Spyware:Cookie/Searchportal Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@serving-sys[1].txt
Spyware:Cookie/Target Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@target[2].txt
Spyware:Cookie/Traffic Marketplace Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.burstbeacon[1].txt
Spyware:Cookie/web-stat Reported C:\Documents and Settings\Ken Kegan\Cookies\ken kegan@www.web-stat[2].txt
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\a.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\b.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ba.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bb.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bc.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bd.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\be.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\bf.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bg.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\bh.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bi.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bj.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\bk.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bl.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bm.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bn.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\bo.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\bp.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bq.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\br.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bs.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bt.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bu.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bv.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bw.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bx.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\by.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\bz.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\c.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ca.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cb.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cc.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cd.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\ce.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cf.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cg.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ch.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ci.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cj.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ck.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cl.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cm.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cn.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\co.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cp.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\cq.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\cr.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cs.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\ct.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cu.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cv.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\cx.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\cz.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\d.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\da.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\db.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dc.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dd.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\de.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\df.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\di.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dl.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\dn.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\dp.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dr.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ds.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dt.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\du.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dv.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\dw.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\dy.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\dz.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\ed.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\f.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\h.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\i.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\j.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\l.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\m.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\Main.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\n.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\p.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\q.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\r.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\s.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\t.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\u.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\w.class
Adware:Adware/TopMoxie Reported C:\Program Files\UpromiseRemindU\System\Code\x.class
Adware:Adware/MoeMoney Reported C:\Program Files\UpromiseRemindU\System\Code\y.class
Adware:Adware/ShoppingCommunity Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp
Adware:Adware/ShoppingCommunity Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10A.tmp
Spyware:Cookie/DomainSponsor Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/RealMedia Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp
Spyware:Cookie/Zedo Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp
Spyware:Spyware/BetterInet Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp
Spyware:Cookie/RealMedia Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp
Adware:Adware/MSView Reported C:\Program Files\Yahoo!\YPSR\Quarantine\ppqFF.tmp
Adware:Adware/IPInsight Reported C:\WINDOWS\INF\alchem.inf
Adware:Adware/Transponder Reported C:\WINDOWS\INF\polall1r.inf
Spyware:Spyware/BetterInet Reported C:\WINDOWS\INF\satmat.inf
Adware:Adware/IPInsight Reported C:\WINDOWS\satmat.ini
Adware:Adware/WurldMedia Reported C:\WINDOWS\SYSTEM32\winbpupd.exe

Last edited by sUBs; 10-22-2005 at 05:52 PM.
Old 10-22-2005, 05:55 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


My last response to you was Oct 14. If I took as long to respond to you as you did, we'd never be able to get your computer clean. Malware has a habit of drawing more malware into your computer.

Are you just getting these Movie World pop ups from just one particular website or does it happen randomly?


Please uninstall these programs:

AltPayments
UpromiseRemindU




Have HijackThis fix these:

O1 - Hosts: PKØ6J3ÉôF?Ï1tMHOSTS¬<msÛ¸Ñß;ÓÿÀ©¿]KÚ–KžûòŒü;×8ñùê§ñxn@¢ ’å_ß]$E„<צ7¹w±X,ö€Ž‚‡SÁÝ ?îÁí×ÅÃ"X2NøD‚¥¤4HÅ¶à‚¤ð_"ÿ%èþýùOGÁªªÊ_Ž·Ûm”oJ™oY±¢¼œœÌŽƒ‰?zðý£U¿Õб[E%°JUPˆ*ø*p]9úK*vy,xoð? E$¤À¬h°µ `8˜ª¿dY9$}Ô*ký”תú)ˆ©F[2©ª€³‚þœÎÞG'ð¿S=‚‹„ð•¨üÓü£‡£?¿•), …YOBøçäÝþüç3_•d ÝœÈ5Mƒ-«VÁ=‘D1ŸÁƒ?Pž"ÏiQ©@*DÍS»fRÉIãX¡Åõ©ù´
O1 - Hosts: ®_J.$ÈúU0AK ¾‹‚F´*†9µK¶£¢U•;”äþé*Y/Vß²[‘4P”ÈdEb0—
O1 - Hosts: žW í¸®€—ð‹(…Ê„.V í9gk
O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)




Locate & delete these files/folders: (let me know if there's any that you fail to delete)

C:\Program Files\AltPayments\
C:\Program Files\UpromiseRemindU\
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\polall1r.inf
C:\WINDOWS\INF\satmat.inf
C:\WINDOWS\satmat.ini
C:\WINDOWS\SYSTEM32\winbpupd.exe
C:\WINDOWS\INF\alchem.inf
C:\GatorPatch.log





Download & install this program - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Reboot & post a new HJT log
Tell me how your machine is behaving now.
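The reply above does its triage by hand: it pairs the O1 Hosts lines whose payload is binary junk with a damaged HOSTS file, and it pairs every O4/O8/O9 entry that points into AltPayments or UpromiseRemindU with the two programs it asks the poster to uninstall. As an added example (not code from this thread, from HijackThis or from the forum), the Python helper below does the same checks mechanically over HJT-style lines and then verifies, against a later log, that the flagged entries are really gone. The sample lines, the folder list and all function names are constructed for the demo; the folder list simply mirrors the two folders named in the reply.

```python
"""Triage of HijackThis (HJT) log entries.

Added example, not code from the thread or from HijackThis itself.
It flags O1 Hosts entries whose payload is not a plain-text
"IP hostname" pair (the damaged HOSTS file seen in the log above)
and any entry that points into a folder scheduled for removal.
"""
import re
import string

# Folders the reply asks the poster to uninstall and delete (assumed list).
REMOVAL_FOLDERS = (
    r"C:\Program Files\AltPayments",
    r"C:\Program Files\UpromiseRemindU",
)

# "O4 - HKLM\..\Run: [name] path" -> section code "O4", body after the dash.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A healthy hosts line: dotted IPv4 address, whitespace, a hostname.
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
PRINTABLE = set(string.printable)

# Constructed sample in the shape of the log above (not the full log).
SAMPLE_LINES = [
    "O1 - Hosts: PK\x98\x06J3\xc9\xf4F?\xcf1tMHOSTS\xac<ms",  # binary junk, as in the thread
    "O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll",
    r'O4 - HKLM\..\Run: [AltPayments] "C:\Program Files\AltPayments\AltPayments.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm",
    r"O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (HKCU)",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe",
]


def parse_entry(line):
    """Split an HJT line into (section code, body); None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def hosts_payload_ok(payload):
    """True when an O1 payload is printable text of the form 'IP hostname'."""
    if any(ch not in PRINTABLE for ch in payload):
        return False  # control bytes or non-ASCII: the HOSTS file is not text
    return HOSTS_RE.match(payload.strip()) is not None


def triage(lines, removal_folders=REMOVAL_FOLDERS):
    """Return (reason, line) pairs for entries that need action, in log order."""
    flagged = []
    folders = [f.lower() for f in removal_folders]
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, body = parsed
        if code == "O1":
            payload = body.partition(":")[2]  # text after "Hosts:"
            if not hosts_payload_ok(payload):
                flagged.append(("O1 payload is not a text IP/hostname pair; HOSTS file is damaged", line))
                continue
        if any(f in body.lower() for f in folders):
            flagged.append(("entry points into a folder scheduled for removal", line))
    return flagged


def still_present(new_lines, flagged):
    """Flagged entries that survive in a newer log, i.e. the cleanup is not complete."""
    current = {l.strip() for l in new_lines}
    return [line for _, line in flagged if line.strip() in current]


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for reason, line in found:
        print(f"FIX  {line[:60]}...  [{reason}]")
    # Simulate the follow-up log after the fixes were applied.
    after = [l for l in SAMPLE_LINES if l not in {x for _, x in found}]
    print("remaining:", still_present(after, found))
```

Run against the constructed sample, `triage` flags exactly the four entries the reply lists (one junk O1 line, the AltPayments O4 entry and the two RemindU O8/O9 entries) and leaves the Norton, Yahoo and QuickTime entries alone; `still_present` is the check to run on the next posted log before declaring the machine clean.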
Old 10-22-2005, 08:44 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2005
Location: CT
Posts: 12
OS: XP


I've been away for business (and at the same time letting my PC still have issues!). These MovieWorld popups were happening every time I re-booted my PC and opened up IE. After this new re-boot and posting, it hasn't come up. Hopefully this clean-out fixed the problem. Let me know if you see anything else fishy. Thanks again for your help!

Here's my new HJT log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:41:31 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MediaPipe\MPTray.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\MediaPipe\DownloadManager.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwatch.com/cleanup/...anup3Proj1.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.net/add/XUpload.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Old 10-22-2005, 08:58 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Sorry about that. I sometimes see cases where prolonging the disinfection process leads to more infections until the computer is beyond repair.

Your system is clean. Please follow these simple steps in order to keep your computer clean and secure:
  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    Go to Start >> Run - type control inetcpl.cpl,,1 & press Enter
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level .
      • Change 'Download signed ActiveX controls' to Prompt
      • Change 'Download unsigned ActiveX controls' to Disable
      • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
      • Change 'Installation of desktop items' to Prompt
      • Change 'Launching programs and files in an IFRAME' to Prompt
      • Change 'Navigate sub-frames across different domains' to Prompt
      • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, in conjunction with Spybot, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

sUBs is offline  
Old 10-23-2005, 07:01 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2005
Location: CT
Posts: 12
OS: XP


Thanks!

Thanks for your help. I haven't gotten any more of those annoying pop-ups. I will need to install and run these items at another time - will this post be killed or just archived into another folder?
kegank is offline  
Old 10-23-2005, 07:07 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


This thread would be moved to the Resolved HJT Logs section.

Please bookmark it so that you may be able to locate it for future reference.
__________________

sUBs is offline  
Copyright 2001 - 2009, Tech Support Forum