10-15-2005, 11:31 PM   #1
Bent137
Registered User
Join Date: Oct 2004
Location: North Carolina
Posts: 91
OS: Windows XP (Laptops) and Windows XP(Desktop)

Help with Log, Unsolicited Pop-Ups

Hi. Earlier tonight I received a few unsolicited Pop-Ups. Between 5 and 10. After seeing them while on different websites, and when I hadn't done a thing, I realized there must be a nasty spyware hiding somewhere on my computer. Having been here in the past I had an idea of what to do and tried my best to help you guys as much as possible before posting. I have a firewall, and it isn't a virus. So next I checked SpywareGuard and SpywareBlaster and made sure they were updated and enabled to protect me. Then I used Spybot (found 2 and killed both) and Adware (found 12 and killed all).

Then I did HiJackThis, and here is the log. Please let it be clean.

Logfile of HijackThis v1.99.1
Scan saved at 1:28:12 AM, on 10/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WECT FIRST ALERT\FIRSTALERT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [WECT 6] C:\Program Files\WECT First Alert\FirstAlert.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt2_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
__________________
"I'm super smart, last night I watched TeenJeopardy! and I knew almost all the answers." - a sarcastic Sarah Michelle Gellar on Live with Regis and Kelly, in response to Kelly's telling the audience that Sarah is "like, a genius she's so smart."

10-17-2005, 01:08 AM   #2
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

Your log is clean. Are you still getting the popups?
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

10-17-2005, 09:46 AM   #3
Bent137

nope, didn't get a single one yesterday. Thanks :)

10-18-2005, 06:32 PM   #4
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,448
OS: 2000 Pro; XP Pro; XP Home

In that case, please take advantage of this information:

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.

Windows ME reset hidden files
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows ME reset System Restore
===============


To turn off System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Reboot your system.

To turn on System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then uncheck "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows. You will then need to manually create a restore point.

Click Start, point to Programs, point to Accessories, point to System Tools, and then click System Restore. Now create a new Restore Point.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles


Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

10-18-2005, 11:39 PM   #5
Bent137

Okay, I pretty much got all of that. Except problem. I just got two about scanning my system registry. They were manufactured to look like a computer prompt, but were actually a website (I could see that in my toolbar.) If my log is clean what can I do?

EDIT: Another just popped up. I noted the address for you, it's like, http://www.secwave.vo or something and then of course, more info for each individual popup. I just got another! The first one I was mentioning just now was ironic, it was warning me about spyware in my system. Imagine that, spyware warning me about spyware!!!!

The last one wanted me to answer a poll about Bush and get a free iPod.

Is there any way I can put that http://www.secwave.vo on a banned list so that sites using that address will not display?
Last edited by Bent137; 10-18-2005 at 11:55 PM.

10-19-2005, 01:59 AM   #6
MicroBell

Well..... If you're getting popups..then something is lurking on the system so let's see what we can uncover.....

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive. (C:\HJT)

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished save the activescan log. Then post that log in your next post.

Open hijackthis...click...config..misctools. Check the 2 boxes next to "Generate Startup List" and then click "Generate Startup List". Post that log in your next post.

10-19-2005, 10:22 AM   #7
Bent137

Okie Dokie. AdAware cleaned some, its Add-on said it is clean. Spybot cleaned some. CWShredder said it's clean. Used CleanUp (and then was stupidly confused why Yahoo didn't know me when I came to do this). Used Panda Scan, results below:


Incident                            Status          Location

Adware:adware/tvmedia               No disinfected  C:\WINDOWS\Application Data\tvmknwrd.dll
Adware:adware/coupons               No disinfected  C:\WINDOWS\cpbrkpie.ocx
Adware:adware/mediatickets          No disinfected  Windows Registry
Spyware:Spyware/AdClicker           No disinfected  C:\WINDOWS\loads.exe
Spyware:Spyware/Conducent-Timesink  No disinfected  C:\_RESTORE\ARCHIVE\FS137.CAB[A0046675.CPY]

I still don't quite understand why they didn't disinfect. I hope you can help me with that. Did as you asked for the HJT startup thing:

StartupList report, 10/19/2005, 12:21:11 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WECT FIRST ALERT\FIRSTALERT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\NETGEAR\MA101 USB ADAPTER CONFIGURATION UTILITY\WLANMONITOR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Service Connection = c:\cpqs\bwtools\sccenter.exe
CountrySelection = pctptt.exe
PCTVOICE = pctvoice.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
WinampAgent = C:\Program Files\Winamp\winampa.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WECT 6 = C:\Program Files\WECT First Alert\FirstAlert.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 19/10/2005, 7:7:18)

[rename]
NUL=C:\WINDOWS\Cookies\index.dat

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET TVDUMPFLAGS=8

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
FRU Task #Hewlett-Packard#hp psc 1200 series#1081645641.job
Synchronize Time.job
Check E-mail.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.co...086.5147222222

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[cpbrkpie Control]
InProcServer32 = C:\WINDOWS\CPBRKPIE.OCX
CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[ActiveGS.cab]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://www.virtualapple.com/activegs.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSDA56.OSD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,522 bytes
Report generated in 2.275 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

10-19-2005, 03:33 PM   #8
MicroBell

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Now reboot into safe mode. Open add/remove programs and remove TVMedia IF it's listed.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\Application Data\tvmknwrd.dll
C:\WINDOWS\cpbrkpie.ocx
C:\WINDOWS\loads.exe


Once you reboot...run another Panda scan and post its log. Let me know if you're getting any popups.

10-20-2005, 10:45 AM   #9
Bent137

TV Media wasn't listed, and I even went through to try and find if there was something "___ TV Media" that would explain it not being in the T's. I did the KillBox, and the PandaScan and here are the frustrating results:


Incident                            Status          Location

Adware:adware/tvmedia               No disinfected  C:\WINDOWS\Application Data\tvmcwrd.dll
Adware:Adware/CWS                   No disinfected  C:\WINDOWS\Temporary Internet Files\Content.IE5\0EUQDV2F\menus[1].js
Spyware:Spyware/AdClicker           No disinfected  C:\_RESTORE\TEMP\LOADS.0
Spyware:Spyware/Conducent-Timesink  No disinfected  C:\_RESTORE\ARCHIVE\FS137.CAB[A0046675.CPY]


As for popups, so far none I haven't initiated yesterday or today.
Last edited by Bent137; 10-20-2005 at 10:47 AM.

10-20-2005, 11:35 AM   #10
Bent137

Okay, I just got a pop-up from the same secwave.vo jerks and this time it caused a friggin error in my explorer.

10-21-2005, 05:23 AM   #11
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista

Please download the trial version of Webroot Spysweeper. Once you have downloaded the program, install and update it and do a full system scan.

Are you still getting pop ups?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-21-2005, 10:33 AM   #12
Bent137

I almost don't want to answer this because it seems like every time I say "I haven't had one since..." I get one. But I haven't had one since that last post yesterday.

Now I shall download that program.

10-21-2005, 12:17 PM   #13
Bent137

Okay it found 51 things, and it quarantined them all. I haven't had a pop-up today at all. What should I do now? Do you think it's gone or maybe just dormant?

10-21-2005, 03:16 PM   #14
MicroBell

Launch SpySweeper again & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply. This is sounding more and more like the Elite infection that runs in memory and I want to see what Spysweeper found.

10-23-2005, 12:05 PM   #15
Bent137

********
12:59 PM: |··· Start of Session, Friday, October 21, 2005 ···|
12:59 PM: Spy Sweeper started
12:59 PM: Sweep initiated using definitions version 559
12:59 PM: Starting Memory Sweep
1:00 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
1:00 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MMTASK.TSK
1:08 PM: Memory Sweep Complete, Elapsed Time: 00:09:16
1:08 PM: Starting Registry Sweep
1:11 PM: Found Adware: homepage protector
1:11 PM: HKCR\interface\{e39f03b3-5532-460b-b70b-cdb68e0c72f7}\ (8 subtraces) (ID = 127182)
1:11 PM: HKLM\software\classes\interface\{e39f03b3-5532-460b-b70b-cdb68e0c72f7}\ (8 subtraces) (ID = 127186)
1:12 PM: Found Adware: purityscan
1:12 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
1:12 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
1:12 PM: Found Adware: media-motor
1:12 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm20.ocx\ (2 subtraces) (ID = 140171)
1:12 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mm20.ocx (ID = 140200)
1:13 PM: Found Adware: winad
1:13 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadx.dll\ (2 subtraces) (ID = 147198)
1:13 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\winadx.dll (ID = 147226)
1:13 PM: HKLM\software\winad client\ (5 subtraces) (ID = 147237)
1:13 PM: Registry Sweep Complete, Elapsed Time:00:05:04
1:13 PM: Starting Cookie Sweep
1:13 PM: Found Spy Cookie: ask cookie
1:13 PM: default@ask[1].txt (ID = 2245)
1:13 PM: Found Spy Cookie: domainsponsor cookie
1:13 PM: default@landing.domainsponsor[1].txt (ID = 2535)
1:13 PM: Found Spy Cookie: bravenet cookie
1:13 PM: default@bravenet[1].txt (ID = 2322)
1:13 PM: Found Spy Cookie: specificclick.com cookie
1:13 PM: default@adopt.specificclick[2].txt (ID = 3400)
1:13 PM: Found Spy Cookie: server.iad.liveperson cookie
1:13 PM: default@server.iad.liveperson[2].txt (ID = 3341)
1:13 PM: Found Spy Cookie: xiti cookie
1:13 PM: default@xiti[1].txt (ID = 3717)
1:13 PM: Found Spy Cookie: maxserving cookie
1:13 PM: default@maxserving[1].txt (ID = 2966)
1:13 PM: Found Spy Cookie: atwola cookie
1:13 PM: default@atwola[1].txt (ID = 2255)
1:13 PM: Found Spy Cookie: yieldmanager cookie
1:13 PM: default@ad.yieldmanager[1].txt (ID = 3751)
1:13 PM: Found Spy Cookie: reunion cookie
1:13 PM: default@reunion[2].txt (ID = 3255)
1:13 PM: Found Spy Cookie: weborama cookie
1:13 PM: default@weborama[1].txt (ID = 3658)
1:13 PM: Found Spy Cookie: revenue.net cookie
1:13 PM: default@revenue[2].txt (ID = 3257)
1:13 PM: Found Spy Cookie: realmedia cookie
1:13 PM: default@realmedia[2].txt (ID = 3235)
1:13 PM: Found Spy Cookie: adknowledge cookie
1:13 PM: default@adknowledge[1].txt (ID = 2072)
1:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:08
1:13 PM: Starting File Sweep
1:14 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
1:25 PM: Found Adware: exact cashback/bargain buddy
1:25 PM: bbi802~1.exe (ID = 50556)
1:37 PM: File Sweep Complete, Elapsed Time: 00:23:07
1:37 PM: Full Sweep has completed. Elapsed time 00:37:53
1:37 PM: Traces Found: 51
2:12 PM: Removal process initiated
2:12 PM: Quarantining All Traces: homepage protector
2:12 PM: Quarantining All Traces: purityscan
2:12 PM: Quarantining All Traces: media-motor
2:12 PM: Quarantining All Traces: winad
2:12 PM: Quarantining All Traces: ask cookie
2:12 PM: Quarantining All Traces: domainsponsor cookie
2:12 PM: Quarantining All Traces: bravenet cookie
2:12 PM: Quarantining All Traces: specificclick.com cookie
2:12 PM: Quarantining All Traces: server.iad.liveperson cookie
2:12 PM: Quarantining All Traces: xiti cookie
2:12 PM: Quarantining All Traces: maxserving cookie
2:12 PM: Quarantining All Traces: atwola cookie
2:12 PM: Quarantining All Traces: yieldmanager cookie
2:12 PM: Quarantining All Traces: reunion cookie
2:12 PM: Quarantining All Traces: weborama cookie
2:12 PM: Quarantining All Traces: revenue.net cookie
2:12 PM: Quarantining All Traces: realmedia cookie
2:12 PM: Quarantining All Traces: adknowledge cookie
2:12 PM: Quarantining All Traces: exact cashback/bargain buddy
2:12 PM: Removal process completed. Elapsed time 00:00:19
********
12:55 PM: |··· Start of Session, Friday, October 21, 2005 ···|
12:55 PM: Spy Sweeper started
12:59 PM: |··· End of Session, Friday, October 21, 2005 ···|
__________________
"I'm super smart, last night I watched TeenJeopardy! and I knew almost all the answers." - a sarcastic Sarah Michelle Gellar on Live with Regis and Kelly, in response to Kelly's telling the audience that Sarah is "like, a genius she's so smart."
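The session log in post #15 uses a fixed "time: message" layout, so it can be triaged mechanically. The following is an added example, not part of the thread and not Spy Sweeper's own code: a Python parser that groups traces by family and sweep phase and flags any family that was found but never quarantined. The function name `triage` and the sample input are assumptions made here; the sample is constructed from the posted log's line format, with one quarantine line deliberately left out.

```python
import re

# Constructed sample in the posted log's format. The quarantine line for the
# last finding is deliberately omitted so the "pending" check has work to do.
SAMPLE_LOG = r"""
********
12:59 PM: Starting Memory Sweep
1:00 PM: Warning: Failed to load image: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
1:08 PM: Starting Registry Sweep
1:13 PM: Found Adware: winad
1:13 PM: HKLM\software\winad client\ (5 subtraces) (ID = 147237)
1:13 PM: Starting Cookie Sweep
1:13 PM: Found Spy Cookie: ask cookie
1:13 PM: default@ask[1].txt (ID = 2245)
1:13 PM: Starting File Sweep
1:25 PM: Found Adware: exact cashback/bargain buddy
1:25 PM: bbi802~1.exe (ID = 50556)
2:12 PM: Removal process initiated
2:12 PM: Quarantining All Traces: winad
2:12 PM: Quarantining All Traces: ask cookie
"""

LINE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")   # "1:13 PM: <message>"
FOUND = re.compile(r"^Found (.+?): (.+)$")           # "Found <category>: <family>"
TRACE = re.compile(r"^(.*) \(ID = (\d+)\)$")         # "<location> (ID = <n>)"

def triage(log_text):
    """Return (findings by family, warnings, families found but not quarantined)."""
    findings, warnings, quarantined = {}, [], set()
    phase = current = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators such as ******** and blank lines
        msg = m.group(1)
        if msg.startswith("Starting ") and msg.endswith(" Sweep"):
            phase, current = msg[len("Starting "):-len(" Sweep")], None
        elif msg.startswith("Warning: "):
            warnings.append(msg[len("Warning: "):])
        elif msg.startswith("Quarantining All Traces: "):
            quarantined.add(msg.split(": ", 1)[1])
        elif FOUND.match(msg):
            category, current = FOUND.match(msg).groups()
            findings.setdefault(current, {"category": category, "phase": phase, "traces": []})
        elif current and TRACE.match(msg):
            location, trace_id = TRACE.match(msg).groups()
            findings[current]["traces"].append((int(trace_id), location))
    pending = [name for name in findings if name not in quarantined]
    return findings, warnings, pending
```

Splitting findings by sweep phase separates low-impact cookie hits from registry and file traces, which are the ones that indicate installed adware components.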
Old 10-23-2005, 08:10 PM   #16 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Are you still getting popups?

If so...download and run this tool...http://www.simplytech.it/ETRemover/

After that is done....I need a set of the following logs...



Download WinPFind http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more. Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Old 10-23-2005, 11:00 PM   #17 (permalink)
Registered User
 
Bent137's Avatar
 
Join Date: Oct 2004
Location: North Carolina
Posts: 91
OS: Windows XP (Laptops) and Windows XP(Desktop)


I haven't had one since Thursday. Do you think maybe we managed to get it somehow?
Old 10-24-2005, 02:47 AM   #18 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Maybe. Your last logs were clean. Give it a few days...but in the meantime follow these instructions...

We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 2000
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files Folders.
  • Deselect the Show all files option.
  • Click Yes to confirm.
  • Click OK.

Windows ME
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Windows 95/98/98SE
===============
  • Open My Computer.
  • Select the View
  • Select the Folder Options option.
  • Select the View tab.
  • Select the Advanced settings box option.
  • Select the Hidden files folder.
  • Deselect the Show all files option.
  • Click Apply to confirm.
  • Click OK.



Create a new System Restore point

Windows XP
===============
  • Click Start >> Run - type SYSDM.CPL & press Enter
  • Select the System Restore Tab
  • Tick on the checkbox - "Turn off System Restore on all drives"
  • Click Apply
  • Then untick the same checkbox & click OK
  • This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============
  • Click the Start tab.
  • Select the Settings option.
  • Select the Control Panel option.
  • Double Click the System icon Performance tab option.
  • Select File System
  • Select the Troubleshooting tab
  • Check the Disable System Restore box
  • Click Apply to confirm.
  • Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option
  • Uncheck the Disable System Restore box

For Windows ME, we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours have passed. To create a new restore point follow the procedure below.
  • Click the Start button.
  • Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
  • Choose Create a restore point, and then click Next.
  • In the Restore point description box, type a name for your restore point, and then click Next.
  • Click OK



Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • Tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Please visit Microsoft's Windows Update Page and install the latest service packs, patches and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:



In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.
Old 10-25-2005, 11:52 AM   #19 (permalink)
Registered User
 
Bent137's Avatar
 
Join Date: Oct 2004
Location: North Carolina
Posts: 91
OS: Windows XP (Laptops) and Windows XP(Desktop)


Okay, so I did as asked, files and protected operating systems programs were already protected. I created a new system restore point and the Windows update automatically thing was already selected. I'm up-to-date at the Windows Update website. I have SpywareGuard, Spyware Blaster, and Zone Alarm.

I'm downloading IE-SpyAd and WinPatrol. I was wondering which of the recommended virus programs (because I hate Norton and I don't want to keep paying for it) is easiest to use in that once it's done scanning it pretty much talks you through quarantining or deleting the infections?
Old 10-26-2005, 11:33 AM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista


Hi,

They're all pretty similar in regard to procedures for quarantining/cleaning infections. However, Norton is a resource hog. If you're looking for a good free antivirus, AVG is very good. I've been using it along with ZoneAlarm Firewall, as well as the programs mentioned by Microbell (above) for about a year now with no problems.

Please download AVG Free at Grisoft http://free.grisoft.com/freeweb.php. Install it and make sure to check for updates.

Also be sure to download a Firewall. Please download ZoneAlarm Free at ZoneAlarm http://www.zonelabs.com.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
 

