garmanma

Posts posted by garmanma

  1. I'm at home on my computer, but I can tell you what it's doing. When I open I.E. with Ewido running, I'll get an alert about Virtumonde. No matter if I click on ignore or quarantine it will pop right back up. The only way to close the window is to turn off Ewido. Then when I turn off Ewido, the pop-ups start coming. They're for Winantivirus, a spyware scanner, and sometimes a registry cleaner. I don't even have to have I.E. opened. With my browser closed, I click to open "my documents" and I'll get pop-ups

    I might also add the last HJT, Ewido, and Panda scans WERE NOT run in safemode. I was in a hurry and forgot

    Thanks

    Mark

    I just got a call from my old boss. I have a favor to do for him tomorrow, I don't know if I'll make it to my daughter's or not on Thurs. Funny, I can fix pc-controlled machines and circuit boards all day long but I can't get rid of this garbage

  2. Updated July 5

    Logfile of HijackThis v1.99.1

    Scan saved at 11:54:15 AM, on 7/5/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    C:\WINDOWS\system32\devldr32.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    C:\Program Files\Adelphia HSAgent\bin\tgcmd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    C:\Program Files\ewido anti-spyware 4.0\ewido.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    O4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Whenever I open Ewido I get an alert for Adware Virtumonde location

    C:\WINDOWS\system32\sstqr.dll

    ---------------------------------------------------------

    ewido anti-spyware - Scan Report

    ---------------------------------------------------------

    + Created at: 12:58:58 PM 7/5/2006

    + Scan result:

    C:\WINDOWS\system32\sstqr.dll -> Adware.Virtumonde : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.

    C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Wade\Cookies\wade@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@zedo[1].txt -> TrackingCookie.Zedo : No action taken.

    ::Report end

    I searched everywhere for uninstall_list.txt, but it is nowhere to be found. Whenever I click on "save report as" HJT closes. I wrote the list to notepad. Thank goodness my daughter can type well

    adaware se personal

    adelphia high-speed internet

    adobe download mgr 2.0 remove only

    adobe reader 7.05

    aol instant messenger

    astonia 3

    avg free edition

    battle.net

    best buy rhapsody

    call of duty r2

    desktop calendar 0.42b

    diablo

    empire earth

    ewido antispyware 4.0

    hijack this 199.1

    itunes

    j2se runtime environment 5.0 update 4

    lucas arts balance of power

    lucas arts x-wing vs tie fighter

    macromedia flash player 8

    msn messenger 7.0

    openoffice.org 2.0

    panda activescan

    quicktime

    rollercoaster tycoon 3

    security update for windows xp kb883939

    kb890046

    kb893066

    kb893756

    kb896358

    kb896422

    kb896423

    kb896424

    kb896428

    kb896688

    kb899587

    kb899588

    kb899589

    kb899591

    kb900725

    kb901017

    kb901214

    kb902400

    kb903235

    kb904706

    kb905414

    kb905749

    kb908519

    kb911562

    kb911567

    kb911927

    kb912812

    kb912919

    kb913446

    kb913580

    kb914389

    kb916281

    kb917344

    kb917753

    kb918439

    snood for windows version 3.52-w

    spybot - search & destroy 1.4

    spyware blaster v3.5.1

    spywareguard v2.2

    star wars galactic battlegrounds: saga

    the sims 2

    the sims 2 family fun stuff

    the sims 2 nightlife

    the sims 2 open for business

    the sims 2 university

    update for windows xp kb894391

    kb896727

    kb898461

    kb900485

    kb908531

    kb910437

    viewpoint manager remove only

    viewpoint media player

    windows genuine advantage v1.3.0251.0

    windows installer 3.1 kb893803

    windows media format runtime

    windows xp hotfix kb873333

    kb873339

    kb885250

    kb885835

    kb885836

    kb886185

    kb887472

    kb887742

    kb888113

    kb888302

    kb890175

    kb890859

    kb891781

    kb893086

    yahoo! anti-spy

    yahoo! extras

    yahoo! install manager

    yahoo! internet mail

    yahoo! messenger

    yahoo! messenger explorer bar

    yahoo! toolbar for internet explorer

    zonealarm

    Active scan report

    Incident Status Location

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt

    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andrea\Cookies\andrea@atdmt[1].txt

    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[1].txt

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt

    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wade\Cookies\wade@atwola[1].txt

    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt

    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Wade\Cookies\wade@ccbill[2].txt

    Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt

  3. Here you go:

    Incident Status Location

    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt

    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wade\Cookies\wade@atwola[1].txt

    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt

    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Wade\Cookies\wade@ccbill[2].txt

    Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Wade\Cookies\[email protected][1].txt

    I opened Hijack This>misc. tools>open uninstall manager but when I click on "save list" it just closes the app. I've searched the hard drive for "uninstall_list.text" but nothing shows up. ???

    Mark

    It was just brought to my attention that I used "text" instead of "txt" in my search. I'll look again for it on Wed.

  4. hi garmanma

    you say you've disabled messenger

    but did you disable alerta in services

    which is a part of messenger that is where all the popups

    come from not from

    the actual messenger.

    microsoft used elerta to alert users

    on different innovations

    but someone exploited it and found a way to

    send popups to the users

    try disabling alerta and see

    if that helps

    tho, someone suggested highjack investigate that as well

    marty

  5. Here you go. This is my daughter's machine,

    i'm not sure if I'll be back on it until Monday

    Thanks

    Mark

    ewido anti-spyware - Scan Report

    ---------------------------------------------------------

    + Created at: 5:16:14 PM 6/30/2006

    + Scan result:

    C:\WINDOWS\system32\sstqr.dll -> Adware.Virtumonde : No action taken.

    HKU\S-1-5-21-823518204-1292428093-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : No action taken.

    C:\Documents and Settings\Andrea\Local Settings\Temporary Internet Files\Content.IE5\2Z6B6PYB\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@2o7[1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : No action taken.

    C:\Documents and Settings\Wade\Cookies\wade@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Valuead : No action taken.

    C:\Documents and Settings\Andrea\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Wade\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Wade\Cookies\wade@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.

    C:\Documents and Settings\Andrea\Cookies\andrea@zedo[1].txt -> TrackingCookie.Zedo : No action taken.

    ::Report end

    Logfile of HijackThis v1.99.1

    Scan saved at 5:25:52 PM, on 6/30/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\ewido anti-spyware 4.0\guard.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\WINDOWS\system32\devldr32.exe

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    C:\Program Files\Adelphia HSAgent\bin\tgcmd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    C:\Program Files\ewido anti-spyware 4.0\ewido.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

    C:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    O4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  6. I updated and ran all the virus and spyware programs. I'm still getting an obnoxious Win Antivirus pop-up. My daughter also told me that a window came up wanting to install a BHO helper and she couldn't get rid of it. Any help would be helpful

    Thanks

    Mark

    Logfile of HijackThis v1.99.1

    Scan saved at 9:57:45 AM, on 6/30/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    C:\Program Files\Adelphia HSAgent\bin\tgcmd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    C:\Program Files\MSN Messenger\MsnMsgr.Exe

    C:\WINDOWS\system32\devldr32.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

    C:\Program Files\iPod\bin\iPodService.exe

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\Andrea\My Documents\hijack this\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    O4 - HKLM\..\Run: [tgcmd] "c:\Program Files\Adelphia HSAgent\bin\tgcmd.exe" /server /startmonitor /deaf

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119754399165

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  7. I'm working on my daughter's computer that has XP Pro on it. It has Spyware Guard, Spyware Blaster, AVG, Zone Alarm installed and updated. She also uses the Yahoo toolbar. M$ Messenger is turned off. I've done a few different online virus scans, and ran both Adaware and Spybot S&D. While I've gotten rid of most of the pop-ups, I still have one that continues to show up. I'd appreciate any help to get rid of this. Could it be something in the registry? Should I post a Hijack This log?

    Thanks

    Mark

  8. My daughter finally got broadband and I was over installing some utilities and I noticed she has no administrative account, just 2 users. My son in law installed AVG and Zone Alarm on his account and they're both active on his account and not hers. How do I go about correcting this? Do I do a repair install with XP, create an admin account and then reinstall the utilities or is there a better way? If I do that, will their preferences they already have, programs, bookmarks and whatever, have to be redone? Also, is there an easy way to export bookmarks from one account to another? I've never had to mess with this before.

    Thanks

    Mark

  9. Thanks for an extra choice, Rema7. I'll probably go with Audacity for now. Like Honda Boy says "It's easier to use for the less technology inclined people", meaning me. Perhaps when I get the hang of it I'll move on to something else. I like the other Sourceforge programs I've tried. Their FAQ's and forums seem to help a lot

    Mark

  10. I'm sorry if this is the wrong forum, I wasn't sure where to post. I finally have the time and I would like to convert all my old LP's to CD's. I got the turntable and amplifier, and the y-cable to go to my soundcard. I'm at a loss as to what software I need. Can anyone recommend an easy to use program that does everything I need? It doesn't have to be freeware, I'll gladly purchase the right program

    Thank you

    Mark

  11. It's already updated to 10. Replying to Deafgirl, WMP is embedded in XP. You can't reinstall just WMP. I installed Real Player and that works. I'm just wondering what happened

    Thanks

    Mark

    This tells how to remove it:

    http://www.microsoft.com/windows/windowsme...er/faq.aspx#2_3

    The M.$. page I was on said you can remove its controls but the program itself is embedded in XP. No big deal, I'm starting to like Real Player anyways

    Mark

  12. I'm glad you're OK and everything is also the same.

    Always keep a six pack of ice cold beers around. When shaken, they make good fire extinguishers. (learned from experience :wacko: ). But always save one for afterwards. That's when it'll taste the best!!!

    An extra 2 to hold in each hand to help the burning sensation. Then after they warm up a little you'll have an extra 2 to drink

    Mark

  13. I don't know if this happened because I installed Firefox or not. WMP has been working all week. All of a sudden I cannot play music cd's or streaming audio. When I click on streaming link, the WMP installer opens up wanting to install WMP. I already have it. Any ideas? Running XP with Firefox and Thunderbird. I've done all the updates for it.

    Thanks

    Mark

  14. I just tried it. If you're trying to get real close to the monitor, it could be a few things. You probably have to use manual settings not auto. You might need to use the macro setting. Remember the screen isn't one solid, steady picture, but a bunch of rapidly pulsing pixels. You might need to prolong exposure and also use a small tripod

    Just my 2 cents

    Mark