Bullguard Free Antivirus Forum

The original version of this page can be found at : http://forum.bullguard.com/forum/12/Lots-of-popup-adds-and-shortcu_24997.html

Posted By : Richardson Rick - 12-11-2005 3:34

Shortly after I boot up my computer, numerous browser windows open to various unsolicited sites. Shortcuts have been placed on my desktop for things like "free music". Also, when booting up, my hard drive runs a lot longer than it should. After a few minutes, everything locks up and Windows Explorer disappears. I ran Adware, and Microsoft Spyware but that has not fixed the problem. A few days ago, I checked the startup section of MS Spyware and found a program called timessquare.exe. I removed the program but am still having problems. Below is my log. Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 7:44:27 AM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINDOWS\NetopiaRC\Tb2RCAssist.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\91i4e6l2\91i4e6l2.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\msvcmm32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\TheBrain\PersonalBrain 3.0\PersonalBrain.exe
C:\Program Files\3M\PSNotes2\Psn2.exe
C:\PROGRA~1\3M\PSNotes2\PSNGive.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\91i4e6l2\82303920.exe
C:\Program Files\91i4e6l2\91i4e6l2.exe
C:\Documents and Settings\Rick Clayton.CAPV\Desktop\MODEL SHIPBIILDING\Ship Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 12.6.196.100 kurosawa.capv.com
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [InterBase Server] C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [SetupWizard] D:\SetupWizard.exe reboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [91i4e6l2] C:\Program Files\91i4e6l2\91i4e6l2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: ORiNOCO Client Manager.lnk = ?
O4 - Global Startup: PersonalBrain 2.0.lnk = C:\Program Files\TheBrain\PersonalBrain 3.0\PersonalBrain.exe
O4 - Global Startup: Post-it® Software Notes.lnk = C:\Program Files\3M\PSNotes2\Psn2.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = capv.com
O17 - HKLM\Software\..\Telephony: DomainName = capv.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{19FE59AE-2F14-4136-A349-255837DA8795}: NameServer = 192.168.100.101,192.168.100.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = capv.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{19FE59AE-2F14-4136-A349-255837DA8795}: NameServer = 192.168.100.101,192.168.100.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = capv.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{19FE59AE-2F14-4136-A349-255837DA8795}: NameServer = 192.168.100.101,192.168.100.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = capv.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{19FE59AE-2F14-4136-A349-255837DA8795}: NameServer = 192.168.100.101,192.168.100.8
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\hrru0599e.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Timbuktu Remote Control Assistant (Tb2RCAssist) - Netopia, Inc. - C:\WINDOWS\NetopiaRC\Tb2RCAssist.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Posted By : Touch - 12-12-2005 2:45

Hey

Download this scanner – mwav exe mwav

Please download free Ewido: Ewido

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful"

Exit Ewido. DO NOT run a scan yet.

Download this scanner: Dr.Web CureIT
To Desktop

Download Free Trial of Spysweeper

Spysweeper

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Download, install and run Cleanup

Check 'options' to customize your settings, and then make sure only the following are checked:
Cleanup all user profiles
Delete prefetch files
Empty the recycle bins.
Push CleanUp button
When Cleanup! is finished, it will ask you if want to log off and reboot. Answer NO.

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".

It will first make a quick scan of your system, let it clean what it find, and when it says "done"

Click on the green screwdriver-

Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete

Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner It will now scan your drive(s), say yes to all

Run the mwav scanner:
Put a checkmark in:
Memory, Startup folders, drive, Registry, System folders and Services.
And:
All local drives og Scan all files
Push: Scan Button
This scan can take quite a while to run with many applications installed.

Run Spysweeper:
Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C".
Under What to Sweep: check all of the boxes except Sweep Contents of Compressed Files and do not Sweep Systemrestore Folder.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click "Remove". Click "Select All" and then "Next".

Spy Sweeper initially quarantines the spyware it finds on your computer. DO NOT remove items from Quarantine, until after you verify your system still functions properly once spyware has been quarantined. After reboot ensure important programs still work before you remove any items from Quarantine.

Run full scan with Ewido

Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.

Then reboot normally.

Post fresh log from hijackthis and log from Ewido

Regards - Touch

Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.

Need Support? Write to:

| Forum Help Manual

Download free trial version of Bullguard