Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site
Old 1st May 2005   #1
bostonz (Inactive)

I got zipzapped.

Hi, I too am suffering from pop-ups courtesy of zipzappromos!
I gather this is what I need to post to get some help, which would be thoroughly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 1:38:32 p.m., on 1/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [d3dupdate.exe] C:\WINDOWS\System32\bbeagle.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Old 1st May 2005   #2
noahdfear (Staff, New Bremen, Ohio U.S.A.)

Welcome to WindowsBBS bostonz

Please download GetLogXP.zip. Save it to your desktop. If it saves as attachment.php, right-click and rename it to GetLogXP.zip. You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then Folder Options. Click the View tab of the window that opens, uncheck the box to Hide extensions... and click OK. Now right-click the zip and extract the GetLogXP.bat file to your desktop. Double-click the file to run it. It will open GetLogXP.txt and place a copy on your desktop. Please post the contents of that log.

BTW, your HijackThis log looks very slim. Did you edit something out?

Old 1st May 2005   #3
bostonz (Inactive)

Okay. As for the HijackThis log looking slim, I don't think I edited anything out, but here's a new one, just to be safe:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:28 p.m., on 1/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [d3dupdate.exe] C:\WINDOWS\System32\bbeagle.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binarie...ia32_EN_XP.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binarie...SS_1057_XP.cab
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binarie...ML_1027_XP.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binarie...51_pack_XP.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binarie...SS_1056_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binarie...CE_1053_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binarie...pe32_EN_XP.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And here's from GetLogXP:

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE REG_SZ C:\WINDOWS\system32\ctfmon.exe
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
d3dupdate.exe REG_SZ C:\WINDOWS\System32\bbeagle.exe
Instant Access REG_SZ rundll32.exe EGDACCESS_1058.dll,InstantAccess

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IncrediMail REG_SZ C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
mntrkuc REG_SZ c:\windows\system32\mntrkuc.exe -start
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Professional
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Acrobat 5.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdobeESD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Beneath The Sea
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotComToolbarNLDotComToolbarNL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IncrediMail Xe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kittens
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mntrkuc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safari Screen Saver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAce Archiver 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows XP Service Pack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12E2B9E9-05B1-407d-B0FD-B5F350535125}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1526D87C-A955-4FAB-BF18-697BA457E352}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B29A786-5803-4e9e-9B58-3014A5B4E519}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{449F3A9E-9903-4a0d-A209-08030D45A935}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{48185814-A224-447a-81DA-71BD20580E1B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5677563D-0CB1-485f-9E18-C5025306BB3F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77772678-817F-4401-9301-ED1D01A8DA56}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90280409-6000-11D3-8CFE-0050048383C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B7C61755-DB48-4003-948F-3D34DB8EAF69}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C6F5B6CF-609C-428E-876F-CA83176C021B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E85FA9A1-C241-4698-893B-DD99509B8DB0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F64306A5-4C32-41bb-B153-53986527FAB4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC08587A-4F01-4188-819F-F55880022917}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC2C0536-583C-46c0-844A-62CECAE01F22}

Thanks for the help!

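A reader triaging a HijackThis log like the two above can automate the first pass. The following is an added example written for this page (it is not HijackThis, not a WindowsBBS tool and not anything posted in the thread): a small Python parser that walks HijackThis 1.99 R/O entries and flags the patterns visible in the log above, namely hooks whose file is missing, IE search settings reset to about:blank, O4 Run values whose name claims to be one executable but launches another or loads a DLL through rundll32 by bare name, unnamed downloaded ActiveX controls, and O17 resolvers not on a trusted list. The rule set and the `trusted_dns` parameter are constructed for illustration; the sample lines are copied from the posted log.

```python
"""Triage a HijackThis 1.99 log with a few defensive heuristics.

Added example: not HijackThis itself and not a WindowsBBS script. The
rules are a constructed, minimal set (not a vendor signature list) and
the sample lines are copied from the log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [d3dupdate.exe] C:\WINDOWS\System32\bbeagle.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binarie...tc32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
"""

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
UNNAMED_O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - ")  # CLSID with no "(Class Name)"


@dataclass
class Finding:
    section: str
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


def split_cmd(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (program, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_o4(body: str, line: str) -> List[Finding]:
    """Heuristics for autostart (Run key / Startup folder) entries."""
    m = O4_RE.search(body)
    if not m:
        return []
    name, (exe, args) = m.group("name"), split_cmd(m.group("cmd"))
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base == "rundll32.exe":
        # rundll32 takes "<dll>,<EntryPoint>"; a DLL given without a directory
        # is resolved through the DLL search path, not a fixed location.
        dll = args.split(",", 1)[0].strip().strip('"')
        if dll and "\\" not in dll:
            return [Finding("O4", "high",
                            f"rundll32 loads '{dll}' by bare name via the search path", line)]
    elif name.lower().endswith(".exe") and name.lower() != base:
        return [Finding("O4", "high",
                        f"value name '{name}' looks like an executable but launches '{base}'", line)]
    return []


def triage(log_text: str, trusted_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per HijackThis entry that matches a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(sec, "medium",
                                    "hook points at a file that no longer exists (orphaned entry)", line))
        elif sec.startswith("R") and body.endswith("= about:blank"):
            findings.append(Finding(sec, "info",
                                    "IE search setting reset to about:blank, typical residue of a hijack", line))
        elif sec == "O4":
            findings.extend(check_o4(body, line))
        elif sec == "O16" and UNNAMED_O16_RE.match(body):
            findings.append(Finding(sec, "medium",
                                    "downloaded ActiveX control registered without a class name", line))
        elif sec == "O17" and "NameServer = " in body:
            unknown = [s for s in body.split("NameServer = ", 1)[1].split() if s not in trusted_dns]
            if unknown:
                findings.append(Finding(sec, "info",
                                        f"DNS resolvers {unknown} not on the trusted list; confirm with the ISP", line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section:<3} {f.reason}\n         {f.line}")


if __name__ == "__main__":
    main()
```

Run against the full posted log, the same rules pick out the mslagent BHO, the orphaned toolbar, the d3dupdate.exe/bbeagle.exe entry and the Instant Access rundll32 entry while leaving the Symantec, Office and ctfmon entries alone; everything else the thread later deals with (MySearch, NaviPromo, the Uninstall-key residue) needs a file-system or registry scan that a log parser cannot provide.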
Old 1st May 2005   #4
noahdfear (Staff)

It's been a long day for me, so I'll work up a fix for you in the morning. In the meantime, I'd like for you to please download MWAV. Save it to your desktop and double-click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click Scan. When it completes, copy the lower window labelled Virus Log Information and post it here.

BTW, the second HijackThis log had what I was looking for.

Old 1st May 2005   #5
bostonz (Inactive)

Thanks for the help thus far. I have read your last message; I thought I'd just mention that the PC I'm posting from now is not the one with the problem, and that it might take me another day until I have time to sit down with the troublemaker and run the virus scan, but I am listening and will get onto it!
Thanks,
Bostonz

Old 1st May 2005   #6
noahdfear (Staff)

OK. I'd like to wait until you post the MWAV results to work up a fix so that we can get it all in one whack.
Old 4th May 2005   #7
bostonz (Inactive)

Okay, here we go...

File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mysearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\WebshotsTemp\wssetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\SaveNowInst.exe infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\TEMPOR~1\Content.IE5\291UJE14\EGDACCESS_1058_X P[1].cab infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp\IAUninstall\uninstall.exe infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\Documents and Settings\All Users\Desktop\Downloads\safari.zip infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Desktop\Downloads\sheep.exe tagged as not-a-virus:Simulator.Win16.Sheep. No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\WebshotsTemp\wssetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\SaveNowInst.exe infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temporary Internet Files\Content.IE5\291UJE14\EGDACCESS_1058_XP[1].cab infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Program Files\EMIMS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F1B1263.dll infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F1E3C5F.dll infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\S42NS.EXE infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000042.dll infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000047.dll infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000048.EXE infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000049.dll infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000054.dll infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP4\A0000083.EXE infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP8\A0000138.dll infected by "Trojan-Downloader.Win32.Wintrim.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP8\A0000139.dll infected by "Trojan-Downloader.Win32.Wintrim.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP8\A0000140.dll infected by "Trojan-Downloader.Win32.Wintrim.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP8\A0000141.exe infected by "Email-Worm.Win32.Bagle.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP8\A0000142.exe infected by "Trojan-Downloader.Win32.Wintrim.af" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002772.dll infected by "Trojan-Downloader.Win32.Wintrim.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002773.dll infected by "Trojan-Downloader.Win32.Wintrim.w" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002775.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.1050. No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002776.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.1051. No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002777.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.1053. No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002778.dll infected by "Trojan-Spy.Win32.Mslagent" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002779.dll infected by "Trojan-Downloader.Win32.Wintrim.bb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002780.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.l. No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002781.exe infected by "Trojan.Win32.VB.el" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002782.exe infected by "Trojan-Downloader.Win32.Wintrim.cd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002783.dll infected by "not-a-virus:AdWare.ToolBar.Dotcom.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002784.dll infected by "not-a-virus:AdWare.ToolBar.Dotcom.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002806.exe infected by "not-a-virus:AdWare.EZula.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002807.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002808.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\FOUND.002\FILE0001.CHK infected by "Email-Worm.Win32.Bagle.a" Virus. Action Taken: No Action Taken.
File C:\FOUND.002\FILE0017.CHK infected by "Email-Worm.Win32.Bagle.a" Virus. Action Taken: No Action Taken.
File C:\FOUND.002\FILE0018.CHK infected by "Email-Worm.Win32.Bagle.a" Virus. Action Taken: No Action Taken.
File D:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002471.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002649.exe tagged as not-a-virus:Simulator.Win16.Sheep. No Action Taken.

Old 5th May 2005   #8
noahdfear (Staff)

You should print this out and/or save it to text where you can access it in safe mode.

Check for updates to both Spybot and Ad-aware.

Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

Download the RemInstAccXP.zip file attached to this post. Save it to your desktop. Rename if necessary. Now right click the zip and extract the RemInstAccXP.bat file to your desktop. Note to others: the attachment was written specifically for this machine. Please do not use if you have zipzap popups too. Start your own thread and someone will gladly assist you.

Download the Symantec W32.Beagle@mm Removal Tool. Save it to your desktop.

Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

Shut down all other running programs and open windows, disconnect from the internet and run the Symantec tool. When done, reboot and run it again. Then, either reboot and repeatedly tap F8 to enable the start menu, then select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

Double click the RemInstAccXP.bat file to run.

Scan again with HijackThis and place a check next to the following entries if present. Close ALL other windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [d3dupdate.exe] C:\WINDOWS\System32\bbeagle.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binari...tia32_EN_XP.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab
O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...TML_1027_XP.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...051_pack_XP.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binari...ESS_1056_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binari...ESS_1058_XP.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binari...ICE_1053_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab


Open C:\Program Files and delete the folder MySearch.

Search for and delete the following files if present. (likely in C:\Windows\system32)

dtc32.dll
dtc32.inf
EGCOMSERVICE_1053.dll
EGCOMSERVICE.inf
EGCOMSERVICE_1051.dll
EGCOMSERVICE2.dll
EGCOMSERVICE_pack.inf
EGDACCESS_1056.dll
EGDACCESS_1057.dll
EGDACCESS.inf
nethv32.dll
nethv32.inf
netpe32.dll
netpe32.inf
netia32.dll
netia32.inf
netslv32.dll
netslv32.inf


Open Spybot and scan, fixing all it finds.

Open Ad-aware and run in full scan mode. Delete everything it finds.

Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

Run another HijackThis scan and post the log. Let us know if the popups have stopped.

noahdfear is offline  
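The fix list above is checked against the next log by eye in this thread. As an added example (not code from the thread, from HijackThis, or from either poster), the Python below keys HijackThis entries by section code and body, diffs a before and after log, and flags the patterns noahdfear singled out: R0/R1 values forced to about:blank, O2/O3 registrations whose file is gone, O4 Run entries that hand a bare DLL name to rundll32.exe, and O16 cabs served from downloadv3.com. The sample logs are entry lines copied from this thread; the "..." inside the O16 URLs is the forum's own truncation and is left as it stands.

```python
"""Diff two HijackThis v1.99 logs and flag entries matching this thread's patterns.

Added example: not code from HijackThis or from either poster. The sample
logs are entry lines copied from this thread; the '...' inside the O16 URLs
is the forum's own truncation and is left as it stands.
"""
import re
from urllib.parse import urlparse

# Every HijackThis entry line starts with a section code: R0, R1, O2, O4, O16, ...
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Entries noahdfear listed for fixing in post #8, plus two benign ones
# (the Google start page and ctfmon) so the diff has something to keep.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [d3dupdate.exe] C:\WINDOWS\System32\bbeagle.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binari...dtc32_EN_XP.cab
"""

# The same items as they stand in the log posted after the first fix run (post #10).
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
"""


def parse_log(text):
    """Return {(code, body): line} for every entry line; header and process lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m.group("code"), m.group("body"))] = line.strip()
    return entries


def diff_logs(before, after):
    """Keys present only in the earlier log, and keys present only in the later one."""
    b, a = parse_log(before), parse_log(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    return removed, added


def flag(code, body):
    """Reason string when an entry matches a pattern fixed in this thread, else None."""
    if code in ("R0", "R1") and body.endswith("= about:blank"):
        return "search/start page forced to about:blank (hijacker residue)"
    if code in ("O2", "O3") and body.endswith(("(file missing)", "(no file)")):
        return "BHO/toolbar registered for a file that no longer exists (orphan)"
    if code == "O4":
        # A bare DLL name (no path) handed to rundll32 is resolved through the
        # DLL search order, which is how the Instant Access entry loads here.
        m = re.search(r"rundll32\.exe\s+([^\s,\\]+\.dll)", body, re.I)
        if m:
            return "rundll32 autorun of bare DLL %s (no path given)" % m.group(1)
    if code == "O16":
        host = urlparse(body.split(" - ")[-1]).hostname or ""
        if host.endswith("downloadv3.com"):
            return "ActiveX cab fetched from %s (the dialer/adware host in this thread)" % host
    return None


def audit(before, after):
    """What a fix run removed, what newly appeared, and what still looks wrong."""
    b, a = parse_log(before), parse_log(after)
    removed, added = diff_logs(before, after)
    still = []
    for (code, body), line in sorted(a.items()):
        reason = flag(code, body)
        if reason:
            still.append((line, reason))
    return {"removed": [b[k] for k in removed],
            "added": [a[k] for k in added],
            "still_flagged": still}


if __name__ == "__main__":
    result = audit(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added"):
        print("%s (%d):" % (label, len(result[label])))
        for line in result[label]:
            print("  ", line)
    print("still flagged:")
    for line, reason in result["still_flagged"]:
        print("  ", line, "->", reason)
```

Run stand-alone it lists the six entries that disappeared after the first pass, the one that appeared (the IncrediMail loader cab), and the Instant Access Run entry that survived, which is the one noahdfear asks to fix again further down the thread. The flag rules are deliberately narrow: they encode only what this thread establishes, so a clean entry such as ctfmon.exe never trips them.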
Old 7th May 2005   #9
Inactive
 
Profile:
Join Date: May 2005
Posts: 10
Computer Experience:
Intermediate


Followed the steps, but none of the files I was supposed to be deleting were found. I'm not sure if this is good or bad or my error.
To clarify I only mean the files listed such as EGDACCESS and all the files in that list - the rest of the instructions I followed to the letter.

Here are the results; better but still not perfect, it seems...

File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\WebshotsTemp\wssetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\SaveNowInst.exe infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\Documents and Settings\All Users\Desktop\Downloads\safari.zip infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Desktop\Downloads\sheep.exe tagged as not-a-virus:Simulator.Win16.Sheep. No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\WebshotsTemp\wssetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\SaveNowInst.exe infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Yekcam!\Local Settings\Temp\ImInstaller\IncrediMail\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\Program Files\EMIMS\SETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F1B1263.dll infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F1E3C5F.dll infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.


Hijack to follow

bostonz is offline  
Old 7th May 2005   #10
Inactive
 
Profile:
Join Date: May 2005
Posts: 10
Computer Experience:
Intermediate


Logfile of HijackThis v1.99.1
Scan saved at 5:01:34 p.m., on 7/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

bostonz is offline  
Old 7th May 2005   #11
Staff
 
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
~@<*+

Quite alright you found none of those files. They may have already been removed, or not even have gotten into the system. They are the files contained in the Download Program Files cabs that were in your HijackThis log (the O16 entries previously removed), and I had you check for their presence 'just in case'.

Scan again with HijackThis and fix the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess

Open C:\DOCUME~1\Yekcam!\LOCALS~1\Temp, select all and delete. There may be one or two files in use and undeleteable, and some may require deleting one-at-a-time. You will also need to show hidden files and folders to see the Local Settings folder.


Do you know what this zip file contains?

C:\Documents and Settings\All Users\Desktop\Downloads\safari.zip

Empty the Norton Quarantine folder.

Please run the RAV online virus scan I linked to above and let us know the results.

Post a new HijackThis log. Have the popups stopped?

noahdfear is offline  
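The scan reports in this thread list hits the scanner itself left alone ("No Action Taken"), and where each file sits decides how it has to be dealt with; that is what the instructions above (System Restore off so the restore-point copies go, Temp emptied, Norton quarantine emptied, the safari.zip download dropped) work through by hand. As an added example, not code from RAV, Norton or the thread, the Python below parses those report lines, classifies each hit by location and by whether the scanner labels it not-a-virus/adware or actual malware, and lists the handling that applies per location. The sample lines are copied from bostonz's reports; the location class names and handling text are this example's own wording of the thread's steps.

```python
"""Classify RAV-style scan report lines by where each hit lives.

Added example: not code from RAV, Norton, or the thread. The report lines
below are copied from the reports posted in this thread; location classes
and handling text are this example's own wording of the thread's steps.
"""
import re
from collections import Counter

# Two line shapes appear in the reports: 'infected by "<name>" Virus.' and
# 'tagged as <name>.' (the latter is used for not-a-virus tools and riskware).
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>.+?)\.$')

# Constructed sample: lines copied from the two reports posted in this thread.
SAMPLE_REPORT = r"""
File C:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002783.dll infected by "not-a-virus:AdWare.ToolBar.Dotcom.a" Virus. Action Taken: No Action Taken.
File C:\FOUND.002\FILE0001.CHK infected by "Email-Worm.Win32.Bagle.a" Virus. Action Taken: No Action Taken.
File D:\System Volume Information\_restore{860172EA-F4DC-4906-B561-756177AA04DC}\RP9\A0002471.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Yekcam!\LOCALS~1\Temp\SaveNowInst.exe infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.
File C:\Documents and Settings\All Users\Desktop\Downloads\safari.zip infected by "not-a-virus:AdWare.SaveNow.aj" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F1B1263.dll infected by "not-a-virus:****-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
"""

# How each location class has to be handled, restating the thread's steps.
HANDLING = {
    "restore_point": "copy held in a System Restore point; scanners leave it alone, "
                     "purge by turning System Restore off (and back on after cleaning)",
    "chkdsk_fragment": "orphaned cluster chain chkdsk saved into FOUND.xxx; delete the folder",
    "temp": "installer dropped in a Temp folder; clear the Temp directory",
    "downloaded_program_files": "ActiveX component cached under Downloaded Program Files; "
                                "review whether the control is wanted",
    "downloads": "user-downloaded archive bundling adware; delete it",
    "av_quarantine": "already neutralised by the AV product; empty its quarantine",
    "other": "no usable file path; review manually",
}


def classify_location(path):
    """Map a reported path to one of the HANDLING classes."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if re.search(r"\\found\.\d{3}\\", p):
        return "chkdsk_fragment"
    if "\\quarantine\\" in p:
        return "av_quarantine"
    if "\\temp\\" in p:
        return "temp"
    if "\\downloaded program files\\" in p:
        return "downloaded_program_files"
    if "\\downloads\\" in p:
        return "downloads"
    return "other"


def classify_name(name):
    """'riskware' for not-a-virus/adware/spyware labels, 'malware' for everything else."""
    n = name.lower()
    if n.startswith("not-a-virus:") or "adware" in n or "spyware" in n:
        return "riskware"
    return "malware"


def parse_report(text):
    """Return one dict per recognised report line; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "action": m.group("action"),
            "location": classify_location(m.group("path")),
            "severity": classify_name(m.group("name")),
        })
    return entries


def summarize(text):
    """Count hits per (location, severity) pair."""
    return Counter((e["location"], e["severity"]) for e in parse_report(text))


def pending_actions(entries):
    """Handling steps still owed: one per location class present in the report."""
    return [HANDLING[loc] for loc in sorted({e["location"] for e in entries})]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for (loc, sev), n in sorted(summarize(SAMPLE_REPORT).items()):
        print("%-25s %-9s %d" % (loc, sev, n))
    print()
    for step in pending_actions(found):
        print("-", step)
```

The one real worm in the sample (the Bagle fragment) sits in a FOUND.002 chkdsk folder, not anywhere it would run from, and the restore-point copies are exactly the ones the thread handles by switching System Restore off; the summary makes that split visible before anything is deleted.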
Old 7th May 2005   #12
Inactive
 
Profile:
Join Date: May 2005
Posts: 10
Computer Experience:
Intermediate


I'll get onto that in the mornin'. In the meantime, before I forget and get caught up in the task at hand: I really do appreciate the help!
bostonz is offline  
Old 14th May 2005   #13
Inactive
 
Profile:
Join Date: May 2005
Posts: 10
Computer Experience:
Intermediate


Ok, all done.
No apparent pop ups or nasties so far; here are the results, let's see how they come out!


Scanned
============================
Objects: 27046
Directories: 1999
Archives: 4356
Size(Kb): 219198
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 592

bostonz is offline  
Old 14th May 2005   #14
Inactive
 
Profile:
Join Date: May 2005
Posts: 10
Computer Experience:
Intermediate


Logfile of HijackThis v1.99.1
Scan saved at 2:42:43 p.m., on 14/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncrediMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AB825A-1F2C-4B1A-ACC6-BA2A9324608A}: NameServer = 202.180.64.2 202.180.64.9
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

bostonz is offline  
Old 14th May 2005   #15
Staff
 
 
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience:
~@<*+

WooHoo! Looks clean!

What about the Safari.zip? Appears to be a game maybe?? Unless you really like it, dump it. It's bundled with junkware.

noahdfear is offline  
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.3.2
Copyright © 2002 - 2009 WindowsBBS.com. All rights reserved.