
pop up problems

Discussion in 'Malware and Virus Removal Archive' started by jonathan_collin, 2005/02/25.

Thread Status:
Not open for further replies.
  1. jonathan_collin (Thread Starter), 2005/02/25
    I'm having problems getting rid of pop64, dmvlite, and bridge. I use XoftSpy, newest version, updated on 2/25/05. I ran HijackThis and the log file is below.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:28:10 PM, on 2/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system32\lSAcgOx.exe
    C:\WINDOWS\system32\lSAcgOx.exe
    C:\WINDOWS\system32\Itf4V.exe
    C:\WINDOWS\system32\Itf4V.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Rhonda\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Comcast.net/chsi.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Comcast.net/chsi.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    N2 - Netscape 6: user_pref( "browser.startup.homepage ", "http://www.comcast.net/chsi.html "); (C:\Documents and Settings\Rhonda\Application Data\Mozilla\Profiles\default\8gkcaytd.slt\prefs.js)
    N2 - Netscape 6: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Rhonda\Application Data\Mozilla\Profiles\default\8gkcaytd.slt\prefs.js)
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {334DEDEC-7605-248E-2DE4-0795BED680CC} - C:\WINDOWS\system32\hkw.dll
    O2 - BHO: (no name) - {7BD803C1-08C8-AAAC-A9F6-2B5378189A7D} - C:\WINDOWS\system32\lsqhhcdb.dll
    O2 - BHO: (no name) - {89F62FF4-5FAC-12CE-11E5-C7AE04A10524} - C:\WINDOWS\system32\kytqtscv.dll
    O2 - BHO: (no name) - {A7D7F224-6C98-631B-BFDF-146471AB1897} - C:\WINDOWS\system32\rwhzekac.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: (no name) - {F7F82522-A46C-B516-2488-126C6746A22A} - C:\WINDOWS\system32\jwdbcmmc.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [lSAcgOx.exe] c:\windows\system32\lSAcgOx.exe
    O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
    O4 - HKLM\..\Run: [lyifyc] c:\windows\system32\lyifyc.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\system32\Boi5X.exe
    O4 - HKLM\..\Run: [zujitzfj] C:\WINDOWS\system32\zujitzfj.exe
    O4 - HKLM\..\Run: [XevCjuLX] C:\documents and settings\jonathan\local settings\temp\XevCjuLX.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe "
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [pegtisgiagx] C:\WINDOWS\System32\lyifyc.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [mER9Eel] C:\windows\system32\mER9Eel.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: C:\windows\system32\b.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [6b6deb007bb5] C:\WINDOWS\system32\catsrvps.exe
    O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\system32\browser1.exe
    O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe "
    O4 - HKCU\..\Run: [Bwjisjh] C:\WINDOWS\system32\?hkdsk.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Rhonda\Application Data\othb.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Advisor - {1756312E-5CB1-4640-A57B-F7808722E41A} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097799257277
    O23 - Service: gluemjgxxtgb (hszaeewj6) - Unknown owner - C:\WINDOWS\system32\mapiaajy6.exe
    O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  2. noahdfear, 2005/02/27
    Welcome to WindowsBBS, jonathan_collin :) Sorry for the delay.

    Save this to a text file where you can access it in safe mode.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R3 - Default URLSearchHook is missing
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {334DEDEC-7605-248E-2DE4-0795BED680CC} - C:\WINDOWS\system32\hkw.dll
    O2 - BHO: (no name) - {7BD803C1-08C8-AAAC-A9F6-2B5378189A7D} - C:\WINDOWS\system32\lsqhhcdb.dll
    O2 - BHO: (no name) - {89F62FF4-5FAC-12CE-11E5-C7AE04A10524} - C:\WINDOWS\system32\kytqtscv.dll
    O2 - BHO: (no name) - {A7D7F224-6C98-631B-BFDF-146471AB1897} - C:\WINDOWS\system32\rwhzekac.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: (no name) - {F7F82522-A46C-B516-2488-126C6746A22A} - C:\WINDOWS\system32\jwdbcmmc.dll
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [lSAcgOx.exe] c:\windows\system32\lSAcgOx.exe
    O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
    O4 - HKLM\..\Run: [lyifyc] c:\windows\system32\lyifyc.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\system32\Boi5X.exe
    O4 - HKLM\..\Run: [zujitzfj] C:\WINDOWS\system32\zujitzfj.exe
    O4 - HKLM\..\Run: [XevCjuLX] C:\documents and settings\jonathan\local settings\temp\XevCjuLX.exe
    O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [pegtisgiagx] C:\WINDOWS\System32\lyifyc.exe
    O4 - HKLM\..\Run: [mER9Eel] C:\windows\system32\mER9Eel.exe
    O4 - HKLM\..\Run: [b} C:\windows\system32\b.exe
    O4 - HKLM\..\Run: [6b6deb007bb5] C:\WINDOWS\system32\catsrvps.exe
    O4 - HKLM\..\Run: [033759ddf10c] C:\WINDOWS\system32\browser1.exe
    O4 - HKCU\..\Run: [Bwjisjh] C:\WINDOWS\system32\?hkdsk.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Rhonda\Application Data\othb.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O23 - Service: gluemjgxxtgb (hszaeewj6) - Unknown owner - C:\WINDOWS\system32\mapiaajy6.exe
    O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\lSAcgOx.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When all of the below filepaths are done, close the Killbox.

    C:\WINDOWS\System32\Itf4V.exe
    C:\WINDOWS\System32\lyifyc.exe
    C:\WINDOWS\System32\Boi5X.exe
    C:\WINDOWS\System32\zujitzfj.exe
    C:\WINDOWS\System32\mER9Eel.exe
    C:\WINDOWS\System32\b.exe
    C:\WINDOWS\system32\catsrvps.exe
    C:\WINDOWS\system32\browser1.exe
    C:\WINDOWS\system32\?hkdsk.exe
    C:\WINDOWS\system32\mapiaajy6.exe
    C:\WINDOWS\a65d.exe
    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click Yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open C:\Documents and Settings\Rhonda\Application Data and delete the file othb.exe
    Open C:\Program Files and delete the folders Ebates_MoeMoneyMaker and eSyndicate if present.
    Open C:\WINDOWS\system32 and delete the folder vmss.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Click the Security tab, then highlight Trusted Sites and click the Sites button. If *.media-motor.net and *.popuppers.com are present, remove them. Close Internet Options.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    I suggest you download an anti-virus and a firewall, then install and update them. Some of the freebies available are listed below.

    Firewall
    Zone Alarm
    Sygate
    Kerio

    Anti-Virus
    AVG
    avast
    AntiVir PE

    Run another HijackThis scan and post the log.
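The checks the reply above applies by eye (BHOs registered with no name or pointing at a missing DLL, Run values with random-looking names or living in temp and per-user profile directories, the unprintable character rendered as ? in ?hkdsk.exe, sites added to the IE Trusted Zone, services with an unknown owner, and the same image running twice, as lSAcgOx.exe does) can be applied mechanically to a HijackThis log. The Python script below is an added example, not code from the thread, from WindowsBBS or from HijackThis. The category codes, the name heuristic and the `triage` / `looks_machine_generated` function names are my own assumptions, and the sample input is a handful of lines copied from the log posted above so the script runs offline. The name heuristic is deliberately noisy: it ranks entries for a human to research, it does not decide for them.

```python
"""Triage a HijackThis log: flag the entry types the reply above acts on.

Added example. The heuristics and category codes are assumptions of this
example, not HijackThis features.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted in the
# thread, embedded here so the script runs offline. Not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system32\lSAcgOx.exe
C:\WINDOWS\system32\lSAcgOx.exe
C:\WINDOWS\system32\Itf4V.exe
C:\Program Files\Netscape\Netscape\Netscp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {334DEDEC-7605-248E-2DE4-0795BED680CC} - C:\WINDOWS\system32\hkw.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O4 - HKLM\..\Run: [lSAcgOx.exe] c:\windows\system32\lSAcgOx.exe
O4 - HKLM\..\Run: [XevCjuLX] C:\documents and settings\jonathan\local settings\temp\XevCjuLX.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: C:\windows\system32\b.exe
O4 - HKCU\..\Run: [Bwjisjh] C:\WINDOWS\system32\?hkdsk.exe
O15 - Trusted Zone: *.popuppers.com
O23 - Service: gluemjgxxtgb (hszaeewj6) - Unknown owner - C:\WINDOWS\system32\mapiaajy6.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Line shapes as HijackThis 1.99 prints them (the [name] part of an O4 line is optional).
RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
TZ_RE = re.compile(r'^O15 - Trusted Zone: (?P<site>.+)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|dll|com|scr|bat))\b', re.I)
VOWELS = set("aeiouy")


def win_basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def looks_machine_generated(stem):
    """Noisy heuristic for names like lSAcgOx, Boi5X or b: no vowel at all, a
    digit wedged between letters, or three or more capitals after the first
    character. Good enough to rank entries for a human; not a verdict."""
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    if not any(c.lower() in VOWELS for c in letters):
        return True
    if re.search(r"[A-Za-z][0-9]+[A-Za-z]", stem):
        return True
    return sum(1 for c in stem[1:] if c.isupper()) >= 3


def check_run_entry(name, target, line):
    """Findings for one O4 autorun value."""
    out = []
    target = target.strip()
    m = EXE_RE.match(target)
    path = m.group("path") if m else target.strip('"')
    stem = win_basename(path).rsplit(".", 1)[0]
    low = target.lower()
    if name is None:
        out.append(("O4", "Run value with no name", line))
    if "?" in path or any(ord(c) > 127 for c in path):
        out.append(("O4", "unprintable character in file name (hard to type or delete by hand)", line))
    if "\\local settings\\temp\\" in low or "\\application data\\" in low:
        out.append(("O4", "autorun from a temp or per-user profile directory", line))
    if looks_machine_generated(stem):
        out.append(("O4", "machine-generated-looking file name", line))
    return out


def triage(log_text):
    """Return (code, reason, offending line) triples for a HijackThis log."""
    findings, processes, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        if (m := RUN_RE.match(line)):
            findings.extend(check_run_entry(m.group("name"), m.group("target"), line))
        elif (m := BHO_RE.match(line)):
            if m.group("name") == "(no name)":
                findings.append(("O2", "BHO registered with no name", line))
            if m.group("path").endswith("(file missing)"):
                findings.append(("O2", "BHO points at a missing DLL (stale registration)", line))
        elif TZ_RE.match(line):
            findings.append(("O15", "site added to the IE Trusted Zone (relaxed security settings)", line))
        elif (m := SVC_RE.match(line)) and m.group("owner") == "Unknown owner":
            findings.append(("O23", "service with no publisher information", line))
    # The same image started twice is the watchdog-pair pattern seen with lSAcgOx.exe;
    # svchost.exe legitimately runs several times, so it is excluded.
    for path, n in Counter(p.lower() for p in processes).items():
        if n > 1 and win_basename(path) != "svchost.exe":
            findings.append(("PROC", f"image running {n} times", path))
    return findings


def findings_by_code(findings):
    """Count findings per category code, handy for a quick summary."""
    return Counter(code for code, _, _ in findings)


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:5} {reason}\n      {line}")
```

Every hit is a reason to look at the file itself (its location, timestamp, and whether it is signed by a known publisher) before putting it in a Killbox or HijackThis fix list; legitimate OEM utilities with odd names will trip the name heuristic, which is why the output is a ranked list for a person rather than a delete list.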
