
Sooo many popups and Adware/spybot isn't doing its job!!!

Discussion in 'Malware and Virus Removal Archive' started by Up your ringer, 2004/12/08.

Thread Status:
Not open for further replies.
  1. 2004/12/09
    Up your ringer

    I have deleted the Windows Media Player file on the F drive, but I don't seem to have the TFTP folders on the C drive.

    However, so far so good, I am all updated and have NO pop-ups so far.... system seems to be moving quicker too!!!!
    :D
     
  2. 2004/12/09
    Newt

    The 'compress old files' piece can take a long time (several hours in some cases) to run the first time but gets quicker each time until after about your 5th cleanup, it runs in seconds.

    There has been discussion on here about it not being needed or doing anything useful. Dave/noahdfear always suggests not checking it as part of a cleanup. I do run it but only because it's quick and certainly a harmless part of my cleanup.

    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    Do you know exactly what those two sites are and why you need to have them in your trusted zone (so they can do pretty much whatever they please)?
     

  4. 2004/12/09
    noahdfear

    Please download this SSH.txt file, saving it to the desktop. Right click the file and rename, changing only the txt extension to reg. Double click the SSH.reg file and click yes to merge the information to the registry. This will reset the registry to show super hidden files on the drive.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
    O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
    O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} -
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} -



    Go to msconfig and again check the /safeboot box. Then click the startup tab, check all boxes and close. Choose to restart.


    Open C:\WINDOWS\System32 and look for the files TFTP1832 and TFTP4368. Delete if found.

    Were you able to locate the Yahoo.exe file? If not, open a search window and do a search of the C: drive for it. Make sure to do an advanced search, including hidden files and folders. Delete if found.

    Empty the recycle bin.

    Uncheck the /safeboot box and reboot.


    Surf a bit then run another HJT scan and post the log.

    Your log still does not reflect having done any Windows Updates.
     
  5. 2004/12/10
    Up your ringer

    Hi Again,

    I have done all of the above, located the TFTP files, and deleted the selected two. I have also deleted Yahoo.exe.

    I ran Windows Update and downloaded 21 new updates, but I may have posted the last log before I did the scan.

    Here is the NEW HJT log.

    (No pop ups at the mo! :D)

    Logfile of HijackThis v1.98.2
    Scan saved at 17:02:41, on 10/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Rob\Desktop\HJT\HijackThis.exe

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC4D1E0C-0E38-429C-A97B-B24FAC9728D3}: NameServer = 194.74.65.85 194.72.9.44
     
  6. 2004/12/10
    Up your ringer


    I have got no idea what these sites are, but soft-search.net related to some of the pop ups I used to get.....
     
  7. 2004/12/10
    noahdfear

    Please download Ms4Hd.txt, saving to the desktop, and again, change the extension to reg.

    Reboot to safe mode and double click the reg file to merge it to the registry. Scan again with HJT and fix the following.

    O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe

    Search the drive for the Yahoo.exe again and delete all found. Let me know if it's in the same location as when deleted before. Reboot back to Windows and do another HJT scan and post the log. See if Yahoo.exe was recreated again after reboot and let me know also. If it is recreated and/or still shows up in the HJT scan as a run entry, please do the following.

    Download and install Process Explorer, unzip and open, then click file>save as and save the log to your desktop. Open and copy/paste it here.

    The HJT log still does not reflect installing Windows Updates. Did you install them also, or just download them? This, MSIE: Internet Explorer v6.00 (6.00.2600.0000), should at the very least show as (6.00.2800.1106), but would be even higher after installing SP2, which should be offered as a critical update.
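
The kinds of entries picked out in the posts above, as an added example that is not part of the original thread: a small Python triage pass over HijackThis log lines. The `triage` function and its rule names are hypothetical; the sample lines are copied from the logs posted here, and the minimum IE build is the one noahdfear names.

```python
import re

# Constructed sample: a few lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""MSIE: Internet Explorer v6.00 (6.00.2600.0000)
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

MIN_IE_BUILD = (6, 0, 2800, 1106)  # minimum build named in the thread

ENTRY = re.compile(r"^\s*(O\d+) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.*)$")
MSIE = re.compile(r"^\s*MSIE: .*\((\d+(?:\.\d+){3})\)")

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        ver = MSIE.match(line)
        if ver:
            build = tuple(int(p) for p in ver.group(1).split("."))
            if build < MIN_IE_BUILD:
                findings.append(("ie-build-below-minimum", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        code, rest = m.groups()
        run = RUN.match(rest) if code == "O4" else None
        if run and "\\" not in run.group(2):
            # No directory in the command: Windows resolves it via the search path.
            findings.append(("run-entry-without-path", line))
        elif code == "O15":
            findings.append(("trusted-zone-site", line))
        elif code == "O16" and rest.rstrip().endswith("-"):
            findings.append(("dpf-without-source", line))
        elif rest.endswith(("(file missing)", "(no file)")):
            findings.append(("target-file-missing", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```

A flagged line is a prompt to check the entry by hand, not a verdict; legitimate software can trip any of these rules.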
     