Win32.trojan.dowloader



ninja_mushroom
2006-04-28, 21:12
I have this stupid (well, pretty intelligent really) spyware on my computer, and have run Adaware. I have run HijackThis; logfile below. If anyone can shed any light on this, it would be appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 8:10:53 PM, on 4/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\LimeWire\LimeWire.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\Me\LOCALS~1\Temp\Rar$EX00.906\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [WINSCHEDULER] F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [BlockChecker] F:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1052.dll,InstantAccess
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Climate Change Experiment Manager.lnk = F:\Program Files\Climate Change Experiment\cpdnbbcmgr.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143127577031
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries/egauth4/egauth4_1052_EN_XP.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe

P.S. I am stupid, please explain as simply as possible :)

thanks

Mushroom

pskelley
2006-04-29, 00:22
Hello and welcome to the forum. You have a nasty dialer. Before we start, HJT is running from a TEMP folder. This is not safe, as we will have no backups if we need them. I prefer you put it here: C:\HJT\HijackThis.exe. If you need more instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

Thanks to Metallica and any others who helped with this fix

Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE (http://metallica.geekstogo.com/EGDACCESS.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute, copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Restart the computer and post a new HJT log, stay in this same topic.

Thanks...pskelley
Safer Networking Forums

tashi
2006-05-03, 23:13
Still with us ninja_mushroom?

ninja_mushroom
2006-05-04, 16:46
Logfile of HijackThis v1.99.1
Scan saved at 3:45:44 PM, on 5/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\LimeWire\LimeWire.exe
F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [WINSCHEDULER] F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [BlockChecker] F:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Climate Change Experiment Manager.lnk = F:\Program Files\Climate Change Experiment\cpdnbbcmgr.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143127577031
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries/egauth4/egauth4_1052_EN_XP.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe


There we go, sorry about taking so long. Peace
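As an added example (not part of this thread and not the helpers' tooling), the following Python script reads HijackThis-style lines, flags entry shapes that are worth a second look in a log like the two posted above (a program running from a user Temp folder, rundll32 loading a DLL by bare name, an autorun entry pointing at an executable in the drive root, an O16 ActiveX download from a host outside a short allowlist) and diffs two logs to show which entries a fix removed. The embedded sample lines are excerpts of the first and second logs in this thread; the heuristics and the allowlist of expected download hosts are assumptions made for the example, not a verdict on any site.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O16", ... or "PROC" for a running-process line
    body: str     # the rest of the line, as HijackThis printed it


O_LINE = re.compile(r"^(O\d+) - (.*)$")
PROC_LINE = re.compile(r"^[A-Za-z]:\\\S")


def parse_hjt(text):
    """Split a HijackThis log into entries; header, blank and label lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O_LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif PROC_LINE.match(line):
            entries.append(Entry("PROC", line))
    return entries


# Hosts treated as expected sources of O16 ActiveX downloads. This allowlist is an
# assumption made for the example, not a judgement about any other site.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "fileplanet.com", "shockwave.com")

TEMP_PATH = re.compile(r"\\temp\\", re.I)                              # ...\Temp\... anywhere in a path
ROOT_EXE = re.compile(r'\b[A-Za-z]:\\[^\\\s"]+\.exe\b', re.I)          # X:\name.exe with no subdirectory
BARE_DLL = re.compile(r"rundll32(?:\.exe)?\s+([^\s,\\]+\.dll)", re.I)  # DLL named without any path
URL = re.compile(r"https?://\S+")


def _trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def flag_entry(e):
    """Return why an entry deserves a closer look, or None if nothing stands out."""
    if e.section in ("PROC", "O4") and TEMP_PATH.search(e.body):
        return "runs from a Temp folder"
    if e.section == "O4":
        if BARE_DLL.search(e.body):
            return "rundll32 loads a DLL by bare name"
        if ROOT_EXE.search(e.body):
            return "autorun executable in the drive root"
    if e.section == "O16":
        m = URL.search(e.body)
        host = urlparse(m.group(0)).hostname if m else None
        if host and not _trusted(host):
            return f"ActiveX download from unfamiliar host {host}"
    return None


def triage(text):
    """(section, body, reason) for every flagged entry, in log order."""
    flagged = []
    for e in parse_hjt(text):
        reason = flag_entry(e)
        if reason:
            flagged.append((e.section, e.body, reason))
    return flagged


def diff_logs(before_text, after_text):
    """Entries gone from the second log, and entries new in it (bodies, sorted)."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    removed = sorted(e.body for e in before - after)
    added = sorted(e.body for e in after - before)
    return removed, added


# Excerpts of the first and second logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\LimeWire\LimeWire.exe
F:\DOCUME~1\Me\LOCALS~1\Temp\Rar$EX00.906\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1052.dll,InstantAccess
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries/egauth4/egauth4_1052_EN_XP.cab
"""

LOG_AFTER = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\LimeWire\LimeWire.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries/egauth4/egauth4_1052_EN_XP.cab
"""

if __name__ == "__main__":
    for section, body, reason in triage(LOG_BEFORE):
        print(f"[{section}] {reason}: {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by the fix:", *removed, sep="\n  ")
    print("new in second log:", *added, sep="\n  ")
```

Run on the first excerpt, the script flags four entries (HijackThis itself in the Temp folder, the two Instant Access autoruns and the dlv4.com download); the diff of the two excerpts lists the three entries the BFU script removed and the one new entry, HijackThis now running from C:\HJT. The O16 line from dlv4.com is still present in the second log, which is why it is one of the items checked for "Fix Checked" in the next reply.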

pskelley
2006-05-04, 17:32
Thanks, it got the dialer and it's a nasty one. Let's proceed and clean you up good, like this:

1) Limewire: see this >>> http://www3.cai.com/securityadvisor/pest/Pest.aspx?id=453088059 and this: http://www.spywareinfo.com/articles/p2p/

Limewire (The most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean. Older and newer versions may not be.)
If you did not purchase the product, chances are it is a problem. I suggest you use Add Remove programs to uninstall it, and look on the list in the link for safe programs. I will proceed assuming you did this.
While you are in Add Remove programs, uninstall BlockChecker if there and any programs you know do not belong there. If you are not sure, let me know and I will look.

2) You have ewido onboard, open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: F:\Program Files\Block Checker\block-checker.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...ploader_v6.cab
O16 - DPF: {E49A9FCB-FAA9-4C1F-A1C1-54920DA2CCA4} - http://es6-scripts.dlv4.com/binaries...1052_EN_XP.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

F:\Program Files\Block Checker\ >>> folder

F:\Program Files\LimeWire\ >>> folder

F:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help.

Thanks...Phil

ninja_mushroom
2006-05-04, 20:30
Okay, this is the Ewido scan report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:09:44 PM, 5/4/2006
+ Report-Checksum: F48C98FC

+ Scan result:

F:\Documents and Settings\Me\Cookies\me@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@banner.clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@bilbo.counted[2].txt -> TrackingCookie.Counted : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@casinotropez[2].txt -> TrackingCookie.Casinotropez : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@clubdicecasino[2].txt -> TrackingCookie.Clubdicecasino : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@com[1].txt -> TrackingCookie.Com : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wfkiclajghq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wfkosjajslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wjk4giajsco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wjkyupdpako.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wjl4ulcpgcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@e-2dj6wjlislc5eeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
F:\Documents and Settings\Me\Cookies\me@www.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup


::Report End


The main thing I noticed about these is that these are the only pop-ups I receive, if that's any relevance.

and here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:30 PM, on 5/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\Program Files\ewido anti-malware\ewidoctrl.exe
F:\Program Files\ewido anti-malware\ewidoguard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\Climate Change Experiment\cpdnbbcmgr.exe
F:\Program Files\Climate Change Experiment\boinc.exe
F:\Program Files\Climate Change Experiment\projects\bbc.cpdn.org\hadcm3trans_5.08_windows_intelx86.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Climate Change Experiment\projects\bbc.cpdn.org\hadcm3transum_5.08_windows_intelx86.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\DOCUME~1\Me\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] F:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200 (Copy 1)] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P28 "EPSON Stylus CX3200 (Copy 1)" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [WINSCHEDULER] F:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Climate Change Experiment Manager.lnk = F:\Program Files\Climate Change Experiment\cpdnbbcmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143127577031
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "F:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - F:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe


Also, you said about removing Blockchecker.exe: I remember having problems with this back in December and removing it then, and it didn't show up in the Add/Remove Programs window, or in a search. So why or how that was showing up in the last HJT log, I don't know (then again, I don't know much).

peace

pskelley
2006-05-04, 21:42
First thing I notice is this: F:\DOCUME~1\Me\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe
It appears you are running HJT from two places, because your last log showed it here: C:\HJT\HijackThis.exe. You need to follow the pathway to that Temp folder and delete the contents. I will highlight the folder in red. Do not delete the folder, just the contents.

Besides that, your HJT log looks fine. You said this:

main thing I noticed about these is that these are the only pop-ups I receive if that's any relevance.
Are you saying the cookies ewido deleted, that those are the sites the popups are coming from?
This information will help you stop those cookies; I doubt they can create a popup if they can't install on your computer.
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
I also suggest you avoid sites that put cookies that make popups on your computer; if no one goes there, they will stop the practice.

I also suggest a good pop-up blocker, and this is the best: http://toolbar.google.com/ Now Google would like you to download a bunch of bells and whistles and resource wasters. If you use this toolbar, I suggest you download only the very basic toolbar and blocker.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing... tashi will close you up in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ninja_mushroom
2006-05-05, 00:35
You guys are legends, donation of gratitude coming straight from the UK

peace

The eagle may soar majestically, but the weasel doesn't get sucked into a jet engine

ninja_mushroom
2006-05-05, 09:42
are you saying the cookies ewido deleted, that those are the sites the popups are coming from?

Yeah, the casinotropez and the clubdicecasino are the main pop-ups I get (got).

peace

CalamityJane
2006-05-07, 01:25
Looks like you got your problems resolved :)

I'll go ahead and archive & close this thread. If you should need it reopened for any reason, please feel free to PM me or one of the Forum Leaders.