# http://adserving.cpxinteractive.com popup problems



## Russmo (Sep 30, 2006)

Whenever i open firefox i get these annoying popups from http://adserving.cpxinteractive.com. I did a virus scan with AVG but it did not fix the problem. Please help, thanks.

Hijack this log (if needed)------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:16:20 PM, on 14/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Documents and Settings\Owner\Desktop\Security stuff\hijackthis1991.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5046
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Cheeseball81 (Mar 3, 2004)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## Russmo (Sep 30, 2006)

Sorry about the delay, the scans took a while.

here is the AVG report

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_
_A_V_G_ _A_n_t_i_-_S_p_y_w_a_r_e_ _-_ _S_c_a_n_ _R_e_p_o_r_t_
_
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
_
_
_
_ _+_ _C_r_e_a_t_e_d_ _a_t_:_	_7_:_2_0_:_3_0_ _P_M_ _1_4_/_0_1_/_2_0_0_7_
_
_
_
_ _+_ _S_c_a_n_ _r_e_s_u_l_t_:_	_
_
_
_
_
_
_
_
_C_:_\_W_I_N_D_O_W_S_\_s_y_s_t_e_m_3_2_\_m_n_y_._e_x_e_ _-_>_ _A_d_w_a_r_e_._A_g_e_n_t_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_W_I_N_D_O_W_S_\_s_y_s_t_e_m_3_2_\_Y_i_n_s_t_a_l_l_._e_x_e_ _-_>_ _A_d_w_a_r_e_._P_u_r_i_t_y_S_c_a_n_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_W_I_N_D_O_W_S_\_D_o_w_n_l_o_a_d_e_d_ _P_r_o_g_r_a_m_ _F_i_l_e_s_\_3_1_3_1_3_3_3_5_2_D_2_D_2_D_._e_x_e_ _-_>_ _D_o_w_n_l_o_a_d_e_r_._A_d_l_o_a_d_._e_j_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_W_I_N_D_O_W_S_\_D_o_w_n_l_o_a_d_e_d_ _P_r_o_g_r_a_m_ _F_i_l_e_s_\_s_p_e_e_d_t_e_s_t_2_._d_l_l_ _-_>_ _N_o_t_-_A_-_V_i_r_u_s_._D_o_w_n_l_o_a_d_e_r_._W_i_n_3_2_._I_n_s_T_o_o_l_._a_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_2_o_7_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._2_o_7_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_n_e_t_e_u_r_o_p_e_._1_2_2_._2_o_7_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._2_o_7_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_m_s_n_p_o_r_t_a_l_._1_1_2_._2_o_7_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._2_o_7_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_u_s_a_t_o_d_a_y_1_._1_1_2_._2_o_7_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._2_o_7_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_b_r_i_t_e_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._A_d_b_r_i_t_e_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_v_e_r_t_i_s_i_n_g_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._A_d_v_e_r_t_i_s_i_n_g_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_t_d_m_t_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._A_t_d_m_t_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_w_w_w_._b_u_r_s_t_n_e_t_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._B_u_r_s_t_n_e_t_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_s_._c_a_s_a_l_e_m_e_d_i_a_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_a_s_a_l_e_m_e_d_i_a_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_a_s_a_l_e_m_e_d_i_a_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_a_s_a_l_e_m_e_d_i_a_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_e_n_t_r_p_o_r_t_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_e_n_t_r_p_o_r_t_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_l_i_c_k_b_a_n_k_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_l_i_c_k_b_a_n_k_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_1_._c_l_i_c_k_h_y_p_e_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_l_i_c_k_h_y_p_e_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_o_m_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_o_m_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_n_e_w_s_._c_o_m_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._C_o_m_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_d_o_u_b_l_e_c_l_i_c_k_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._D_o_u_b_l_e_c_l_i_c_k_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_o_p_t_._e_u_r_o_c_l_i_c_k_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._E_u_r_o_c_l_i_c_k_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_s_-_e_u_._f_a_l_k_a_g_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._F_a_l_k_a_g_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_f_a_s_t_c_l_i_c_k_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._F_a_s_t_c_l_i_c_k_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_e_h_g_-_g_l_o_b_a_l_g_a_m_i_n_g_l_e_a_g_u_e_._h_i_t_b_o_x_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._H_i_t_b_o_x_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_h_i_t_b_o_x_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._H_i_t_b_o_x_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_i_m_a_g_e_._m_a_s_t_e_r_s_t_a_t_s_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._M_a_s_t_e_r_s_t_a_t_s_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_m_e_d_i_a_p_l_e_x_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._M_e_d_i_a_p_l_e_x_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_p_e_r_f_._o_v_e_r_t_u_r_e_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._O_v_e_r_t_u_r_e_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_s_._p_o_i_n_t_r_o_l_l_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._P_o_i_n_t_r_o_l_l_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_q_u_e_s_t_i_o_n_m_a_r_k_e_t_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Q_u_e_s_t_i_o_n_m_a_r_k_e_t_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_b_s_._s_e_r_v_i_n_g_-_s_y_s_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._S_e_r_v_i_n_g_-_s_y_s_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_s_e_r_v_i_n_g_-_s_y_s_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._S_e_r_v_i_n_g_-_s_y_s_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_c_o_u_n_t_e_r_1_2_._s_e_x_t_r_a_c_k_e_r_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._S_e_x_t_r_a_c_k_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_s_e_x_t_r_a_c_k_e_r_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._S_e_x_t_r_a_c_k_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_s_t_a_t_c_o_u_n_t_e_r_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._S_t_a_t_c_o_u_n_t_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_t_a_c_o_d_a_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._T_a_c_o_d_a_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_t_r_i_b_a_l_f_u_s_i_o_n_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._T_r_i_b_a_l_f_u_s_i_o_n_ _:_ _C_l_e_a_n_e_d_._
_
_:_m_o_z_i_l_l_a_._3_0_:_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_A_p_p_l_i_c_a_t_i_o_n_ _D_a_t_a_\_M_o_z_i_l_l_a_\_F_i_r_e_f_o_x_\_P_r_o_f_i_l_e_s_\_a_o_l_w_9_h_k_e_._d_e_f_a_u_l_t_\_c_o_o_k_i_e_s_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Y_i_e_l_d_m_a_n_a_g_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_:_m_o_z_i_l_l_a_._3_1_:_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_A_p_p_l_i_c_a_t_i_o_n_ _D_a_t_a_\_M_o_z_i_l_l_a_\_F_i_r_e_f_o_x_\_P_r_o_f_i_l_e_s_\_a_o_l_w_9_h_k_e_._d_e_f_a_u_l_t_\_c_o_o_k_i_e_s_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Y_i_e_l_d_m_a_n_a_g_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_:_m_o_z_i_l_l_a_._3_2_:_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_A_p_p_l_i_c_a_t_i_o_n_ _D_a_t_a_\_M_o_z_i_l_l_a_\_F_i_r_e_f_o_x_\_P_r_o_f_i_l_e_s_\_a_o_l_w_9_h_k_e_._d_e_f_a_u_l_t_\_c_o_o_k_i_e_s_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Y_i_e_l_d_m_a_n_a_g_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_:_m_o_z_i_l_l_a_._3_3_:_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_A_p_p_l_i_c_a_t_i_o_n_ _D_a_t_a_\_M_o_z_i_l_l_a_\_F_i_r_e_f_o_x_\_P_r_o_f_i_l_e_s_\_a_o_l_w_9_h_k_e_._d_e_f_a_u_l_t_\_c_o_o_k_i_e_s_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Y_i_e_l_d_m_a_n_a_g_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_a_d_._y_i_e_l_d_m_a_n_a_g_e_r_[_1_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Y_i_e_l_d_m_a_n_a_g_e_r_ _:_ _C_l_e_a_n_e_d_._
_
_C_:_\_D_o_c_u_m_e_n_t_s_ _a_n_d_ _S_e_t_t_i_n_g_s_\_O_w_n_e_r_\_C_o_o_k_i_e_s_\[email protected]_z_e_d_o_[_2_]_._t_x_t_ _-_>_ _T_r_a_c_k_i_n_g_C_o_o_k_i_e_._Z_e_d_o_ _:_ _C_l_e_a_n_e_d_._
_
_
_
_
_
_:_:_R_e_p_o_r_t_ _e_n_d_

Activescan log

Incident Status Location

Adware:adware/intcodec Not disinfected Windows Registry 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.tribalfusion.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.com.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.247realmedia.com/] 
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.adtech.de/] 
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\aolw9hke.default\cookies.txt[.2o7.net/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected]iti[1].txt  
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\Security stuff\SmitfraudFix\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


----------



## Russmo (Sep 30, 2006)

oh yeah and here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:59:46 PM, on 15/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5046
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


----------



## Russmo (Sep 30, 2006)

also, just out of curiousity, why is it called "panda" activescan ?


----------



## Russmo (Sep 30, 2006)

hello?


----------



## Cheeseball81 (Mar 3, 2004)

That's just the name. Are you still getting pop ups?


----------



## Russmo (Sep 30, 2006)

I got one a few hours ago but Im pretty sure it was just one of those random ones, so is my computer all clean?


----------



## Cheeseball81 (Mar 3, 2004)

Looks okay. Keep me posted if you have anymore problems.


----------

