I have tried every spyware program I can think of and I am still getting popups from ad.freeadsolutions.com
Here is my HijackThis profile (I ran this in safe mode):
Logfile of HijackThis v1.99.1
Scan saved at 5:52:29 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - URLSearchHook: (no name) - _{A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {915D9B36-F039-4DC1-97C5-B21AFD832919} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O2 - BHO: (no name) - {A62E6DAB-820F-4183-9A68-EF29DC8624A7} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe
O4 - HKLM\..\Run: [sys11-2070825826] C:\WINDOWS\sys11-2070825826.exe
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Marion's\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - Startup: Navigator.lnk = C:\Program Files\DIRECWAY\BIN\dpcnav.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://*.update.windowsupdate.com
O15 - Trusted Zone: http://update.windowsupdate.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000881958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: Domain = direcway.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{025EE287-9762-4422-A980-A087E44D3A7F}: NameServer = 66.82.4.8,68.87.77.130
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll C:\WINDOWS\system32\taskmgr.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
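A log like the one above is normally triaged by eye, section by section. As an added example (not HijackThis code and not from this thread), here is a small Python script that parses the entry lines and flags the kinds of items a malware-removal helper looks at first: an Internet Settings ProxyServer pointing at the local machine, BHO or URLSearchHook entries whose file is gone, Run entries that launch from the Windows root or a profile's Application Data folder or carry generated numeric names, the same executable registered under two different Run names, and a populated AppInit_DLLs value. The sample log inside it is constructed from a few entries of the same shape (user name replaced); the heuristics, regexes and function names are mine, not HijackThis's.

```python
"""Triage a HijackThis log and flag entries worth a second look.
Added example; the heuristics below are the author's, not HijackThis's."""
import re

# Constructed sample: a few entries in the shape of a HijackThis log.
# Raw string so the backslashes in the paths stay literal.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
R3 - URLSearchHook: (no name) - {A5213F06-A3C6-FA14-9F49-FFBAAA3F1C95} - (no file)
O2 - BHO: (no name) - {019D40E7-CB54-41E0-8093-066575FCE86C} - C:\Program Files\ComPlus Applications\hosecu.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sys0370825826-20] C:\WINDOWS\sys0370825826-20.exe
O4 - HKLM\..\Run: [ckpsdr] C:\WINDOWS\system32\dslbdt.exe reg_run
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\User\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [yhwte] C:\WINDOWS\system32\dslbdt.exe reg_run
O20 - AppInit_DLLs: taskmgr.dll C:\WINDOWS\system32\svchost.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# "R1 - ..." / "O4 - ..." entry lines; header and process list are skipped.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# ProxyServer value that routes browser traffic through the local machine.
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=.*\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# HijackThis marks an entry whose target no longer exists on disk this way.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)", re.IGNORECASE)
# "[value name] <exe path> [args]"; the path may be quoted.
RUN_TARGET_RE = re.compile(r'\[[^\]]*\]\s*"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)
# Names such as sys0370825826-20.exe or 1201.exe: digits, optionally "sys" first.
GENERATED_NAME_RE = re.compile(r"^(sys)?\d{3,}[-\d]*\.exe$", re.IGNORECASE)
# Executables that legitimately live directly under the Windows directory.
KNOWN_WINDIR_ROOT = {"explorer.exe"}


def parse_entries(text):
    """Yield (section, body) for every entry line, e.g. ("O4", "HKLM\\..\\Run: ...")."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return a list of (section, reason, entry body) for entries that merit review."""
    findings = []
    seen_targets = set()  # lower-cased exe paths already registered under some Run value
    for section, body in parse_entries(text):
        if section == "R1" and LOCAL_PROXY_RE.search(body):
            findings.append((section, "browser proxy points at the local machine", body))
        elif section in ("R3", "O2") and ORPHAN_RE.search(body):
            findings.append((section, "registry entry whose target file is gone", body))
        elif section == "O4":
            m = RUN_TARGET_RE.search(body)
            if not m:
                continue
            path = m.group("path")
            fname = path.rsplit("\\", 1)[-1].lower()
            unusual_place = (WINDIR_ROOT_RE.match(path) and fname not in KNOWN_WINDIR_ROOT) \
                or APPDATA_RE.search(path)
            if unusual_place or GENERATED_NAME_RE.match(fname):
                findings.append((section, "autorun from an unusual location or with a generated name", body))
            elif path.lower() in seen_targets:
                findings.append((section, "same executable already registered under another autorun name", body))
            seen_targets.add(path.lower())
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body[len("AppInit_DLLs:"):].split()
            if dlls:  # these DLLs are loaded into every process that loads user32.dll
                findings.append((section, f"AppInit_DLLs loads {len(dlls)} DLL(s) into every user32 process", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {body}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; anything it leaves unflagged still needs the usual manual read, since the heuristics are a starting point rather than an allowlist of good entries.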
The files that Avenger didn't find aren't there; they're just the registry entries left showing in the HijackThis log.
Can you please scan with Ewido and show us the log? The log might be helpful too.
Try these scanners:
1. Try ATF Cleaner to clean your temp folders.
ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
Reboot your computer into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
2. This is just in case it is Wareout.
You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.
If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
3. And these to look for hidden files or rootkit-like files.
Download and save blacklight to your desktop.
https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click Scan > Next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
or:
Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete, click on File, Save, and save the log file. Post the log here.
In order to minimize the RKR log being polluted with legitimate data, run RootkitRevealer on an idle system.