• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Jade_Gryphon

Logfile Help/IE popups?

8 posts in this topic

I'm currently PLAGUED by Internet Explorer popups, and nothing seems to be helping, not even popup blockers. My final conclusion is that it's adware causing it...I tried numerous adware removal programs, ad aware and spy removal included, but so far, the pop ups are still happening. I downloaded hijack this, but have not been able to make heads or tails of the log file. can anyone help?

 

I also should mention that XP takes forever to load as well, another thing i think is at fault with adware.

 

Here's my log.:

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AMERIC~1.0\aol.exe

C:\PROGRA~1\AMERIC~1.0\waol.exe

C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\aim\aim.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\WinMX\WinMX.exe

C:\Program Files\Communities.com\ThePalace\Palace32.exe

C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe

C:\WINDOWS\System32\Xchb.exe

C:\WINDOWS\System32\AwjFx8f.exe

C:\Documents and Settings\Kenaikoda\My Documents\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/

R3 - Default URLSearchHook is missing

N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\GnumBu.exe

O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...77/mcinsctl.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,18/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.17.4

Edited by Jade_Gryphon

Share this post


Link to post
Share on other sites

Hello,

 

You have a Peper infection. Please click here to download the PeperFix tool. Save it to your desktop.

 

IMPORTANT: Print these instructions so you will be able to follow them when offline.

 

Next, boot into Safe Mode...

 

Reboot into safe mode, this way:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Now, doubleclick on the PeperFix tool, click "Find and Fix," wait, then reboot if prompted (Safe Mode again). Run it a second time, and reboot.

 

Click here to download Spybot Search & Destroy - install, update, scan in Safe Mode and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Scan in Safe Mode. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives," "Scan active processes," "Scan registry," "Deep scan registry," "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is completed, the screen will tell you if anything has been found. Click "Next." The bad files will be listed; right click the pane and click "Select all objects" - this will put a check mark in the box at the side; click "Next" again and click "OK" at the prompt, "# objects will be removed. Continue?"

 

Reboot when done.

 

Run an online virus scan and an online Trojan scan. (See links in my signature below). Allow the programs to remove whatever they may find. Reboot after each scan.

 

Rescan with HijackThis and post a new log here in this same thread so that we can work on the remaining issues in your log.

Share this post


Link to post
Share on other sites

Okay, I'll do that...but, Spybot Search and Destroy doesn't work right for me, every time i try to delete stuff it goes "Not Responding". -_-; Is there any alternate spyware removal program that works just as well?

Share this post


Link to post
Share on other sites

Hello,

 

You may get a better response from Spybot S&D after you've run the PeperFix tool and gotten rid of that troublesome Trojan. Also, running it in Safe Mode may make a difference. Just try it. Ad-aware is just as good; however, one often catches something that the other misses, so it's best to use both if possible.

Share this post


Link to post
Share on other sites

Hmm...okay...tried it. peperfix found nothing, and spybot still froze in safe mode too. >.O Any suggestions? lemme put another revised logfile up...i got rid of like 6 trojans, too. geh. >_o :

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

C:\Program Files\aim\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AMERIC~1.0\aol.exe

C:\PROGRA~1\AMERIC~1.0\waol.exe

C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe

C:\Documents and Settings\Kenaikoda\My Documents\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/

R3 - Default URLSearchHook is missing

N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...77/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,18/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.18.4

Edited by Jade_Gryphon

Share this post


Link to post
Share on other sites

Hi,

 

PeperFix doesn't tell you what it finds, it just removes the infection, and that's exactly what it's done. Don't worry about Spybot S&D at this point, just use the Ad-aware, configured for a customized scan.

 

In order to go further with HijackThis, you need to post a full log, including the header at the top, that gives version information as well as information about your operating system.

 

As of today, there is a NEW VERSION of HijackThis available, 1.98. Please uninstall your old version of HijackThis, and download and install v1.98. (Use the link in my signature below).

 

Scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

It loads faster now, but i still have the evil IE popups...

 

Recent logfile:

 

Logfile of HijackThis v1.98.0

Scan saved at 9:19:54 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

C:\Program Files\aim\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\AMERIC~1.0\aol.exe

C:\PROGRA~1\AMERIC~1.0\waol.exe

C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe

C:\Program Files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...B_PVER}&ar=home

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/

R3 - Default URLSearchHook is missing

N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [spywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...77/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,18/mcgdmgr.cab

O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.18.4

Share this post


Link to post
Share on other sites

Hello,

 

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

 

Please put HijackThis in a folder. It's currently in Program Files and that's fine, but it needs to be in a folder. Just navigate to Program Files, right click on a blank space, select "New," select "Folder." Name the new folder something like HJT or HijackThis. Now, right click on HijackThis.exe, select "Cut." Open the new folder, right click on a space, select "Paste." HijackThis is now in its new folder.

 

Please run HijackThis in Safe Mode.....

 

Reboot into safe mode, this way:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...B_PVER}&ar=home

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

 

R3 - Default URLSearchHook is missing

 

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

 

O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

I suggest you uninstall this program in Add/Remove Programs after fixing this next line with HijackThis. You could replace it with something like the Google Toolbar that comes with a very good popup blocker....

 

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

 

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

 

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

 

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

 

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

 

Enable the ”Show Hidden Files and Folders” option:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

 

C:\WINDOWS\System32\cidaermon.exe < file

 

C:\WINDOWS\System32\pdfupd.dll < file

 

C:\PROGRAM FILES\PLAYPL~1\ < folder NOTE: The name of the folder begins with PLAYPL with ~1 representing the remaining multiple unknown characters in the folder name.

 

C:\Program Files\KewlBar 5.0\ < folder

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINDOWS\Temp\

 

C:\Temp\

 

C:\Documents and Settings\username\Local Settings\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Empty your Recycle Bin.

 

Reboot.

 

Proceed to the Windows Update site (see link below) download and install ALL critical updates.

 

Reboot when finished.

 

Scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0