Jump to content


Photo

Logfile Help/IE popups?


  • Please log in to reply
7 replies to this topic

#1 Jade_Gryphon

Jade_Gryphon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 05:20 AM

I'm currently PLAGUED by Internet Explorer popups, and nothing seems to be helping, not even popup blockers. My final conclusion is that it's adware causing it...I tried numerous adware removal programs, ad aware and spy removal included, but so far, the pop ups are still happening. I downloaded hijack this, but have not been able to make heads or tails of the log file. can anyone help?

I also should mention that XP takes forever to load as well, another thing i think is at fault with adware.

Here's my log.:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AMERIC~1.0\aol.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\aim\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Communities.com\ThePalace\Palace32.exe
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\WINDOWS\System32\Xchb.exe
C:\WINDOWS\System32\AwjFx8f.exe
C:\Documents and Settings\Kenaikoda\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\GnumBu.exe
O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.17.4

Edited by Jade_Gryphon, 28 June 2004 - 05:33 AM.


#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 28 June 2004 - 07:10 PM

Hello,

You have a Peper infection. Please click here to download the PeperFix tool. Save it to your desktop.

IMPORTANT: Print these instructions so you will be able to follow them when offline.

Next, boot into Safe Mode...

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Now, doubleclick on the PeperFix tool, click "Find and Fix," wait, then reboot if prompted (Safe Mode again). Run it a second time, and reboot.

Click here to download Spybot Search & Destroy - install, update, scan in Safe Mode and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Scan in Safe Mode. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives," "Scan active processes," "Scan registry," "Deep scan registry," "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is completed, the screen will tell you if anything has been found. Click "Next." The bad files will be listed; right click the pane and click "Select all objects" - this will put a check mark in the box at the side; click "Next" again and click "OK" at the prompt, "# objects will be removed. Continue?"

Reboot when done.

Run an online virus scan and an online Trojan scan. (See links in my signature below). Allow the programs to remove whatever they may find. Reboot after each scan.

Rescan with HijackThis and post a new log here in this same thread so that we can work on the remaining issues in your log.

#3 Jade_Gryphon

Jade_Gryphon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 28 June 2004 - 11:10 PM

Okay, I'll do that...but, Spybot Search and Destroy doesn't work right for me, every time i try to delete stuff it goes "Not Responding". -_-; Is there any alternate spyware removal program that works just as well?

#4 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 29 June 2004 - 12:02 AM

Hello,

You may get a better response from Spybot S&D after you've run the PeperFix tool and gotten rid of that troublesome Trojan. Also, running it in Safe Mode may make a difference. Just try it. Ad-aware is just as good; however, one often catches something that the other misses, so it's best to use both if possible.

#5 Jade_Gryphon

Jade_Gryphon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 29 June 2004 - 08:41 AM

Hmm...okay...tried it. peperfix found nothing, and spybot still froze in safe mode too. >.O Any suggestions? lemme put another revised logfile up...i got rid of like 6 trojans, too. geh. >_o :

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
C:\Program Files\aim\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AMERIC~1.0\aol.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Documents and Settings\Kenaikoda\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.18.4

Edited by Jade_Gryphon, 29 June 2004 - 09:11 AM.


#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 29 June 2004 - 01:57 PM

Hi,

PeperFix doesn't tell you what it finds, it just removes the infection, and that's exactly what it's done. Don't worry about Spybot S&D at this point, just use the Ad-aware, configured for a customized scan.

In order to go further with HijackThis, you need to post a full log, including the header at the top, that gives version information as well as information about your operating system.

As of today, there is a NEW VERSION of HijackThis available, 1.98. Please uninstall your old version of HijackThis, and download and install v1.98. (Use the link in my signature below).

Scan with HijackThis and post a fresh log into this same thread.

#7 Jade_Gryphon

Jade_Gryphon

    Member

  • New Member
  • Pip
  • 4 posts

Posted 01 July 2004 - 11:20 PM

It loads faster now, but i still have the evil IE popups...

Recent logfile:

Logfile of HijackThis v1.98.0
Scan saved at 9:19:54 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
C:\Program Files\aim\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AMERIC~1.0\aol.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Kenaikoda\Application Data\Mozilla\Profiles\default\aot2jm0o.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2FE97F0-2206-4439-AE60-9FF7B2B35BA2}: NameServer = 198.81.18.4

#8 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 02 July 2004 - 04:47 AM

Hello,

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Please put HijackThis in a folder. It's currently in Program Files and that's fine, but it needs to be in a folder. Just navigate to Program Files, right click on a blank space, select "New," select "Folder." Name the new folder something like HJT or HijackThis. Now, right click on HijackThis.exe, select "Cut." Open the new folder, right click on a space, select "Paste." HijackThis is now in its new folder.

Please run HijackThis in Safe Mode.....

Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...B_PVER}&ar=home

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O3 - Toolbar: enc ooze - {99F88EA1-05C5-7A2B-F831-9B8DD68BEFAC} - C:\PROGRA~1\MEALDE~1\Dash Ford.dll (file missing)

O4 - HKLM\..\Run: [cidaermon.exe] C:\WINDOWS\System32\cidaermon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


I suggest you uninstall this program in Add/Remove Programs after fixing this next line with HijackThis. You could replace it with something like the Google Toolbar that comes with a very good popup blocker....

O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll

O4 - HKLM\..\Run: [logocake] C:\PROGRA~1\PLAYPL~1\ToolBlah.exe

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Enable the ”Show Hidden Files and Folders” option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\WINDOWS\System32\cidaermon.exe < file

C:\WINDOWS\System32\pdfupd.dll < file

C:\PROGRAM FILES\PLAYPL~1\ < folder NOTE: The name of the folder begins with PLAYPL with ~1 representing the remaining multiple unknown characters in the folder name.

C:\Program Files\KewlBar 5.0\ < folder

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Empty your Recycle Bin.

Reboot.

Proceed to the Windows Update site (see link below) download and install [b]ALL
critical updates.

Reboot when finished.

Scan with HijackThis and post a fresh log into this same thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button