annoying pop-up problem


7 replies to this topic

#1 shlock

Posted 01 July 2004 - 01:54 PM

I would like to thank anyone who can help in advance. I realize that your hard work is done voluntarily here. Recently my PC was hijacked by pop-up advertisements and usually my IE homepage is changed to zestyfind.com. Mostly the pop-ups are PC clean-up software, real-estate and insurance ads, etc., and spawn through this main address: c.azjmp.com. Nothing pornographic, thank goodness. I have the latest versions of Ad-Aware and Spybot, which I use frequently. I also downloaded HijackThis, followed the do-it-yourself walkthrough and deleted some spyware that was found. However, I am still plagued with random pop-ups and am at a loss as to how to go about getting rid of this spyware once and for all. There must be a hidden program somewhere that neither Ad-Aware nor Spybot can get to, or there are multiple programs that initiate one another. Below is the latest HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:48:53 AM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Documents and Settings\Shlock\My Documents\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7887.4871412037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks again for your assistance...

Shlock

#2 Autodad (Trusted Advisor)

Posted 01 July 2004 - 04:52 PM

Hello shlock,

Let's take a look for a Look2Me/Vx2 infection.
A tool has been made by Option^Explicit and freeatlast to find and remove it.

Please download VX2Finder from this link, and save it to your Desktop.

http://www.downloads...g/VX2Finder.exe

Run VX2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

#3 shlock

Posted 01 July 2004 - 07:33 PM

Thank you for your quick response Autodad. Here it is...

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\3eFX32VS.DLL
C:\WINDOWS\System32\3ffxOGL.dll
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\abctres.dll
C:\WINDOWS\System32\ansmsext.dll


Guardian Key--- is called:

User Agent String---
{ED366DD7-FF20-4941-9EEC-C540396F8BC5}


Shlock

#4 Autodad (Trusted Advisor)

Posted 01 July 2004 - 07:41 PM

Hi shlock,

Please follow these suggestions:


(You might want to print this part, because you will not be on the internet to perform these steps.)


Sign off and stay off the internet until the entire procedure is complete.

Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

Then select the *Delete these files* button.
You will be left with a notice about one file to be deleted on reboot.
It will ask to reboot on deletion of the last file (Reboot)

-----------------
Once back in Windows:

Open VX2Finder again and click on these buttons in the right pane:

user agent,
Guardian.reg,
restore policy

Exit and reboot.

Run VX2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
Then, please post it here with a fresh HijackThis log.

______

(Before posting a new HJT log, please put Hijackthis.exe in a Permanent Folder)

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double-click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

#5 shlock

Posted 01 July 2004 - 08:23 PM

Thanks again Autodad... here are the logs...

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---


Logfile of HijackThis v1.97.7
Scan saved at 6:22:29 PM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shlock\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\tgtsoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7887.4871412037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Shlock
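The two HijackThis logs in this thread (post #1 before VX2Finder was run, post #5 after) are the kind of pair a helper compares by eye. The script below does that comparison programmatically, as an added example written for this page; it is not a tool from the forum, from HijackThis or from VX2Finder. `LOG_BEFORE` and `LOG_AFTER` are trimmed excerpts of the two posted logs, the parser understands only the v1.97 line shapes visible on this page, and the "bare filename" heuristic is the editor's own triage rule, not something the thread states.

```python
"""Parse and compare HijackThis 1.97-style logs (added example, not a forum
or HijackThis tool).  LOG_BEFORE / LOG_AFTER are trimmed excerpts of the
logs posted in post #1 and post #5 of this thread."""
import re
from typing import List, Set, Tuple

# Excerpt of the log in post #1 (before the VX2Finder clean-up).
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:48:53 AM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Documents and Settings\Shlock\My Documents\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Startup: PowerReg Scheduler.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Excerpt of the log in post #5 (after the clean-up); only the process order differs.
LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 6:22:29 PM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shlock\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - Startup: PowerReg Scheduler.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

ENTRY_RE = re.compile(r"^O\d+ - ")                       # any "Onn - ..." finding
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$")  # Run-key autoruns


def parse_hjt(log: str) -> Tuple[List[str], Set[str]]:
    """Return (running processes in log order, set of 'Onn - ...' entries)."""
    processes: List[str] = []
    entries: Set[str] = set()
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_entries(before: Set[str], after: Set[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) findings between two scans, sorted for stable output."""
    return sorted(after - before), sorted(before - after)


def unqualified_run_targets(entries: Set[str]) -> List[str]:
    """Run-key entries whose command contains no backslash at all.

    A bare name such as SysTray.Exe is resolved through the search path at
    logon, so the file could live anywhere.  Editor's triage heuristic: it
    means 'verify by hand', not 'malicious'.
    """
    flagged = [e for e in entries
               if (m := RUN_RE.match(e)) and "\\" not in m.group(1)]
    return sorted(flagged)


if __name__ == "__main__":
    procs_before, before = parse_hjt(LOG_BEFORE)
    procs_after, after = parse_hjt(LOG_AFTER)
    added, removed = diff_entries(before, after)
    print(f"{len(procs_before)} -> {len(procs_after)} processes, "
          f"{len(before)} -> {len(after)} findings; added={added} removed={removed}")
    for entry in unqualified_run_targets(after):
        print("verify by hand:", entry)
```

Run against the two excerpts the diff is empty, which matches what the thread shows: the Look2Me/VX2 DLLs that VX2Finder listed never appeared as HijackThis findings in this version of the tool, so the before/after HJT logs could not have confirmed the removal on their own. The only line the heuristic raises is the path-less `SysTray.Exe` Run entry, which is exactly the sort of item a helper checks manually rather than fixes blindly.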

#6 Autodad (Trusted Advisor)

Posted 01 July 2004 - 08:54 PM

You're welcome shlock!

Your logs look clean.

Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occasionally.

And also see So how did I get infected in the first place?
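IESPYAD works by writing hostnames into Internet Explorer's ZoneMap so that they land in the Restricted sites zone (zone id 4), where ActiveX, scripting and cookies are disabled. The script below reproduces that mechanism for a handful of hosts, as an added example written for this page; it is not IESPYAD, ships none of its site list, and is not code from the forum. The two sample hosts are the ones named in post #1. It assumes the last two labels of a hostname are its registrable domain (wrong for names such as example.co.uk, which IE handles with its own suffix knowledge), and that the per-user `HKEY_CURRENT_USER` ZoneMap is the intended target.

```python
"""Emit a .reg file that puts hostnames into Internet Explorer's Restricted
sites zone, the mechanism IE-SPYAD relies on.  Added example for this thread,
not IE-SPYAD itself.  Assumption: the last two labels of a hostname are its
registrable domain (wrong for example.co.uk-style names)."""
from typing import Iterable

# IE URL security zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
ZONE_RESTRICTED = 4
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")
SAMPLE_HOSTS = ["zestyfind.com", "c.azjmp.com"]   # the two hosts named in post #1


def zone_key(host: str) -> str:
    """Registry key IE uses for a host: Domains\\<domain>[\\<remaining labels>].

    c.azjmp.com   -> ...\\Domains\\azjmp.com\\c
    zestyfind.com -> ...\\Domains\\zestyfind.com
    """
    labels = host.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a dotted hostname: {host!r}")
    domain = ".".join(labels[-2:])        # assumption: two-label registrable domain
    rest = ".".join(labels[:-2])          # subdomain labels, possibly empty
    key = f"{ZONEMAP_DOMAINS}\\{domain}"
    return f"{key}\\{rest}" if rest else key


def restricted_sites_reg(hosts: Iterable[str]) -> str:
    """Text of a .reg file; the '*' value applies the zone to every scheme."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in sorted(set(hosts)):
        lines += [f"[{zone_key(host)}]", f'"*"=dword:{ZONE_RESTRICTED:08x}', ""]
    return "\r\n".join(lines)


def write_reg(path: str, hosts: Iterable[str]) -> None:
    """Version-5.00 .reg files are UTF-16 with a BOM; Python's 'utf-16' codec
    writes the BOM, and newline='' keeps the CRLF line endings intact."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(restricted_sites_reg(hosts))


if __name__ == "__main__":
    print(restricted_sites_reg(SAMPLE_HOSTS))
```

Importing the generated file with regedit is the whole "installation"; removing the entries again is a matter of deleting the same keys. The check a practitioner wants before trusting any such list is that no key lands on a domain they actually need, since a Restricted-zone site loses scripting and ActiveX entirely rather than just its pop-ups.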

#7 shlock

Posted 02 July 2004 - 01:37 AM

Wow! What a relief! Thank you Autodad!

I would like to thank all those that donate their time so generously on this site to helping those afflicted with spyware. Your work is truly appreciated. I have been moved to make a donation to this worthy cause.

I noticed after I posted my last log that I did not correctly transfer HijackThis to the folder that I created in the main hard drive directory. I just wanted you to know that I didn't ignore your advice on this matter, I just simply screwed up... hehe. Also, I downloaded SpywareBlaster and it is up and running. I can't thank you enough.

Oh... one more thing Autodad... I meant to tell you this earlier... your avatar is awesome!


Shlock

Edited by shlock, 02 July 2004 - 01:38 AM.


#8 Autodad (Trusted Advisor)

Posted 02 July 2004 - 05:20 AM

Hi shlock,

Thanks for the kind words! :D

The credit needs to go to Option^Explicit and freeatlast for making an awesome tool that finds and fixes this infection with just a few mouse clicks.

As for the permanent folder, we didn't have to go into your log to fix this infection, so no big deal.
If you should ever get infected again, remember to put HJT in a permanent folder before fixing anything with it.

I know this site really appreciates your donation.
Thank you very much!

Stay safe. :wave:



