unwanted pop up


4 replies to this topic

#1 jevelasquez

Posted 04 July 2004 - 11:06 AM

I'm getting unwanted pop-ups when I go on the internet.
After I run Ad-Aware 6 and remove some elements it seems to be OK, but if I restart my PC, when I go on the internet I get this pop-up again...
Any help on how to get rid of this?

Thanks

#2 dave38

Posted 04 July 2004 - 05:34 PM

We need a closer look at what's happening.
Please download HijackThis.
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#3 jevelasquez

Posted 05 July 2004 - 10:10 AM

Thanks for the response.

This is the log file.

As a note, this morning just after dialing in to the internet I got a pop-up screen (even before loading IE) with a page of "Mercado Libre".
I hope you can help me.


Logfile of HijackThis v1.98.0
Scan saved at 10:06:21 AM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Archivos de programa\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\ARCHIV~1\NETFORMX\BIN\OSCMGR4.EXE
C:\ARCHIV~1\NETFORMX\BIN\OSSERVER.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\carpserv.exe
C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\system32\sfpsvr.exe
C:\documents and settings\propietario\configuración local\temp\PmF.exe
C:\Archivos de programa\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Zig5qx6.exe
C:\WINDOWS\System32\RumB3.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Documents and Settings\Propietario\Configuración local\Temp\Directorio temporal 2 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multitel.com.co/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Archivos de programa\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Zoom] C:\Archivos de programa\HPQ\Desktop Zoom\hpwinadj.exe -s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Archivos de programa\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Archivos de programa\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Archivos de programa\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [PmF] C:\documents and settings\propietario\configuración local\temp\PmF.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Wkv9.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [p76X33l] cnelbmsg.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Archivos de programa\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Netformx Updater.lnk = ?
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E521F3B1-E2C4-4FB6-AB64-F3E747382A4E}: NameServer = 200.13.224.8 200.75.78.78

#4 dave38

Posted 05 July 2004 - 05:02 PM

You have the Peper trojan, which requires special treatment to put it out of your misery!
Please download and run this uninstaller.

Click on the peperfix link, and download the program. Then go offline and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with HijackThis.

Next, go to the folder C:\Archivos de programa\Common Files\midaddle, and check if there is an uninstaller there. If so, run it.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R3 - Default URLSearchHook is missing

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Archivos de programa\Common Files\midaddle\midaddle.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll

O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [PmF] C:\documents and settings\propietario\configuración local\temp\PmF.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Wkv9.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [p76X33l] cnelbmsg.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

Reboot and delete the following files:
C:\WINDOWS\system32\sfpsvr.exe
All files in the C:\documents and settings\propietario\configuración local\temp folder
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\System32\Wkv9.exe
C:\WINDOWS\System32\dp-him.exe
cnelbmsg.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

#5 jevelasquez

Posted 05 July 2004 - 06:45 PM

I've tried to follow your instructions step by step, but I have some questions:
- After running the peperfix, it asked me to restart the PC; I did not.
- After running the uninstall program in C:\Archivos de programa\Common Files\midaddle, it asked me to restart the PC again; I did not.

I restarted the PC only when your instructions said to.

After the restart:
- There were some files I couldn't remove from the temp folder: 4 files called "me_???????"
- I can't find the files:
C:\WINDOWS\System32\Wkv9.exe
C:\WINDOWS\System32\dp-him.exe
cnelbmsg.exe

This is the HijackThis log after all that.

Logfile of HijackThis v1.98.0
Scan saved at 6:32:42 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Archivos de programa\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\ARCHIV~1\NETFORMX\BIN\OSCMGR4.EXE
C:\ARCHIV~1\NETFORMX\BIN\OSSERVER.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\carpserv.exe
C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\ARCHIV~1\NORTON~1\navapw32.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Propietario\Configuración local\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multitel.com.co/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Desktop Zoom] C:\Archivos de programa\HPQ\Desktop Zoom\hpwinadj.exe -s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Archivos de programa\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Archivos de programa\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Archivos de programa\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARCHIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Archivos de programa\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Voqw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Netformx Updater.lnk = ?
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} - http://www.adshooter...00/SYSsfitb.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

I hope I've done everything right.

At least while I've been writing this I haven't gotten any pop-ups.

Thanks
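
Added example, not part of the original thread: comparing the first and follow-up logs entry by entry shows what a fix pass removed and what survived under the same identity, such as the Run value `2P6WFAX43ZHE7C`, which appears in both logs with a different file name. The `parse` and `diff` helpers and their identity rules are assumptions of this sketch, not HijackThis behaviour.

```python
import re
# Constructed sample: entry lines excerpted from the first and follow-up logs above.
BEFORE = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Archivos de programa\SEP\sep.dll
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\system32\sfpsvr.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Wkv9.exe
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Voqw.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")        # "O4 - ..." entry lines only
RUN = re.compile(r"^(.*?): \[(.+?)\] (.*)$")      # O4: hive, value name, command
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse(log):
    """Map each entry's stable identity to the data it currently holds."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                               # header, process list, blank
        code, body = m.groups()
        run = RUN.match(body) if code == "O4" else None
        clsid = CLSID.search(body)
        if run:                                    # identity = hive + value name
            key, value = (code, run.group(1), run.group(2)), run.group(3)
        elif clsid:                                # identity = label + CLSID
            key = (code, body[:clsid.end()])
            value = body[clsid.end():].lstrip(" -")
        else:                                      # identity = text before " = "
            name, _, value = body.partition(" = ")
            key = (code, name)
        entries[key] = value
    return entries

def diff(before, after):
    """Entries removed, added, or kept under the same identity with new data."""
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "retargeted": sorted((k, b[k], a[k]) for k in b if k in a and b[k] != a[k]),
    }

print(diff(BEFORE, AFTER)["retargeted"])
```

An entry listed under `retargeted` kept its registry value name while the file it launches changed between scans, so checking for the old file name alone would not show that the startup entry is still present.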



