elw

browser starts by itself?

5 posts in this topic

Initial FAQ/instructions read. Spybot S&D and Ad-aware have been run. Spybot has never found any problems - Ad-aware seems to find suspicious items every time it's run.

 

Symptoms are that computer has slow spells and starts up browser by itself bringing up unwanted ads (various in nature). User (an employee), of course, has no knowledge of ever downloading anything he shouldn't have. Several months back MSIE was bombarded with pop-up ads to the extent that you couldn't even use it, however the software referenced above seemed to fix the problem completely. So, I don't know whether this is a related problem or something new.

 

Thanks in advance for your advice! HiJack log is pasted below:

 

Logfile of HijackThis v1.98.0

Scan saved at 9:52:25 AM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\spoolsv.exe

C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Windows\System32\PROMon.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\QuickTime\qttask.exe

C:\windows\temp\GyHT.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\COMPAQ\ACLIENT\ACLIENT.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Windows\System32\NMSSvc.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\System32\FrnZ6Q.exe

C:\Windows\System32\FrnZ6Q.exe

C:\Documents and Settings\Administrator\Desktop\spyware removers\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rose.net/

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [GyHT.exe] C:\windows\temp\GyHT.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\Gxf524W7.exe

O4 - HKLM\..\Run: [AutoLoaderoF4y1ITTWIaW] "C:\Windows\System32\newap.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [osnO36O] nwsemui.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17

O17 - HKLM\System\CS1\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17


Found a new update (today's) to Ad-aware and changed to custom level scanning with all memory & registry items checked. Found & deleted 100+ items, too soon to tell if problem completely fixed...

 

New Hijack log pasted below:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:54:52 AM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\spoolsv.exe

C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Windows\System32\PROMon.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\QuickTime\qttask.exe

C:\windows\temp\GyHT.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\Windows\System32\FrnZ6Q.exe

C:\COMPAQ\ACLIENT\ACLIENT.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Windows\System32\ZzhGa.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Documents and Settings\Administrator\Desktop\spyware removers\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rose.net/

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [GyHT.exe] C:\windows\temp\GyHT.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\Gxf524W7.exe

O4 - HKLM\..\Run: [AutoLoaderoF4y1ITTWIaW] "C:\Windows\System32\newap.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [osnO36O] nwsemui.exe

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17

O17 - HKLM\System\CS1\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17


You have the Peper trojan, which requires special treatment to put it out of your misery!

Please download and run this uninstaller.

 

Click on the peperfix link, and download the program. Then go off line, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with Hijack this.

 

Next, using Windows Explorer, open the folder C:\Program Files\Common Files\midaddle, and check if there is an uninstaller there. If there is, run it, and then delete the folder C:\Program Files\Common Files\midaddle.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)

 

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)

 

O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

 

O4 - HKLM\..\Run: [GyHT.exe] C:\windows\temp\GyHT.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\Gxf524W7.exe

O4 - HKLM\..\Run: [AutoLoaderoF4y1ITTWIaW] "C:\Windows\System32\newap.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [osnO36O] nwsemui.exe

Reboot and delete files:

All files in the C:\windows\temp folder

C:\Windows\System32\Gxf524W7.exe

C:\Windows\System32\newap.exe

nwsemui.exe

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.
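The fix-then-rescan check described above can be automated. The following is an added example, not part of the original posts or of HijackThis itself: it parses the R*/O* entry lines and reports which fix-list entries still appear in a follow-up log. Matching on the CLSID or autorun value name rather than the full line is an assumption made here, chosen because the same BHO is shown as "Band Class ... (file missing)" in the first log and "(no name) ... (no file)" in the second.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # "O4 - HKLM\..\Run: [x] y"
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")       # CLSID in R3/O2/O3 lines
RUN_RE = re.compile(r"(\S+): \[([^\]]+)\]")         # autorun key and value name

def parse_entries(log_text):
    """Return (section, body) for every R*/O* entry line; other lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found

def entry_key(section, body):
    """Identity that survives cosmetic changes between scans (assumed scheme)."""
    guid = GUID_RE.search(body)
    if guid:                       # same CLSID, whatever name/path text is shown
        return (section, guid.group(0).upper())
    run = RUN_RE.match(body)
    if run:                        # same autorun key and value name
        return (section, run.group(1).lower(), run.group(2).lower())
    return (section, body.lower())

def remaining(fix_list_text, followup_log_text):
    """Fix-list entries that are still present in the follow-up log."""
    present = {entry_key(s, b) for s, b in parse_entries(followup_log_text)}
    return [f"{s} - {b}" for s, b in parse_entries(fix_list_text)
            if entry_key(s, b) in present]

# Shortened excerpts copied from the logs in this thread.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [GyHT.exe] C:\windows\temp\GyHT.exe
O4 - HKLM\..\Run: [osnO36O] nwsemui.exe
"""
FIRST_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [GyHT.exe] C:\windows\temp\GyHT.exe
O4 - HKLM\..\Run: [osnO36O] nwsemui.exe
"""
FINAL_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rose.net/
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
"""

if __name__ == "__main__":
    print(remaining(FIX_LIST, FIRST_LOG))
    print(remaining(FIX_LIST, FINAL_LOG))
```

An empty result only shows that the registry entries are gone from the log; it says nothing about files left on disk.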


Thanks so much for your help!

 

Everything was done as you suggested. Under the "delete files" part at the bottom of your message there were many files and various folders under the C:\Windows\Temp subdirectory, so I deleted them all - hope that was okay? Then the files you listed under the C:\Windows\System32 subdirectory could not be found. I did make sure to display hidden files - still no luck? Anyway, everything else was done just as requested and the computer seems to be fine so far...

 

Again, thanks for your help and the hijack log is pasted below:

 

Logfile of HijackThis v1.98.0

Scan saved at 5:22:42 PM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\spoolsv.exe

C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Windows\System32\PROMon.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\COMPAQ\ACLIENT\ACLIENT.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\Windows\Cpqdiag\Cpqdfwag.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe

C:\Windows\System32\NMSSvc.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Documents and Settings\Administrator\Desktop\spyware removers\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rose.net/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17

O17 - HKLM\System\CS1\Services\Tcpip\..\{1CA0F888-B5B8-471B-AFDD-6B42C750D99D}: NameServer = 172.17.1.10,172.17.1.17


Clean log! Well done.

 

Glad to help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
