ddtcec

hjt log... pop-ups taking over

4 posts in this topic

Logfile of HijackThis v1.97.7

Scan saved at 11:56:13 AM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\ImageMate CompactFlash USB\SandIcon.Exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\iefeatures.exe

C:\WINDOWS\System32\tftiperf.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Nikon\NkView5\NkvMon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\hjt\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {26C00EB6-C13C-4E91-9FE0-3B100159E9EF} - C:\WINDOWS\System32\IEEnhancer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [sandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe

O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [ss6g3Fg] tftiperf.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.99/webify/ActiveX/PrintToPrinterX_NET.ocx

O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.99/webify/ActiveX/SpoolViewerX_NET.ocx

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE

O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab

O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.99/webify/ActiveX/ScreenPOPX_NET.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8069.4353240741

O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.99/webify/ActiveX/Progr...talystX_NET.ocx

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.99/webify/WebUtil/HPDirectX_NET.ocx

O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/CashR...erfaceX_NET.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/COMPo...erfaceX_NET.ocx

O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.99/webify/ActiveX/HPTransactionX_NET.ocx


Hi ddtcec,

 

A couple of things to do first. Download a Free Trial of Trojan Hunter at http://www.misec.net/products/TrojanHunter.exe first.

Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

 

Then, Please download Spybot: Search and Destroy from http://www.safer-networking.org/index.php?...n&page=download

Check for Updates first, download ALL Updates and Do a Scan.

When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

 

I'd Also Recommend you Download AdAware, Another good Antispyware Program From http://www.lavasoftusa.com/support/download/.

Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.

Do a scan on AdAware and Remove Everything it suggests.

------------------

Then go to Start, Control Panel, Add/Remove Programs and find:

 

"Window Search" And "WinTools" and remove (uninstall) them.

You will be given a security code to insert, do so.

And reboot when done.

 

*If not found run these uninstallers:

1. New_uninstall.exe http://lop.com/new_uninstall.exe

2. Toolbar_uninstall.exe http://lop.com/toolbar_uninstall.exe

----------

Then, while still in Add/Remove Programs, follow this link to remove POP (People OnPage)

http://www.pchell.com/support/peopleonpage.shtml

 

Also, look for this entry, and remove it also, if there: Golden Palace Casino PT

 

-------

 

Then, open HijackThis, click Scan, then put a check next to the following entries:

 

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

 

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {26C00EB6-C13C-4E91-9FE0-3B100159E9EF} - C:\WINDOWS\System32\IEEnhancer.dll

 

O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe

O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [ss6g3Fg] tftiperf.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

 

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE

 

 

Then, close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Then, boot to safe mode (tap F8 while restarting) and delete these Folders:

 

C:\Program Files\Precpop2\

C:\Program Files\AutoUpdate\

C:\Program Files\Common files\WinTools\

 

And these Files:

 

C:\WINDOWS\System32\manage.exe

C:\WINDOWS\System32\iefeaturesversion.exe

C:\WINDOWS\System32\iefeatures.exe

C:\WINDOWS\alchem.exe

C:\WINDOWS\System32\Adstartup.exe

 

You may have to show hidden files:

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Then, (after your system is clean) you should disable System Restore.

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

then re-enable it, to make sure the virus isn't in your restore points.

 

After you do the above, please post a new HijackThis log.


OK, I did all of that... new log.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:45:42 AM, on 5/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\ImageMate CompactFlash USB\SandIcon.Exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Nikon\NkView5\NkvMon.exe

C:\WINDOWS\System32\svchost.exe

C:\hjt\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [sandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.99/webify/ActiveX/PrintToPrinterX_NET.ocx

O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.99/webify/ActiveX/SpoolViewerX_NET.ocx

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae0...all/xscan53.cab

O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab

O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.99/webify/ActiveX/ScreenPOPX_NET.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8069.4353240741

O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.99/webify/ActiveX/Progr...talystX_NET.ocx

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.99/webify/WebUtil/HPDirectX_NET.ocx

O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/CashR...erfaceX_NET.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/COMPo...erfaceX_NET.ocx

O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.99/webify/ActiveX/HPTransactionX_NET.ocx

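The before-and-after comparison this thread does by eye, as an added example that is not part of the original posts: it parses HijackThis entry lines and reports which entries from a fix list are gone from the follow-up log and which entries are new. The function names are illustrative, and the embedded logs are shortened excerpts of the ones posted above.

```python
import re

# A HijackThis entry is "<section> - <body>"; the header lines and the
# "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, body) entries found in a pasted log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse runs of whitespace so forum re-wrapping does not matter.
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def review_fix(before, after, fix_list):
    """Check a follow-up log against the entries that were to be fixed."""
    before_e, after_e, wanted = (parse_entries(t) for t in (before, after, fix_list))
    return {
        "removed": sorted(wanted - after_e),
        "still_present": sorted(wanted & after_e),
        "not_in_first_log": sorted(wanted - before_e),
        "new_since_first_log": sorted(after_e - before_e),
    }

# Shortened excerpts of the logs and fix list posted in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
"""
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
"""

if __name__ == "__main__":
    for key, items in review_fix(BEFORE, AFTER, FIX_LIST).items():
        print(f"{key}: {len(items)}")
        for section, body in items:
            print(f"  {section} - {body}")
```

An entry listed under `still_present` means the fix did not take or the entry was re-created after the reboot; one under `new_since_first_log` should be matched to software installed in between, as the THGuard entry is here.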

I would uninstall Spykiller in Add/Remove Programs, and use Spybot & Adaware.

 

 

Unless you know what these are, Fix these in HijackThis:

 

O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab

O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.99/webify/ActiveX/PrintToPrinterX_NET.ocx

O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.99/webify/ActiveX/SpoolViewerX_NET.ocx

O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab

O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.99/webify/ActiveX/ScreenPOPX_NET.ocx

O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.99/webify/ActiveX/Progr...talystX_NET.ocx

O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.99/webify/WebUtil/HPDirectX_NET.ocx

O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/CashR...erfaceX_NET.ocx

O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.99/webify/ActiveX/COMPo...erfaceX_NET.ocx

O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.99/webify/ActiveX/HPTransactionX_NET.ocx

 

Other than that your log looks good.

 

 

Here is some free protection you should consider:

Download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

 

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

 

Check for updates occasionally.

 

 

And also see

So how did I get infected in the first place?

http://forums.net-integration.net/index.php?showtopic=3051
