
hjt log... pop-ups taking over


3 replies to this topic

#1 ddtcec

ddtcec

    Member

  • Full Member
  • 23 posts

Posted 21 May 2004 - 10:57 AM

Logfile of HijackThis v1.97.7
Scan saved at 11:56:13 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\iefeatures.exe
C:\WINDOWS\System32\tftiperf.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26C00EB6-C13C-4E91-9FE0-3B100159E9EF} - C:\WINDOWS\System32\IEEnhancer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ss6g3Fg] tftiperf.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: IEEnhancer - http://64.69.90.233/...p/IEPackage.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.9...rinterX_NET.ocx
O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.9...ViewerX_NET.ocx
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE
O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab
O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.9...eenPOPX_NET.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8069.4353240741
O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.9...talystX_NET.ocx
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.9...DirectX_NET.ocx
O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.9...actionX_NET.ocx

#2 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 21 May 2004 - 08:03 PM

Hi ddtcec,

A couple of things to do first. Download a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe first.
Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/v.../virusscan.aspx.

Then, Please download Spybot: Search and Destroy from http://www.safer-net...n&page=download
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

I'd Also Recommend you Download AdAware, Another good Antispyware Program From http://www.lavasoftu...pport/download/.
Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.
Do a scan on AdAware and Remove Everything it suggests.
------------------
Then go to Start, Control Panel, Add/Remove Programs and find:

"Window Search" And "WinTools" and remove (uninstall) them.
You will be given a security code to insert, do so.
And reboot when done.

*If not found run these uninstallers:
1. New_uninstall.exe http://lop.com/new_uninstall.exe
2. Toolbar_uninstall.exe http://lop.com/toolbar_uninstall.exe
----------
Then, while still in Add/Remove Programs, follow this link to remove POP (People OnPage)
http://www.pchell.co...pleonpage.shtml

Also, look for this entry, and remove it also, if there: Golden Palace Casino PT

-------

Then, open HijackThis, click Scan, then put a check next to the following entries:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {26C00EB6-C13C-4E91-9FE0-3B100159E9EF} - C:\WINDOWS\System32\IEEnhancer.dll

O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ss6g3Fg] tftiperf.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywa...r2501031120.EXE


Then, close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Then, boot to safe mode (tap F8 while restarting) and delete these Folders:

C:\Program Files\Precpop2\
C:\Program Files\AutoUpdate\
C:\Program Files\Common files\WinTools\

And these Files:

C:\WINDOWS\System32\manage.exe
C:\WINDOWS\System32\iefeaturesversion.exe
C:\WINDOWS\System32\iefeatures.exe
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\Adstartup.exe

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, (after your system is clean) you should disable System Restore.
http://service1.syma...src=sec_doc_nam
then re-enable it, to make sure the virus isn't in your restore points.

After you do the above, please post a new HijackThis log.
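The triage in the reply above is done by eye; as an added example (not code from this thread or from HijackThis), the script below applies three of the same checks to lines copied from the posted log: an unnamed O2 BHO living outside Program Files, an O4 Run value that is a bare file name, and an O16 DPF control fetched from a raw IP address (split into public versus private LAN addresses, since the 192.168.100.9 controls may well be an in-house install that the user should confirm rather than delete). The 192.168.100.9 URL path is a constructed placeholder because the posted log truncates it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the first HijackThis log in this thread.
# The path on the 192.168.100.9 line is a placeholder; the posted log truncates it.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\\WINDOWS\\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [ss6g3Fg] tftiperf.exe
O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab
O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.9/PLACEHOLDER.ocx
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \S+(?: \([^)]*\))? - (?P<url>\S+)$")


def first_token(cmd):
    """Executable part of a Run value, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, key, reason) tuples for entries that deserve a closer look.
    These are heuristics: a hit means 'verify', not 'malware'."""
    findings = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            # Legitimate BHOs usually carry a name and live under Program Files;
            # an unnamed DLL dropped straight into C:\WINDOWS is a classic hijacker pattern.
            if m["name"] == "(no name)" and not m["path"].lower().startswith("c:\\program files\\"):
                findings.append(("O2", m["clsid"], "unnamed BHO outside Program Files"))
        elif m := O4_RE.match(line):
            # A bare file name is resolved through the PATH search order, not a fixed location.
            if "\\" not in first_token(m["cmd"]):
                findings.append(("O4", m["key"], "Run entry with bare filename"))
        elif m := O16_RE.match(line):
            host = urlsplit(m["url"]).hostname
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # plain DNS name: nothing to say from the address alone
            reason = "ActiveX from private LAN address, confirm with admin" if ip.is_private else "ActiveX from public raw IP"
            findings.append(("O16", host, reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

The named Adobe BHO and the Symantec vptray entry pass all three checks, so only four of the six sample lines are reported.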

#3 ddtcec

ddtcec

    Member

  • Full Member
  • 23 posts

Posted 24 May 2004 - 09:47 AM

OK, I did all of that... new log.

Logfile of HijackThis v1.97.7
Scan saved at 10:45:42 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: IEEnhancer - http://64.69.90.233/...p/IEPackage.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.9...rinterX_NET.ocx
O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.9...ViewerX_NET.ocx
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab
O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.9...eenPOPX_NET.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8069.4353240741
O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.9...talystX_NET.ocx
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.9...DirectX_NET.ocx
O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.9...actionX_NET.ocx

#4 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 24 May 2004 - 05:24 PM

I would uninstall Spykiller in Add/Remove Programs, and use Spybot & Adaware.


Unless you know what these are, Fix these in HijackThis:

O16 - DPF: IEEnhancer - http://64.69.90.233/...p/IEPackage.cab
O16 - DPF: {0A0E7EAB-0CEA-40E9-B9C8-C8BA31E51A2A} (PrintToPrinterX_NET Control) - http://192.168.100.9...rinterX_NET.ocx
O16 - DPF: {30660755-1DB6-48B4-AB5C-873D511F77AE} (SpoolViewerX_NET Control) - http://192.168.100.9...ViewerX_NET.ocx
O16 - DPF: {814F07FE-0957-4FDA-842A-53CF63112D99} - http://64.69.90.233/IEPackage.cab
O16 - DPF: {914CB587-A759-413F-A03F-0DFE8BA003CB} (ScreenPOPX_NET Control) - http://192.168.100.9...eenPOPX_NET.ocx
O16 - DPF: {A35A7AE9-7E67-4515-B4DD-B6A66005EF21} (ProgramCatalystX_NET Control) - http://192.168.100.9...talystX_NET.ocx
O16 - DPF: {AE979D27-DF8D-44F0-AA99-E4DA3354A052} (HPDirectX_NET Control) - http://192.168.100.9...DirectX_NET.ocx
O16 - DPF: {D17CB944-E462-4775-94B5-6D201B71A79C} (CashRegisterInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {D2F59844-B787-47DF-B9D6-6FA6AD9BCC67} (COMPortInterfaceX_NET Control) - http://192.168.100.9...erfaceX_NET.ocx
O16 - DPF: {E4FD3195-07CB-4963-AEEE-512976902C79} (HPTransactionX_NET Control) - http://192.168.100.9...actionX_NET.ocx

Other than that your log looks good.


Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Check for updates occasionally.


And also see
So how did I get infected in the first place?
http://forums.net-in...?showtopic=3051



