Unwanted Popups


  • This topic is locked
6 replies to this topic

#1 skinsfan87

skinsfan87

    Member

  • Full Member
  • 14 posts

Posted 20 July 2004 - 04:19 PM

:alarm: I have posted 4 times and received no reply whatsoever. Once again, here is my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 5:16:48 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\htpoatb.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\winipcfgs.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\WindUpdates\WinKA.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner.HOME-HUE1X2N8VG\Desktop\Samir's Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.veri...e.htm?ver=6842
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKLM\..\Run: [hpiltlr] C:\WINDOWS\vgpojcbkq.exe
O4 - HKLM\..\Run: [nwhfwxes] C:\WINDOWS\ouaarap.exe
O4 - HKLM\..\Run: [KEI] C:\documents and settings\owner.home-hue1x2n8vg\local settings\temp\KEI.exe
O4 - HKLM\..\Run: [zquawlc] C:\WINDOWS\uvjmacdwa.exe
O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [E6CB4DB8] C:\WINDOWS\System32\bhsfcbhjxyeji.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [wprmsoovszu] C:\WINDOWS\System32\nuynny.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [pqjzpjgi] C:\WINDOWS\mwzqoi.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] htpoatb.exe
O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
O4 - HKLM\..\RunServices: [726F1345] C:\WINDOWS\System32\bhsfcbhjxyeji.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Microsoft Update Debugger] wincfg32.exe
O4 - HKCU\..\Run: [Virtual System Monitor] pkqfda.exe
O4 - HKCU\..\Run: [Micro Process] dosprmwin.exe
O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...13a53a5c9e3a54a
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...69/QDow_AS2.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instant...erxsigned42.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F0648E8-D53B-478A-91DC-9725A4A8F600}: NameServer = 199.45.32.38 199.45.32.43

These popups are really making me angry. :grrr: :rant:

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • 4,412 posts

Posted 20 July 2004 - 04:56 PM

Hello skinsfan87, welcome to SWI.
Your system is very infected.
Print out these instructions so you can read them while you clean your system.

Now close all open windows AND browsers and check these items for HJT to fix:

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKLM\..\Run: [hpiltlr] C:\WINDOWS\vgpojcbkq.exe
O4 - HKLM\..\Run: [nwhfwxes] C:\WINDOWS\ouaarap.exe
O4 - HKLM\..\Run: [KEI] C:\documents and settings\owner.home-hue1x2n8vg\local settings\temp\KEI.exe
O4 - HKLM\..\Run: [zquawlc] C:\WINDOWS\uvjmacdwa.exe
O4 - HKLM\..\Run: [IPTable Configuration] winipcfgs.exe
O4 - HKLM\..\Run: [E6CB4DB8] C:\WINDOWS\System32\bhsfcbhjxyeji.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [wprmsoovszu] C:\WINDOWS\System32\nuynny.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [pqjzpjgi] C:\WINDOWS\mwzqoi.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] htpoatb.exe
O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
O4 - HKLM\..\RunServices: [726F1345] C:\WINDOWS\System32\bhsfcbhjxyeji.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [Microsoft Update Debugger] wincfg32.exe
O4 - HKCU\..\Run: [Virtual System Monitor] pkqfda.exe
O4 - HKCU\..\Run: [Micro Process] dosprmwin.exe
O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...13a53a5c9e3a54a
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...69/QDow_AS2.cab


Please reboot into safe mode - How do I boot into "Safe" mode?


Go to Add/Remove Programs and uninstall:
WindUpdates
Web_Rebates
WindowsSA

if listed.

Now, we can proceed to delete these directories:

C:\Program Files\WindUpdates
C:\Program Files\Web_Rebates
C:\Program Files\WindowsSA


Delete these files:
C:\WINDOWS\System32\wsaupdater.exe
C:\WINDOWS\vgpojcbkq.exe
C:\WINDOWS\ouaarap.exe
C:\documents and settings\owner.home-hue1x2n8vg\local settings\temp\KEI.exe
C:\WINDOWS\uvjmacdwa.exe
C:\WINDOWS\System32\bhsfcbhjxyeji.exe
C:\WINDOWS\System32\nuynny.exe
C:\WINDOWS\mwzqoi.exe

Search (f3) for these files and delete them:
htpoatb.exe
winipcfgs.exe
MSlti16.exe
wincfg32.exe
pkqfda.exe
dosprmwin.exe


You may need to show hidden files to delete them. How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

Reboot into normal mode, enable System Restore, and post a fresh log in this thread so we can give you further recommendations.

#3 skinsfan87


Posted 20 July 2004 - 07:34 PM

Thanks, here's a new HijackThis log after I followed your directions:
Logfile of HijackThis v1.98.0
Scan saved at 8:32:37 PM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Owner.HOME-HUE1X2N8VG\Desktop\Samir's Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.veri...e.htm?ver=6842
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - https://cs7b.instant...erxsigned42.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F0648E8-D53B-478A-91DC-9725A4A8F600}: NameServer = 199.45.32.38 199.45.32.43
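
Added example, not part of the original posts: a Python sketch that checks a follow-up HijackThis scan against the list of entries that were to be fixed, and reports anything that appears only in the second scan. The function names are my own, and the sample data is a short excerpt copied from the logs and fix list in this thread.

```python
import re

# A HijackThis result line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y.exe".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse(log_text):
    """Return the (section, body) entries; header and process lines do not match."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def verify_cleanup(before, after, fix_list):
    """Check a follow-up scan against the entries that were to be fixed."""
    b, a, f = parse(before), parse(after), parse(fix_list)
    return {
        "still_present": sorted(f & a),          # flagged, but survived the cleanup
        "not_in_before": sorted(f - b),          # fix-list line that matched nothing
        "new": sorted(a - b),                    # appears only in the follow-up scan
        "removed_unasked": sorted((b - a) - f),  # gone without having been flagged
    }

# Excerpts copied from the posts in this thread (not the full logs).
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\htpoatb.exe
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
"""
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [Microsoft Update Machine] htpoatb.exe
O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
"""
AFTER = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

if __name__ == "__main__":
    for key, items in verify_cleanup(BEFORE, AFTER, FIX_LIST).items():
        print(key, items)
```

On this excerpt every flagged entry is gone, and the ProxyOverride line is the only entry that appears in the second scan but not the first.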

#4 mmxx66


Posted 20 July 2004 - 07:57 PM

Good job!
Your log looks clean now.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice: So how did I get infected in the first place?

#5 skinsfan87


Posted 20 July 2004 - 08:44 PM

Thanks a lot guys, you guys are doing a great thing for us people that aren't as experienced with computers.

#6 mmxx66


Posted 21 July 2004 - 08:31 AM

Glad we could help :D

#7 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 21 July 2004 - 06:11 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!