• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
gmcauley

Adware Returns After 'Removal'

8 posts in this topic

Hello,

 

Here is my problem (I have read the FAQ):

 

How it started:

Several days ago I was browsing with IE and was hit by a flurry of popups. Either in one of the popup windows or in a web page I was hijacked to, it said something like: "if you are getting popup adds from this or that category (eg, porn sites, health sites) you need a spy/adware removal program". The categories of popups that I was getting matched exactly with their description, and I was 'conveniently' redirected to a site selling this software, and my home page was set to this new site I believe. Being blissfully ignorant of spy/adware and upset at the low down marketing, I did not pay attention to the URL - I quickly reset my home page and tried to move on.

 

 

The Real Problem:

Since that time I have been assaulted with popup ads when using IE (sometimes they popup without IE being open, but it is usually quiet when not actually running IE). I have used the Spybot S&D 1.3 with the latest update and it finds many problems. But when I 'fix' them, the same problems come back again later. The longer I wait to check again for problems, the more of the problems come back (eg, Winpup, SeelSeek, BookedSpace). And the popup adds keep coming. :techsupport:

 

My hijackthis Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:28:18 PM, on 7/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Corel\Smart Graphics\Server\isf.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\atwtusb.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\bokja.exe

C:\WINDOWS\System32\automove.exe

C:\WINDOWS\System32\TBLMOUSE.EXE

C:\PROGRA~1\AIM95\aim.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\System32\oisen.exe

C:\Program Files\Netscape\Netscp.exe

C:\Documents and Settings\grant\Desktop\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\grant\Application Data\Mozilla\Profiles\default\tmwh8ez6.slt\prefs.js)

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (disabled by BHODemon)

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll (disabled by BHODemon)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll (disabled by BHODemon)

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll (disabled by BHODemon)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [bokja] C:\WINDOWS\bokja.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [oisen] C:\WINDOWS\System32\oisen.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Edit with XML Spy (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38182.5490625

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F83C05-D5A6-440E-ACB3-BE39121866D5}: NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

 

 

My Plea of Exasperation:

Help!!!!!!!!!!!!!!!

Share this post


Link to post
Share on other sites

gmcauley,

Do an online scan here:

Housecall: http://www.trendmicro.com/en/home/us/enterprise.htm

 

Reboot.

Please run this scan:

Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html

Install by double-clicking on the downloaded file.

After installing but before running, update Ad-aware by using its Globe icon.

After updating, shutdown and restart Ad-aware.

Ad-aware is ready to scan and clean your system following these steps:

 

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

"Unload recognized processes during scanning."

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

"Let Windows remove files in use after reboot."

Press "Scan Now"

Check option "Use Custom scanning options"

Check option "Activate In-Depth Scan"

Press "Select drives\folders to scan"

Select the active partition which is usually C:

Press "Next" to let Ad-aware scan your drives...

If it finds "bad" files and registry keys, press "Next" again

Right-click in that pane and choose "select all"

Press "next"

When it asks to remove all checked items, Press "OK"

Close Ad-aware, reboot your system and go on to the next step below.

 

Please update your version of HJT to v. 1.98 and post a new log. Thanks.

 

Download HijackThis to its own permanent folder.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

If that link isn't working, extract from http://www.downloads.subratam.org/hijackthis.zip

To create a folder:

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".

Now you have C:\HJT\ folder.

Double-click on the .exe to scan.

Please post a HijackThis log (that's a StartupList). After Scan, the Scan button changes to Save Log. Click that, save it somewhere. Do Ctrl-A to Select all, and then copy and paste it here.

Share this post


Link to post
Share on other sites

Thank you for your reply.

 

Here is the new hijackthis.log:

 

Logfile of HijackThis v1.98.0

Scan saved at 1:59:33 PM, on 7/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Corel\Smart Graphics\Server\isf.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\atwtusb.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\AIM95\aim.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\System32\TBLMOUSE.EXE

C:\DownLoads\spyware\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\grant\Application Data\Mozilla\Profiles\default\tmwh8ez6.slt\prefs.js)

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\\Common Files\slmss\slmss.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F83C05-D5A6-440E-ACB3-BE39121866D5}: NameServer = xx.xx.xx.xx, xx.xx.xx.xx

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =xx.xx.xx.xx, xx.xx.xx.xx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = xx.xx.xx.xx, xx.xx.xx.xx

 

Thank you for your help, it is much appreciated.

Share this post


Link to post
Share on other sites

Hi, gmcauley,

 

There are still some things to fix.

 

Did you scan with Housecall? It should have fixed more. :mellow:

 

Nevertheless, we shall try it this way:

 

Make sure your computer is configured to show all folders/files

Enable the "Show Hidden Folders" option, like this:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.

Uncheck the Hide Protected Operating System Files (recommended) option.

Click Yes to confirm.

Click OK.

 

First, end these processes in Task Manager (AlT+Ctrl+Delete) or (Ctrl+shift+Escape) if they are listed:

slmss.exe

mwsvm.exe

id53.exe

 

Please run HJT, with all other windows and browser closed, and have it fix these items:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\\Common Files\slmss\slmss.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F83C05-D5A6-440E-ACB3-BE39121866D5}: NameServer = xx.xx.xx.xx, xx.xx.xx.xx

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =xx.xx.xx.xx, xx.xx.xx.xx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = xx.xx.xx.xx, xx.xx.xx.xx

 

Reboot into Safemode this way:

Turn on the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Look for these and delete them if found:

c:\installer\id53.exe <-- entire installer folder with file

C:\WINDOWS\mwsvm.exe<-- just this file

C:\Program Files\\Common Files\slmss\slmss.exe<-- entire slmss folder with file

 

Reboot.

Empty your Temporary Internet Files and history in Internet Options. And clean out your

%Userprofile%\Local Settings\Temp

 

OR: Use the Disk Cleanup Utility to empty all your Temp folders

 

Reboot.

Please run Housecall and Ad-aware scans again to be sure we got everything.

 

Then please post a fresh HJT log, and please let us know if the problems are gone. Thank you.

Share this post


Link to post
Share on other sites

Thank you for your reply. So far all is quiet! Everything looks normal! No more popups! :thumbsup: Thank you so very much for your help. What you (all) are doing is very much appreciated!

 

Here is the latest hJT log file:

 

Logfile of HijackThis v1.98.0

Scan saved at 4:26:22 PM, on 7/23/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Corel\Smart Graphics\Server\isf.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\atwtusb.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\AIM95\aim.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\System32\TBLMOUSE.EXE

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\DownLoads\spyware\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\grant\Application Data\Mozilla\Profiles\default\tmwh8ez6.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O17 - HKLM\System\CCS\Services\Tcpip\..\{A2F83C05-D5A6-440E-ACB3-BE39121866D5}: NameServer = xx.xx.xx.xx, xx.xx.xx.xx

 

I think the last entry is normal. I replaced the IP numbers with x's, before posting. When I removed all three of the similar entries (see the previous log file) as instructed, my DNS settings were wiped out. So I assume when I reset them, the entry above was added.

 

Does this log file look OK?

 

Thanks again :wave:

Share this post


Link to post
Share on other sites

You're welcome.

I wish you had told me before about your replacing those numbers in the IP! When I researched that, of course, it came up with no legitimate identification which is something that should be taken out.

 

The log looks good, however, now that we have removed the malware there are some optionals that can be checked because they use resoruces at Startup and can be opened as needed:

Your choice to fix with HJT ( with all other windows and browser closed):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

** Note: You might need to close Quicktime and RealUpdate in Task Manager before they can be fixed.

 

After something like this it is a good idea to purge the Restore Points and start fresh.

To flush the XP System Restore Points:

(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.

On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn Off System Restore.

 

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

 

Here are some simple steps that you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update:

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

 

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

Periodically check for updates.

 

4. Keep your antivirus software and firewall software up to date.

Note: Zone Alarm Firewall (Zone Labs)http://www.zonelabs.com/store/content/home.jsp is free.

 

5. Now that you have both Adaware and Spybot, remember to keep them updated.

Check for updates in Adaware frequently as they sometimes can update daily.

I would check for updates in SpyBot once a week or so.

I scan with each at least weekly.

 

I am glad to see that you are also using Firefox.

 

Happy computing, and let us know if we can be of assistance in the future.

Share this post


Link to post
Share on other sites

Thanks again. I have had no more problems. I will go through these further instructions. It is good to know that there is a place to get good information and advise with these thorny problems.

 

Once again, I sincerely thank you for your valuable time.

Share this post


Link to post
Share on other sites

Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0