Popups, I don't know what's wrong


8 replies to this topic

#1 ineedhelp02

ineedhelp02

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 27 July 2004 - 02:26 PM

:techsupport: The thing is, I know I have spyware but I do not know where it is or what it is. Ad-Aware can't find it, but I am still getting popups and my computer runs really slow at times; sometimes my CPU shoots up to 100% and stays there for hours at a time, even after I shut all the programs down. Also, I have 32 processes running almost all the time, one of which, svchost.exe, shows up four times. If you can help without confusing the heck out of me, cool; my computer knowledge is limited.

#2 ineedhelp02

Posted 27 July 2004 - 02:44 PM

This thread used to have an Ad-Aware log until I read the FAQ.

Edited by ineedhelp02, 28 July 2004 - 02:50 AM.


#3 ineedhelp02

Posted 27 July 2004 - 03:14 PM

Can't anyone help?

#4 derelict

derelict

    Member

  • New Member
  • Pip
  • 4 posts

Posted 27 July 2004 - 04:09 PM

Not that I am a godly source on all things computer, but I'd recommend killing everything that's running out of the /temp directory for now.

[
#:23 [kc0dy.exe]
FilePath : C:\documents and settings\joff\local settings\temp\

#:24 [imp.exe]
FilePath : C:\documents and settings\joff\local settings\temp\

#:25 [vib.exe]
FilePath : C:\documents and settings\joff\local settings\temp\
]

Those three in particular. See how things run after you terminate the apps, and check to see if they automatically restart themselves. If you find that it helps, also get in your start menu, go to "Run..." and type msconfig in the box - click the startup tab and uncheck those 3 if you see them. Then, restart and check for them again; if it's spyware, some of the nastier stuff can replace its own privileges at startup... Anyway, you'll probably get better help later, but you can use that for now if you want.

-derelict

[EDIT: Heh...almost forgot. These people can make better use out of HijackThis logs. Get the app (search on Google) and make yourself a log to post for them.]

Edited by derelict, 27 July 2004 - 04:11 PM.


#5 ineedhelp02

Posted 27 July 2004 - 05:18 PM

Thanks, I'll try that.

#6 ineedhelp02

Posted 27 July 2004 - 05:24 PM

Also, something else I noticed is the status bar at the bottom of the screen: whenever I go to a new site it always directs to something like this: www.ads234.com=www.google.com. It still goes to Google or whatever site it is I am going to, but what does that mean?

#7 ineedhelp02

Posted 27 July 2004 - 05:33 PM

Logfile of HijackThis v1.97.7
Scan saved at 3:31:04 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\rwirror.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\webogcfg.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxPlayer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaDB.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\Wen1otvK.exe
C:\WINDOWS\System32\Pelur4.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Joff\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Joff\Local Settings\Temp\iv7Kqlq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [kc0dy] C:\documents and settings\joff\local settings\temp\kc0dy.exe
O4 - HKLM\..\Run: [imp] C:\documents and settings\joff\local settings\temp\imp.exe
O4 - HKLM\..\Run: [ViB] C:\documents and settings\joff\local settings\temp\ViB.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [2Q9SLA75GNXSJE] C:\WINDOWS\System32\Ylf3.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ussh39O] rwirror.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [fB3nRViEU] webogcfg.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8001.4572800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7906F8DF-FFD4-4EF4-96F5-EC9559931EA3}: NameServer = 209.244.0.3 209.244.0.4 :alarm:
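
The check derelict suggests in reply #4 (look for anything launching out of the Temp directory, then see whether it is still running) can be run over a HijackThis log mechanically. The following is an added example, not part of any post in this thread: the sample lines are copied from the log above, the function names are made up for illustration, and it also covers O2 (BHO) entries that load from Temp, which goes one step beyond the three Run entries named in that reply.

```python
import re

# Subset of lines copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\taskswitch.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Joff\Local Settings\Temp\iv7Kqlq.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [kc0dy] C:\documents and settings\joff\local settings\temp\kc0dy.exe
O4 - HKLM\..\Run: [imp] C:\documents and settings\joff\local settings\temp\imp.exe
O4 - HKLM\..\Run: [ViB] C:\documents and settings\joff\local settings\temp\ViB.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)

def running_images(log):
    """Lower-cased file names listed under 'Running processes:'."""
    names, in_section = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
        elif in_section and not line.strip():
            break  # blank line ends the process list
        elif in_section:
            names.add(line.rsplit("\\", 1)[-1].lower())
    return names

def temp_loaded_entries(log):
    """Return (kind, name, path, running) for Run keys and BHOs that load from Temp.
    running is True/False for Run entries and None for BHOs (a DLL, not a process)."""
    running = running_images(log)
    hits = []
    for line in log.splitlines():
        m4, m2 = O4_RE.match(line), O2_RE.match(line)
        if m4 and TEMP_RE.search(m4.group(3)):
            image = m4.group(3).strip('"').rsplit("\\", 1)[-1].lower()
            hits.append(("Run", m4.group(2), m4.group(3), image in running))
        elif m2 and TEMP_RE.search(m2.group(3)):
            hits.append(("BHO", m2.group(1), m2.group(3), None))
    return hits

if __name__ == "__main__":
    for kind, name, path, is_running in temp_loaded_entries(SAMPLE_LOG):
        print(f"{kind:3} [{name}] {path} running={is_running}")
```

An entry that reports running=False but is still listed under Run has only been killed for the current session; it will start again at the next boot until the startup entry itself is removed.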

#8 derelict

Posted 28 July 2004 - 12:57 AM

Also, something else I noticed is the status bar at the bottom of the screen: whenever I go to a new site it always directs to something like this: www.ads234.com=www.google.com. It still goes to Google or whatever site it is I am going to, but what does that mean?

That's a rather blatant redirect from your web browser software...sounds like something's really gotten in deep in the system. The ads123 thing is probably tracking every link and such that you click, and probably using that to send you tons of popups based on your interests, or some other crap. If it's gotten that bad, I'd definitely suggest finding a different place to browse the web, or cranking the security settings in your browser, which will end up giving you trouble with cookies, but it's better than what you've got now. Can't help with all the details, but just remember that anything you take off will definitely come back if you keep visiting the same places you got it from before. At least until they bring another hotfix to IE, but by that time, there'll be all new adware and spyware out there.

If you have Norton Utilities, there should be a firewall in there somewhere I think. Symantec's is actually better, in my opinion, because it gives you an instant popup with where your data is going; regardless of whether or not it may be correct, it allows you to block those attempts within certain IP ranges. Of course, that could be some of what is slowing down your system: adware could possibly hang if it couldn't get a connection to the other end. Anyway, enough of me. Someone with some real know-how will probably come along to help you.

#9 ineedhelp02

Posted 28 July 2004 - 02:47 AM

Thanks, I have done that; all the cookies are blocked. It hasn't done much. I have Norton Professional; Symantec's checks all the emails. I am about to throw this computer out the window
:techsupport:

Edited by ineedhelp02, 28 July 2004 - 02:48 AM.




