
I can't get rid of 680180.net Pop ups!!!


  • This topic is locked

#1 liquid_slap


Posted 29 July 2004 - 04:20 PM

:grrr:
Logfile of HijackThis v1.98.0
Scan saved at 5:15:31 PM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
c:\winnt\system32\suss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\goidr.exe
C:\WINNT\beqltnh.exe
C:\WINNT\vrnsbcu..exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
\ifaafs4dept\infosys\tivoli\sai502\winase32\kml.exe
C:\Program Files\Notes\NLNOTES.EXE
C:\Program Files\Notes\nNOTESMM.EXE
C:\Program Files\Notes\nwrdaemn.EXE
C:\Program Files\Notes\nupdate.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jspeight\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.altavista.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://usscifweb02.sfb.na.abnamro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://currency.na.abnamro.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.na.abnamro.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.na.abnamro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {D25F261C-4BA5-41A9-824B-9BD1D6C4F4C6} - C:\WINNT\system32\rmiwf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rmiwfc] C:\WINNT\system32\rmiwfc.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\beqltnh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\vrnsbcu..exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\system32\hpdllhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://currency.na.abnamro.com
O16 - DPF: {689ff870-2ac0-11d5-b634-00c04faedb18} - http://mupit.sfb.na....iator/jinit.exe
O18 - Protocol: smscrd - {FA3F5003-93D4-11D2-8E48-00A0C98BD8C3} - c:\smsadmin\bin\i386\sms_mcrd.dll
O20 - AppInit_DLLs: FHook.dll

#2 nasdaq


Posted 03 August 2004 - 02:51 PM

Hello Liquid_slap

Just so that you know you are not being ignored - I will handle this case for you but
I need to ask for your patience while I review the log.
Please keep an eye on this message for a resolution.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 nasdaq


Posted 03 August 2004 - 08:47 PM

Hello liquid_slap,

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.

Please get the new 1.98.1 Version of HijackThis.
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

I would like you to change the location of HijackThis.exe.
It's best for this tool NOT TO be located on your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong and will prevent the tool placing shortcuts on your Desktop.

Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the .exe file in it.
*
1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

O2 - BHO: SDWin32 Class - {D25F261C-4BA5-41A9-824B-9BD1D6C4F4C6} - C:\WINNT\system32\rmiwf.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rmiwfc] C:\WINNT\system32\rmiwfc.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\beqltnh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\vrnsbcu..exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\system32\hpdllhost.exe


If you did not place restrictions on your control panel, fix these.
You may have set them when you installed Spybot.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

*
Reconfigure Windows Explorer to show Hidden Files:
Show Hidden Files and Folders

Then reboot, on restart, restart in "Safe Mode".

How to:
http://service1.syma...src=sec_doc_nam

Remove all files in BOLD if still present.

C:\WINNT\beqltnh.exe <-- File only
C:\WINNT\goidr.exe <-- File only
C:\WINNT\beqltnh.exe <-- File only
C:\WINNT\vrnsbcu..exe <-- File only
C:\WINNT\goidr.exe <-- File only
C:\WINNT\system32\rmiwf.dll <-- File only
C:\WINNT\system32\rmiwfc.exe <-- File only
C:\WINNT\system32\manage.exe <-- File only
C:\WINNT\system32\hpdllhost.exe <-- File only
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <-- Folder/Sub Folder and all files in them.
*
While still in Safe Mode

1 - Run your Virus protection software. Make sure you have the latest definition files.
2 - Run your copy of Spybot.
  • Click on "Search for Updates".
  • If any updates are found, place a check mark next to each and click on "Download Updates".
  • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
  • Click on "Search & Destroy" => "Check for Problems".
  • If any problems are found, be sure to click on "Fix Selected Problems."
Reboot in normal mode.
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051
*
Run HijackThis and post a fresh log.
nasdaq

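An added example, not part of the original thread and not code from HijackThis or the forum: a short Python parser that derives the file checklist from the O2/O4 entries listed in the reply above and reports which of those files were running processes when the first post's log was taken. The regular expressions and function names are assumptions based on the line shapes visible in this log; `RUNNING` is a subset of the posted process list.

```python
import re
# Entries the reply asks to check, copied from the thread above.
FIX_LIST = r"""
O2 - BHO: SDWin32 Class - {D25F261C-4BA5-41A9-824B-9BD1D6C4F4C6} - C:\WINNT\system32\rmiwf.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rmiwfc] C:\WINNT\system32\rmiwfc.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\beqltnh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\vrnsbcu..exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\system32\hpdllhost.exe
""".strip().splitlines()
# Subset of "Running processes" from the first post's log.
RUNNING = r"""
C:\WINNT\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\goidr.exe
C:\WINNT\beqltnh.exe
C:\WINNT\vrnsbcu..exe
""".strip().splitlines()
# Line shapes assumed from this log, not taken from a HijackThis format spec.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll))"?(?:\s|$)', re.I)

def parse(line):
    # Return (section, entry name, file path) for an O2 or O4 Run line, else None.
    m = O2_RE.match(line)
    if m:
        return ("O2", m["name"], m["target"])
    m = O4_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])  # drop surrounding quotes and arguments
    return ("O4", m["name"], exe.group(1) if exe else m["cmd"])

def file_checklist(lines):
    # Deduplicate case-insensitively (Windows paths), keeping log order.
    found = {}
    for entry in filter(None, map(parse, lines)):
        found.setdefault(entry[2].lower(), entry[2])
    return list(found.values())

def still_running(checklist, running):
    # Checklist files that were live processes at scan time.
    live = {p.lower() for p in running}
    return [p for p in checklist if p.lower() in live]

if __name__ == "__main__":
    print(still_running(file_checklist(FIX_LIST), RUNNING))
```

Files reported by `still_running` were loaded when the scan was taken, which is the situation the reply's Safe Mode step is there to handle.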

#4 WinHelp2002


Posted 25 September 2004 - 07:17 AM

Due to lack of response by the poster this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm



