Jump to content


Photo

Popup AD, can't find the probelm


  • Please log in to reply
3 replies to this topic

#1 joejoe1978

joejoe1978

    Member

  • New Member
  • Pip
  • 3 posts

Posted 09 June 2004 - 11:11 AM

The AD pop up even I don't open any program.
The O4 in the log of "wintools.exe" and "CASTDRAW.exe"
directories don't exist.
suspect it's the problem from
O4 - Startup: plugin131_04.trace
please help and thanks
Logfile of HijackThis v1.97.7
Scan saved at 12:00:26, on 2004-6-9
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummbird\inetd32.exe
E:\software\KAV2003\KAVSvc.EXE
C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\conime.exe
E:\Program Files\Web2Pop\Web2pop.exe
C:\WINNT\system32\ctfmon.exe
C:\tools\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\jb6ovpqe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\jb6ovpqe.slt\prefs.js)
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Soap] C:\PROGRA~1\ONCEKI~1\CASTDRAW.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: plugin131_04.trace
O4 - Startup: gsview32.ini
O4 - Global Startup: ntuser.pol
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7601.3108449074
O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeChannel) - http://channel.bridg...bc_bridge_i.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.risi...ll/rsonline.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\system32\mshtml.dll

#2 joejoe1978

joejoe1978

    Member

  • New Member
  • Pip
  • 3 posts

Posted 09 June 2004 - 11:30 AM

anyone knows what's plugin131_04.trace
It's running and I can't stop it
Just find it's java plugin
can anyone help to read the log?
thanks a lot. It's really anoy and it pops up every minute

Edited by joejoe1978, 09 June 2004 - 11:37 AM.


#3 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 09 June 2004 - 12:09 PM

Hello ,

Download Spybot S & D

Ad-Aware

press ctrl, alt and del and end task

C:\WINNT\system32\conime.exe

Now fix the following entries in HijackThis,

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Soap] C:\PROGRA~1\ONCEKI~1\CASTDRAW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeChannel) - http://channel.bridg...bc_bridge_i.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

C:\PROGRA~1\ONCEKI~1

Reboot and check for updates for Spybot and run full scan. Reboot and do same for Ad-aware.

Reboot in normal mode and post a fresh log

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#4 joejoe1978

joejoe1978

    Member

  • New Member
  • Pip
  • 3 posts

Posted 10 June 2004 - 10:55 AM

hi,Sup,I always use spybot and ad-aware. I already update to the latest version
and follow your instruction. But I cant stop them. I hate ADs.
here it's the new log.
the wintools and C:\PROGRA~1\ONCEKI~1 directories don't exist on my computer.
please help. :weep:

Logfile of HijackThis v1.97.7
Scan saved at 11:20:40, on 2004-6-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummbird\inetd32.exe
E:\software\KAV2003\KAVSvc.EXE
C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
E:\Program Files\Network Associates\VirusScan\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\tools\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\jb6ovpqe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Joe\Application Data\Mozilla\Profiles\default\jb6ovpqe.slt\prefs.js)
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Soap] C:\PROGRA~1\ONCEKI~1\CASTDRAW.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: plugin131_04.trace
O4 - Startup: gsview32.ini
O4 - Global Startup: ntuser.pol
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7601.3108449074
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.risi...ll/rsonline.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button