System Cleaned, and still more pop-ups!


7 replies to this topic

#1 keefe007


Posted 09 June 2004 - 09:45 PM

Alright, I have been working on this one system here for a while and I cannot stop the massive amount of pop-ups that this system gets.

I have run updated Ad-aware, Spybot S&D, Trend online virus scan, and Hijack this. All of the Windows updates are completed as well. Ad-aware and Spybot both show that the system is completely clean.

I am still getting pop-ups on sites that I know do not have pop-ups, i.e. Google.com.

Here is the current Hijack this log ->

Logfile of HijackThis v1.97.7
Scan saved at 9:43:22 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...or/swdir_nr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7902.6502430556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Any suggestions?

Keefe

#2 keefe007


Posted 10 June 2004 - 06:54 PM

bump

#3 caruch6392


Posted 10 June 2004 - 06:58 PM

don't need this:

R3 - Default URLSearchHook is missing

I've never seen a plugin like this (it might be fishy but who knows): make sure you're backing up this stuff before you take this out

O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll

take this out:

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

your log was pretty clean...seems strange that you keep getting pop-ups...try running cwshredder (look in my signature for the link) UPDATE IT if necessary and run it to see if it sees anything (be sure you exit out of all IE windows before doing that but it will remind you anyway)

hope this helps {SoW}Rob
UPDATE and run adaware
UPDATE and run spybot search and destroy
UPDATE and run cwshredder
update and use spywareblaster
a nifty little program: a squared 2
free virus scanner: avg anti-virus
another free antivirus: Avast!

don't forget to do windows updates


#4 Budfred


Posted 10 June 2004 - 10:19 PM

The R3 needs to be fixed and this is a good one to fix because it is a registration reminder that is not needed and it is thought that it might report back on you to the owner....

O4 - Startup: PowerReg Scheduler.exe

The other options noted are optional and probably won't make a big difference...

Do you have anything disabled in msconfig or set to ignore in HJT??

It is not clear what is causing your popups. Have you disabled Messenger in Services??

I suggest running one or both of the online virus scans in my links and also download and run the trial version of TrojanHunter...

After you finish, reboot and post back a fresh log with answers to the questions I asked...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#5 keefe007


Posted 10 June 2004 - 11:31 PM

I did also run an updated version of CWShredder, but it didn't find anything.

I ran an online Trend Micro virus scan and a system virus scan with McAfee Virus Scan 2004.

HouseCall Control is a plugin used by the Trend Micro Housecall antivirus and the NPUPano.dll is the plugin Adobe uses to let you view .pdf's within IE.

Nothing is set to ignore in Hijack this, however there might be something disabled in msconfig.

I just noticed that another system that just came in has the same pop-ups. I wonder if it's some sort of new spyware that no one has discovered yet.

#6 Budfred


Posted 11 June 2004 - 10:01 PM

Since you are not specifying what the popups are, I can't tell if they are a new form or not... They sound like they are probably Windows Messenger popups from what you have said and that is at least as old as WinXP. These exploit Windows Messenger Service which is stupidly and unnecessarily turned on in WinXP to put popups on your system, sometimes when you are not even online... That is why I asked if you have disabled it in WinXP Services... Please let me know...

Also, please run a Normal boot with none of the items disabled in msconfig and post a fresh HJT log from that boot so we can see if there is anything hiding there....
Budfred


#7 keefe007


Posted 11 June 2004 - 11:28 PM

I didn't know Windows Messaging Service messages were considered pop-ups. In any case, the messenger service has been long disabled. These are not messenger dialogue boxes. These are IE pop-ups that are spawned randomly. From what I have found so far, an initial pop-up opens with the title "New offer for you...." This window spawns new pop-up "offers" every minute or so.

In regards to your suggestion of re-enabling everything on startup and reposting a hijack this log: If something is disabled from starting up, and it's not currently a running process, how would it be the cause of these pop-ups?

#8 Budfred


Posted 11 June 2004 - 11:35 PM

Sometimes disabling it in msconfig just lets it hide better... You do not have anything showing in your log that is likely to be causing the problem you are having... If we are going to help you fix it, we need more information... To get more information we need your help....

You can run TrojanHunter or any number of other scans and see if that takes care of it... I need to see a HJT log with everything enabled to figure out what the next step is.... Please keep in mind that we are trying to help blind... If I had a few minutes in front of your computer I might be able to figure out what is going on readily, but we don't have the luxury of that kind of direct service....
Budfred
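
The comparison requested in the posts above (the log already posted against a fresh one taken from a normal boot with nothing disabled in msconfig), as an added example that is not part of the original thread: it parses two HijackThis logs and lists what appears only in the second. The second log, including `placeholder.exe` and `ExampleItem`, is constructed for illustration.

```python
import re

# First log: lines copied from the log posted in this thread (shortened).
LOG_DISABLED = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: PowerReg Scheduler.exe
"""

# Second log: CONSTRUCTED. The extra process and O4 line are placeholders.
LOG_NORMAL_BOOT = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\EXAMPLE\placeholder.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ExampleItem] C:\EXAMPLE\placeholder.exe
O4 - Startup: PowerReg Scheduler.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - Startup: ..."

def parse_hjt(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def new_in_second(first, second):
    """Items present only in the second log; paths compared case-insensitively."""
    p1, e1 = parse_hjt(first)
    p2, e2 = parse_hjt(second)
    seen = {p.lower() for p in p1}
    return [p for p in p2 if p.lower() not in seen], [e for e in e2 if e not in e1]

if __name__ == "__main__":
    print(new_in_second(LOG_DISABLED, LOG_NORMAL_BOOT))
```
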
