
Bombarded with popups


  • This topic is locked
5 replies to this topic

#1 lilly1 (New Member)

Posted 10 June 2004 - 11:52 PM

I have run the latest Spybot, Ad-Aware, and Spy Sweeper programs and keep getting numerous popup ads. Do I need separate popup blocker software? Also, I have run HijackThis, with the log file below. Which items can be deleted? Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 11:14:21 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Windows\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\documents and settings\administrator\local settings\temp\QEUQ.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\FILTER~1\filtergate.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Windows\dhbrwsr.exe
C:\Windows\TimeSynchronize.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Windows\bsrxtwxd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Wast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\Windows\dhsvr.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O1 - Hosts: 66.197.73.38 www.smutserver.com
O1 - Hosts: 66.197.73.38 www1.smutserver.com
O1 - Hosts: 66.197.73.38 www2.smutserver.com
O1 - Hosts: 66.197.73.38 www3.smutserver.com
O1 - Hosts: 66.197.73.38 www4.smutserver.com
O1 - Hosts: 66.197.73.38 www5.smutserver.com
O1 - Hosts: 66.197.73.38 www6.smutserver.com
O1 - Hosts: 66.197.73.38 www7.smutserver.com
O1 - Hosts: 66.197.73.38 www8.smutserver.com
O1 - Hosts: 66.197.73.38 www9.smutserver.com
O1 - Hosts: 66.197.73.38 www10.smutserver.com
O1 - Hosts: 66.197.73.38 www11.smutserver.com
O1 - Hosts: 66.197.73.38 www12.smutserver.com
O1 - Hosts: 66.197.73.38 www13.smutserver.com
O1 - Hosts: 66.197.73.38 www14.smutserver.com
O1 - Hosts: 66.197.73.38 www15.smutserver.com
O1 - Hosts: 66.197.73.38 www16.smutserver.com
O1 - Hosts: 66.197.73.38 www17.smutserver.com
O1 - Hosts: 66.197.73.38 www18.smutserver.com
O1 - Hosts: 66.197.73.38 www19.smutserver.com
O1 - Hosts: 66.197.73.38 www20.smutserver.com
O1 - Hosts: 66.197.73.38 www21.smutserver.com
O1 - Hosts: 66.197.73.38 www22.smutserver.com
O1 - Hosts: 66.197.73.38 www23.smutserver.com
O1 - Hosts: 66.197.73.38 www24.smutserver.com
O1 - Hosts: 66.197.73.38 www25.smutserver.com
O1 - Hosts: 66.197.73.38 www26.smutserver.com
O1 - Hosts: 66.197.73.38 www27.smutserver.com
O1 - Hosts: 66.197.73.38 www28.smutserver.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\Windows\System32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\Windows\System32\msibkd.dll
O2 - BHO: (no name) - {4730681F-C5D9-4015-B4B5-4E8A64C3A214} - C:\Windows\System32\imcm32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\Windows\System32\msjfbl.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O2 - BHO: (no name) - {C1208FBF-9187-4418-A19B-C75B6BC61060} - C:\Windows\kasvbzaoy.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\Windows\System32\PDF554e.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\Windows\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {898E166D-4759-49CA-AEFB-D92CB75CF197} - (no file)
O3 - Toolbar: (no name) - {1DC54167-0BAA-4FF8-8F2B-74947B7B2E58} - (no file)
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\Windows\dealhlpr.dll
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\Windows\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\Windows\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\Windows\System32\pdfupd.dll
O4 - HKLM\..\Run: [SysUpd] C:\Windows\sysupd.exe
O4 - HKLM\..\Run: [QEUQ] C:\documents and settings\administrator\local settings\temp\QEUQ.exe
O4 - HKLM\..\Run: [ezgladyt] C:\WINDOWS\ezgladyt.exe
O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
O4 - HKLM\..\Run: [DealHelperUpdate] C:\Windows\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\Windows\dhbrwsr.exe
O4 - HKLM\..\Run: [TimeSyncApp] C:\Windows\TimeSynchronize.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [baoyib] C:\Windows\bsrxtwxd.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\Windows\System32\PDF554e.dll
O4 - HKLM\..\Run: [spotyzct] C:\WINDOWS\spotyzct.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebws400_script0.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab

#2 lilly1 (New Member)

Posted 12 June 2004 - 03:05 PM

I have updated the logfile of HijackThis as shown below. Some of the entries, such as R3 - URLSearchHook and O4 WinTools, keep coming back even after I hit the Fix checked button in HijackThis. Still getting constant popups. Please advise.


Logfile of HijackThis v1.97.7
Scan saved at 3:04:51 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\documents and settings\administrator\local settings\temp\QEUQ.exe
C:\Windows\TimeSynchronize.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Windows\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4730681F-C5D9-4015-B4B5-4E8A64C3A214} - C:\Windows\System32\imcm32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C1208FBF-9187-4418-A19B-C75B6BC61060} - C:\Windows\kasvbzaoy.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {898E166D-4759-49CA-AEFB-D92CB75CF197} - (no file)
O3 - Toolbar: (no name) - {1DC54167-0BAA-4FF8-8F2B-74947B7B2E58} - (no file)
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SysUpd] C:\Windows\sysupd.exe
O4 - HKLM\..\Run: [QEUQ] C:\documents and settings\administrator\local settings\temp\QEUQ.exe
O4 - HKLM\..\Run: [ezgladyt] C:\WINDOWS\ezgladyt.exe
O4 - HKLM\..\Run: [TimeSyncApp] C:\Windows\TimeSynchronize.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [P2P Networking] C:\Windows\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akama...iTunesSetup.exe

#3 Daemon (Security Expert, Emeritus)

Posted 12 June 2004 - 04:42 PM

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General > activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine > activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine > activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.

#4 lilly1 (New Member)

Posted 12 June 2004 - 05:00 PM

I had already run the latest Ad-Aware and Spybot before my last posted logfile. I am having a problem removing several of the items manually using HijackThis. For example, R3 - URLSearchHook keeps coming back even after I use the Fix checked button. I believe I have everything closed except HijackThis while attempting. Also, I have copied HijackThis to a separate folder for launching.

#5 lilly1 (New Member)

Posted 12 June 2004 - 10:14 PM

Was able to remove the problems by going into safe mode and deleting the TV Media files and WinTools. No further assistance needed. Thank you.
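Added example, not part of the thread: one way to compare two HijackThis logs and list the entries that survived a fix, together with any still-running process from the same folder, which is the situation post #2 describes for the WinTools entry. The function names and the folder-matching heuristic are assumptions of this example, and 8.3 short paths such as `C:\PROGRA~1` are not resolved.

```python
import ntpath
import re

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.I)
SHARED = {r"c:\windows", r"c:\windows\system32"}  # too broad to attribute

# Excerpts of the two logs posted in this thread (10 June and 12 June scans).
BEFORE = r"""Running processes:
C:\Program Files\Common files\WinTools\WToolsS.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\Windows\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""
AFTER = r"""Running processes:
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

def parse(log):
    """Return (running process paths, {key: entry text}) for one log."""
    procs, entries = [], {}
    for line in map(str.strip, log.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):  # process rows are bare paths
            procs.append(line)
        elif m := ENTRY.match(line):
            guid = CLSID.search(m[2])
            # Key on the CLSID when present: the file column changes between scans.
            entries[(m[1], guid[0].upper() if guid else m[2])] = m[2]
    return procs, entries

def folder(path):
    return ntpath.normcase(ntpath.dirname(path))

def survivors(before, after):
    """Entries in both scans, each with running processes from its folder."""
    procs, new = parse(after)
    out = []
    for key in parse(before)[1].keys() & new.keys():
        m = PATH.search(new[key])
        d = folder(m[0]) if m else None
        live = [p for p in procs if d not in SHARED and folder(p) == d]
        out.append((key[0], new[key], live))
    return sorted(out)
```

On these excerpts, `survivors(BEFORE, AFTER)` returns the O4 WinTools entry with two live WinTools processes beside it and the R3 URLSearchHook entry with none.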

#6 Daemon (Security Expert, Emeritus)

Posted 13 June 2004 - 03:27 AM

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.