
Pop-ups won't go away!

#1 milos (Member; New Member, 2 posts)

Posted 12 June 2004 - 12:35 AM

One of the users on our enterprise network has managed to get his laptop badly infected. I was able to remove a bunch of malware etc. with a combination of Spybot, Adaware, SpySweeper, SpywareBlaster, MRU Blaster, SpywareGuard, CWShredder, and Hijack This. Unfortunately, the PC continues to have heavy pop-ups even when IE is closed. They usually start a minute or two after logon. Disconnecting from the network is the only sure relief.

I'm no expert, but the HJT log looks clean to me except for maybe: O4 - HKLM\..\Run: [gzzblr] C:\WINNT\aeiotyp.exe
I couldn't find anything for that on Pacman's startup list.

I sure would appreciate it if anyone out there can help with this. I'd like to give this guy a clean PC on Monday morning. Thanks!
Here is the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 3:14:37 PM, on 6/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba.my.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINNT\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [gzzblr] C:\WINNT\aeiotyp.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd.../C...6225347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...oc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = olivehain.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = olivehain.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = olivehain.com

#2 nellie2 (Forum Deity; Retired Staff, 651 posts)

Posted 12 June 2004 - 08:08 AM

I am with you on this one; the only thing I can see in your log that shouldn't be there is this line:

O4 - HKLM\..\Run: [gzzblr] C:\WINNT\aeiotyp.exe

Fix it with HijackThis, making sure all other browsers and windows are closed first, then reboot and find and delete this file:

C:\WINNT\aeiotyp.exe
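The triage nellie2 describes, as an added example that is not part of this thread: a small Python script that parses the O4 autorun lines of a HijackThis log and flags entries whose executable sits directly in the Windows directory, entries recorded only by bare filename (so their real location is unknown), and value names with no vowels. The sample lines are copied from the log above; the heuristics and function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINNT\myCIO\Agent\myAgtTry.Exe
O4 - HKLM\..\Run: [gzzblr] C:\WINNT\aeiotyp.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}   # autoruns living directly here are unusual

def image_path(cmd):
    """Pull the executable out of a Run command line: honour quotes, else cut after the extension."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [cmd])[0]

def parse_o4(line):
    """Parse one HJT O4 line (registry Run value or Startup-folder .lnk); None for any other line."""
    m = re.match(r"^O4 - (?P<key>[^:]+): (?P<rest>.*)$", line)
    if not m:
        return None
    key, rest = m.group("key"), m.group("rest")
    if rest.startswith("["):                      # "[value name] command line"
        name, _, cmd = rest[1:].partition("] ")
    else:                                         # "Shortcut.lnk = target"
        name, _, cmd = rest.partition(" = ")
    return {"key": key, "name": name, "command": cmd, "image": image_path(cmd)}

def triage(entry):
    """Return the reasons an autorun deserves a closer look; an empty list means nothing odd."""
    reasons, p = [], PureWindowsPath(entry["image"])
    if not p.drive and p.parent == PureWindowsPath("."):
        reasons.append("bare filename, real location not recorded")
    elif str(p.parent).lower() in WINDOWS_ROOTS:
        reasons.append("executable sits directly in the Windows directory")
    if not re.search(r"[aeiou]", entry["name"], re.I):
        reasons.append("value name has no vowels (looks generated)")
    return reasons

def review_log(text):
    """Return [(value name, image path, reasons)] for every O4 entry that triage flags."""
    entries = filter(None, (parse_o4(ln.strip()) for ln in text.splitlines()))
    return [(e["name"], e["image"], r) for e in entries if (r := triage(e))]
```

Calling `review_log(SAMPLE_LOG)` reports the bare `Promon.exe` entry as unresolved and the `[gzzblr] C:\WINNT\aeiotyp.exe` line on both counts, while the vendor entries under Program Files and under WINNT subfolders pass.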

#3 milos (Member; New Member, 2 posts)

Posted 12 June 2004 - 07:17 PM

Thanks for the support Nellie2. I'll give it a try and see what happens.

#4 nellie2 (Forum Deity; Retired Staff, 651 posts)

Posted 13 June 2004 - 06:57 AM

Post back if you are still having problems!