Popups out of control

#1 mikebaum (Full Member, 7 posts)

Posted 18 June 2004 - 01:50 PM

I run Spybot S&D and it helps but something must be reinstalling. Anything obvious on this HT file? Thx, Mike
Logfile of HijackThis v1.97.7
Scan saved at 6:22:34 AM, on 6/17/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\svchost.exe
C:\Apple\Library\System\machd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\invoker.exe
C:\WINNT\system32\regsvc.exe
C:\Apple\OpenBase\bin\openexec.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\openinfo.exe
C:\Apple\Library\WebObjects\JavaApplications\wotaskd.woa\WOTaskDService.exe
C:\Apple\Library\System\nmserver.exe
C:\WINNT\system32\java.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\Apple\Library\Frameworks\Foundation.framework\Resources\pgroup.exe
C:\Apple\OpenBase\bin\OpenBase.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINNT\loadqm.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Apple\Library\Frameworks\AppKit.framework\Resources\pbs.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Apple\Library\System\WindowServer.exe
C:\WINNT\System32\nwsarta.exe
C:\WINNT\System32\objilib.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\Pat\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoas...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020se...d=shnv9901PCID= -1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoas...rch/search.html
O1 - Hosts: 216.168.57.8 snowdog.pragmatyxs.com
O1 - Hosts: 216.168.57.8 snowdog
O1 - Hosts: 216.168.57.9 superconductor.pragmatyxs.com
O1 - Hosts: 216.168.57.7 staging.pragmatyxs.com
O1 - Hosts: 216.168.60.44 bytor.pragmatyxs.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [rsEQ3Fe] nwsarta.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [aBx4RPKqQ] objilib.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pasteboard Server.lnk = C:\Apple\Library\Frameworks\AppKit.framework\Resources\pbs.exe
O4 - Global Startup: Pasteboard Server.lnk.disabled
O4 - Global Startup: Service Manager.lnk.disabled
O4 - Global Startup: stamp.dat
O4 - Global Startup: Window Server.lnk = C:\Apple\Library\System\WindowServer.exe
O4 - Global Startup: Window Server.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\xmlspy\spy.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: IE Addon (HKLM)
O9 - Extra 'Tools' menuitem: IE Addon (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Edit with XML Spy (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...alls/yinstc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7959.6030902778
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai...layer5AxWin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.c...abs/budicon.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#2 mikebaum (Full Member, 7 posts)

Posted 26 June 2004 - 09:52 PM

Not having heard anything from anyone here for seven days, I reposted a new topic with an updated HT log in a new thread. After rereading the pinned instructions I decided I needed to run Ad-Aware on the machine. I was surprised to pick up so many new items. I quarantined them and rebooted with Ad-Aware running at startup. It picked up more. I quarantined. Then things started heading south.

The machine was running desperately slow, at times hanging. After multiple reboots I decided I needed to restore the quarantined items. The first restored group didn't change things. The second caused a critical failure, and all further attempts to load the W2K OS failed. I tried to do a repair and again failed. I ended up reinstalling W2K. With the prospect of reinstalling a lot of software (my wife's work stuff alone would require half a day if things go well), we opted to buy a new computer.

So obviously you can continue to disregard my requests for help. I still applaud what you are doing here. Perhaps an increased awareness of the risks and consequences might prove worthwhile. I don't know.

I do know that it is the writers of the crapware that I was trying to remove who are ultimately to blame. If I were king I would go after them with a vengeance.

Good day, Mike