Kattis
30 Aug 2004, 2:16pm
Hi, I have popup problems.
I've run a 'zillion' spyware programs, and the popups have decreased, but I still get them. It seems like they are now only from http://bannerfarm.ace.advertising.com/bannerfarm and http://ilead.itrack.it/clients.
I've also installed the latest version of SpywareBlaster and activated protection for Internet Explorer (without luck).
Here is my log - can someone nice please have a look at it :)
PS: zzz = censored servername
Logfile of HijackThis v1.98.2
Scan saved at 10:54:10, on 2004-08-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CatPC\CatSVC\CatService.exe
C:\Program Files\CAT Bulletin Board\CBBS.exe
C:\WINNT\system32\ircomm2k.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VitalSuite\VitalAgent\Program\VtlAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\CAT Bulletin Board\CBB.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\pvlejz.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\proquota.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1053\nt\MAPISP32.EXE
C:\WINNT\system32\lezx.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\haakka13\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = msn
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.zzz.se/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = int-proxy1.zzz.se:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.zzz.se;*.zzz.net;*.zzz.de;*.zzz.fi;*.zzz.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4CF96626-9517-75C2-8603-625508DC7038} - C:\WINNT\system32\acqiiqi.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [cryptoex] C:\WINNT\system32\wscript.exe "C:\Program Files\CryptoEx Security Suite\PolicyUpdate.vbs"
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AUTOPCC] "\\Server\Share\OSCAN\SchUpd.exe"
O4 - HKLM\..\Run: [udrirxtrchzf] C:\WINNT\system32\pvlejz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.sap.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zzz.net