Problem with Popups

CrazyJoe Winter Springs, FL Icrontian
edited May 2004 in Spyware & Virus Removal
I am getting a large amount of pop ups lately and my popup blocker is working overtime it seems. I never see them but it's still annoying. Also it seems that something is making me tab out of text boxes whenever I try to type stuff in text boxes in IE. I have to click back in the text box many times as I type a long post or something. I have Adaware and Spybot and they're not able to find anything wrong... As I look at the log of the popups blocked they're all coming from http://jsandboxer.cjt1.net/ Anyone know of something other than Adaware or Spybot I can use to fix these problems (they might be related, I'm not sure?)

Comments

  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited April 2004
    Question: By tab out of text boxes, do you mean use the tab key to exit, or to move from field to field in a form??? Tab is normal for IE in current service packs and for field moves in an online form, especially with Active Server Page sites.

    As to message entry here, IE in latest service pack and security patches sees it as a form. Subject text enter, tab, message enter without tabs (tabs will get parsed out of entry as it posts, the PHP code translates them to single spaces instead of keeping tabs), and let it word wrap, then tab out to exit entry box. Your alternative is to scroll down your IE window when done and then click the Preview... or Submit... button when done typing in your post.

    As to popups, there are hijackers that can spawn ad popups, and there are also lots of cookie fed popups. Look at your cookies cache in Internet Options in IE and clear the cookies that contain "ad" as part of the string, and anything with "doubleclick.net" in it. Clear cookies that you do not know what they are and that do not match sites you go to. Clear them all, and you will maybe have to reenter passwords to login. I write down my passwords and put them in a rolodex that gets put in a secure place when not in use, so if I clear cookies I can refer to the rolodex. A password manager software can also help here, but will make things complex, as all of that kind of software means that the password manager software has to work also for passwords to get kept and used after IE's password cookies are cleared.

    Adaware, SpyBot S&D and HijackThis all depend on definitions some. You need to update defs, as there are new defs released intermittently. You also need the latest version of each to start with. All these have def sets released in April of this year, some have versions released in April also. HijackThis finds and can kill things that Adaware and SpyBot S&D do not understand and therefore cannot kill, and all these have been compromised in old versions. SpyBot S&D specifically was patched to fix the problem of being disabled by one specific family of malware, for instance. Old versions of it can be disabled by that malware.

    One trick is to NOT surf while cleaning your box of things. Take it offline as far as the web is concerned. Then restart Windows when done cleaning.

    Before you do this taking box offline job, get the latest versions and def updates. Then take box offline as to web and then scan, then restart XP, then rescan.

    John D.
  • Dexter Vancouver, BC Canada
    edited April 2004
    It is very likely that you have some "adware" running on your computer that is enabling the pop-ups. Adware basically sends messages to a server that says "Hello, live computer here, feed me some annoying advertising!" Adware can be either a program on its own, or be combined with a hijacker as Ageek mentioned in his post. By removing the adware, you cut down the pop-ups.

    Can you please download Hijack This from our Downloads - Security section:

    http://www.short-media.com/download.php?dc=69

    Run HJT and post the log here. One of our many knowledgeable members will be happy to help you check it over.

    Dexter...
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited April 2004
    A quick fix to use until we analyze your HiJackThis log is to add a few entries to your hosts file. If you're using WinNT/2K/XP, it's located in %WINDIR%\system32\drivers\etc, where %WINDIR% is the folder where Windows is installed. For Win9x, it's in c:\windows. Open hosts with a text editor and add the following lines:
    127.0.0.1 jsandboxer.cjt1.net
    127.0.0.1 cjt1.net
    

    Save, then restart your browser. That should stem the tide for a while.
  • CrazyJoe Winter Springs, FL Icrontian
    edited April 2004
    Logfile of HijackThis v1.97.7
    Scan saved at 9:52:51 PM, on 4/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\NortonAntiVirus\defwatch.exe
    C:\NortonAntiVirus\rtvscan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\NortonAntiVirus\vptray.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Winamp\winampa.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Rewards Network\brntray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Rewards Network\brndisp.exe
    C:\AIM\aim.exe
    C:\Documents and Settings\Joe\Desktop\Programs\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Lexmark X125\LEX125SU.exe
    C:\Folding@Home\winFAH.exe
    C:\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Yahoo!\Messenger\YPager.exe
    C:\WINDOWS\System32\Uqd9R6.exe
    C:\WINDOWS\System32\RrrIB2R.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Folding@Home\FahCore_65.exe
    C:\MailWasher\MailWasher.exe
    C:\Documents and Settings\Joe\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.espn.go.com/mlb/scoreboard
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\NortonAntiVirus\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    O4 - HKLM\..\Run: [g465] C:\docume~1\joe\locals~1\temp\g465.exe
    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\Ntb7i0h.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Joe\Desktop\Programs\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe
    O4 - Startup: Folding@home 3.24.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = C:\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0453adf272fb46194d20/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37954.8342361111
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
  • CrazyJoe Winter Springs, FL Icrontian
    edited April 2004
    Oh, and as far as the tab goes, it was happening as I typed: the cursor wouldn't be in the text box anymore and I would be typing in the address bar, or opening menus on the toolbar, like I had hit Tab to get out of the active text box I was typing in.
  • Dexter Vancouver, BC Canada
    edited April 2004
    A couple of items to delete (after starting in Safe Mode, of course.)


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    A generically named toolbar in your search hooks...toast it.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost


    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    Same bits and pieces, likely left behind by Adaware searches

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    See first comment.


    R3 - Default URLSearchHook is missing


    O1 - Hosts: comments (such as these) may be inserted on individual



    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    See second comment.


    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

    Digital Distribution Channel from Wild Tangent - adware


    O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe

    Anything that says "rewards" or "network" smells like adware. This says both. It could be legit, if you have ever signed up to some reward network for anything...but I suspect it is crap. If you don't remember ever installing Rewards Network software - toast it.


    O4 - HKLM\..\Run: [g465] C:\docume~1\joe\locals~1\temp\g465.exe

    Files in your Temp directory don't get added to your global startup by accident. Toast this.


    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\Ntb7i0h.exe

    No matching results on Google, likely a random file name. Toast.

    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    Backweb can be a legit application, but often is installed with adware. Toast it. If another app is in need of it, it will let you know and you can reinstall.

    O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe

    Some research indicates this is adware, and some of the posts I found with this the users reported similar symptoms to you. I'd toast it.

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0453adf272fb46194d20/netzip/RdxIE601.cab

    Adware installer, I believe.

    Besides toasting all the entries above, please manually quarantine the actual files that those entries reference. Just stick them in a folder labelled Quarantine so that they do not run at boot. If you do need them for something else, you can replace them easily.

    Dexter...
  • CrazyJoe Winter Springs, FL Icrontian
    edited April 2004
    Dexter wrote:
    A couple of items to delete (after starting in Safe Mode, of course.)

    Besides toasting all the entries above, please manually quarantine the actual files that those entries reference. Just stick them in a folder labelled Quarantine so that they do not run at boot. If you do need them for something else, you can replace them easily.

    Dexter...

    What do I have to do to find these files to quarantine? I know that sounds like a stupid question, but it's early and I can't think straight right now due to lack of sleep and I'm still getting these problems after toasting the entries while in safe mode...
  • Dexter Vancouver, BC Canada
    edited April 2004
    Reboot in safe mode.

    For any of the entries above that have file names in them, ie:

    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\Ntb7i0h.exe

    Go and find the file that is pointing to:

    C:\WINDOWS\System32\Ntb7i0h.exe

    Rename the file to Ntb7i0h.xxxexe

    Then remove it from that directory, and place it in a new folder:

    C:\Quarantine

    Rinse and repeat for each other entry with a filename. For .DLL files call them *.xxxdll

    By quarantining, you disable the file from starting at boot-up, but you still have them handy if you find that you do need them for something after all.

    Dexter...
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    So I did all this and removed the files and put them in quarantine and I'm still getting popups from http://jsandboxer.cjt1.net/... Any thoughts?
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Add the site to your hosts file. It's located in %WINDIR%\system32\drivers\etc, where %WINDIR% is the folder where Windows is installed. Open hosts with a text editor and add the following lines:
    127.0.0.1 jsandboxer.cjt1.net
    127.0.0.1 cjt1.net
    

    Save, then restart your browser.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Mr. Kwitko wrote:
    Add the site to your hosts file. It's located in %WINDIR%\system32\drivers\etc, where %WINDIR% is the folder where Windows is installed. Open hosts with a text editor and add the following lines:
    127.0.0.1 jsandboxer.cjt1.net
    127.0.0.1 cjt1.net
    

    Save, then restart your browser.

    I LOVE that trick of rerouting DNS locally to NIC loopback test IP for sites you want to prevent DNS spoofing for.... :D

    John D.
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    OK, I tried that. Let's see if that works. Oh and in that directory there were two files named hosts. One just said type 'file' and another said it was an 'iCalendar' file. The first one said it was read only so I couldn't edit that one so I added to the second one. Is that correct?
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    There were 2 hosts files in c:\windows\system32\drivers\etc? Strange. Was one of them "hosts.sam"? You want to add them to the one that is just file type "file". If it was read-only, change the attributes to remove the read-only, add the lines as I specified, then change it back to read only.
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    I did that. Hopefully it will work.
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    Just curious but why does this work at blocking the site.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Here's a good site explaining what a hosts file does and why that works.
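Added example (editor's note, not part of any post above and not Windows code): a small Python model of what the resolver does with those two hosts lines, which is the answer to "why does this work". The hosts file is consulted before DNS, so a name listed there resolves to 127.0.0.1, the loopback address, where no web server is listening, and the ad host is never contacted. Matching is by exact name, case-insensitive, with no wildcards, which is why cjt1.net and jsandboxer.cjt1.net each needed their own line. The sample hosts contents, the hostname list and the function names are constructed for the example.

```python
"""Hosts-file blocking, simulated offline.

Added example; not from the thread and not Windows code. It models what
the resolver does with the lines Kwitko suggested: the hosts file is read
before DNS, so a name found there resolves to the loopback address,
where nothing answers on port 80, and the ad host is never contacted.
"""
import os

# Constructed sample of a hosts file, in the comment style of the Windows
# default file. Not the poster's actual file.
SAMPLE_HOSTS = """\
# comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
127.0.0.1       localhost
"""

BLOCKED = ["jsandboxer.cjt1.net", "cjt1.net"]   # hosts named in the thread
LOOPBACK = "127.0.0.1"


def hosts_path():
    """Location of the hosts file on NT-family Windows (%WINDIR% as in the thread)."""
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    return windir.rstrip("\\") + r"\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Map each name in the file to its address.

    '#' starts a comment; the first field is the address and every later
    field on the line is a name for it. This model keeps the first line
    seen for a name; resolvers differ on duplicates, so keep the real
    file free of them.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def resolve(table, hostname):
    """Hosts-file answer for hostname, or None meaning 'fall through to DNS'.

    Lookup is by exact name: 'cjt1.net' does not cover 'jsandboxer.cjt1.net'.
    """
    return table.get(hostname.lower().rstrip("."))


def block_lines(hostnames, existing_text):
    """Lines to append so each hostname resolves to loopback, skipping any
    name the file already answers for (so re-running is harmless)."""
    table = parse_hosts(existing_text)
    return ["%s %s" % (LOOPBACK, h) for h in hostnames if resolve(table, h) is None]


def add_block_entries(existing_text, hostnames):
    """Return the file contents with the needed block lines appended."""
    new = block_lines(hostnames, existing_text)
    if not new:
        return existing_text
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + "\n".join(new) + "\n"


def unblocked(text, hostnames):
    """Names in hostnames that the file does not point at loopback; use this
    to check that the edit took before restarting the browser."""
    table = parse_hosts(text)
    return [h for h in hostnames if resolve(table, h) != LOOPBACK]


if __name__ == "__main__":
    updated = add_block_entries(SAMPLE_HOSTS, BLOCKED)
    print(updated)
    print("still unblocked:", unblocked(updated, BLOCKED))
    print("www.cjt1.net ->", resolve(parse_hosts(updated), "www.cjt1.net"))
```

Two practical notes from the editor, not from the thread. The resolver reads only the file named exactly hosts, with no extension; the neighbour that Explorer labels iCalendar is hosts.ics, which belongs to Internet Connection Sharing, and it is not the file ordinary lookups use. To edit the real one on XP, clear the read-only attribute with attrib -r hosts, append the lines, restore it with attrib +r hosts, then run ipconfig /flushdns and restart the browser so neither the resolver cache nor the browser keeps the old answer. Each subdomain needs its own line, and a hosts entry only stops the browser reaching that host; it does not remove whatever on the machine keeps asking for it.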
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    I fixed the problems as suggested earlier from my HijackThis log. Now something is causing it to still deactivate the active window when IE is open. Adaware and Spybot S&D are both coming up clean. Here is a new HijackThis Log.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:42:32 PM, on 5/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\NortonAntiVirus\defwatch.exe
    C:\NortonAntiVirus\rtvscan.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\NortonAntiVirus\vptray.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Winamp\winampa.exe
    C:\WINDOWS\System32\sstray.exe
    C:\ASUS\Probe\AsusProb.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\AIM\aim.exe
    C:\Documents and Settings\Joe\Desktop\Programs\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Lexmark X125\LEX125SU.exe
    C:\Folding@Home\winFAH.exe
    C:\Yahoo!\Messenger\ymsgr_tray.exe
    C:\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\System32\Fpq9U5uE.exe
    C:\WINDOWS\System32\UktBUA.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Folding@Home\FahCore_78.exe
    C:\MailWasher\MailWasher.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Microsoft Office\Office10\WINWORD.EXE
    C:\Winamp\studio.exe
    C:\Documents and Settings\Joe\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sports.espn.go.com/mlb/scoreboard
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_11_0.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\NortonAntiVirus\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\AmxKR.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Joe\Desktop\Programs\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Folding@home 3.24.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = C:\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37954.8342361111
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

    Any ideas?
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    Also any time I go to a new page in IE I get a message box that says "Spybot reports that you want to download "Avenue A, Inc." This is a known threat. Do you want to BLOCK this download? I say yes every time of course but it still comes up every time I go to a new page... It's very annoying.
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    Anyone? Bueller? Bueller?
  • GHoosdum Icrontian
    edited May 2004
    I've seen Joe's PC doing this. The strange part is that nothing comes up on Adaware or Spybot S&D, even with the latest updates. It's not a permanent affliction (doesn't happen in games or Word or anything), it's very much browser related.

    Although I must say, Yahoo! toolbar is spyware in and of itself, and I see that in your HJT results. That's a lot of crap on your PC there. My HJT results were about 5 lines long...
  • CrazyJoe Winter Springs, FL Icrontian
    edited May 2004
    Oh yeah, and I just wanted to say thanks for everything you guys have done in the past. I didn't mean my Bueller post as anything mean or anything, just my sarcastic wit. See ya all in a few days!!
  • Thrax 🐌 Austin, TX Icrontian
    edited May 2004
    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\AmxKR.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe DELETE THIS DIRECTORY after killing the windows task

    Unless you don't want yahoo, this is all I found suspicious and/or a plausible cause of your problems.
  • Dexter Vancouver, BC Canada
    edited May 2004
    This entry:

    O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\AmxKR.exe

    is entirely too random looking to me. It also has one Google match: this post on SM. Coincidence? I think not. Reboot in SAFE MODE, run HJT, and kill that item. Then create a new System Restore point. Then reboot normally.

    Hopefully that does the trick for you.

    By the way, that entry was NOT in your first HJT log, which means that this guy entered your system after the last time I gave you HJT log advice. This tells me that either:

    a - you have a random-naming silent re-installer running on your system; or

    b - you are practising some unsafe browser habits such as surfing for free porn in unwise places, or looking for warez, serialz and crackz, etc, or you are downloading same from P2P apps.

    If option "b" is true, perhaps you need to either rethink your browsing habits, or switch to a Mozilla based browser which is less susceptible to hijacks.

    Dexter...
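Added example (editor's note, not from the thread and not HijackThis code): Dexter's point that the 5N9B6SD4C@A9KM value was absent from the first log, together with the fact that the same value name points at Ntb7i0h.exe in the April log and at AmxKR.exe in the May log, is the kind of thing a diff of two logs turns up by itself. The Python below parses the Running processes list and the O4 Run lines of two logs, reports values that are new or whose target file was renamed between scans, flags launch paths that sit in a Temp directory or carry no drive letter, and lists which Run values and processes disappeared so the cleanup can be confirmed. The two log excerpts are constructed subsets of the logs posted above; the flags are prompts for a closer look, not verdicts, and the function names are this example's own.

```python
"""Compare two HijackThis logs to find autostart entries that changed.

Added example; not from the thread and not HijackThis code. A Run value
that keeps its name while the file behind it changes between scans is
what a re-installer that picks random file names leaves behind, and the
process list shows the same pattern. Parsing covers only the two
sections the comparison needs: "Running processes" and O4 Run lines.
"""
import re

# Constructed excerpts of the two logs posted above (same lines, subset).
LOG_APRIL = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:52:51 PM, on 4/25/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Uqd9R6.exe
C:\WINDOWS\System32\RrrIB2R.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [g465] C:\docume~1\joe\locals~1\temp\g465.exe
O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\Ntb7i0h.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe
"""

LOG_MAY = r"""
Logfile of HijackThis v1.97.7
Scan saved at 9:42:32 PM, on 5/8/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Fpq9U5uE.exe
C:\WINDOWS\System32\UktBUA.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [5N9B6SD4C@A9KM] C:\WINDOWS\System32\AmxKR.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
"""

# O4 line: hive, value name in brackets, then the command HJT read from the value.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# First executable-looking token, with optional surrounding quotes; drops arguments.
TARGET_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)


def target_path(cmd):
    """Executable named in a Run value, without quotes or arguments."""
    m = TARGET_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def parse_log(text):
    """Pull the process list and the O4 Run entries out of an HJT log."""
    procs, runs, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.add(line)
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            runs[(hive, name)] = target_path(cmd)
    return {"procs": procs, "runs": runs}


def flags(path):
    """Static checks on a launch path; each string is a reason to look closer."""
    reasons, low = [], path.lower()
    if "\\temp\\" in low:
        reasons.append("launched from a Temp directory")
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("relative path: found via the search path, not a fixed location")
    return reasons


def triage(old_text, new_text):
    """Run entries worth a look, plus what changed between the two scans."""
    old, new = parse_log(old_text), parse_log(new_text)
    report = {}
    for key, path in new["runs"].items():
        reasons = []
        if key not in old["runs"]:
            reasons.append("new since last scan")
        elif old["runs"][key].lower() != path.lower():
            reasons.append("target renamed between scans: %s -> %s" % (old["runs"][key], path))
        reasons += flags(path)
        if reasons:
            report[key] = reasons
    return {
        "report": report,
        "removed": sorted(k for k in old["runs"] if k not in new["runs"]),
        "new_processes": sorted(new["procs"] - old["procs"]),
        "gone_processes": sorted(old["procs"] - new["procs"]),
    }


if __name__ == "__main__":
    result = triage(LOG_APRIL, LOG_MAY)
    for key, reasons in result["report"].items():
        print("%s\\..\\Run [%s]: %s" % (key[0], key[1], "; ".join(reasons)))
    print("removed since last scan:", result["removed"])
    print("new processes:", result["new_processes"])
```

The renamed-target check is the one that matters here. The same comparison on the process lists shows randomly named executables in System32 that differ between the two scans (Uqd9R6.exe and RrrIB2R.exe in April, Fpq9U5uE.exe and UktBUA.exe in May); nobody in the thread called those four out, so treat that as an observation from the posted logs rather than a verdict on the files. The removed list is the other half of the value: it confirms that DDCM, g465 and WTSS stayed gone after the safe-mode cleanup.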
  • GHoosdum Icrontian
    edited May 2004
    Dexter wrote:
    switch to a Mozilla based browser which is less susceptible to hijacks.

    And the tabs are really handy, too!