I hate other people's computers!

Creep Hell Icrontian
edited June 2004 in Spyware & Virus Removal
OK, this is the problem, please help. I'm working on this computer for someone and I keep getting these random pop-ups from nowhere. IE isn't open and they just appear. Flash won't display even though I have the latest version of it installed. Somehow there is spyware and browser hijacks on here despite my best efforts to remove them. This is a Windows XP Home machine with multiple users, something I'm not overly familiar with since no one is allowed to look at my machine let alone use it. Is it possible for one of the other users of this computer to have something installed that is allowing this to happen? I have Ad-Aware, Spybot, SpywareGuard and a pop-up blocker installed and running to no avail. Please help me out here?

Comments

  • csimon Acadiana Icrontian
    edited June 2004
    Do you have a HijackThis log?
  • Dexter Vancouver, BC Canada
    edited June 2004
    If another user accidentally (or unknowingly) installs some adware, yes, it can grant itself global user rights. But the good news is that you can disable it from any profile as well then.

    Click the link in my sig to go to our security downloads area, grab HijackThis, unzip it to its own directory (i.e. c:\hjt), run the app, generate a log and post it as csimon suggested. If it's in there, our SVT SWAT team will find it for you, Creep :)

    Dexter...
  • gibbonsl Grand Forks AFB
    edited June 2004
    Also try turning off the Messenger service

    in the Administrative Tools under Services.
  • edcentric near Milwaukee, Wisconsin Icrontian
    edited June 2004
    What are you running for anti-virus?
    If they don't have any or it is old, either make them pay to update it or download the free version of AVG.
  • Creep Hell Icrontian
    edited June 2004
    No offense, but does it say "I'm a retard" under my name or does it say "S-M Vet"? I went through the HijackThis log and removed everything that isn't required, so that's fine. I know the difference between an IE pop-up and a MS Messenger pop-up, which I disabled BEFORE SP1 came out on this computer.... Macfree (not my choice), completely updated. I'm at a loss with the computer: IE times out on the web pages within less than 2 seconds, the Comcast.net home page won't display Flash, but it works for other sites. The only thing left for me to do is blast Macfree and install Norton Internet Security unless you guys can come up with SOMETHING better than what's above this.....
  • edited June 2004
    Whoa, Creep! No one called you a "retard", they are just posting up an easy way for popups to get on the machine. Since you still haven't posted a HJT log, then all anyone can do is just guess.

    Please either post a HJT log or you can work it out yourself, as we aren't friggin wizards around here that can look and see what's on that machine simply by concentrating our will on the offending machine. ;)
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    I agree with Mudd.. You've been here so long, we're all friends here. We're not trying to make it harder for you, but if you want help, how can we possibly figure out what's going on without a HJT log? :confused:

    If you don't want help, then why ask?
  • Creep Hell Icrontian
    edited June 2004
    Logfile of HijackThis v1.97.7
    Scan saved at 10:07:57 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Panicware Surf &Pal - {0ADCDFE7-8490-406D-91BF-88F71FD7F8AE} - C:\Program Files\Panicware\Surf Pal\pwicc.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,75/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37884.1977777778
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,17/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Like I said, this was clean..... Now for some unknown reason web pages won't load if you type in the "www" first. I'm really at a loss here. About the only thing I can think of to fix it is "format C:", but there is too much stuff on here that can't be lost, so my best option is to fix it.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited June 2004
    Try a trojan scan: www.trojanscan.com and failing that, you might have to do a repair install.
  • Creep Hell Icrontian
    edited June 2004
    I think that it might just have a virus and Macfree blows just hard enough to let something like that get on the PC. Next time I'm over there I'll run that and the Symantec one and see what they come up with. I still don't understand the 5 second web page time out though.
  • Guyute Gamehenge
    edited June 2004
    FWIW I always found Quicktime pretty pesky...

    Also with multiple users you have multiple cookie sites...my wife's cookies were always getting picked up by Ad-Aware, and each user has the settings folder where I have found junk.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    I had a full retail copy of McAfee 8 the other day (the latest, I think) and it sucked ass. It didn't stop email viruses from coming through, and it slowed my computer down like crazy. I got rid of that crap like a rotten onion.
  • Mancabus Charlottesville, VA
    edited June 2004
    For the Flash thing, try deleting the DPF cabs from the Windows\Downloaded Program Files folder, then retry the install. I've had success with this and other DPF cabs in the past. Sometimes the install of the cab doesn't go correctly, and that could explain the Flash problems.
  • Dexter Vancouver, BC Canada
    edited June 2004
    1 - The log file you posted does not contain the running processes section. If you deleted that on purpose, please post those, just so we can rule out any malware masquerading as a legit service. If you didn't delete that, then please check the CONFIG menu of HJT and tell it to include running processes in the log file.

    2 - This entry: O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    The Viewpoint software is considered by many to be spyware. It monitors what media files are played back within its player, and then can report that back to the server. It is usually installed without your knowledge, and is bundled with AOL 9, AIM, and with some Adobe freeware apps. It is now also pre-installed on off-the-shelf computers made by many leading companies.

    Now, because Viewpoint runs as its own process (i.e., OUTSIDE of Internet Explorer) it is capable of generating pop-up messages AT ANY TIME on your system...which is pretty much what you described.

    Start here:

    http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml

    Now, since the Viewpoint application tries to be an "all-in-one" web viewing software, it integrates Flash and other media formats into HTML pages to be viewed through its plugin. There have been reports of users having slow Internet Explorer problems after Viewpoint unknowingly got installed on their system by being bundled with something else.

    There is a very long and interesting discussion on ViewPoint at the SpywareInfo forum:

    http://www.spywareinfo.com/forums/index.php?showtopic=4298&st=0

    There are reports from users there who got pop-ups on their system starting very shortly after they installed ViewPoint.

    The jury is still out though. Viewpoint is used by a lot of big online companies to provide rich graphic content, in much the same way as Flash does...except Viewpoint can and does track usage and viewing preference info and report it back to the originator and to Viewpoint itself.

    Given that you are having trouble with Flash and with HTML, I would recommend uninstalling Viewpoint, deleting that entry in HJT, rebooting, and trying the internet after that. Do not try to run AIM during this test, because it may re-install Viewpoint without your knowledge.

    ///EDIT TO ADD: you may need to re-install Internet Explorer and Flash, as the Viewpoint installer may have overwritten portions of those apps. If simply removing Viewpoint does not work, try a re-install.

    Dexter...
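As an added example (not from this thread, nor part of HijackThis itself), a small Python checker that performs the two reviews Dexter asked for: whether the log includes the running-processes section, and whether any O2/O3/O4/O16 entry matches a watchlist of known unwanted software (here only Viewpoint, as discussed above). The sample log and the watchlist are constructed for the example, and the "Running processes:" header is assumed to be the section title HJT emits.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis v1.97 log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Hypothetical watchlist: lower-case substrings of paths that the thread singled out.
WATCHLIST = {
    "viewpoint": "Viewpoint Manager: runs outside IE and can raise pop-ups at any time",
}

# HJT entry lines start with a type code (R0-R3, F0-F3, N1-N4, O1-O23) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

def parse_hjt(text):
    """Return (kind, body) tuples for each entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def has_process_section(text):
    """Dexter's first check: HJT lists a 'Running processes:' block unless disabled (assumed header)."""
    return "Running processes:" in text

def flag_entries(entries, watchlist=WATCHLIST):
    """Return (kind, body, reason) for BHO/toolbar/autostart/DPF entries matching the watchlist."""
    hits = []
    for kind, body in entries:
        if kind not in ("O2", "O3", "O4", "O16"):
            continue
        low = body.lower()
        for needle, reason in watchlist.items():
            if needle in low:
                hits.append((kind, body, reason))
    return hits

def summarize(text):
    """Counts per entry type, presence of the process section, and watchlist hits."""
    entries = parse_hjt(text)
    return {"counts": dict(Counter(k for k, _ in entries)),
            "has_processes": has_process_section(text),
            "flagged": flag_entries(entries)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```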