Popup problem - please help (log)
Hi, I have popup problems 
I've run a 'zillion' spyware programs, and the popups have decreased, but I still get them. It seems like they are now only from http://bannerfarm.ace.advertising.com/bannerfarm and http://ilead.itrack.it/clients.
I've also installed the latest version of SpywareBlaster and activated protection for Internet Explorer (without luck).
Here is my log - can someone nice please have look at it
PS: zzz = censored servername
Logfile of HijackThis v1.98.2
Scan saved at 10:54:10, on 2004-08-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CatPC\CatSVC\CatService.exe
C:\Program Files\CAT Bulletin Board\CBBS.exe
C:\WINNT\system32\ircomm2k.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VitalSuite\VitalAgent\Program\VtlAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\CAT Bulletin Board\CBB.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\pvlejz.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\proquota.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1053\nt\MAPISP32.EXE
C:\WINNT\system32\lezx.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\haakka13\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = msn
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.zzz.se/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = int-proxy1.zzz.se:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.zzz.se;*.zzz.net;*.zzz.de;*.zzz.fi;*.zzz.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4CF96626-9517-75C2-8603-625508DC7038} - C:\WINNT\system32\acqiiqi.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [cryptoex] C:\WINNT\system32\wscript.exe "C:\Program Files\CryptoEx Security Suite\PolicyUpdate.vbs"
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AUTOPCC] "\\Server\Share\OSCAN\SchUpd.exe"
O4 - HKLM\..\Run: [udrirxtrchzf] C:\WINNT\system32\pvlejz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.sap.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zzz.net
I've run a 'zillion' spyware programs, and the popups have decreased, but I still get them. It seems like they are now only from http://bannerfarm.ace.advertising.com/bannerfarm and http://ilead.itrack.it/clients.
I've also installed the latest version of SpywareBlaster and activated protection for Internet Explorer (without luck).
Here is my log - can someone nice please have look at it
PS: zzz = censored servername
Logfile of HijackThis v1.98.2
Scan saved at 10:54:10, on 2004-08-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\CatPC\CatSVC\CatService.exe
C:\Program Files\CAT Bulletin Board\CBBS.exe
C:\WINNT\system32\ircomm2k.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VitalSuite\VitalAgent\Program\VtlAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\OfficeScan NT\PCCNTMON.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\CAT Bulletin Board\CBB.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\pvlejz.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\proquota.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1053\nt\MAPISP32.EXE
C:\WINNT\system32\lezx.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\haakka13\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = msn
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad.zzz.se/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = int-proxy1.zzz.se:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.zzz.se;*.zzz.net;*.zzz.de;*.zzz.fi;*.zzz.com;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=CatUInit
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4CF96626-9517-75C2-8603-625508DC7038} - C:\WINNT\system32\acqiiqi.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Java Profiles Fix] C:\Program Files\Java\Profile Fix\Java_Profile.exe
O4 - HKLM\..\Run: [JavaProfileFix2] C:\Program Files\Java\Profile Fix\Java_Profile_2.exe
O4 - HKLM\..\Run: [cryptoex] C:\WINNT\system32\wscript.exe "C:\Program Files\CryptoEx Security Suite\PolicyUpdate.vbs"
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AUTOPCC] "\\Server\Share\OSCAN\SchUpd.exe"
O4 - HKLM\..\Run: [udrirxtrchzf] C:\WINNT\system32\pvlejz.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CatUserRun] wscript.exe "C:\Program Files\CatPC\CatLogon\CatUserRun.vbe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.sap.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zzz.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zzz.net
0
This discussion has been closed.
Comments
Before doing the following, please Set your computer to show hidden files and folders, Disable System Restore, and Reboot in Safe Mode.
Once you have done that, Run HijackThis and have it fix the following:
R3 - Default URLSearchHook is missing
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {4CF96626-9517-75C2-8603-625508DC7038} - C:\WINNT\system32\acqiiqi.dll
O4 - HKLM\..\Run: [udrirxtrchzf] C:\WINNT\system32\pvlejz.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.sap-ag.de
O15 - Trusted Zone: *.sap.com
O15 - Trusted Zone: *.sap.com
Then find and locate the files listed above and Quarentine Them.
Once you have done that, reboot, scan with HiijackThis again, and post a new log.