ads234 really sux!!! Make it go away!!!
Justin
Atlanta
Here we go: Adaware and Spybot have been run more than once today. It seems that I keep getting a loading screen that contains whatever ads it feels like while IE links to different pages. This doesn't happen all the time, but enough to get really annoying. Sorry for the lapse in etiquette in the post earlier. Please have a look and maybe I can get rid of this.
Logfile of HijackThis v1.98.2
Scan saved at 4:13:12 PM, on 9/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FAXmaker Client\FMSTART.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\justin\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\justin\Local Settings\Temp\EYR0A.dll
O4 - HKLM\..\Run: [FMStart] "C:\Program Files\FAXmaker Client\FMSTART.EXE"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://install.spywarelabs.com/1149040821/WrapperOuter.exe
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/licensed/svinstall_a_green.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = treyinman.com
O17 - HKLM\Software\..\Telephony: DomainName = treyinman.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0472F739-276A-4ED8-AFDC-5B7EBD5D3FD5}: NameServer = 10.2.51.6,10.1.0.6,10.1.0.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = treyinman.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0472F739-276A-4ED8-AFDC-5B7EBD5D3FD5}: NameServer = 10.2.51.6,10.1.0.6,10.1.0.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = treyinman.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0472F739-276A-4ED8-AFDC-5B7EBD5D3FD5}: NameServer = 10.2.51.6,10.1.0.6,10.1.0.5
Just take a look when you get a chance, no rush. There don't seem to be any other issues with this particular PC, but this is something new...
Comments
Justin,
you're a regular here at SM, but let me please point out something from our SVT Etiquette Thread:
Can you please add a bit more description to this thread so we know what we are looking at. It really helps us, because when we start to see some of those same symptoms and recognize patterns, it makes us better at solving things.
Plus, you have an older version of HJT; please grab the newest version from our Security Downloads page. I think your problem is this entry:
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
But usually when I see that, there is often another problem, which HJT v1.97 does not show. You need version 1.98 to know for sure.
So post a new log from v 1.98 with a better description of the problem, and we'll get you fixed up.
Dexter...
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\justin\Local Settings\Temp\EYR0A.dll
Have HijackThis fix the above entries, then find and quarantine the files. Once you've done that, post a new HijackThis log.
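Added example, not part of the original thread and not HijackThis's own logic: a small triage script that runs over lines copied from the log posted above and flags the three entry types the replies single out. The function name `triage` and the flagging heuristics (any logon program other than `userinit.exe`, a BHO loaded from a Temp directory, a missing URLSearchHook) are assumptions made for illustration.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted in this thread.
LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\justin\Local Settings\Temp\EYR0A.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header or running-process line
        code, body = m.group("code"), m.group("body")
        if code == "F2" and "userinit=" in body.lower():
            # Winlogon's Userinit value is a comma-separated list; the Windows
            # default is userinit.exe alone, so report every other program.
            value = body[body.lower().index("userinit=") + len("userinit="):]
            for prog in filter(None, (p.strip() for p in value.split(","))):
                if ntpath.basename(prog).lower() != "userinit.exe":
                    findings.append((code, "extra program run at logon", prog))
        elif code == "O2":
            b = BHO.match(body)
            # Heuristic (assumption): a browser helper object loaded from a
            # Temp directory is unusual for legitimately installed software.
            if b and "\\temp\\" in b.group("path").lower():
                findings.append((code, "BHO loaded from Temp", b.group("path")))
        elif code == "R3" and body.lower().endswith("is missing"):
            findings.append((code, "search hook anomaly", body))
    return findings


if __name__ == "__main__":
    for finding in triage(LOG):
        print(*finding, sep=" | ")
```

A flagged line is a prompt for manual review of the file and registry value, not a verdict; the two Program Files BHOs in the sample are left unflagged only because they do not match these heuristics.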