Crazy pop up ads

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mctonto

Thread Starter
Joined
Sep 9, 2003
Messages
2
i've had trouble with pop up ads and have read some of the other threads on this. I've since downloaded spybot and hijack, and here is my log, if you can tell me what to "fix" it would be greatly appreciated.
thanks.

Logfile of HijackThis v1.96.4
Scan saved at 1:24:37 PM, on 09/10/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
c:\jet95\jshelper.exe
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\JET95\JETSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
C:\WINDOWS\TVMD.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globaltoolbar.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=global&SEC=bnav
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.supret.com/
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_7.DLL
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM213.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM214.DLL
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL
O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Internet] C:\WINDOWS\Internet.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O8 - Extra context menu item: Power Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSIETS.DLL//iemenu
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.microsoft.com/controls/mtswizards/sw35.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37635.3340856481
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...N=yes&Vehicle_Number_int=1011971&action=media
O16 - DPF: {6ABC861A-31E7-4D91-B43B-D3C98F22A5C0} (SecureWeb Class) - http://secure.goodthinxx.com/(soxcf4454wtxkp55gynzjg45)/secureweb/securewebgt.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack.cab
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://pressbox.rtsports.com:443/Java/cs4fs084.cab
 
Joined
Jun 19, 2003
Messages
1,241
Hi mctonto, and welcome to TSG.. :)

Lot's here.. :)

First, please go here http://www.webattack.com/get/cwshredder.shtml and run the Coolwebshredder program. I'm not 100% sure, but it looks as though Global Finder has changed to Global Toolbar (this is more for info to the other techs here) :)

Then please run a new Hijack log, and check to fix all of the items below. Next close all browser windows and click Fix

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about :blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globaltoolbar.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about :blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=global&SEC=bnav

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.supret.com/

R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)

O2 - BHO: iWon Co-Pilot BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM213.DLL

O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM214.DLL

O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)

O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - (no file)

O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\1.BIN\IWONBAR.DLL

O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)

O4 - HKLM\..\Run: [Internet] C:\WINDOWS\Internet.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O8 - Extra context menu item: Power Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSIETS.DLL//iemenu

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...mp;action=media

O16 - DPF: {6ABC861A-31E7-4D91-B43B-D3C98F22A5C0} (SecureWeb Class) - http://secure.goodthinxx.com/(soxcf4454wtxkp55gynzjg45)/secureweb/securewebgt.cab

O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://i1img.com/images/nocache/cop...etup1.0.0.5.cab

O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/b...TML_US_pack.cab


Then reboot and go to Start | Settings | Control Panel | Add/Remove Programs and remove Internet Optimizer. Look also for this program.. Active Alert and remove also if it's there.

Then could you go here and run the online virus scan. This entry..

O4 - HKLM\..\Run: [Internet] C:\WINDOWS\Internet.exe

..shows that you have the I-Shell trojan lurking.

Got to get ready for the evening now, so when you've done all the above, could you post a new log for a final once over.. :)

Cheers

Liam
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top