1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

InternetPop Up's killing me (help)

Discussion in 'Virus & Other Malware Removal' started by Bud0598, Sep 13, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
    98 windows system

    pop up's are killing me when on the internet. I have checked settings and ran all sorts of Ad Ware. Is there a stopper ot there that I can try. Thanks
     
  2. junker39

    junker39

    Joined:
    Jun 12, 2004
    Messages:
    1,661
    PopUpStopper Free Edition.
     
  3. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
  4. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
  5. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
    Logfile of HijackThis v1.98.2
    Scan saved at 7:59:51 AM, on 09/13/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\AGRSMMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\WINDOWS\SYSTEM\BROWSEUI.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmzuttrsvzmhfsi.com/IF2NsPk25dBYGXJuL8ajVdyykKINMZTUdDyXTA1iwak.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.lfgzucbyaep.com/IF2NsPk25dAzyjoKdoxsC2uy67DAKq8WlRRU/ldXYR79fqRH7Ix14Bdob75A1hwL.jpg
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://latinascomealive.com/?%20to%20verify%20your%20age?%20(REQUIRED!)WARNING!%20Adult%20pictures%20are%20featured%20in%20this%20site.%20%20Only%20adults%20permitted%20beyond%20this%20point.%20Are%20you%20at%20least%2018%20years%20old
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~4.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\COMPAQ\Scroll Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [HIDE SHOW] C:\Program Files\SPAMLIVE\Activelog.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [MoveForkBagsAbout] C:\WINDOWS\Application Data\corn barb move fork\Readme Link.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    http://www.majorgeeks.com/download3155.html

    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
    O4 - HKCU\..\Run: [BROWSEUI] C:\WINDOWS\SYSTEM\BROWSEUI.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.8.6.20/holdem/holdem-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.6.20/worldclass/worldclass-ob-assets.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak04.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.8.0.3.0.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/canasta/canasta-ob-assets.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  6. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
    Its down there
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Your system seems to be infected with spyware, adware and adult contents nasties such as:

    WINTOOLS
    cdlsp.dll

    http://latinascomealive.com/?%20to%20verify%20your%20age?%20(REQUIRED!)WARNING!%20Adult%20pictures%20ar e%20featured%20in%20this%20site.%20%20Only%20adults%20permitted%20beyond%20 this%20point.%20Are%20you%20at%20least%2018%20years%20old


    To clean the computer from these nasties, first go to the Add/Remove Programs icon in the control panel and remove Wintools. Then download and run the following programs:

    CWShreder

    http://www.majorgeeks.com/download4086.html

    Adaware

    http://www.lavasoftusa.com/support/download/

    Vx2 Cleaner (Anti-porn tool for adaware)

    http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml

    Spybot Search and destroy

    http://spybot.eon.net.au/en/download/index.html

    Eliminate all spyware and adaware found. In regard to the VX2 Cleaner, this should be downloaded after Adaware, and will appear as an Add-on in Adaware. You will be running this program from there.

    After all these programs have been ran and all these nasties have been removed, produce another Hijackthis log and post it here.
     
  8. Katzy

    Katzy

    Joined:
    Nov 9, 2003
    Messages:
    563
    And get Opera. It has a built-in popup stopper that works, perfectly.
     
  9. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
    Logfile of HijackThis v1.98.2
    Scan saved at 7:21:29 PM, on 09/13/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\AGRSMMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\VISIONEER ONETOUCH\ONETOUCHMON.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\VISIONEER\PAPERPORT\PPWEBCAP.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\WINDOWS\SYSTEM\BROWSEUI.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmzuttrsvzmhfsi.com/IF2NsPk25dBYGXJuL8ajVdyykKINMZTUdDyXTA1iwak.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sxjnddqhzxnuwn.com/IF2NsPk25dAzyjoKdoxsC2uy67DAKq8WlRRU/ldXYR5iwrGbqsxCOhdob75A1hwL.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~4.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\COMPAQ\Scroll Mouse\gnetmous.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [HIDE SHOW] C:\Program Files\SPAMLIVE\Activelog.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [MoveForkBagsAbout] C:\WINDOWS\Application Data\corn barb move fork\Readme Link.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\VISIONEER\PAPERPORT\PPWebCap.exe
    O4 - HKCU\..\Run: [Get Connected Install] M:\setup.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
    O4 - HKCU\..\Run: [BROWSEUI] C:\WINDOWS\SYSTEM\BROWSEUI.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.8.6.20/holdem/holdem-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.6.20/worldclass/worldclass-ob-assets.cab
    O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak04.pictures.aol.com/ygp/aol/plugin/upload/YGPPicFinder.8.0.3.0.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/canasta/canasta-ob-assets.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
     
  10. Bud0598

    Bud0598 Thread Starter

    Joined:
    May 28, 2004
    Messages:
    73
    2nd run is there, tks for your help. Looks better I hope
     
  11. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Much better. Have Hijackthis fix this:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jmzuttrsvzmhfsi.com/IF2N...DyXTA1iwak.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sxjnddqhzxnuwn.com/IF2Ns...hdob75A1hwL.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - (no file)


    Download this tool: http://www.cexx.org/LSPFix.exe and save anywhere on your computer. Run it. Tick the box that says "I know what I am doing". Then click on cdlsp.dll , click the >> button so it shows in the box titled "Remove". Click finish.

    Then have Hijackthis fix this:

    O10 - Unknown file in Winsock LSP: c:\windows\system\cdlsp.dll
     
  12. takatomon

    takatomon

    Joined:
    Mar 2, 2004
    Messages:
    188
    i was hoping someone had another popup stopper recommendation. i tried to download the program of the same name, and could only get a 32kb setup file that didn't work. i used to have a working pop up stopper, but can't remember which one (after several non functional ones including the one on my pc powerwash CD) worked. oh well.

    here's a guide for decoding hijack this logs that nitehawk posted when i first used hijack this. this should help you use it some without waiting for replies. ;)

    For practical information, click the section name you need help with:
    R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
    F0, F1 - Autoloading programs
    N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
    O1 - Hosts file redirection
    O2 - Browser Helper Objects
    O3 - Internet Explorer toolbars
    O4 - Autoloading programs from Registry
    O5 - IE Options icon not visible in Control Panel
    O6 - IE Options access restricted by Administrator
    O7 - Regedit access restricted by Administrator
    O8 - Extra items in IE right-click menu
    O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
    O10 - Winsock hijacker
    O11 - Extra group in IE 'Advanced Options' window
    O12 - IE plugins
    O13 - IE DefaultPrefix hijack
    O14 - 'Reset Web Settings' hijack
    O15 - Unwanted site in Trusted Zone
    O16 - ActiveX Objects (aka Downloaded Program Files)
    O17 - Lop.com domain hijackers
    O18 - Extra protocols and protocol hijackers
    O19 - User style sheet hijack

    --------------------------------------------------------------------------------

    R0, R1, R2, R3 - IE Start & Search page

    What it looks like:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
    R3 - Default URLSearchHook is missing
    What to do:
    If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
    For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.
    --------------------------------------------------------------------------------

    F0, F1 - Autoloading programs

    What it looks like:
    F0 - system.ini: Shell=Explorer.exe Openme.exe
    F1 - win.ini: run=hpfsched

    What to do:
    The F0 items are always bad, so fix them.
    The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.
    --------------------------------------------------------------------------------

    N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

    What it looks like:
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
    What to do:
    Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O1 - Hostsfile redirection

    What it looks like:
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    What to do:
    This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
    --------------------------------------------------------------------------------

    O2 - Browser Helper Objects

    What it looks like:
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
    What to do:
    If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

    --------------------------------------------------------------------------------

    O3 - IE toolbars

    What it looks like:
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
    O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL
    What to do:
    If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
    If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data' (like the last one in the examples above), it's definitely bad, and you should have HijackThis fix it.
    --------------------------------------------------------------------------------

    O4 - Autoloading programs from Registry

    What it looks like:
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    What to do:
    Use PacMan's Startup List to find the entry and see if it's good or bad.
    --------------------------------------------------------------------------------

    O5 - IE Options not visible in Control Panel

    What it looks like:
    O5 - control.ini: inetcpl.cpl=no
    What to do:
    Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O6 - IE Options access restricted by Administrator

    What it looks like:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    What to do:
    Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.
    --------------------------------------------------------------------------------

    O7 - Regedit access restricted by Administrator

    What it looks like:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    What to do:
    Always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O8 - Extra items in IE right-click menu

    What it looks like:
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    What to do:
    If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

    What it looks like:
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    What to do:
    If you don't recognize the name of the button or menuitem, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O10 - Winsock hijackers

    What it looks like:
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
    O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
    What to do:
    It's best to fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de.
    --------------------------------------------------------------------------------

    O11 - Extra group in IE 'Advanced Options' window

    What it looks like:
    O11 - Options group: [CommonName] CommonName
    What to do:
    The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O12 - IE plugins

    What it looks like:
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    What to do:
    Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).
    --------------------------------------------------------------------------------

    O13 - IE DefaultPrefix hijack

    What it looks like:
    O13 - DefaultPrefix: <http://www.pixpox.com/cgi-bin/click.pl?url=>
    O13 - WWW Prefix: <http://prolivation.com/cgi-bin/r.cgi?>
    What to do:
    These are always bad. Have HijackThis fix them.
    --------------------------------------------------------------------------------

    O14 - 'Reset Web Settings' hijack

    What it looks like:
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
    What to do:
    If the URL is not the provider of your computer or your ISP, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O15 - Unwanted site in Trusted Zone

    What it looks like:
    O15 - Trusted Zone: <http://free.aol.com>
    What to do:
    So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix this.
    --------------------------------------------------------------------------------

    O16 - ActiveX Objects (aka Downloaded Program Files)

    What it looks like:
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab <http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab>
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab <http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab>
    What to do:
    If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.
    --------------------------------------------------------------------------------

    O17 - Lop.com domain hijacks

    What it looks like:
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
    What to do:
    If the domain is not from your ISP or company network, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O18 - Extra protocols and protocol hijackers



    What it looks like:
    O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
    O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
    O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
    What to do:
    Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those.
    Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it.
    --------------------------------------------------------------------------------

    O19 - User style sheet hijack

    What it looks like:
    O19 - User style sheet: c:\WINDOWS\Java\my.css
    What to do:
    In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.
     
  13. JRSellers

    JRSellers Banned

    Joined:
    Oct 11, 2004
    Messages:
    227
    If you mean this happens while you surf the web, Mozilla Firefox has an excellent built-in pop-up blocker.
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - InternetPop Up's killing
  1. hoglie
    Replies:
    10
    Views:
    505
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/273380

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice