
pop up ads have taken over...hijack included

Discussion in 'Virus & Other Malware Removal' started by sleemie, Feb 15, 2005.

Thread Status:
Not open for further replies.
  1. sleemie

    sleemie Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    34
    Never seen this before. I've run Ad-Aware, Spybot, Microsoft's beta spyware cleaner and we've got Norton AntiVirus Corporate Edition and STILL the pop ups keep coming. The anti-virus keeps catching a ton of stuff and putting it in quarantine...I clean that out and it catches more stuff. The Microsoft one caught something called the "peper trojan" and supposedly cleaned it, but that didn't fix the problem. Anyhoo...here's the HijackThis log. This log was taken after all of the scans with the aforementioned programs. I did update them before I ran them and also did thorough scans instead of quick scans.


    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Seagate Software\WCS\pageserver.exe
    C:\Program Files\Seagate Software\WCS\WebCompServer.exe
    C:\Program Files\Seagate Software\WCS\cacheserver.exe
    C:\Program Files\Seagate Software\Enterprise\x86\CrystalAPS.exe
    C:\Program Files\Seagate Software\Enterprise\x86\inputfileserver.exe
    C:\Program Files\Seagate Software\Enterprise\x86\outputfileserver.exe
    C:\Program Files\Seagate Software\WCS\JobServer.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\starter.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\winupdt.exe
    C:\WINNT\system32\Mykbos.exe
    C:\WINNT\system32\Cache\adl_mteststub.exe
    C:\winnt\system32\msnavc32.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\ifmini.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\winbhdk32.exe
    C:\WINNT\system32\sysmonnt.exe
    C:\WINNT\system32\ieaksie.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\KWILLI~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://199.248.197.173:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = enterprise.sss.gov;datamart1.nbc.gov;wwwdev;www.deb.nbc.gov;
    prismsvr.sss.gov;intra.sss.gov;199.254.201.81:8080;199.254.201.212;
    199.254.201.218;ndcfts01.mcit.com;localhost;127.0.0.1;199.254.201.208
    intra.sss.gov;199.254.201.81:8080;199.254.201.212;enterprise.sss.gov;
    199.254.201.218;datamart1.nbc.gov;wwwdev;www.den.nbc.gov;ndcfts01.mcit.com;
    localhost;127.0.0.1;205.159;199.254.201.208
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
    O4 - HKLM\..\Run: [hfpfzlwj] C:\Program Files\hfpfzlwj\hfpfzlwj.exe
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Zvbtuq.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Mykbos.exe
    O4 - HKLM\..\Run: [vcmpin] C:\WINNT\system32\Cache\adl_mteststub.exe
    O4 - HKLM\..\Run: [wxwiht] c:\winnt\system32\wxwiht.exe
    O4 - HKLM\..\Run: [tfegtc] C:\WINNT\system32\tfegtc.exe
    O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [SystemCheck] C:\WINNT\SysCheckBop32
    O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe
    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitedbz32.exe
    O4 - HKLM\..\Run: [w3rj38j] ifmini.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
    O4 - HKCU\..\Run: [h00tRUHsT] ieaksie.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnc.ops.placeware.com/etc/place/NOVEMBER/SCNpws-c2/5.1.6.246/lib/quicksilver.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094828953182
    O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.0/ebie.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
    O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
    O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://stores.hsprofessional.com/storeadmin/utilities/ksbedit.cab
    O23 - Service: Crystal Cache Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\cacheserver.exe
    O23 - Service: Crystal APS - Seagate Software, Inc. - C:\Program Files\Seagate Software\Enterprise\x86\CrystalAPS.exe
    O23 - Service: Crystal Input File Repository Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\Enterprise\x86\inputfileserver.exe
    O23 - Service: Crystal Output File Repository Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\Enterprise\x86\outputfileserver.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
    O23 - Service: Crystal Report Job Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\JobServer.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Crystal Page Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
    O23 - Service: Aelita DMW Migration Agent - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
    O23 - Service: Crystal Web Component Server - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
    O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
     
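A first pass over a HijackThis log like the one above is usually done by eye, line by line. The script below is an added example (not from this thread, and not part of HijackThis) that parses the R0/R1, O2, O4 and O16 line formats seen in the log and flags the entries a responder would look at first: a proxy pointing somewhere other than loopback, a search/start page redirected away from Microsoft defaults, a BHO whose file is gone, autostart entries given as a bare filename or loaded through rundll32, and ActiveX downloads fetched over plain http or pointing at an .exe. The heuristics, the host allowlist and the sample lines are assumptions for illustration; a flag means "review this", not "this is malware".

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log in the thread,
# plus two benign autostart/ActiveX lines for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://199.248.197.173:8080
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [w3rj38j] ifmini.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.0/ebie.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
"""

# Line formats as HijackThis prints them (section tag, " - ", then the entry).
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>.+?) = (?P<data>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

LOOPBACK = {"127.0.0.1", "localhost"}
# Assumed "expected" hosts for IE's default search/start pages; adjust per environment.
EXPECTED_BROWSER_HOSTS = ("microsoft.com", "msn.com")
BROWSER_PAGE_VALUES = {"SearchAssistant", "Start Page", "Search Page",
                       "Default_Page_URL", "Default_Search_URL"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def first_token(cmd):
    """The program part of an O4 command: the quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return the review reasons for one log line (empty list if nothing stands out)."""
    reasons = []
    m = R_RE.match(line)
    if m:
        value, data = m.group("value"), m.group("data").strip()
        if value == "ProxyServer" and data:
            # Registry ProxyServer values are often bare host:port; add a scheme so urlparse works.
            h = host_of(data if "://" in data else "http://" + data)
            if h not in LOOPBACK:
                reasons.append(f"proxy configured via {h}; confirm it is the expected corporate proxy")
        elif value in BROWSER_PAGE_VALUES and data.lower().startswith("http"):
            h = host_of(data)
            if not h.endswith(EXPECTED_BROWSER_HOSTS):
                reasons.append(f"browser {value} redirected to {h}")
        return reasons
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            reasons.append("BHO registered but its file is missing (orphaned entry)")
        return reasons
    m = O4_RE.match(line)
    if m:
        exe = first_token(m.group("cmd"))
        if "\\" not in exe:
            reasons.append(f"autostart '{exe}' given without a path; resolved via PATH at logon")
        if exe.lower().endswith("rundll32.exe"):
            reasons.append("autostart loads a DLL through rundll32; identify the DLL")
        return reasons
    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        if url.lower().startswith("http://"):
            reasons.append(f"ActiveX download from {host_of(url)} over plain http")
        if url.lower().endswith(".exe"):
            reasons.append("DPF entry points at an .exe rather than a .cab")
        return reasons
    return reasons


def triage(log_text):
    """List of (section tag, line, reasons) for every flagged line, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.split(" - ", 1)[0], line, reasons))
    return flagged


if __name__ == "__main__":
    for tag, line, reasons in triage(SAMPLE_LOG):
        print(f"[{tag}] {line}")
        for r in reasons:
            print(f"      -> {r}")
```

Run it against a full log by reading the file into `triage()`; the O23 service lines and Global Startup shortcuts fall through unflagged, so anything there still needs a manual look against the vendor column and the file on disk.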
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    34,072
    Hiya

    Moved to Security as Requested :)

    eddie
     
  3. sleemie

    sleemie Thread Starter

    Joined:
    Jul 18, 2003
    Messages:
    34
    Requested by whom? This is not a security issue, and it's not going to get as many views over here. I posted it yesterday early afternoon and still haven't gotten a response, and moving it here won't help with that.
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi sleemie, your post was moved here to assist you in removing the infection you have.

    Please go here: http://housecall.trendmicro.com/ and run the free on-line virus scan.

    Download Adaware SE http://lavasoft.element5.com/software/adaware/

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window: Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

    Reboot.

    You are running HijackThis from a temporary folder. The backups that HijackThis creates can be accidentally deleted when not in a permanent folder. Please do the following:

    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Once you have moved HJT and run the virus scan and Ad-Aware, please post another log.
     
  5. VelvetTigres

    VelvetTigres

    Joined:
    Feb 20, 2005
    Messages:
    1
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    VelvetTigres, Thanks for the assistance. There is tons more than that :eek: so I'm waiting for the next log. ;)
     
Short URL to this thread: https://techguy.org/330943
