
popcorn.net spyware

Discussion in 'Virus & Other Malware Removal' started by petecaf, Jul 10, 2006.

Thread Status:
Not open for further replies.
  1. petecaf

    petecaf Thread Starter

    Joined:
    May 18, 2004
    Messages:
    47
    Got some spyware popcorn.net
    any help would be appreciated.
    thank you

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:56 AM, on 7/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
    C:\Program Files\License_Manager\license_manager.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\rollo tomasi\Desktop\Antivirus\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [d3nk.exe] C:\WINDOWS\d3nk.exe
    O4 - HKLM\..\Run: [F2.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F2.tmp.exe
    O4 - HKLM\..\Run: [F3.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F3.tmp.exe
    O4 - HKLM\..\Run: [F3.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F3.tmp.exe
    O4 - HKLM\..\Run: [FA.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\FA.tmp.exe
    O4 - HKLM\..\Run: [F2.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F2.tmp.exe
    O4 - HKLM\..\Run: [FA.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\FA.tmp.exe
    O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\6.tmp.exe
    O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\11.tmp.exe
    O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\6.tmp.exe
    O4 - HKLM\..\Run: [11.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\11.tmp.exe
    O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\28.tmp.exe
    O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\D.tmp.exe
    O4 - HKLM\..\Run: [28.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\28.tmp.exe
    O4 - HKLM\..\Run: [D.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\D.tmp.exe
    O4 - HKLM\..\Run: [17.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\17.tmp.exe
    O4 - HKLM\..\Run: [17.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\17.tmp.exe
    O4 - HKLM\..\Run: [24.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\24.tmp.exe
    O4 - HKLM\..\Run: [24.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\24.tmp.exe
    O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\38.tmp.exe
    O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\8.tmp.exe
    O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\9.tmp.exe
    O4 - HKLM\..\Run: [8.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\8.tmp.exe
    O4 - HKLM\..\Run: [F.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F.tmp.exe
    O4 - HKLM\..\Run: [9.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\9.tmp.exe
    O4 - HKLM\..\Run: [F.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F.tmp.exe
    O4 - HKLM\..\Run: [14.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\14.tmp.exe
    O4 - HKLM\..\Run: [14.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\14.tmp.exe
    O4 - HKLM\..\Run: [1E.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\1E.tmp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Reboot to safe mode and run Ewido, save the log and post that back here with a new HJT log.
     
  3. petecaf

    petecaf Thread Starter

    Joined:
    May 18, 2004
    Messages:
    47
    I still get the popcorn.net popup that won't go away


    Logfile of HijackThis v1.99.1
    Scan saved at 11:55:50 AM, on 7/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
    C:\Program Files\License_Manager\license_manager.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\rollo tomasi\Desktop\Antivirus\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You have MoviePass also, do you want to remove that?
     
  5. strwbrryanng

    strwbrryanng

    Joined:
    Aug 16, 2003
    Messages:
    120
    This is the exact popup that prompted me to check my HJT as well. I looked into it; it says there is a 4 step process and user agreement, etc., but no one was on my computer on the date they say it was downloaded... strange. I have my own thread...
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    What thread?
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent

    Close all applications and browser windows before you click "fix checked".



    Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    If you have any infections you will be prompted, then select "Apply all actions"
    Next select the "Reports" icon at the top.
    Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    Close ewido.


    Still in Safemode continue...

    Go to Add/Remove Programs via the Control Panel and remove any of these that you find:
    P2PNetworks
    AltPayments
    Download Manager
    Media Pipe
    My Access Media
    Notify (there may also be numbers as part of the filename.)
    Notification Utility
    License Manager


    Navigate to your Program files and delete these folders if they exist:

    Movieland or Moviepass
    AltPayments
    Download Manager
    Media Pipe
    My Access Media
    Notify
    Notifier
    Notification
    Notification Utility
    ITBills
    License Manager


    Reboot normally.


    Please post a fresh Hijackthis log and your log from Ewido.
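
Added example, not part of the original thread or any poster's code: a Python comparison of the O4 autostart entries in the two HijackThis logs posted above, showing which Run values disappeared after the first cleanup, which persisted, and which launched from a Temp directory. The log lines are excerpted from the thread; the function names and the Temp-path heuristic are assumptions of this example.

```python
import re

# Excerpts copied from the first (BEFORE) and second (AFTER) logs in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d3nk.exe] C:\WINDOWS\d3nk.exe
O4 - HKLM\..\Run: [F2.tmp] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F2.tmp.exe
O4 - HKLM\..\Run: [F2.tmp.exe] C:\DOCUME~1\ROLLOT~1\LOCALS~1\Temp\F2.tmp.exe
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "O4 - HKLM\..\Run: [value name] command line"
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Executable is either the quoted part or everything up to the first ".exe"
# (unquoted paths in these logs may contain spaces).
EXE_PATH = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)


def parse_run_entries(log):
    """Return {(hive, key, value_name): exe_path} for each O4 registry Run line."""
    entries = {}
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # other sections (R0, O2, O20, O23, ...) are ignored here
        hive, key, name, command = m.groups()
        exe = EXE_PATH.match(command)
        path = (exe.group(1) or exe.group(2)).strip() if exe else command.strip()
        entries[(hive, key, name)] = path
    return entries


def runs_from_temp(path):
    """Heuristic (assumption): an autorun whose binary sits in a Temp folder."""
    return "\\temp\\" in path.lower()


def compare(before, after):
    """Summarise how the autostart entries changed between two logs."""
    old, new = parse_run_entries(before), parse_run_entries(after)
    return {
        "removed": sorted(k[2] for k in old.keys() - new.keys()),
        "persisting": sorted(k[2] for k in old.keys() & new.keys()),
        "temp_autoruns": sorted(k[2] for k, p in old.items() if runs_from_temp(p)),
    }


if __name__ == "__main__":
    for label, names in compare(BEFORE, AFTER).items():
        print(f"{label}: {names}")
```

Entries under "persisting" still need a human decision; in this thread the License Manager value is the one post #7 asks to have fixed.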
     
  8. strwbrryanng

    strwbrryanng

    Joined:
    Aug 16, 2003
    Messages:
    120
    the one you are working on with me...
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    These don't look like the same machines... so I'm :confused:


    Anyway did you do post #7?

    If so please post a new HJT log.
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Thanks MFD I did see the other thread, just confused with the machine or is it machines? ;)
     

Short URL to this thread: https://techguy.org/481969
