Popup/Browser Problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

veena33

Thread Starter
Joined
Dec 3, 2002
Messages
62
Hi

Lately we have had serious popup issues as well as our web browser has been directed to another site even if we set a default. Not sure what the problem is but I ran the hijackme log and here are my results. What shud i do next? Not sure what to do

Veena

Logfile of HijackThis v1.97.2
Scan saved at 4:25:17 PM, on 9/19/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\PROGRAM FILES\SPYBLAST\SPYBLAST.EXE
C:\WINDOWS\SYSTEM\WINSERVN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sfux.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sfux.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sfux.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sfux.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "sfux.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://sea2fd.sea2.hotmail.msn.com/cgi-bin/HoTMaiL"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yvzaljeq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yvzaljeq.slt\prefs.js)
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {A28C2A31-3AB0-4118-922F-F6B3184F5495} - C:\Program Files\BonziBUDDY Web Compass\WebCompass.dll (file missing)
O2 - BHO: (no name) - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
O2 - BHO: (no name) - {c0a7fc10-93f2-4bef-80f2-92653b15479e} - C:\WINDOWS\APPLICATION DATA\OSHGGLLLUCH.DLL
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
O3 - Toolbar: thstrglxdre - {951f8f89-ce56-4503-a034-b022f5d556b0} - C:\WINDOWS\APPLICATION DATA\OSHGGLLLUCH.DLL
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - C:\PROGRA~1\WIN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [25KD8LX3KXST#7] C:\WINDOWS\SYSTEM\Hcj2s6.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\RunOnce: [WU2_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\WUAUPD98.DLL
O4 - HKLM\..\RunOnce: [UpdateHook] C:\WINDOWS\rundll32.exe AUHKNEW.DLL,RenameDll
O4 - HKLM\..\RunOnce: [WU4_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\AUHOOK.DLL
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O8 - Extra context menu item: Allow popups - file://C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Ebates (HKCU)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
 
Joined
Mar 25, 2001
Messages
3,334
Hi veena33

You can have HJT fix the following. Close your browser, open HJT and put a check next to the following items and click Fix. Reboot afterwards.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sfux.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sfux.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sfux.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sfux.com/searchbar.html


O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch


O2 - BHO: (no name) - {A28C2A31-3AB0-4118-922F-F6B3184F5495} - C:\Program Files\BonziBUDDY Web Compass\WebCompass.dll (file missing)

O2 - BHO: (no name) - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL

O2 - BHO: (no name) - {c0a7fc10-93f2-4bef-80f2-92653b15479e} - C:\WINDOWS\APPLICATION DATA\OSHGGLLLUCH.DLL

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL

O3 - Toolbar: thstrglxdre - {951f8f89-ce56-4503-a034-b022f5d556b0} - C:\WINDOWS\APPLICATION DATA\OSHGGLLLUCH.DLL

O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - C:\PROGRA~1\WIN32.DLL


O4 - HKLM\..\Run: [25KD8LX3KXST#7] C:\WINDOWS\SYSTEM\Hcj2s6.exe

O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun

O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe

O4 - HKLM\..\RunOnce: [WU2_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\WUAUPD98.DLL

O4 - HKLM\..\RunOnce: [UpdateHook] C:\WINDOWS\rundll32.exe AUHKNEW.DLL,RenameDll

O4 - HKLM\..\RunOnce: [WU4_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\AUHOOK.DLL

...this last item, if it's not your ISP, then have HJT Fix it too:

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com


After rebooting, delete the following folders:

C:\PROGRAM FILES\NCASE\

C:\Program Files\SpyBlast\


Afterwards, go here and download Spybot:


http://www.safer-networking.org/index.php?lang=en&page=download

...after installing, have it go on line and download all updates. Have it check your system for any problems. Everything it finds in RED is safe to fix.

:)
 

veena33

Thread Starter
Joined
Dec 3, 2002
Messages
62
Ok did everything u said but when i logged on right now and opened internet explorer about 40 web browser windows popped up and also the web page for internet explorer is still set at http://www.searchby.net/. Not sure whats going on? When i was removing the items from the hijack this-> i couldnt find these:

O4 - HKLM\..\RunOnce: [WU2_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\WUAUPD98.DLL

O4 - HKLM\..\RunOnce: [UpdateHook] C:\WINDOWS\rundll32.exe AUHKNEW.DLL,RenameDll

O4 - HKLM\..\RunOnce: [WU4_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\AUHOOK.DLL

Could that be the problem cuz they're not removed?? Help!!!! I just want a clean computer!

Veena
 
Joined
Dec 28, 2002
Messages
1,983
Get this:

http://spybot.eon.net.au/index.php?...p;page=download and download Spybot - search & destroy.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

taken from flrman1's post :D
 

veena33

Thread Starter
Joined
Dec 3, 2002
Messages
62
Here are the results:

Logfile of HijackThis v1.97.2
Scan saved at 9:56:44 AM, on 9/20/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\KSOYX.EXE
C:\WINDOWS\SYSTEM\KSOYX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
N1 - Netscape 4: user_pref("browser.startup.homepage", "sfux.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://sea2fd.sea2.hotmail.msn.com/cgi-bin/HoTMaiL"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yvzaljeq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yvzaljeq.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [25KD8LX3KXST#7] C:\WINDOWS\SYSTEM\Hcj2s6.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.EXE
O8 - Extra context menu item: Allow popups - file://C:\PROGRAM FILES\ULTIMATE POPUP KILLER\POPUPKILLER.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll

Also, im getting this privacy alert dialog box that says allow cookie or block cookie...pops up every time im on a site?

thanks again
 
Joined
Mar 25, 2001
Messages
3,334
Okay, use HJT to remove this entry:

O4 - HKLM\..\Run: [25KD8LX3KXST#7] C:\WINDOWS\SYSTEM\Hcj2s6.exe


As far as pop-up blockers, I've heard good things about this one:

http://www.panicware.com/product_downloads.html

...scroll down to find the free version. You can also do a search on this site for others. This has been a topic in more than one thread.

The cookie message sounds like a security setting in IE. I don't have IE 6, but it's somewhere if you click on Tools > Internet Options > Security or Advance tabs (at least that's where it is on IE 5.5).

:)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top