What's This???

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

stu37

Thread Starter
Joined
Jun 9, 2002
Messages
562
hi, whenever i browse the web, i usually get 2 of these on taskbar, so i click on them and nothing will show on browser, so i right click on them and close them. Anyone know what these urls are and how to block them? Spybot and AdAware doesn't show them and i tried blocking on ie6 and they still show. It only happens on explorer. Anyone know? here's example:

http://media19.fastclick.net/w/safe...4&len=0&c=0&nfcp=1&top=150&left=40&pop=slider
 
Joined
Aug 30, 2003
Messages
1,281
Looks like spyware to me. Do as below and post your results into the security forum and someone who knows more about these things than me will advise you of what you need to do.


Download 'Hijack This!' from http://www.spywareinfo.com/files/hijackthis.zip
Unzip,and run HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a post.

Don't fix anything yet as most of what is in the log will be ok,
Just paste it in here and someone will have a look at it for you.
.
 

stu37

Thread Starter
Joined
Jun 9, 2002
Messages
562
yes i know it is spyware but i've tried all to get rid of them and spyware such as spybot and adaware6 has not caught it. i shall wait and see if someone will transfer this to security or if someone else has any ideas. here is log:

Logfile of HijackThis v1.97.2
Scan saved at 9:21:34 AM, on 9/28/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\MECA\Meca.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Bob S \Application Data\Mozilla\Profiles\default\qwccdfrf.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Bob s\Application Data\Mozilla\Profiles\default\qwccdfrf.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MECA-IE - {E7DC02F7-A213-4866-B800-FDCB4555FB79} - C:\Program Files\MECA\HBO.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MECA] C:\Program Files\MECA\Meca.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6(2).dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN Money QuickList) - http://fdl.msn.com/public/investor/v13/investor.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9cd59614/netzip/RdxIE601.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.8868402778
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
 
Joined
Mar 20, 2003
Messages
4,823
Restart Hijack This, put a check mark against the following:

O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: MECA-IE - {E7DC02F7-A213-4866-B800-FDCB4555FB79} - C:\Program Files\MECA\HBO.dll
O4 - HKLM\..\Run: [MECA] C:\Program Files\MECA\Meca.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O9 - Extra button: Save (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9c...ip/RdxIE601.cab

Click Fix checked

Restart your computer

Go to C:\Program Files, find right click and delete the MECA folder
then go to C:\WINDOWS\System32 and delete the msbb.exe file
 

stu37

Thread Starter
Joined
Jun 9, 2002
Messages
562
so is "O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" that's my popup stopper.
Also, is " No Name, MSBB, 09, and 016 ok to check? just want to make sure. Thanks
 
Joined
Jul 26, 2002
Messages
46,331
Run Hijack This and put a check by these. Close all browser windows and "Fix Checked"

O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/143961c897fc9c...ip/RdxIE601.cab

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\WINDOWS\System32\msbb.exe file
 

stu37

Thread Starter
Joined
Jun 9, 2002
Messages
562
thanks flrman 1 and everyone else that helped. finished doing and now i will see what happens. thanks again
 
Joined
Jan 9, 2003
Messages
1,058
It's probably a piece of software on your PC which uses spyware to fund it. KaZaA, for example, rather famously uses spyware, much to the annoyance of us techs who have to pick up the pieces. :rolleyes:

Anyway, have you installed any free/shareware on to your PC recently? If so, it could be the cause. Put the name of any apps you think could be up to this into www.spychecker.com and it'll say if it contains any spyware or not.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top