Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Another machine with Pop-ups


  • This topic is locked This topic is locked
3 replies to this topic

#1 Masonite

Masonite

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Location:Florida
  • Local time:06:55 PM

Posted 07 July 2004 - 02:13 PM

I have another machine I ran Spybot and Adware (latest versions for both) and there is still pop-ups, less than before and they don't point anywhere just give an error not to find the page. Here is the Hijacklog:

Logfile of HijackThis v1.98.0
Scan saved at 2:59:43 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Intuit\Track-It!\ChannelDeploy.sys
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Intuit\Track-It!\PRISMXL.SYS
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Track-It! Deploy\Client\PTClient.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\dtucker\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Masonite International IT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.premdor.com:80
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Track-It! Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uobt] C:\Documents and Settings\dtucker\Application Data\rort.exe
O4 - HKCU\..\Run: [WTSI] C:\WINDOWS\System32\wapisvit.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\dtucker\Local Settings\Temp\ms81.tmp"
O4 - HKCU\..\Run: [K0psRkb2R] apcrinit.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Masonite.com
O17 - HKLM\Software\..\Telephony: DomainName = masonite.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Masonite.com
O18 - Protocol: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\saphtmlp.dll
O18 - Protocol: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\saphtmlp.dll


I appreciate your time thanks

Edited by Masonite, 07 July 2004 - 02:14 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:55 PM

Posted 07 July 2004 - 03:31 PM

You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on.

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button

R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [Uobt] C:\Documents and Settings\dtucker\Application Data\rort.exe
O4 - HKCU\..\Run: [WTSI] C:\WINDOWS\System32\wapisvit.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\dtucker\Local Settings\Temp\ms81.tmp"
O4 - HKCU\..\Run: [K0psRkb2R] apcrinit.exe

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\System32\SWin32.dll
C:\WINDOWS\System32\automove.exe
C:\Documents and Settings\dtucker\Application Data\rort.exe
C:\WINDOWS\System32\wapisvit.exe
C:\Documents and Settings\dtucker\Local Settings\Temp\ms81.tmp
c:\windows\apcrinit.exe or c:\windows\system32\apcrinit.exe

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above

Reboot your computer to go back to normal mode and post a new log.

#3 Masonite

Masonite
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Location:Florida
  • Local time:06:55 PM

Posted 08 July 2004 - 09:13 AM

Done and so far no pop ups. Here is the Hijackthis log.

Logfile of HijackThis v1.98.0
Scan saved at 10:04:20 AM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Intuit\Track-It!\ChannelDeploy.sys
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Intuit\Track-It!\PRISMXL.SYS
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\Program Files\Track-It! Deploy\Client\PTClient.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Documents and Settings\dtucker\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Masonite International IT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.premdor.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Track-It! Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerw...EActiveChat.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Masonite.com
O17 - HKLM\Software\..\Telephony: DomainName = masonite.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Masonite.com
O18 - Protocol: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\saphtmlp.dll
O18 - Protocol: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\progra~1\common~1\sapsha~1\system\saphtmlp.dll

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:55 PM

Posted 08 July 2004 - 10:13 AM

Looks good to me! Great job




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users