
too many pop-ups slowing down the system.



#1 mighty

  • Members
  • 1 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 08 April 2005 - 04:14 PM

Hello,

Please take a look at my log files and let me know how to cure it.
I've already used Ad-Aware, Spybot, CWShredder, and Spyware Search & Destroy. It's gotten much better than it was, but for the first few minutes I get unlimited pop-ups, and when I kill shopOnline cash back.exe it gets a little better, but it keeps coming up again every few minutes.

HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 7:43:14 AM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\inaama.exe
C:\windows\system32\flbnmpq.exe
C:\windows\system32\packager.exe
C:\Program Files\Navnt\navapw32.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg.dll
O2 - BHO: (no name) - {A778B742-27DB-0D2B-8F98-72A2DEA868E6} - C:\WINDOWS\System32\dprsz.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [sys01499599133] C:\WINDOWS\sys01499599133.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitewsh32.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Zlwtid.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Yzbxva.exe
O4 - HKLM\..\Run: [hszyvwx] C:\WINDOWS\hszyvwx.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\inaama.exe
O4 - HKLM\..\Run: [flbnmpq] c:\windows\system32\flbnmpq.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [iiwo] C:\PROGRA~1\COMMON~1\iiwo\iiwom.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c68f413b0a6f...ip/RdxIE601.cab
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe


Start file:
StartupList report, 4/4/2005, 7:52:43 PM
StartupList version: 1.52.2
Started from : C:\DOCUME~1\ravinder\LOCALS~1\Temp\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\inaama.exe
C:\windows\system32\flbnmpq.exe
C:\windows\system32\packager.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ravinder\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ravinder\Start Menu\Programs\Startup]
WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
NPS Event Checker = C:\PROGRA~1\Navnt\npscheck.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SiSPower = Rundll32.exe SiSPower.dll,ModeAgent
winupdtl = C:\WINDOWS\System32\winupdt.exe
AUNPS2 = RUNDLL32 AUNPS2.DLL,_Run@16
msmc = C:\WINDOWS\System32\msdioo.exe
exp.exe = C:\WINDOWS\System32\exp.exe
WinTask driver = C:\WINDOWS\System32\wintask.exe
sys01499599133 = C:\WINDOWS\sys01499599133.exe
etbrun = C:\windows\system32\elitewsh32.exe
version = C:\WINDOWS\System32\Zlwtid.exe
secure = C:\WINDOWS\System32\Yzbxva.exe
hszyvwx = C:\WINDOWS\hszyvwx.exe
{12EE7A5E-0674-42f9-A76B-000000004D00} = rundll32.exe stlb2.dll,DllRunMain
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB = rundll32.exe E6F1873B.DLL,D9EBC318C
KavSvc = C:\WINDOWS\System32\inaama.exe
flbnmpq = c:\windows\system32\flbnmpq.exe
BMan = C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
farmmext = C:\WINDOWS\farmmext.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

sysmonnt = C:\WINDOWS\System32\sysmonnt
iiwo = C:\PROGRA~1\COMMON~1\iiwo\iiwom.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\dlmax.dll - {00000000-59D4-4008-9058-080011001200}
(no name) - C:\Program Files\CxtPls\cxtpls.dll - {016235BE-59D4-4CEB-ADD5-E2378282A1D9}
(no name) - C:\WINDOWS\systb.dll (file missing) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E}
ohb - C:\WINDOWS\System32\rtneg.dll - {999A06FF-10EF-4A29-8640-69E99882C26B}
(no name) - C:\WINDOWS\System32\dprsz.dll (file missing) - {A778B742-27DB-0D2B-8F98-72A2DEA868E6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.real.com/25c68f413b0a6f...ip/RdxIE601.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/shock...h/ultrashim.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\lkir8l2gm.dll||C:\WINDOWS\70tovmto.exe||c:\documents and settings\ravinder\cookies\ravinder@casalemedia[1].txt||c:\documents and settings\ravinder\cookies\ravinder@oinadserve[1].txt||c:\documents and settings\ravinder\cookies\ravinder@realmedia[2].txt||c:\documents and settings\ravinder\cookies\ravinder@revenue[2].txt||c:\documents and settings\ravinder\cookies\ravinder@server.iad.liveperson[1].txt||c:\documents and settings\ravinder\cookies\ravinder@www.oinadserve[1].txt||c:\documents and settings\ravinder\cookies\ravinder@zedo[1].txt||c:\documents and settings\ravinder\cookies\ravinder@~~local~~[1].txt||c:\program files\autoupdate\autoupdate.exe||c:\program files\autoupdate\libexpat.dll||c:\windows\system32\auto_update_uninstall.exe||c:\windows\system32\auto_update_uninstall.log||C:\WINDOWS\System32\thin-94-1-x-x.exe||C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

kkfjusq.exe = C:\WINDOWS\system\kkfjusq.exe

--------------------------------------------------

End of report, 7,192 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Thanks a lot!


#2 Grinler (Lawrence Abrams)


  • Admin
  • 43,593 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:01:19 AM

Posted 08 April 2005 - 10:59 PM

Please run two online virus scans:

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://housecall.antivirus.com/

Then let us know if it's working better and what the scans found, and post a new HJT log.
