ie pop-ups, need some help!



#1 generalkelly

generalkelly

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:22 PM

Posted 30 August 2005 - 05:23 AM

Hi, I can't get rid of ie pop-ups that seem to be related to istsvc.exe.

I've included the hijack this logfile below, would really appreciate some help on this!

Logfile of HijackThis v1.99.1
Scan saved at 11:17:38, on 30/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\MPB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\rgexqw.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
\General-mew\d drive on desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.30:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [MPB] C:\WINDOWS\System32\MPB.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [dOgaa] C:\WINDOWS\rgexqw.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Medion-UK - {836B0E44-C229-4F25-ACC9-31410D6349CD} - http://www.medion.co.uk (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDBA4DD2-8204-4D52-B4EF-1E636237003F}: NameServer = 212.159.13.49,212.159.13.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{BDBA4DD2-8204-4D52-B4EF-1E636237003F}: NameServer = 212.159.13.49,212.159.13.50
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
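As an added example (not part of this thread or of HijackThis itself), a small Python triage helper that parses entries in the log format shown above and cross-references which running processes also have an O4 Run persistence entry, which is the first thing a reviewer checks for a name like istsvc.exe; the sample input is a constructed excerpt of the posted log.

```python
import re
from collections import defaultdict
from typing import NamedTuple
# Constructed sample in the shape of the HijackThis log posted above (paths copied from it).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\rgexqw.exe
C:\Program Files\ISTsvc\istsvc.exe
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [dOgaa] C:\WINDOWS\rgexqw.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\PRISMSVR.EXE" /APPLY
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|ocx))', re.IGNORECASE)

class Entry(NamedTuple):
    section: str  # "process" or the HijackThis code (O2, O4, ...)
    name: str     # Run value name for O4 entries, "" otherwise
    image: str    # file path the entry points at, "" if none

def image_path(text: str) -> str:
    """First quoted or drive-rooted exe/dll/ocx path in a line, with quotes stripped."""
    m = PATH_RE.search(text)
    return (m.group(1) or m.group(2)) if m else ""

def parse_hjt(text: str) -> list[Entry]:
    entries, in_procs = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False  # the first R/O entry ends the process list
            run = RUN_RE.match(m["body"]) if m["code"] == "O4" else None
            target = run["cmd"] if run else m["body"]
            entries.append(Entry(m["code"], run["name"] if run else "", image_path(target)))
        elif line and in_procs:
            entries.append(Entry("process", "", line))
    return entries

def cross_reference(entries: list[Entry]) -> dict[str, set[str]]:
    """Map image basename -> sections referencing it (running + Run key = persisted and active)."""
    refs = defaultdict(set)
    for e in entries:
        if e.image:
            refs[e.image.rsplit("\\", 1)[-1].lower()].add(e.section)
    return dict(refs)
```

Binaries that show up under both "process" and "O4" (here rgexqw.exe and istsvc.exe) are the persisted, running components to examine before anything is fixed.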


#2 OldTimer
Malware Expert

Posted 01 September 2005 - 11:55 AM

Hello generalkelly and welcome to the BC HijackThis forum. Let's see if we can't get a log posted that we can read.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. If it is in anything other than Notepad then close that program and open the log in Notepad. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
