Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Extreme Problem With Pop Ups


  • This topic is locked This topic is locked
2 replies to this topic

#1 oberacla

oberacla

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:06 AM

Posted 28 February 2006 - 10:26 PM

can't get rid of pop ups even ones with uninstaller such as best offer



Logfile of HijackThis v1.99.1
Scan saved at 10:17:32 PM, on 2/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\INSIGHT\TOOLS\Aiclient.EXE
c:\interSOC\ids\blackd.exe
C:\INSIGHT\TOOLS\AICR.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Program Files\Apoint\Apntex.exe
C:\INSIGHT\TOOLS\AISOFTMN.EXE
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\WINNT\system32\sms_msn40.exe
C:\WINNT\system32\sms_msn.exe
C:\WINNT\system32\ehczrw312.exe
C:\WINNT\system32\etmt2.exe
C:\WINNT\system32\?ti2evxx.exe
D:\DOCUME~2\OberacLa\MYDOCU~1\CROSOF~1.NET\svchost.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\system32\ngpw40.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\O2KSTD\PFiles\MSOffice\Office\1033\msoffice.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://neword.com/adw.html?s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insideapp.ps.ge.com/int234/site/salesportal/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80;http=http-proxy.geps.ge.com:80;https=https-proxy.geps.ge.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {E4FB256E-E087-B420-A4AC-E0CB299F5CC9} - C:\WINNT\system32\gxgfqsfl.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ngsh35.clsIS - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - C:\WINNT\system32\ngsh35.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E0C936F-5580-0474-F7EF-06D58C51E3ED} - (no file)
O2 - BHO: (no name) - {74C4A279-64CD-3A1E-B813-6D2366C59E99} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7D1AC574-34DA-6CD4-9021-70FB11BCE545} - C:\WINNT\phylfsds.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O2 - BHO: (no name) - {889E0CE8-930B-CDD5-2C70-CB896F0031CB} - (no file)
O2 - BHO: Glitch - {C3F699FD-5F86-451B-8150-81979857047E} - C:\WINNT\system32\nss13.dll
O2 - BHO: (no name) - {E4FB256E-E087-B420-A4AC-E0CB299F5CC9} - C:\WINNT\system32\gxgfqsfl.dll
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O2 - BHO: Yvakt Class - {FCB4A92A-E8A4-42E8-A1EC-BA31DD462DDE} - C:\WINNT\system32\gngkop.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINNT\system32\SCTOOL~1.DLL
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: Search - {FDE985C6-979A-25BC-B75C-8DF4FB8479A5} - C:\WINNT\phylfsds.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE
O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINNT\system32\sms_msn40.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINNT\system32\sms_msn.exe
O4 - HKLM\..\Run: [0kg00xc4.dll] RUNDLL32.EXE 0kg00xc4.dll,b 40952676
O4 - HKLM\..\Run: [HmjDyiW0] "C:\WINNT\system32\ehczrw312.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINNT\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\waciqa.exe reg_run
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [Zdrdxogh] C:\WINNT\system32\?ti2evxx.exe
O4 - HKCU\..\Run: [Etbh] "D:\DOCUME~2\OberacLa\MYDOCU~1\CROSOF~1.NET\svchost.exe" -vt tzt
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe"
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\O2KSTD\PFiles\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: Adult - http://listdating.com/se/se10.htm
O8 - Extra context menu item: Business - http://listdating.com/se/se5.htm
O8 - Extra context menu item: Car Insurance - http://listdating.com/se/se3.htm
O8 - Extra context menu item: Escorts - http://listdating.com/se/se9.htm
O8 - Extra context menu item: Finance - http://listdating.com/se/se6.htm
O8 - Extra context menu item: Games - http://listdating.com/se/se12.htm
O8 - Extra context menu item: Health Insurance - http://listdating.com/se/se4.htm
O8 - Extra context menu item: Loans - http://listdating.com/se/se7.htm
O8 - Extra context menu item: Online Casino - http://listdating.com/se/se2.htm
O8 - Extra context menu item: Porn - http://listdating.com/se/se11.htm
O8 - Extra context menu item: Sport Betting - http://listdating.com/se/se1.htm
O8 - Extra context menu item: Viagra - http://listdating.com/se/se8.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm238YYUS
O8 - Extra context menu item: >> DATING >> - http://listdating.com/dt.htm
O8 - Extra context menu item: >> SEARCH >> - http://listdating.com/se.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: IESideBar - {DFEFF09F-785E-4191-8E5D-A7650A1C4F9A} - shdocvw.dll (file missing)
O9 - Extra 'Tools' menuitem: IESideBar - {DFEFF09F-785E-4191-8E5D-A7650A1C4F9A} - shdocvw.dll (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.gimmycash.com
O15 - Trusted Zone: *.gimmysmileys.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.kabum.pl
O15 - Trusted Zone: *.kazaa-forum.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.traffic-stats.org
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.yoursitebar.com
O15 - Trusted Zone: *.crosskirknet.com (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.filesharingaccess.com (HKLM)
O15 - Trusted Zone: *.gimmycash.com (HKLM)
O15 - Trusted Zone: *.gimmysmileys.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.kabum.pl (HKLM)
O15 - Trusted Zone: *.kazaa-forum.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.traffic-stats.org (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.yoursitebar.com (HKLM)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://psquickplace03.ge.com/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://psmeeting01c.ge.com/sametime/STMeet...STJNILoader.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://cms.ps.ge.com/sales_enu/18361/apple...Integration.cab
O16 - DPF: {8E1D5504-1000-4E27-8AAB-02EF929CF0C9} (Siebel High Interactivity Framework) - http://cms.ps.ge.com/sales_enu/18361/apple...x_HI_Client.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {AA2E6C1A-5AAF-4C2A-8814-734EE73266F4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://cms.ps.ge.com/sales_enu/18361/apple...tBound_mail.cab
O16 - DPF: {B4C95A1C-E2EF-4868-ABFC-6D648AECFC68} (Siebel High Interactivity Framework) - http://cms.ps.ge.com/sales_enu/18361/apple...x_HI_Client.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gepower.webconferencecenter.com/cli...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = psamer.ps.ge.com
O18 - Filter: text/html - {F977ADDC-8F15-42CF-A4D0-16A59026826E} - C:\WINNT\system32\gngkop.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\INSIGHT\TOOLS\Aiclient.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - c:\interSOC\ids\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - c:\interSOC\ids\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

BC AdBot (Login to Remove)

 


m

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:06 PM

Posted 01 March 2006 - 12:51 PM

Hello and welcome.. :thumbsup:

==

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

==

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close Ewido Anti-malware.

==

Reboot back into Normal mode, post back with the Ewido log aswell as a fresh HijackThis log. :flowers:
Hi there, stranger!

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:06 AM

Posted 09 March 2006 - 09:20 PM

Due to lack of resposne this topic is closed. If the original poster needs it reopened, please shoot me a PM.

Everyone else start a new topic.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users