Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Constant Popups


  • Please log in to reply
1 reply to this topic

#1 mkelnerct

mkelnerct

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 02 October 2006 - 05:25 PM

After running multiple adware/spyware/malware checkers, I still get constant popups even without changing web pages.


Logfile of HijackThis v1.99.1
Scan saved at 6:12:51 PM, on 10/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINNT\explorer.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6 .0\Distillr\acrotray.exe
C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Latasha\LOCALS~1\Temp\Rar$EX00.937\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Latasha\LOCALS~1\Temp\1E4.tmp5120.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: DesktopX.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6 .0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.jud2.state.ct.us/webforms/Codebase/FormCtl.cab
O16 - DPF: {224F7DEA-B7C1-11D3-AB40-00902712A5C9} (PLSAddin Class) - http://www.jud2.state.ct.us/webforms/codebase/plsspeller.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Adobe Barcode Control) - http://www.jud2.state.ct.us/webforms/codebase/jfbarcode.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.jud2.state.ct.us/webforms/codeb...ntinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bergman.LawOffice
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C823CD9-961E-4EB9-A98A-293A7078FDCD}: NameServer = 192.168.1.202,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bergman.LawOffice
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Bergman.LawOffice
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: xmm13g - xmm13g.dll (file missing)
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: GuiHook - Unknown owner - C:\PROGRA~1\NETSUP~1\guihook.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 04 October 2006 - 12:20 PM

Hi mkelnerct and Welcome to the Bleeping Computer!


Please place HijackThis in a permanent folder,to do this.

Right Click the Desktop and Select "New"--> "Folder"--> Name it whatever you like

Now locate the original Zip folder that HijackThis came in and place it in the New Folder--> Once in the New Folder Right Click and Select "Extract All"



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Reboot into SAFE MODE(Tap F8 when restarting)


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=explorer.exe

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Latasha\LOCALS~1\Temp\1E4.tmp5120.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Run the ATF Cleaner once more please and then restart back in Normal Mode.


Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread along with a fresh HijackThis log.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users