Popuppers strikes again

Discussion in 'adware, spyware & hijack cleaning' started by rmk, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. rmk

    rmk Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    2
    I am another victim of popuppers. I ran the uninstall program from www.popuppers.com and it didn't work.

    Here is my HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:38:42 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\GHOSTS~2.EXE
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Wt32exe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Online Backup\OnlineBackup.exe
    C:\WINDOWS\System32\tblmouse.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\irxcljx.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O1 - Hosts: 199.94.161.57 blizzard
    O1 - Hosts: 199.94.161.136 beluga
    O1 - Hosts: 199.94.161.128 cuda
    O1 - Hosts: 128.1.9.17 hurricane
    O1 - Hosts: 199.94.161.225 ispy
    O1 - Hosts: 128.1.9.132 milliBolts
    O1 - Hosts: 128.1.9.22 milliStorms
    O1 - Hosts: 128.1.9.103 milliThunder
    O1 - Hosts: 128.1.9.101 monsoon
    O1 - Hosts: 128.1.3.32 odin
    O1 - Hosts: 128.1.4.100 peak
    O1 - Hosts: 199.94.161.121 piranha
    O1 - Hosts: 128.1.7.112 polymer
    O1 - Hosts: 199.94.163.48 riptide
    O1 - Hosts: 199.94.161.83 peptide # Sparc1000 SAP server WT2
    O1 - Hosts: 199.94.163.177 zephyr # Lotus Notes => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.20 intranet # intranet => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.20 intranet.waters.com # intranet => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.83 peptide # obsolete # obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.226 sapdev # obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.204 alumina # alumina obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.162.50 c.shop.waters.com # cshop obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.162.50 cshop.waters.com # cshop obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
    O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hcfxfavad] C:\WINDOWS\irxcljx.exe
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://outside.waters.com/iNotes6.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACAD07CE-E47C-4671-A323-75B64DF69B24}: NameServer = 63.240.76.19,204.127.198.19

    Thanks in advance.
     
    Last edited: Jul 17, 2004
    rmk, Jul 17, 2004
    #1
  2. rmk

    rmk Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    2
    I figured out what the culprit was on my own:

    O4 - HKLM\..\Run: [hcfxfavad] C:\WINDOWS\irxcljx.exe

    Popuppers is gone!
     
    rmk, Jul 17, 2004
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...