Help !! Browser Hijacked? Pop-up on open & Close ** Hijack Log Added **

Discussion in 'adware, spyware & hijack cleaning' started by unholyone, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Help!

    I have no idea what is causing this.

    About every 3rd time or so I open my browser, a 1/4 window pops up for eBay or some email animations.

    The same thing happens when I close my browser: a 1/4 window pops up for eBay or some email animations.

    Apparently it's been hijacked somehow to do this.

    How can I find this and stop it?

    Any help would be appreciated.

    Thanks

    Woody
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Re:Help !! Browser Hijacked? Pop-up on open & Close

    hey unHolyone,

    Hoping you have gone through the instructions; help is on its way...

    Take it simple (post your log here or just wait... because some mod or admin would move your thread to the said place for better review).

    thx
     
  3. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Here's the HijackThis log.

    I used Spybot to eliminate any spyware.

    Below is the log from HijackThis.

    Any help will be appreciated.

    Thanks, Woody

    Logfile of HijackThis v1.97.7
    Scan saved at 2:06:41 PM, on 2/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\EVIDENCE ELIMINATOR\EE.EXE
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\ECEC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\CRYPTAINER\CRYPTAINER.EXE
    C:\WINDOWS\SYSTEM\APRXYL.EXE
    C:\- D\SOFTWARE\SECURITY\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://worldnetdaily.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [aprxyl] C:\WINDOWS\SYSTEM\aprxyl.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRAM FILES\EVIDENCE ELIMINATOR\ee.exe /m
    O4 - HKCU\..\Run: [AccountLogon] C:\PROGRAM FILES\ACCOUNT LOGON\ACCOUNTLOGON.exe /regserver
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Global Startup: ECEC.EXE
    O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-user.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: BitmapEx (HKLM)
    O9 - Extra 'Tools' menuitem: &BitmapEx (HKLM)
    O9 - Extra button: AccountLogon (HKCU)
    O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.5788310185
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.234.0.71
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Re:Help !! Browser Hijacked? Pop-up on open & Close ** Hijack Log Added **

    Hi unholyone,

    Welcome aboard :)

    The only thing that pops out is this entry:

    O4 - HKLM\..\Run: [aprxyl] C:\WINDOWS\SYSTEM\aprxyl.exe

    Can you first send that file to me please? (click on my profile for the email), thanks!

    After doing so have HijackThis fix that line, restart the PC and remove it from your system, unless you are absolutely sure you recognise it.

    Let us know whether that helped.

    Thanks!

    Cheers,
     
  5. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    It Worked !!!!

    Thanks for the help.

    After watching the file you mentioned, it changed its name 5 times, once each time I booted up, as follows in order.

    O4 - HKLM\..\Run: [aprxyl] C:\WINDOWS\SYSTEM\aprxyl.exe

    O4 - HKLM\..\Run: [IAFMV] C:\WINDOWS\SYSTEM\IAFMV.exe

    O4 - HKLM\..\Run: [ETUPAPIS] C:\WINDOWS\SYSTEM\ETUPAPIS.exe

    O4 - HKLM\..\Run: [SNP32M] C:\WINDOWS\SYSTEM\SNP32M.exe

    O4 - HKLM\..\Run: [TDOLE2S] C:\WINDOWS\SYSTEM\TDOLE2S.exe


    I finally deleted it with HijackThis and re-booted as you said. It has not done it again.

    I have uploaded a pic of what the file actually looks like. (If I did it right it should show)

    Thanks so much for the help.

    This is my first time in a forum like this.

    How did you figure it out?

    Woody
     


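The pattern Unzy spotted (an unfamiliar Run entry pointing into C:\WINDOWS\SYSTEM) and the behaviour Woody then observed (the same slot holding a different file name on every boot) is exactly what an autorun baseline diff is good at catching. The script below is an added example, not code from the thread or from HijackThis: it parses the registry O4 lines from the log as posted, and the grouping of those lines into one snapshot per boot is constructed for illustration. It reports any Run/RunServices slot whose executable lives in the same directory but carries a different name in every snapshot.

```python
"""Diff HijackThis-style O4 autorun entries across several boot snapshots.

Added example, not part of the thread. The O4 lines are copied from the log
the poster reported; their grouping into per-boot snapshots is constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [name] command   (registry Run / RunServices entries only)
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


@dataclass(frozen=True)
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str

    @property
    def image(self) -> str:
        """Executable path with surrounding quotes and arguments stripped."""
        cmd = self.command.strip()
        if cmd.startswith('"') and cmd.count('"') >= 2:
            return cmd[1:cmd.index('"', 1)]
        return cmd.split(' ')[0]


def parse_o4(lines):
    """Return the registry O4 entries found in one HijackThis log (a list of lines)."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m['hive'], m['key'], m['name'], m['cmd']))
    return entries


def diff_snapshots(snapshots):
    """Split entries into those present in every snapshot and those unique to some."""
    sets = [set(parse_o4(s)) for s in snapshots]
    stable = set.intersection(*sets)
    churn = {i: s - stable for i, s in enumerate(sets)}
    return stable, churn


def rotating_autoruns(snapshots):
    """Find (hive, key, directory) slots that hold a differently named image in every snapshot."""
    _, churn = diff_snapshots(snapshots)
    slots = {}
    for i, entries in churn.items():
        for e in entries:
            slot = (e.hive, e.key, ntpath.dirname(e.image).upper())
            slots.setdefault(slot, []).append((i, ntpath.basename(e.image).upper()))
    findings = []
    for slot, seen in slots.items():
        names = [n for _, n in seen]
        if len(seen) == len(snapshots) and len(set(names)) == len(names):
            findings.append((slot, names))
    return findings


# Entries that stayed the same across boots, taken from the posted log.
COMMON = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\PROGRAM FILES\EVIDENCE ELIMINATOR\ee.exe /m
O4 - HKCU\..\Run: [AccountLogon] C:\PROGRAM FILES\ACCOUNT LOGON\ACCOUNTLOGON.exe /regserver
""".strip().splitlines()

# The entry that renamed itself on each boot, in the order the poster listed.
ROTATING = [
    r"O4 - HKLM\..\Run: [aprxyl] C:\WINDOWS\SYSTEM\aprxyl.exe",
    r"O4 - HKLM\..\Run: [IAFMV] C:\WINDOWS\SYSTEM\IAFMV.exe",
    r"O4 - HKLM\..\Run: [ETUPAPIS] C:\WINDOWS\SYSTEM\ETUPAPIS.exe",
    r"O4 - HKLM\..\Run: [SNP32M] C:\WINDOWS\SYSTEM\SNP32M.exe",
    r"O4 - HKLM\..\Run: [TDOLE2S] C:\WINDOWS\SYSTEM\TDOLE2S.exe",
]

# Constructed: one snapshot per boot = the unchanged entries plus that boot's rotating entry.
SNAPSHOTS = [COMMON + [line] for line in ROTATING]

if __name__ == "__main__":
    for (hive, key, directory), names in rotating_autoruns(SNAPSHOTS):
        print(f"rotating autorun in {hive}\\..\\{key} under {directory}: {', '.join(names)}")
```

The stable set absorbs legitimate entries that also live in the system directory (STIMON.EXE, QTTASK.EXE), so only the slot that changes name on every boot is reported; two identical snapshots produce no finding.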
  6. whoops-its-broked

    whoops-its-broked Registered Member

    Joined:
    Feb 4, 2004
    Posts:
    1
    I don't know if we're supposed to support Wilders or any company, but hey, that's not me, so what the hey. I use Spybot and SpywareBlaster to protect, and also Ad-Aware Pro is the best I have found so far. Also you might want to test AVG from grisoft dot com; I have found it to pick up where others leave off, but that's just me and the repairs I do daily on people's porn PCs and other broken PCs brought to me that everyone says have to be reloaded. Those and Norton SystemWorks save hours and reloads.
     