HijackThis Log - Popup Hell after using free program

Discussion in 'adware, spyware & hijack cleaning' started by HandsOff, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Back with more trouble. Earlier today I tried installing Sun's Java for IE 6, and as usual, it seems to suck. It also automatically loads an auto-update into the autostart of Windows XP. (I realize I can switch it off in the Java options; I left it on for now for the scan.)
    ... but the pop-ups started when I clicked on "online documentation" in the "help menu" of a program called Encspot. I thought it was a free program with an optional for-pay upgrade, but it would seem I am already paying for it, like it or not. It is used to analyse MP3 files... very interesting program, actually... except that it possibly drops malware on you. I will attempt to refrain from rushing to judgement... I will maintain a moderate pace to judgement.

    Okay, ran Spybot and Ad-Aware... both are current and nothing came up.

    One of the scummy pop-ups was:

    www.buydomains.com/comparison.pop.jsp

    I will post my log, but what may help is that I ran HijackThis two days ago and saved the log, so now I can compare and see what is different. For instance:

    one O4 entry is new
    all four of the O9 entries are new
    two of the four O16 entries are new

    I marked them with ** preceding the entries. I won't include the two-day-old log unless you really want to see it.

    Thanks in advance,
    HandsOff

    ++++++++++++++++++++++++++

    Logfile of HijackThis v1.97.7
    Scan saved at 11:18:29 PM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\SpywareGuard v2.2\sgmain.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\SpywareGuard v2.2\sgbhp.exe
    c:\Program Files\PestPatrol\ppcontrol.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
    C:\Program Files\HiJackThis v19707\HijackThis 19707.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\J.G. Deva\Application Data\Mozilla\Profiles\default\gfuw9qgc.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\J.G. Deva\Application Data\Mozilla\Profiles\default\gfuw9qgc.slt\prefs.js)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard v2.2\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    **O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard v2.2\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    **O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    **O9 - Extra button: Help (HKCU)
    **O9 - Extra button: Support (HKCU)
    **O9 - Extra button: ComcastHSI (HKCU)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    **O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3756828704
    **O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
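The comparison HandsOff describes above, saving a HijackThis log and diffing it against a fresh one to see which O4, O9 and O16 entries are new, can be automated so the "**" marking does not have to be done by hand. The following script is an added example for this thread, not code from the poster or from HijackThis. The two log excerpts are constructed from entries shown in the post (the "old" log is a hypothetical two-day-old snapshot); the entry-line regex is my assumption about the log format, based on the section codes visible in the log above (R/F/N/O followed by a number, then " - ").

```python
import re
from collections import defaultdict

# HijackThis entry line: optional hand-added "**" marker, section code such as
# O4 / O9 / O16 / N3 / R1, then " - ", then the entry text.
# Header lines and the "Running processes:" list do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(?:\*\*)?\s*([RFNO]\d{1,2}) - (.+?)\s*$")

# Constructed two-day-old snapshot (hypothetical; entries taken from the post).
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard v2.2\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3756828704
"""

# Constructed excerpt of the new log, with the poster's "**" markers left in
# to show that they are ignored by the parser.
NEW_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard v2.2\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
**O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
**O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
**O9 - Extra button: Help (HKCU)
**O9 - Extra button: Support (HKCU)
**O9 - Extra button: ComcastHSI (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
**O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3756828704
**O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def parse_hjt(text):
    """Return {section_code: set(entry_text)} for one HijackThis log."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].add(m.group(2))
    return entries


def section_key(code):
    """Sort section codes numerically (O4 before O16), letter first."""
    return (code[0], int(code[1:]))


def diff_hjt(old_text, new_text):
    """Return {section: {"added": [...], "removed": [...]}} for sections that changed.

    Sections whose entry sets are identical in both logs are left out, so the
    result is exactly the list of lines a reviewer needs to look at.
    """
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    report = {}
    for section in sorted(set(old) | set(new), key=section_key):
        added = sorted(new[section] - old[section])
        removed = sorted(old[section] - new[section])
        if added or removed:
            report[section] = {"added": added, "removed": removed}
    return report


def format_report(report):
    """Render the diff as HijackThis-style lines prefixed with + (new) or - (gone)."""
    lines = []
    for section, change in report.items():
        lines.extend(f"+ {section} - {e}" for e in change["added"])
        lines.extend(f"- {section} - {e}" for e in change["removed"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_hjt(OLD_LOG, NEW_LOG)))
```

Run against the two excerpts it reports one new O4 entry, four new O9 entries and two new O16 entries, matching the poster's hand count, and nothing removed. A new entry is only a candidate for closer inspection, not a verdict: every line flagged here belongs to a known program (the Java updater and console, Panda ActiveScan, Flash), and, as dvk01 notes later in the thread, some malware does not show up in an HJT log at all, so the diff narrows the review rather than replacing it.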
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Nothing obvious in that log; all entries are legitimate entries, unless something has infected the Netscape preferences.

    Are the pop-ups in Netscape or IE?
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    In IE... I even thought one popped up after I closed IE, only maybe I got faked out and closed a pop-up instead.

    Thanks for checking.
    - HandsOff


    I wonder if running the Meaya popup program would give any added protection. I think I have it covered pretty well though. I guess I am not careful enough about where I look on the internet, but that has always been the attraction: finding new sources of info. I added the suspect domains to my hosts file and to my Norton list and to IE blocked sites, and blocked cookies too. Perhaps it will hold me until I can remove it.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There are a few baddies that are successfully hiding from a HJT log, so if the pop-ups continue please post back and we have a few other ideas.
     
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Okay, thanks. One benefit gained from using hosts, and kill bits, and SpywareGuard, and Ad-Watch is that in many cases even if I do have adware executing, sometimes their effects are blocked. It is still bad, but I feel so long as (like by using Netscape, as I am now) I don't have to look at their treacherous sites, the contest is a draw.

    *Newbie Note: I was surprised and pleased that I am able to retrieve and send mail with Netscape 7.1, even though my ISP is Comcast and their software uses IE 6. I know that is probably elementary to 99% of people here, but I like having a choice.
     