Pop Ups when usung IE

Discussion in 'adware, spyware & hijack cleaning' started by aassets, May 17, 2004.

Thread Status:
Not open for further replies.
  1. aassets

    aassets Registered Member

    Joined:
    May 17, 2004
    Posts:
    2
    I had CWS on one of my machines which I removed, and I am still receiving POP Ups in IE after I launch into a new site. I have Run Hijakthis 1.97 and this is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:13:55, on 17/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
    C:\Program Files\Syslogd\Syslogd_Service.exe
    C:\WINDOWS\LogWatNT.exe
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
    C:\oracle\817\BIN\TNSLSNR.exe
    c:\oracle\817\bin\ORACLE.EXE
    c:\oracle\817\bin\ORACLE.EXE
    C:\WINDOWS\SYSTEM32\r_server.exe
    C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\inetsrv\DavCData.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\downloads\SOFTWARE-UTILS\spyware\HijackThis.exe

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe -s
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.4432523148
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash5/cabs/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4359/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alignedassets
    O17 - HKLM\Software\..\Telephony: DomainName = alignedassets
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1974877-BDE9-40A5-94B0-9FFF345229AA}: NameServer = 10.0.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alignedassets
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alignedassets
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi aassets,

    Fix the following with HijackThis :

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    Restart PC after doing so

    Hope this helps

    Cheers,
     
  3. aassets

    aassets Registered Member

    Joined:
    May 17, 2004
    Posts:
    2
    Hi, Thanks for the help. Seems ok. It is always the one that gets away.

    Cheers.
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Indeed :)

    You're welcome

    Hope all stays well

    Cheers,
     
Thread Status:
Not open for further replies.