Popuppers strikes again

Discussion in 'adware, spyware & hijack cleaning' started by rmk, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. rmk

    rmk Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    2
    I am another victim of popuppers. I ran the uninstall program from www.popuppers.com and it didn't work.

    Here is my HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:38:42 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\PROGRA~1\NORTON~3\NORTON~1\GHOSTS~2.EXE
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Wt32exe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Online Backup\OnlineBackup.exe
    C:\WINDOWS\System32\tblmouse.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\irxcljx.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O1 - Hosts: 199.94.161.57 blizzard
    O1 - Hosts: 199.94.161.136 beluga
    O1 - Hosts: 199.94.161.128 cuda
    O1 - Hosts: 128.1.9.17 hurricane
    O1 - Hosts: 199.94.161.225 ispy
    O1 - Hosts: 128.1.9.132 milliBolts
    O1 - Hosts: 128.1.9.22 milliStorms
    O1 - Hosts: 128.1.9.103 milliThunder
    O1 - Hosts: 128.1.9.101 monsoon
    O1 - Hosts: 128.1.3.32 odin
    O1 - Hosts: 128.1.4.100 peak
    O1 - Hosts: 199.94.161.121 piranha
    O1 - Hosts: 128.1.7.112 polymer
    O1 - Hosts: 199.94.163.48 riptide
    O1 - Hosts: 199.94.161.83 peptide # Sparc1000 SAP server WT2
    O1 - Hosts: 199.94.163.177 zephyr # Lotus Notes => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.20 intranet # intranet => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.20 intranet.waters.com # intranet => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.83 peptide # obsolete # obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.226 sapdev # obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.161.204 alumina # alumina obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.162.50 c.shop.waters.com # cshop obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O1 - Hosts: 199.94.162.50 cshop.waters.com # cshop obsolete => host_upd @ Tue 8/5/2003 2:25:55 PM
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [@BackupScheduler] C:\Program Files\Online Backup\OnlineBackup.exe
    O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hcfxfavad] C:\WINDOWS\irxcljx.exe
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://outside.waters.com/iNotes6.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ACAD07CE-E47C-4671-A323-75B64DF69B24}: NameServer = 63.240.76.19,204.127.198.19

    Thanks in advance.
     
    Last edited: Jul 17, 2004
  2. rmk

    rmk Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    2
    I figured out what the culprit was on my own:

    O4 - HKLM\..\Run: [hcfxfavad] C:\WINDOWS\irxcljx.exe

    Popuppers is gone!
     
Thread Status:
Not open for further replies.