Something has to be wrong here

Discussion in 'adware, spyware & hijack cleaning' started by Slovak, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Have I been hijacked?

    Funny how everything is updated, including spywareguard and spywareblaster and I still get pop-ups. o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 9:38:51 AM, on 6/3/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\CTsvcCDA.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\WINNT\system32\oodag.exe
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_uninstop.exe /u
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.360775463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Re: Have I been hijacked?

    Hi Slovak,

    There is something in your, otherwise exemplary, log that I don't understand:
    O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_uninstop.exe /u
    I also see looknstop running.

    Did you uninstall Outpost and not reboot before you installed LookNstop?

    Regards,

    Pieter
     
  3. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Re: Have I been hijacked?

    I don't remember, I might have. Should I remove that entry?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Re: Have I been hijacked?

    Not sure if it that entry necessary to remove something at reboot.
    Might have to ask at the Outpost forum to find out.

    Best course of action, I think, would be to reboot see if it is still there, then remove it, since it's probably meant as a RunOnce.

    If there are still components present the firewalls could be conflicting and let stuff in.

    "Stuff" is me getting technical about firewalls. :D :D

    Regards,

    Pieter
     
  5. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Re: Have I been hijacked?

    Ok, I will reboot once done with my college work on this computer.
     
  6. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I posted yesterday and was told my log looks good, but something has to be wrong as I am still getting a few pop-ups, spybot s&d, adaware, spywareguard, and spywareblaster all up to date too.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:04:32 AM, on 6/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\CTsvcCDA.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\oodag.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    C:\Program Files\TDS3\TDS-3.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [outpost_uninst] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_uninstop.exe /u
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.360775463
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    I merged your threads so we have all the information in one place.

    Can you rightclick one of these popups and tell us the properties?

    I noticed you still have the outpost related entry. Did you find out anything about that?

    Regards,

    Pieter
     
  8. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I have not found out about the outpost entry yet, and next time I get the pop-up I will right click it and get the properties and post it here.
     
  9. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    I just got a pop-up, when I right-click it there is no option for properties, but it does have zoom, rewind, etc., and about macromedia flash player. What gives with this? It happens more frequently when I visit warp2search.net
     
  10. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    o_O
    C:\WINDOWS\System32\oodag.exe
     
  11. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    O&O Defrag
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
  13. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Done, as soon as I get some results I will post them here.
     
  14. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Results are in already, as soon as I visited a page that required flash player to view it properly, it asked me if I wanted to install and run flashplayer. I guess I need it then. Now if only someone can figure out how to just block flashplayer pop-ups.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.