spyware prob: hijackthis log included

Discussion in 'adware, spyware & hijack cleaning' started by Knight, Jun 1, 2004.

Thread Status:
Not open for further replies.
  1. Knight

    Knight Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1
    I didn't get help on another forum and someone told me to try here, so I hope I get some help here.
    The following scans didn't find anything:
    - housecall
    - norton
    - ad aware
    - the cleaner
    - spybot

    All updated versions.

    I still get an annoying popup even when doing nothing (but then I don't notice it).
    When I'm chatting or working in Windows I notice this popup because it pulls my attention away from what I'm doing.
    So if I'm typing in MSN and the popup occurs, then I don't have the MSN box selected anymore and anything I type won't show up. So I have to click the MSN window again and continue working.
    Now when I'm playing games in full screen, almost every game minimizes to my Windows bar at the bottom of my screen when the popup happens.
    BUT, the popup NEVER shows up in that same bar.
    However, I can see its Explorer icon when I'm alt-tabbing through my running applications.
    It comes from 'http://www.popuppers.com/popsn12.php?firstd=20040331&aff=home&c={C02806D5-52FB-4C95-8AB8-45C513DFBE2E}&mybo=1&netpal=1&netop=1&loader=1&unstal=1&survey2=1&mybo=1&unstal=1&wsi20=1&oldmybo=1&oldwsi20=1&oldhanse=1&oldmyexe=1'

    I can't see the entire link while alt-tabbing, but if I open an Explorer window and start entering www.popuppers.com it autofills that entire path.

    So basically: scanners won't find it, and it seriously messes up my working and gaming, which is extremely annoying when playing competitions or working on important files and I get disturbed by something like that every time.

    Here is my HijackThis log of today, and hopefully someone finds some dirty little piece of spyware in there that can be removed.

    Thanks a lot in advance.



    Logfile of HijackThis v1.97.7
    Scan saved at 13:05:51, on 1/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\Telemeter 3.0\telemeter3.exe
    C:\Winamp\winampa.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\D-Tools\daemon.exe
    C:\QuickTime\qttask.exe
    C:\WINDOWS\ohao.exe
    C:\NORTON~1\NORTON~1\navapw32.exe
    C:\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\steam\steam.exe
    C:\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
    C:\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
    C:\Program Files\DV Series\Console\Watch.exe
    C:\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\ABC\ABC.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Eigenaar.KNIGHT.002\Bureaublad\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.telenet.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5E63FC6F-41EB-45D7-95D8-7B04D5CA2E96} - C:\WINDOWS\kvwrqddpw.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Telemeter 3.0] "C:\Telemeter 3.0\telemeter3.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [doete] C:\WINDOWS\ohao.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\NORTON~1\NORTON~1\Cfgwiz.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\OpenOffice.org1.0.1\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
    O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
    O9 - Extra button: Research (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.1727546296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Knight,

    Before you start, please move HijackThis to a separate folder. The program makes backups in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {5E63FC6F-41EB-45D7-95D8-7B04D5CA2E96} - C:\WINDOWS\kvwrqddpw.dll

    O4 - HKLM\..\Run: [doete] C:\WINDOWS\ohao.exe

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\updater <= entire folder

    Could you send a copy of this file:
    C:\WINDOWS\ohao.exe
    to the address in my profile, preferably zipped up.

    Kind of curious what that is, but probably up to no good.

    Regards,

    Pieter
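The triage Pieter performs above, reconstructed as an added example (this is not code from the thread, from HijackThis or from any scanner): a small parser for the `R`/`O` entries of a HijackThis 1.97 log, plus the four observations his reply applies to them (search URLs and an `O16` download pointing at the same few hosts, an `R3` hook whose DLL is gone, an unnamed `O2` BHO loaded straight out of `C:\WINDOWS`, and `O4` autoruns launching from the Windows root or from the `updater` folder he deletes). The sample input is an excerpt of the log posted above; `REVIEW_HOSTS` and `REVIEW_PATHS` are assumptions seeded only from his reply and stand in for whatever intelligence you trust, not a general blocklist.

```python
"""Triage a HijackThis v1.97 log the way the reply above does.

Added example; not code from this thread, from HijackThis or from any
scanner. REVIEW_HOSTS and REVIEW_PATHS are assumptions seeded only from
the hosts and the path Pieter singled out.
"""
import re
from urllib.parse import urlparse

# Excerpt of the log posted above (real lines from the thread), including
# the benign neighbours that a careless "anything odd" rule would also hit.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 13:05:51, on 1/06/2004
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.telenet.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9886&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E63FC6F-41EB-45D7-95D8-7B04D5CA2E96} - C:\WINDOWS\kvwrqddpw.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [doete] C:\WINDOWS\ohao.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
"""

# Assumption: seeded from the reply above only, thread-specific, not a blocklist.
REVIEW_HOSTS = {"www.shopnav.com", "search.shopnav.com", "cabs.roings.com"}
REVIEW_PATHS = {r"c:\program files\common files\updater\wupdater.exe"}

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL = re.compile(r"https?://\S+")
# Drive-letter path up to the first executable-style extension; spaces allowed.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)", re.I)
# A file sitting directly in C:\WINDOWS rather than in System32 or a vendor dir.
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+$")


def parse_entry(line):
    """Return (kind, body, host, normalised_path) or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    u = URL.search(body)
    host = urlparse(u.group()).hostname if u else None
    p = PATH.search(body)
    # Collapse doubled backslashes (see the NeroCheck line) and lower-case.
    path = re.sub(r"\\{2,}", r"\\", p.group()).lower() if p else None
    return kind, body, host, path


def triage(log_text):
    """Return [(log_line, reason)] for entries worth ticking under 'Fix checked'."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, body, host, path = parsed
        reason = None
        if host in REVIEW_HOSTS:
            reason = f"points at reviewed host {host}"
        elif kind == "R3" and body.endswith("(no file)"):
            reason = "orphaned URLSearchHook, its DLL is gone"
        elif kind == "O2" and "(no name)" in body and path and WINDOWS_ROOT.match(path):
            reason = "unnamed BHO loaded straight from the Windows root"
        elif kind == "O4" and path and (WINDOWS_ROOT.match(path) or path in REVIEW_PATHS):
            reason = "autorun launching from the Windows root or a reviewed path"
        if reason:
            findings.append((line.strip(), reason))
    return findings


def fix_list(log_text):
    """Just the lines, as HijackThis shows them, for the 'Fix checked' step."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why:<58} {entry}")
```

Two caveats the sample makes visible: `(no name)` on its own is noise (Acrobat's helper has no name either, and the rule leaves it alone), and the Windows-root rule only fires on `O4` entries that carry a full path, so `[SoundMan] SOUNDMAN.EXE` passes even though the process list shows it living in `C:\WINDOWS`. The output is therefore a review list to confirm against the files on disk, which is exactly what Pieter does by asking for a copy of `ohao.exe` before calling it malicious, not a list to delete blindly.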
     