Uncontrolable Pop-ups

Discussion in 'privacy problems' started by JC, Nov 1, 2003.

Thread Status:
Not open for further replies.
  1. JC

    JC Guest

    I usually get tonloads of popups once i start surfing the web but now, im also getting lots of Pop ups even tho im not surfing.. o_O
     
  2. JC

    JC Guest

    Logfile of HijackThis v1.97.3
    Scan saved at 7:29:40 PM, on 11/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
    C:\WINDOWS\uptodate.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\rundll16.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hotbar\bin\4.3.6.0\HbInst.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\WINDOWS\System32\WScript.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\LimeShop\LimeShop.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hotbar\bin\4.3.6.0\HbSrv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stop-sign.com/support/homepage.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - C:\WINDOWS\System32\stlbupdt.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.6.0\HbHostIE.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: The RSS Toolbar - {D4D58236-A2D2-4437-99DD-69CE72014919} - C:\WINDOWS\RSSToolbar.dll
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.6.0\HbHostIE.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Related Site Search - {D7258ABE-571F-4DC2-ABD1-8393B13B1269} - C:\WINDOWS\RSSToolbar.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINDOWS\System32\stlbupdt.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [RSS] rundll32 RSSToolbar.dll,DllRunMain
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NE9F09~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.6.0\HbInst.exe /Upgrade
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Search.vbs
    O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
    O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
    O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O11 - Options group: [CommonName] CommonName
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.8153472222
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You have a humongous amount of spyware and other baddies.

    I suggest you do the following:
    Download Spybot - Search & Destroy

    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

    Subsequently restart your computer.
    That ought to get rid of much of your spyware.

    When you've done all that, run Hijack This once more, repost to this forum thread, and show us a fresh log.
     
  4. JC

    JC Guest

    Here is my New Scan..
    Btw, Thanks :)

    Logfile of HijackThis v1.97.3
    Scan saved at 12:48:01 AM, on 11/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\System32\WScript.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stop-sign.com/support/homepage.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: The RSS Toolbar - {D4D58236-A2D2-4437-99DD-69CE72014919} - C:\WINDOWS\RSSToolbar.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
    O3 - Toolbar: Related Site Search - {D7258ABE-571F-4DC2-ABD1-8393B13B1269} - C:\WINDOWS\RSSToolbar.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RSS] rundll32 RSSToolbar.dll,DllRunMain
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Global Startup: Search.vbs
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.8153472222
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In Hijack This, check all of the following items, then close all browser windows, and press "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchandclick.com/metasearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stop-sign.com/support/homepage.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: The RSS Toolbar - {D4D58236-A2D2-4437-99DD-69CE72014919} - C:\WINDOWS\RSSToolbar.dll

    O3 - Toolbar: Related Site Search - {D7258ABE-571F-4DC2-ABD1-8393B13B1269} - C:\WINDOWS\RSSToolbar.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [RSS] rundll32 RSSToolbar.dll,DllRunMain
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [Dialer] c:\Program Files\Instant Access\Dialer.exe
    O4 - Global Startup: Search.vbs

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

    O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab


    Now restart your computer, and delete:

    The C:\Program Files\Toolbar folder
    The C:\Program Files\Instant Access folder

    Good luck,
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    BTW, could I ask you, BEFORE using Hijack This to fix those items, to please send the contents of that C:\Program Files\Toolbar folder to this e-mail addy for analysis?

    We know it's a Huntbar varaint, but we're in fact still looking for copies of those files.

    We'd appreciate it hugely! :)
     
  7. JC

    JC Guest

    Heres my new HJT Scan, Does everything look fine now? o_O

    Logfile of HijackThis v1.97.3
    Scan saved at 8:35:09 AM, on 11/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.8153472222
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  9. JC

    JC Guest

    Whew! thanks, I don't seem to be getting those pop-ups anymore and my Internet has gotten faster. Another poor soul helped by u guys :D Thanks! :)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Glad to hear we were able to help! :)
     
Loading...
Similar Threads
  1. compleo
    Replies:
    5
    Views:
    436
Thread Status:
Not open for further replies.