HIJACKTHIS-pcSTILLpopsUPads=ANNOYING

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jaymon, May 28, 2004.

  1. jaymon

    jaymon Private E-2

    I have a system that keeps popping up annoying ads. I have updated and run Spybot and Adaware, and even updated the system with Windows Update. Thanks to all who help! Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:10:36 AM, on 5/28/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\CAPM1RSK.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\myrsshy.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINNT\DOWNLO~1\404SEA~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {60E8EF80-E0C3-488C-AD59-FC3AD83D2285} - C:\WINNT\gxqff.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xstp] C:\WINNT\myrsshy.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [DealHelperDown] "C:\WINNT\Download.exe"
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
    O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38085.6350347222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
    O16 - DPF: {FD9D0FC7-D96B-11D3-B9D5-00A0CC349308} (mtplayer) - file://C:\Documents and Settings\dss_sharon\Local Settings\Temp\MasteryNetInstall\mtplayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D451C204-4698-48BC-811F-822B69A2CFDA}: NameServer = 10.2.0.2
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    First, are the popups the small grey windows? If so, or if you're not sure, go to Control Panel, Administrative Tools, Services. Look for Messenger, stop and disable it. If it's running and set to auto, that was your problem.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down all unnecessary applications, especially Windows Explorer and Internet Explorer, and run HijackThis again. Place check marks on the items below (as appropriate! See my questions.) and have HijackThis fix them:

    Do you need this next line with the ProxyServer for your ChainCast player?
    Or are you working through a proxy server? If so, leave it alone. Otherwise have HijackThis fix it.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080


    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINNT\DOWNLO~1\404SEA~1.DLL
    O2 - BHO: (no name) - {60E8EF80-E0C3-488C-AD59-FC3AD83D2285} - C:\WINNT\gxqff.dll
    O4 - HKLM\..\Run: [xstp] C:\WINNT\myrsshy.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\WINNT\Download.exe"


    Unless a System Administrator has specifically put the two restrictions below on your computer, fix these two lines:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Do you recognize this IP address (similar to the R1 setting above)? Is this really part of your network or ISP? If not, I would think the following line should be fixed too:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D451C204-4698-48BC-811F-822B69A2CFDA}: NameServer = 10.2.0.2


    Reboot in safe mode and remove the following files:

    C:\WINNT\myrsshy.exe

    Also unless you know what the below are for, I would expect they need to be removed.
    C:\WINNT\system32\CAPM1RSK.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE
    C:\WINNT\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
     
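The triage that chaslang walks through above (untrusted proxy and NameServer addresses, orphaned URLSearchHook, IE policy restrictions, Run entries launching an exe straight out of the Windows directory) can be applied mechanically to a HijackThis log. The script below is an added example, not part of the thread or of HijackThis itself; the sample lines are copied from the log posted above, and the `trusted_addrs` parameter and the "exe directly under WINNT/WINDOWS" heuristic are assumptions of this example.

```python
import re

# Lines copied from the HijackThis log posted in this thread (raw string, backslashes are literal).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.6:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xstp] C:\WINNT\myrsshy.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\WINNT\Download.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{D451C204-4698-48BC-811F-822B69A2CFDA}: NameServer = 10.2.0.2
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Heuristic (assumption): an exe sitting directly in C:\WINNT or C:\WINDOWS, not in a subfolder.
WINDIR_EXE_RE = re.compile(r'^"?[A-Z]:\\(?:WINNT|WINDOWS)\\[^\\"]+\.exe"?', re.IGNORECASE)
ADDR_RE = re.compile(r"=\s*([\d.]+)")  # first dotted-quad after '=' (port, if any, is dropped)

def triage(log_text, trusted_addrs=()):
    """Return (section, reason, line) triples for entries worth a second look.
    trusted_addrs: proxy / DNS addresses the owner knows belong to their network or ISP."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "R1" and "ProxyServer" in body:
            addr = ADDR_RE.search(body)
            if addr and addr.group(1) not in trusted_addrs:
                findings.append((section, "proxy server not on trusted list", line))
        elif section == "R3" and body.endswith("(no file)"):
            findings.append((section, "orphaned URLSearchHook (no file)", line))
        elif section == "O4":
            target = body.split("] ", 1)[-1]  # everything after the [name] tag
            if WINDIR_EXE_RE.match(target):
                findings.append((section, "Run entry launches exe straight from the Windows directory", line))
        elif section == "O6":
            findings.append((section, "IE policy restriction present; fix unless an admin set it", line))
        elif section == "O17":
            addr = ADDR_RE.search(body)
            if addr and addr.group(1) not in trusted_addrs:
                findings.append((section, "NameServer not on trusted list", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Passing the addresses the owner recognises, e.g. `triage(SAMPLE_LOG, trusted_addrs=("10.2.0.6", "10.2.0.2"))`, drops the R1 and O17 findings and leaves the four entries chaslang lists for removal regardless.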
