Pop ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Serb420, May 3, 2004.

  1. Serb420

    Serb420 Private E-2

    I got this problem with pop-ups. I have tried all types of things to remove it, including Panda Anti-Virus, Norton Anti-Virus, Spybot, Ad-Aware, Trojan Remover, and I even have a pop-up blocker that doesn't stop them. Also I had n.Case a while back and believe that is somehow related, but I don't know what's going on. I tried to follow the directions on the Norton site to remove it but it didn't work; I even started in safe mode and deleted all the stuff that Norton said needed to go.

    I used HijackThis and I got this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:11:38 PM, on 5/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\CheckIt\86\CheckIt86.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\system32\slserv.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Steam\steam.exe
    C:\WINNT\System32\svchost.exe
    C:\Documents and Settings\Owner\Desktop\hix\mirc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamnaz.tk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Task manager] TASKMANGR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [scvhost loader] IXPLORE.EXE
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
    O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Any other info you need I can supply, but please help.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    WOW, that's a lot of crap on startup you don't need, most likely wasting resources. For example:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent (big pig)
     
  3. G.T.

    G.T. R.I.P February 4, 2007. You will be missed.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe what G.T. meant was for you to delete the following:
    O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE

    That's what the link supplied was referring to.

    If you repost a HijackThis log, make sure you shut down all IExplorer sessions first before running HijackThis.
     
    Last edited: May 3, 2004
  5. Serb420

    Serb420 Private E-2

    Ya, I think it's that serve.exe.

    IXPLORER.EXE should be iexplorer.exe, and I think it is after looking at that.

    Where can I get that program that picks out what stuff to run at startup and what not? I used a program once, but I'm not sure if there's a simpler way to do it.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!!! This line needs to be deleted:
    O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE

    It is a trojan.

    As far as the Startups, what Major was pointing out were items that you do not necessarily need to have load. It is up to you whether or not you want them. None of those items are spyware, trojans, etc. They just eat up system resources and may or may not be required by you.
     
  7. bern

    bern Sergeant

    Have a look at the BlackViper site; he has some pretty good advice for startup.
     
  8. alanc

    alanc MajorGeek

    You can use msconfig.exe to selectively enable/disable startup items.

    Have HJT fix these lines:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe

    Then reboot to Safe Mode and delete those last 2 files.

    You definitely have the sdbot-cy trojan, as has been pointed out.

    And you have another trojan spybot-c(h or i), indicated by this line:
    O4 - HKLM\..\Run: [Task manager] TASKMANGR.EXE
    Info:
    http://www.sophos.com/virusinfo/analyses/w32spybotch.html
    http://vil.nai.com/vil/content/v_100940.htm

    Also, this:
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
    is from the Twain-Tech toolbar; assuming it's something you don't want, follow the removal instructions here:
    http://www.pestpatrol.com/PestInfo/t/twain-tech.asp


    Is your Norton AV updated to the latest definitions?
    If not, update it.
    If it is, seriously consider switching to an AV that will protect you.

    You should also be running Ad-aware and Spybot S&D regularly, and TDS-3 is the best anti-trojan program, but it's not free.
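As an added example (not from the thread, the posters, or HijackThis itself), a small Python triage script that applies the checks the replies above make by hand to a few lines of the posted log: O2 BHO entries whose DLL is gone, O4 file names that imitate real Windows binaries such as IXPLORE.EXE and TASKMANGR.EXE, entries under the RunServices key, and executables sitting directly in C:\WINNT. The sample lines, the 0.8 similarity threshold, the lookalike list and the path heuristic are constructed for illustration and are not a substitute for the manual review a helper does.

```python
import re
from difflib import SequenceMatcher
# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [Task manager] TASKMANGR.EXE
O4 - HKLM\\..\\Run: [alchem] C:\\WINNT\\alchem.exe
O4 - HKLM\\..\\RunServices: [scvhost loader] IXPLORE.EXE
"""
# Genuine Windows/IE binaries (name stems) that the entries flagged in the thread imitate.
LOOKALIKE_TARGETS = ("svchost", "iexplore", "taskmgr", "explorer")
O2_RE = re.compile(r"^O2 - BHO: .+? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def image_name(cmd):
    # The executable is the quoted first token, or everything up to the first space.
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()

def lookalike_of(filename):
    # Fuzzy match on the stem so one dropped, added or swapped letter still scores high.
    stem = filename.rsplit(".", 1)[0]
    for target in LOOKALIKE_TARGETS:
        if stem != target and SequenceMatcher(None, stem, target).ratio() >= 0.8:
            return target + ".exe"
    return None

def triage(log):
    # Returns (line, reason) pairs; one line may yield several reasons.
    findings = []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            findings.append((line, "BHO CLSID still registered but its DLL is gone (orphan)"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if (target := lookalike_of(image_name(cmd))):
            findings.append((line, f"{image_name(cmd)} imitates {target}"))
        if m.group("key") == "RunServices":
            findings.append((line, "RunServices autostart (Windows 9x-era key; XP does not need it, check who wrote it)"))
        if re.match(r'(?i)^"?c:\\winnt\\[^\\]+$', cmd):
            findings.append((line, "executable dropped directly in the Windows directory"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five flagged items; the ccApp and CTHelper lines pass every check, which is the point of keeping the heuristics narrow.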
     