popups - system slow - materialsing

Macdude · 07-02-2004, 02:20 AM

yo all - having the pop up nightmare that everyone seems to get.

also system slow then materialising in front of me - then only a reboot helps...

ran hijack and killed automove and the eircon one...

heres the log - cheers!!

Logfile of HijackThis v1.97.7
Scan saved at 09:57:43, on 02/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\lclmyx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\pierre\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINNT\system32\sfg15d5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINNT\system32\sfg15d5.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [rawcjsi] C:\WINNT\system32\lclmyx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Popup Killer Options (HKLM)
O9 - Extra 'Tools' menuitem: Popup Killer (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...126.3502893519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

greyknight17 · 07-02-2004, 05:46 AM

Do an online virus scan at TrendMicro or RAV Antivirus.

Download and install CWShredder and Fix any variants of CWS it finds. If it asks you if you want to delete a file, choose No and post that filename here. Make sure to check for an update before running the fix.

End the following processes:

lclmyx.exe

Check and fix the following:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINNT\system32\sfg15d5.dll
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINNT\system32\sfg15d5.dll
O4 - HKLM\..\Run: [rawcjsi] C:\WINNT\system32\lclmyx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab

If this is not your ISP or anything you recognize, fix them also:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

Reboot into Safe Mode (hit F8 key until menu shows up). Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Do a search for the following and delete them if they exist:

mxTarget.dll
SWin32.dll
sfg15d5.dll
lclmyx.exe

Reboot and go back into HJT->Config->Misc. Tools->Check for update online. Then post a new HJT log file.

Macdude · 07-02-2004, 07:32 AM

Cheers Mate,

seems to be all sweet now :bandit:

the ukexplorer lines are from my workplace so are ok

thanx a mill

heres the new log file in case any nasties still lurk

Logfile of HijackThis v1.97.7
Scan saved at 15:22:42, on 02/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\pierre\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Popup Killer Options (HKLM)
O9 - Extra 'Tools' menuitem: Popup Killer (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...126.3502893519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

again muchos gracias (obrigadao!!!!)

greyknight17 · 07-02-2004, 07:40 AM

No problem Macdude. You just need to fix one more entry:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

Reboot and go back into HJT->Config->Misc. Tools->Check for update online to get a newer version. Then post a new HJT log file to make sure it's clean.

Macdude · 07-02-2004, 07:47 AM

All done - got that one

also got latest HJT

obrigado de novo - thanx again

any ideas on keepin those nasty things out ?

cheers..

Logfile of HijackThis v1.98.0
Scan saved at 15:44:51, on 02/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pierre\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Popup Killer Options - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll
O9 - Extra 'Tools' menuitem: Popup Killer - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

greyknight17 · 07-02-2004, 08:05 AM

Your file looks clean.

Yes, you can have programs to prevent them from installing spyware in the first place. One program I recommend using is SpywareBlaster. Download it and it should help prevent most future spyware installations. Just make sure to update it if there are updates available.

07-02-2004, 02:20 AM	#1 (permalink)
Macdude Registered User Join Date: Jul 2004 Posts: 4 OS: win 2000	popups - system slow - materialsing yo all - having the pop up nightmare that everyone seems to get. also system slow then materialising in front of me - then only a reboot helps... ran hijack and killed automove and the eircon one... heres the log - cheers!! Logfile of HijackThis v1.97.7 Scan saved at 09:57:43, on 02/07/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\PROGRA~1\NORTON~1\navapw32.exe C:\WINNT\system32\lclmyx.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\Documents and Settings\pierre\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINNT\system32\sfg15d5.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINNT\system32\sfg15d5.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [rawcjsi] C:\WINNT\system32\lclmyx.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O9 - Extra button: Popup Killer Options (HKLM) O9 - Extra 'Tools' menuitem: Popup Killer (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...126.3502893519 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

07-02-2004, 07:32 AM	#3 (permalink)
Macdude Registered User Join Date: Jul 2004 Posts: 4 OS: win 2000	Cheers Mr Knight Cheers Mate, seems to be all sweet now :bandit: the ukexplorer lines are from my workplace so are ok thanx a mill heres the new log file in case any nasties still lurk Logfile of HijackThis v1.97.7 Scan saved at 15:22:42, on 02/07/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\mspmspsv.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\WINNT\system32\svchost.exe C:\Documents and Settings\pierre\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O9 - Extra button: Popup Killer Options (HKLM) O9 - Extra 'Tools' menuitem: Popup Killer (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...126.3502893519 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com again muchos gracias (obrigadao!!!!)

07-02-2004, 07:47 AM	#5 (permalink)
Macdude Registered User Join Date: Jul 2004 Posts: 4 OS: win 2000	Done All done - got that one also got latest HJT obrigado de novo - thanx again any ideas on keepin those nasty things out ? cheers.. Logfile of HijackThis v1.98.0 Scan saved at 15:44:51, on 02/07/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\mspmspsv.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\WINNT\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\pierre\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O9 - Extra button: Popup Killer Options - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll O9 - Extra 'Tools' menuitem: Popup Killer - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\PayyaTec\PopupKiller\PopupKiller.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com

07-02-2004, 05:46 AM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,259 OS: Windows 98 & Windows XP Home/Pro My System	Do an online virus scan at TrendMicro or RAV Antivirus. Download and install CWShredder and Fix any variants of CWS it finds. If it asks you if you want to delete a file, choose No and post that filename here. Make sure to check for an update before running the fix. End the following processes: lclmyx.exe Check and fix the following: O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINNT\system32\sfg15d5.dll O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINNT\system32\sfg15d5.dll O4 - HKLM\..\Run: [rawcjsi] C:\WINNT\system32\lclmyx.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab If this is not your ISP or anything you recognize, fix them also: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukexplorer.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UKexplorer O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ukexplorer.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ukexplorer.com Reboot into Safe Mode (hit F8 key until menu shows up). Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Do a search for the following and delete them if they exist: mxTarget.dll SWin32.dll sfg15d5.dll lclmyx.exe Reboot and go back into HJT->Config->Misc. Tools->Check for update online. Then post a new HJT log file.

07-02-2004, 07:40 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,259 OS: Windows 98 & Windows XP Home/Pro My System	No problem Macdude. You just need to fix one more entry: O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file) Reboot and go back into HJT->Config->Misc. Tools->Check for update online to get a newer version. Then post a new HJT log file to make sure it's clean.

07-02-2004, 08:05 AM	#6 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,259 OS: Windows 98 & Windows XP Home/Pro My System	Your file looks clean. Yes, you can have programs to prevent them from installing spyware in the first place. One program I recommend using is SpywareBlaster. Download it and it should help prevent most future spyware installations. Just make sure to update it if there are updates available.