Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

Computer is loaded with pop-ups

Old 09-23-2004, 01:14 PM   #1

My laptop is currently being hounded by popups and .exe files running in the background. Such things include my daily horoscope, award announcements and other advertisements. I have used Ad-Aware and Spybot Search & Destroy, but the problems continue. I am posting my HijackThis log for review:

Logfile of HijackThis v1.97.7
Scan saved at 3:12:53 PM, on 9/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.11\Inetd\inetd32.exe
C:\Program Files\NavNT\Rtvscan.exe
C:\orant\bin\wdblsnr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\ORiNOCO\ComboCard 11ag\Utility\orinoco.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\AppPatch\cmdhard.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINNT\system32\SahAgent.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\Program Files\iss\BlackICE\blackice.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\500997343\Local Settings\Temporary Internet Files\Content.IE5\B0TRAW6W\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://healthcare.home.ge.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Medical Systems
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 3.184.16.24 globalapp04.ge.com
O1 - Hosts: 3.184.200.15 geshare.ge.com GESHARE.GE.COM
O1 - Hosts: 3.184.16.21 globalapp01.ge.com GLOBALAPP01.GE.COM
O1 - Hosts: 3.184.16.22 sametime01.ge.com SAMETIME01.ge.com
O1 - Hosts: 3.184.124.202 medmeeting01.ge.com MEDMEETING01.GE.COM
O1 - Hosts: 3.184.124.203 medmeeting01c.ge.com MEDMEETING01C.GE.COM
O1 - Hosts: 3.184.112.21 admeeting01.ge.com AEMEETING01.GE.COM
O1 - Hosts: 3.184.156.21 HKSHRPL01RSGE
O1 - Hosts: 3.184.156.22 HKSHSTM01RSGE
O1 - Hosts: 3.184.156.23 HKSHSTC01RSGE
O1 - Hosts: 3.184.160.22 TKSHSTM01RSGE
O1 - Hosts: 3.184.160.23 TKSHSTC01RSGE
O1 - Hosts: 3.184.168.5 UKSHRPL01RSGE
O1 - Hosts: 3.184.168.10 ukmeeting01c UKSHSTC01RSGE
O1 - Hosts: 3.184.168.15 ukmeeting01 UKSHSTM01RSGE
O1 - Hosts: 3.184.168.20 UKSHQPC01RSGE
O1 - Hosts: 3.184.124.171 medquickplace01.ge.com
O1 - Hosts: 3.184.16.24 globalapp04.ge.com
O1 - Hosts: 3.184.200.15 geshare.ge.com GESHARE.GE.COM
O1 - Hosts: 3.184.16.21 globalapp01.ge.com GLOBALAPP01.GE.COM
O1 - Hosts: 3.184.16.22 sametime01.ge.com SAMETIME01.ge.com
O1 - Hosts: 3.184.124.202 medmeeting01.ge.com MEDMEETING01.GE.COM
O1 - Hosts: 3.184.124.203 medmeeting01c.ge.com MEDMEETING01C.GE.COM
O1 - Hosts: 3.184.112.21 admeeting01.ge.com AEMEETING01.GE.COM
O1 - Hosts: 3.184.156.21 HKSHRPL01RSGE
O1 - Hosts: 3.184.156.22 HKSHSTM01RSGE
O1 - Hosts: 3.184.156.23 HKSHSTC01RSGE
O1 - Hosts: 3.184.160.22 TKSHSTM01RSGE
O1 - Hosts: 3.184.160.23 TKSHSTC01RSGE
O1 - Hosts: 3.184.168.5 UKSHRPL01RSGE
O1 - Hosts: 3.184.168.10 ukmeeting01c UKSHSTC01RSGE
O1 - Hosts: 3.184.168.15 ukmeeting01 UKSHSTM01RSGE
O1 - Hosts: 3.184.168.20 UKSHQPC01RSGE
O1 - Hosts: 3.184.124.171 medquickplace01.ge.com
O1 - Hosts: 216.130.185.143 websearch.com216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\500997~1\LOCALS~1\Temp\drahdmc.dat
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: (no name) - {F27E7BA4-A29B-1ECC-D6E3-04D149A9A003} - C:\WINNT\Npkuzzng.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {ED77EDBA-93B6-211F-CC63-8235E30E27BF} - C:\WINNT\Npkuzzng.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [proxim_orinoco_11ag] C:\Program Files\ORiNOCO\ComboCard 11ag\Utility\orinoco.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [conscorr] C:\Documents and Settings\500997343\Local Settings\Temp\conscorr.exe
O4 - HKLM\..\Run: [*cmdhard] C:\WINNT\AppPatch\cmdhard.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\system32\SahAgent.exe
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKLM\..\RunOnce: [*cmdhard] C:\WINNT\AppPatch\cmdhard.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealSecure Desktop Protector.lnk = ?
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - FTP Prefix:
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - https://medmeeting01.ge.com/sametime/...RoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://medquickplace01.ge.com/qp2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - https://v4.windowsupdate.microsoft.co...237.7912615741
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - https://medmeeting01.ge.com/sametime/...TJNILoader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = am.med.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = am.med.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = am.med.ge.com
jbletz
Old 09-23-2004, 03:20 PM   #2

Might I suggest a GECIS call or similar before posting further CORPORATE logs ;-)

Helpdesk can sort out your problem without public exposure.

Not being critical, but your organisation does have the resources to resolve these issues. (I like these forums, but this is a work issue and this seems like overtime!)
bapple
Old 09-24-2004, 10:30 AM   #3
TSF Team, Emeritus

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Upgrade your browser to version 6.0 if you can. I suggest getting another browser instead (Firefox).

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite to clean out all the temp folders. Do not run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\SahAgent.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyDailyHoroscope

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.begin2search.com/googlesidesearch.html
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

For all the O1 entries listed here, are they valid? Your company might have created them. If not, check and fix them also.

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\500997~1\LOCALS~1\Temp\drahdmc.dat
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
O2 - BHO: (no name) - {F27E7BA4-A29B-1ECC-D6E3-04D149A9A003} - C:\WINNT\Npkuzzng.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: (no name) - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Search - {ED77EDBA-93B6-211F-CC63-8235E30E27BF} - C:\WINNT\Npkuzzng.dll
O4 - HKLM\..\Run: [conscorr] C:\Documents and Settings\500997343\Local Settings\Temp\conscorr.exe
O4 - HKLM\..\Run: [*cmdhard] C:\WINNT\AppPatch\cmdhard.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\system32\SahAgent.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKLM\..\RunOnce: [*cmdhard] C:\WINNT\AppPatch\cmdhard.exe rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren

O13 - FTP Prefix:

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\SahAgent.exe
C:\PROGRA~1\MYDAIL~1\
C:\WINNT\AppPatch\
C:\Program Files\VVSN\

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart the file should run by itself at startup and clean all those files.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17
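The reply above is a hand triage of the log: search settings pointing at begin2search.com, URLSearchHooks and toolbars whose file is gone, BHOs with no product name loaded from the Windows root or a Temp folder, autorun entries in Temp and AppPatch, and hosts lines that pin websearch.com to a fixed address. As an added example that is not part of the original thread and not HijackThis's own code, the Python below encodes those judgements as rules and runs them over lines copied from the posted log. The trusted suffix `ge.com` is taken from the log's O17 Domain entries; the rule names, the directory heuristics and the loopback exception are assumptions made for illustration.

```python
"""Rule-based triage of HijackThis log lines (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample: a subset of the log posted above, copied unchanged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = https://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://healthcare.home.ge.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 3.184.16.24 globalapp04.ge.com
O1 - Hosts: 3.184.16.24 globalapp04.ge.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\500997~1\LOCALS~1\Temp\drahdmc.dat
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [conscorr] C:\Documents and Settings\500997343\Local Settings\Temp\conscorr.exe
O4 - HKLM\..\Run: [*cmdhard] C:\WINNT\AppPatch\cmdhard.exe
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINNT\system32\bkinst.exe ren
"""

# Assumed heuristic: no legitimate autorun or browser add-on loads from these.
SUSPICIOUS_DIRS = ("\\temp\\", "\\apppatch\\")
HOOK_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_HOST_RE = re.compile(r"= \w+://([^/\s]+)")


def _trusted(host, suffixes):
    """True if host (optionally host:port) equals a suffix or is a subdomain of it."""
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _odd_location(path):
    """Temp or AppPatch anywhere in the path, or a file dropped straight into C:\\WINNT."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS) or re.fullmatch(r"c:\\winnt\\[^\\]+", p) is not None


def triage(log_text, trusted_suffixes=("ge.com",)):
    """Return [(rule, line), ...] for every log line that trips a rule."""
    findings = []
    hosts_seen = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("R0 - ", "R1 - ", "R2 - ", "R3 - ")):  # IE search/start settings, URLSearchHooks
            if line.endswith("(no file)"):
                findings.append(("orphaned-hook", line))
            else:
                m = URL_HOST_RE.search(line)
                if m and not _trusted(m.group(1), trusted_suffixes):
                    findings.append(("search-hijack", line))
        elif line.startswith("O1 - Hosts: "):
            parts = line[len("O1 - Hosts: "):].split(None, 1)
            if len(parts) != 2:
                continue
            ip, names = parts
            hosts_seen[line] += 1
            if hosts_seen[line] == 2:  # report a repeated line once
                findings.append(("duplicate-hosts-line", line))
            # Pinning to loopback/null is the usual ad-blocking idiom; a non-corporate
            # name pinned to a routable address is a redirect.
            if ip not in ("127.0.0.1", "0.0.0.0") and not all(_trusted(n, trusted_suffixes) for n in names.split()):
                findings.append(("hosts-redirect", line))
        elif line.startswith(("O2 - BHO: ", "O3 - Toolbar: ")):
            m = HOOK_RE.match(line)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(("orphaned-hook", line))
            elif name == "(no name)" and (_odd_location(path) or not path.lower().endswith((".dll", ".ocx"))):
                findings.append(("unnamed-bho-odd-path", line))
        elif line.startswith("O4 - HK"):
            m = RUN_RE.match(line)
            if not m:
                continue
            key, cmd = m.group("key"), m.group("cmd")
            if _odd_location(cmd):
                findings.append(("autorun-odd-path", line))
            if key == "RunOnce":
                # Windows deletes a RunOnce value before running it, and a value name
                # starting with "*" runs even in Safe Mode, so this entry can fire and
                # vanish on the very reboot used for cleanup.
                findings.append(("runonce-pending", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:22} {line}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Two caveats worth keeping in mind when using rules like these. First, the hosts rule is only as good as the trusted-suffix list: the bare names in this log (HKSHRPL01RSGE and friends) carry no domain suffix and would be flagged until added to the list, which is exactly why the helper asked whether the company created those entries. Second, the RunOnce behaviour is documented Windows behaviour, not a HijackThis feature: a `[*MS Setup]` RunOnce value will run even on the Safe Mode boot the procedure asks for and delete itself first, so it may already be gone from the next log without ever having been "fixed".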