Re: pop up
No_at_SpaM
Date: 06/28/04
- Next message: LuckyStrike: "Re: can't open separate window"
- Previous message: Don Varnau: "Re: can't open separate window"
- In reply to: Wendy: "Re: pop up"
- Next in thread: Shenan Stanley: "Re: pop up"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 27 Jun 2004 20:53:59 -0400
They won't read your log here. You need to post it at one of the Forums.
You have several problems and running Ad-aware is a great start. It's an
excellent program, BUT it will not fix everything. Read the reply from
Shenan Stanley. It's lengthy, but the few extra minutes it takes to read
will likely save you hours/days or weeks in the future.
First go ahead and post your log then proceed with following through on
everything else.
Here are some Forums you can post your log to:
*Important* before you post download HJT to its own folder NOT in your Temp
Folder. This one is in a TEMP Folder.
FORUMS
http://forums.tomcoyote.org/
http://forums.spywareinfo.com/
http://computercops.biz/forums.html
http://boards.cexx.org/
http://www.techsupportforums.com/
http://forums.techguy.org/
http://forums.net-integration.net/index.php
They have links, advice, etc., too, that you should follow.
"Wendy" <anonymous@discussions.microsoft.com> wrote in message
news:2251d01c45ca5$80e75520$a001280a@phx.gbl...
> Thank you for your help. I downloaded Adaware and ran a
> scan. It did detect many things, all of which I
> quarantined, but when I restarted my computer, the same
> thing happened. I downloaded HijackThis, and below is a
> copy of the log:
> Logfile of HijackThis v1.97.7
> Scan saved at 8:15:57 PM, on 6/27/2004
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\Program Files\Common Files\Microsoft
> Shared\VS7Debug\mdm.exe
> C:\windows\system\hpsysdrv.exe
> C:\Program Files\Hewlett-Packard\Digital
> Imaging\Unload\hpqcmon.exe
> C:\HP\KBD\KBD.EXE
> C:\Program Files\Norton SystemWorks\Norton
> AntiVirus\navapsvc.exe
> C:\WINDOWS\system32\dla\tfswctrl.exe
> C:\WINDOWS\System32\igfxtray.exe
> C:\WINDOWS\System32\hkcmd.exe
> C:\Program Files\Norton SystemWorks\Norton
> Utilities\NPROTECT.EXE
> C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
> C:\Program Files\Browser Mouse\Browser Mouse\1.0
> \lwbwheel.exe
> C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> C:\WINDOWS\System32\ezSP_Px.exe
> C:\WINDOWS\System32\uwrhhn.exe
> C:\WINDOWS\svchost.exe
> C:\Program Files\Web_Rebates\WebRebates0.exe
> C:\Program Files\WindowsSA\omniscient.exe
> C:\WINDOWS\System32\ctfmon.exe
> C:\Program Files\AWS\WeatherBug\Weather.exe
> C:\Program Files\Yahoo!\Messenger\ypager.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\CheckIt\86\CheckIt86.exe
> C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
> C:\QUICKENW\QWDLLS.EXE
> C:\Program Files\DropChute\DChute.exe
> C:\Program Files\Web_Rebates\WebRebates1.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Documents and Settings\Owner\Local Settings\Temporary
> Internet Files\Content.IE5\W92FS9IR\HijackThis[1].exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL
> = http://www.the-huns-yellow-pages.com/sp.html
> R1 - HKCU\Software\Microsoft\Internet
> Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
> R1 - HKCU\Software\Microsoft\Internet
> Explorer\Main,Default_Search_URL = http://srch-
> us6.hpwis.com/
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
> Page = http://us6.hpwis.com/
> R1 - HKLM\Software\Microsoft\Internet
> Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
> F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32
> \netdc.exe
> F2 - REG:system.ini: Shell=explorer.exe
> C:\WINDOWS\System32\netdc.exe
> F2 - REG:system.ini: UserInit=C:\Windows\System32
> \wsaupdater.exe,
> O1 - Hosts: 216.93.168.167 auto.search.msn.com
> O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
> O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-
> 216055BF9918} - (no file)
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
> 784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
> \Reader\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {82DF1118-9B92-45d8-B78F-
> 1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
> O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-
> CF10577473F7} - c:\program files\google\googletoolbar1.dll
> O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-
> FADC6B084872} - C:\Program Files\Norton
> SystemWorks\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-
> 05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-
> 7859DF00B1D6} - C:\Program Files\Norton
> SystemWorks\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
> 00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-
> 009027A5CD4F} - c:\program files\google\googletoolbar1.dll
> O4 - HKLM\..\Run: [hpsysdrv]
> c:\windows\system\hpsysdrv.exe
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
> NvQTwk,NvCplDaemon initialize
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-
> Packard\Digital Imaging\Unload\hpqcmon.exe
> O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
> O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32
> \dla\tfswctrl.exe
> O4 - HKLM\..\Run: [Recguard]
> C:\WINDOWS\SMINST\RECGUARD.EXE
> O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32
> \igfxtray.exe
> O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32
> \hkcmd.exe
> O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
> O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
> C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
> Files\Symantec Shared\ccApp.exe"
> O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common
> Files\Symantec Shared\ccRegVfy.exe"
> O4 - HKLM\..\Run: [StorageGuard] "C:\Program
> Files\VERITAS Software\Update Manager\sgtray.exe" /r
> O4 - HKLM\..\Run: [workflo] E:\install\workflow.exe
> O4 - HKLM\..\Run: [IntelliType] "C:\Program
> Files\Microsoft Hardware\Keyboard\type32.exe"
> O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser
> Mouse\Browser Mouse\1.0\lwbwheel.exe
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
> Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [ezShieldProtector for Px]
> C:\WINDOWS\System32\ezSP_Px.exe
> O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
> O4 - HKLM\..\Run: [avpxbavqad] C:\WINDOWS\System32
> \uwrhhn.exe
> O4 - HKLM\..\Run: [Setup experation]
> C:\WINDOWS\svchost.exe
> O4 - HKLM\..\Run: [WebRebates0] "C:\Program
> Files\Web_Rebates\WebRebates0.exe"
> O4 - HKLM\..\Run: [Windows SA] C:\Program
> Files\WindowsSA\omniscient.exe
> O4 - HKLM\..\RunServices: [Users System]
> C:\WINDOWS\svchost.exe
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32
> \ctfmon.exe
> O4 - HKCU\..\Run: [Weather] C:\Program
> Files\AWS\WeatherBug\Weather.exe 1
> O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!
> \Messenger\ypager.exe -quiet
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program
> Files\Messenger\msmsgs.exe" /background
> O4 - Startup: DCStart.lnk = C:\Program
> Files\DropChute\DChute.exe
> O4 - Global Startup: CheckIt 86.lnk = C:\Program
> Files\CheckIt\86\CheckIt86.exe
> O4 - Global Startup: Microsoft Office.lnk = C:\Program
> Files\Microsoft Office\Office10\OSA.EXE
> O4 - Global Startup: Quicken Startup.lnk =
> C:\QUICKENW\QWDLLS.EXE
> O8 - Extra context menu item: &Search -
> http://bar.mywebsearch.com/menusearch.html?p=ZS
> O8 - Extra context menu item: Add To CheckIt &86 Trust
> List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Web Rebates -
> file://C:\Program Files\Web_Rebates\Sy1150\Tp1150
> \scri1150a.htm
> O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
> O9 - Extra button: Real.com (HKLM)
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: JT's Blocks -
> http://download.games.yahoo.com/games/clients/y/blt1_x.cab
> O16 - DPF: Yahoo! Dice -
> http://download.games.yahoo.com/games/clients/y/dct2_x.cab
> O16 - DPF: Yahoo! Dots -
> http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
> O16 - DPF: Yahoo! Exploder -
> http://download.games.yahoo.com/games/clients/y/vtk_x.cab
> O16 - DPF: Yahoo! Pyramids -
> http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
> O16 - DPF: Yahoo! Spelldown -
> http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
> O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
> (Shockwave ActiveX Control) -
> http://download.macromedia.com/pub/shockwave/cabs/director
> /sw.cab
> O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
> http://ak.imgfarm.com/images/nocache/funwebproducts/ei/Smi
> leyCentralInitialSetup1.0.0.8.cab
> O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo!
> Audio Conferencing) -
> http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yac
> scom.cab
> O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
> (YInstStarter Class) -
> http://download.yahoo.com/dl/installs/yinst0401.cab
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
> Class) -
> http://207.188.7.150/180c0eb55a5634560006/netzip/RdxIE601.
> cab
> O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349}
> (Pixami/Snapfish Upload UI Control) -
> http://www.snapfish.com/SnapfishUploader.cab
> O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo!
> Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
> O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4}
> (ZoneAxRcMgr Class) -
> http://zone.msn.com/binGame/ZAxRcMgr.cab
> O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -
> http://wdownload.weatherbug.com/minibug/tricklers/AWS/mini
> buginstaller.cab
> O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0}
> (Hangman Control) -
> http://mirror.worldwinner.com/games/v40/hangman/hangman.ca
> b
> O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999}
> (YAddBook Class) -
> http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suit
> e/autocomplete.cab
> O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
> (Symantec RuFSI Registry Information Class) -
> http://security.symantec.com/SSC/SharedContent/common/bin/
> cabsa.cab
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
> (Shockwave Flash Object) -
> http://download.macromedia.com/pub/shockwave/cabs/flash/sw
> flash.cab
> O16 - DPF: {D7107300-E42A-4C1C-84EB-4D783E58B88D}
> (DNInstallerOCX Class) -
> https://www.speechmachines.org/Installer/InstallerOCX.cab
> O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
> (PopCapLoader Object) -
> http://zone.msn.com/bingame/zuma/default/popcaploader_v5.c
> ab
> O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live
> Collaboration) -
> http://liveca04.rightnowtech.com/sonystyle/sonystyle/rnt/r
> nl/java/RntX.cab
> O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
> Chat Control 4.5) -
> http://fdl.msn.com/public/chat/msnchat45.cab
>
> I will do as you asked and wait for you to look over.
> Thanks again for all your help. I have spent about 6
> hours trying to figure this thing out today!!!
>
> >-----Original Message-----
> >The gambling website has hijacked your IE.
> >
> >1. Use the following scanners to find and remove the
> website.
> >
> >SpyBot S&D searches your harddisk for so-called spy- or
> adbots;
> >http://security.kolla.de/
> >or
> >Adaware
> >http://www.lavasoftusa.com/software/adaware/
> >or
> >CoolWebShredder
> >http://www.spychecker.com/program/coolwebshredder.html
> >
> >2. Some porn websites redirects links to their websites
> using your HOSTS
> >file. Do a search for the HOSTS (without extension) file
> and remove the
> >entry.
> >
> >3. If still no joy, download HijackThis from Spywareinfo
> download page
> >
> >http://www.spywareinfo.com/program/hijackthis.html
> >
> >Run the program and you will find many entries. Most are
> OK. Post the log. I
> >will find the problem for you.
> >
> >4. If still no joy, look for the website in your
> system.ini, win.ini and
> >registry and delete it.
> >
> >
> >--
> >Warren
> >For additional help, post in
> >http://groups.msn.com/HelpforInternetExplorerorWindowsME/
> homepage
> >
> >"Wendy" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:21ee501c45c94$513ffe00$a301280a@phx.gbl...
> >> I keep getting the same pop up come on everytime i log
> on
> >> my computer. It is an application shortcut that has
> >> attached itself to Internet Explorer in the target
> >> setting. I have tried to delete it, but it keeps
> coming
> >> back, and i cannot find the source file. It is an
> online
> >> gambling web site, which I have never gone on. How do
> I
> >> get this slug to unattach from my IE?
> >
> >
> >.
> >
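The checks this thread asks for (HijackThis not being run from a Temp folder, plus a look at the HOSTS and system.ini entries), as an added example that is not part of any poster's message: Python that undoes the `>` quoting and mail-client line wrapping of a pasted HijackThis log and pulls those items out for manual review. The sample lines are constructed, and `unwrap` and `triage` are hypothetical names.

```python
import re

ENTRY = re.compile(r"^[RFNO]\d+ - ")   # HijackThis section codes: R1, F2, O4, O16 ...
PATH = re.compile(r"^[A-Za-z]:\\")     # start of a "Running processes" path

# Constructed sample in the shape of the quoted log (values are placeholders).
SAMPLE = r"""> Running processes:
> C:\WINDOWS\Explorer.EXE
> C:\Documents and Settings\Owner\Local Settings\Temporary
> Internet Files\Content.IE5\EXAMPLE\HijackThis[1].exe
>
> F2 - REG:system.ini: UserInit=C:\Windows\System32
> \example.exe,
> O1 - Hosts: 192.0.2.10 search.example.com
> O4 - HKLM\..\Run: [Example] C:\Program
> Files\Example\example.exe
"""

def unwrap(text):
    """Strip '>' quote prefixes and rejoin lines the mail client wrapped."""
    out, section = [], "header"
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if ENTRY.match(line):
            section = "entries"
        elif line == "Running processes:":
            section = "processes"
        elif out and (section == "entries"
                      or (section == "processes" and not PATH.match(line))):
            # Continuation. No space when the break fell inside a path or URL;
            # a break in the middle of a plain word cannot be told apart.
            tight = line[0] in "\\/" or re.search(r"\S[-/.]$", out[-1])
            out[-1] += ("" if tight else " ") + line
            continue
        out.append(line)
    return out

def triage(lines):
    """Collect the items the thread's advice points at; a human reviews them."""
    report = {"hijackthis_in_temp": False, "hosts": [], "system_ini": []}
    for line in lines:
        low = line.lower()
        if low.endswith(".exe") and "hijackthis" in low and "\\temp" in low:
            report["hijackthis_in_temp"] = True   # tool was run from a Temp folder
        elif line.startswith("O1 - Hosts:"):
            report["hosts"].append(tuple(line.split(":", 1)[1].split()[:2]))
        elif line.startswith(("F0 - ", "F2 - ")):
            report["system_ini"].append(line.split(" - ", 1)[1])
    return report
```

Pass only the log body to `unwrap`; prose that follows the log would otherwise be joined onto its last entry.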