
Thread: HELP! POPUPS!

  1. #25
    Stay chooned in for more! Clint's Avatar
    Join Date
    Apr 2003
    Location
    Metro Atlanta Area
    Posts
    9,681
    ok. i downloaded lspfix from cexx.com. that got rid of the O10 ones. here's my new log.


    Logfile of HijackThis v1.99.1
    Scan saved at 7:10:17 AM, on 7/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\MSAgentXP.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Ted\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnr2019oe.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\



    if i restart my computer it'll probably show that it got rid of more of them. i'll restart later and repost my log. you guys have been a huge help and i already notice a decrease in number and frequency of popups.

  2. #26
    Stay chooned in for more! Clint's Avatar
    Join Date
    Apr 2003
    Location
    Metro Atlanta Area
    Posts
    9,681
    oh yeah. almost half my popups say "powered by Zedo" and then more come up.

  3. #27
    War. War never changes. Est's Avatar
    Join Date
    Apr 2004
    Location
    Champaign, IL
    Posts
    3,935
    Things overlooked or to add:

    C:\WINDOWS\system32\MSAgentXP.exe (you may need to use killbox for this'n.)

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe

    (the above two are unknowns, as far as I'm concerned, unknowns have no place in your sys32 folder or your registry.)

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

    O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe

    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    (yet another trojan horse...)

    OOOOH! Something just hit me: kill all traces of Windows Messenger, that'll help.

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    (part of windows messenger)


    Alright, give that a shot. MAN oh MAN does norton antivirus add a LOT of crap to that list. It does the same with your hard drive, just makes random folders and files all over the freaking place. If you don't format you'll be finding vestiges of that program for all eternity. You don't have to get rid of it, but I prefer AVG free. Let us know how things look after you kill these things; the problem may be rooted in a Windows Messenger exploit (that is, its existence.)
    \(_o)/ ಠ_ಠ
    My Growlist
    NASC Website Come join in on the fun!
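
Added example, not part of Est's post or of HijackThis: a Python sketch of the triage described above, pulling out any program chained onto the F2 Shell/UserInit values and listing the O4 Run targets to look up. The function names are hypothetical, the sample lines are copied from the log in this thread, and comparing file names only is a simplification.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
"""

# Stock Windows XP programs for these values; anything chained on also runs at logon.
# Assumption for this example: only the file name is compared, not the full path.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")

def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def f2_extras(log):
    """Return {value name: [extra programs]} for F2 Shell/UserInit lines."""
    found = {}
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key = m.group(1).lower()
        parts = [p.strip() for p in m.group(2).split(",") if p.strip()]
        extras = [p for p in parts if basename(p) != EXPECTED.get(key)]
        if extras:
            found[key] = extras
    return found

def run_entries(log):
    """Return (hive, value name, executable) for each O4 registry Run line."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m.group(4).strip()
            # Quoted path: take the text inside the quotes; otherwise the first token.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            out.append((m.group(1), m.group(3), exe))
    return out
```

`f2_extras(SAMPLE_LOG)` returns the two unknown executables Est points at, and `run_entries(SAMPLE_LOG)` gives the full path of each startup item.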

  4. #28
    Stay chooned in for more! Clint's Avatar
    Join Date
    Apr 2003
    Location
    Metro Atlanta Area
    Posts
    9,681
    how do i delete C:\WINDOWS\system32\MSAgentXP.exe? it's not on the list of things to delete. it starts at f2

  5. #29
    Stay chooned in for more! Clint's Avatar
    Join Date
    Apr 2003
    Location
    Metro Atlanta Area
    Posts
    9,681
    i downloaded killbox. here's a list of processes. they all end in .exe and i'm lazy so i won't type that part

    smss
    services
    lsass
    CCPROXY
    CCSETMGR
    ISSVC
    SNDSrvc
    SPBBCS
    CCEVTMGR
    spoolsv
    AluSchedulerSvc
    NAVAPSVC
    svchost
    symlcsvc
    wdfmgr
    alg
    csrss
    winlogon
    goiaba
    explorer
    wxyeb
    apdproxy
    qttasik
    CCAPP
    rundll32
    firefox
    msmgs
    OPSCAN
    killBox

  6. #30
    War. War never changes. Est's Avatar
    Join Date
    Apr 2004
    Location
    Champaign, IL
    Posts
    3,935
    You can kill just about anything with killbox. If it isn't listed as a running process, you do the following, we'll use MSagentXP.exe as an example.

    C:\WINDOWS\system32\MSAgentXP.exe
    Tells us that the executable "MSAgentXP" is located in the system32 folder of your windows folder on your C drive.
    Open up kill box and cut and paste the location (C:\WINDOWS\system32\) and the item you wish to kill (MSAgentXP.exe) into the box labeled "full path of file to delete."

    From the things you listed, you want to do a google search on the items you don't recognize (just type in the name of the file and the extension "EG smss.exe"). From here you should easily be able to determine if the process is legit or not. I'd suggest killing the things that I suggested from Hijackthis before doing so. If there's something hijackthis can't delete, keep its name in mind so you can delete it with killbox.
    \(_o)/ ಠ_ಠ
    My Growlist
    NASC Website Come join in on the fun!

  7. #31

    Join Date
    Sep 2001
    Location
    United Kingdom
    Posts
    2,005
    Cheers for your help Est. You sound like you know a lot more than me, so carry on
    Alexis Vallance, U.K.
    Plant gallery
    Grow list

  8. #32
    War. War never changes. Est's Avatar
    Join Date
    Apr 2004
    Location
    Champaign, IL
    Posts
    3,935
    I can't really take much credit. A lot of it is checking on google and knowing the tools. And thank you for getting the ball rolling on this one.
    \(_o)/ ಠ_ಠ
    My Growlist
    NASC Website Come join in on the fun!
