I am driven mad by the browser popups, please help!!

  1. #1
    hatespyware is offline Newbie


    IE browser windows keep popping up every 10 or 20 minutes. They seem to go to www.paypopup.com and then redirect to several web sites.
    I tried Adware, Norton and manually deleting the following two dirs:
    D:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    D:\WINDOWS\System32\vmss\vmss.exe
    But they always come back. I have been fighting this for two days and am almost desperate. Please help me!

    Following is the log:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:55:44 PM, on 3/12/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\WINDOWS\System32\inetsrv\inetinfo.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\WINDOWS\System32\tcpsvcs.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Microsoft IntelliPoint\point32.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    D:\WINDOWS\System32\vmss\vmss.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    D:\Program Files\RealVNC\WinVNC\winvnc.exe
    D:\WINDOWS\system32\rundll32.exe
    F:\Software\hijackthis\HijackThis.exe
    D:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/WebSites/andy/andybookmark.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///F:/WebSites/andy/andybookmark.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [DXM6Patch_981116] D:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Dvx] D:\WINDOWS\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] D:\WINDOWS\System32\vmss\vmss.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: QuickShelf 2000.lnk = D:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
    O4 - Startup: Run VNC Server.lnk = D:\Program Files\RealVNC\WinVNC\winvnc.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NetAnts\NAGetAll.htm
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NetAnts\NetAnts.exe
    O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
    O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS.../popup_3D.html
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5A02F4E-B4E1-4BF7-9A1F-0F5B5C87E905}: NameServer = 24.153.22.195,24.153.23.66
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - D:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\system32\ir2ol5f31.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - D:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: OracleOraHome81Agent - Oracle Corporation - D:\oracle\ora81\bin\dbsnmp.exe
    O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - D:\oracle\ora81\bin\vppdc.exe
    O23 - Service: OracleOraHome81HTTPServer - Unknown owner - D:\oracle\ora81\Apache\Apache\Apache.exe
    O23 - Service: OracleOraHome81PagingServer - Unknown owner - D:\oracle\ora81/bin/pagntsrv.exe
    O23 - Service: OracleOraHome81TNSListener - Unknown owner - D:\oracle\ora81\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceTEST - Oracle Corporation - d:\oracle\ora81\bin\ORACLE.EXE
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


  2. #2
    owen is offline D-A-L Team Member (UK)
    Hello,
    Sorry about the very long response time.

    Please download LSPFix from here. Unzip it and run LSPFix.exe.

    1) When LSPFix has started, put a checkmark in "I know what I am doing"
    2) In the Keep column, select all dolsp.dll and aklsp.dll entries and click the arrow to move them into the remove column.
    3) Click the Finish button to remove them.

    Then boot into Safe Mode.

    Delete the following files:
    d:\windows\system32\dolsp.dll
    d:\windows\system32\aklsp.dll

    Reboot and post a fresh Hijack This log
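
An added example, not part of the thread and not HijackThis or LSPFix code: a small Python triage script that pulls the Winsock LSP (O10) entries named in the reply out of a HijackThis log and checks whether the two files deleted in post #1 are still referenced by Run keys (O4). The sample input is an excerpt constructed from the log in post #1, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of lines taken from the log in post #1.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dvx] D:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] D:\WINDOWS\System32\vmss\vmss.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\dolsp.dll
O20 - Winlogon Notify: MS-DOS Emulation - D:\WINDOWS\system32\ir2ol5f31.dll
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")              # "O10 - ..."
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")      # "HKLM\..\Run: [name] cmd"

def parse(log):
    """Return (section code, detail) pairs for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def lsp_files(entries):
    """Count O10 lines per DLL; one file can occupy several LSP chain slots."""
    counts = Counter()
    for code, detail in entries:
        if code == "O10":
            counts[detail.split(": ", 1)[1].lower()] += 1
    return counts

def run_entries(entries):
    """Map Run value name -> command line (surrounding quotes stripped)."""
    found = {}
    for code, detail in entries:
        m = RUN.match(detail) if code == "O4" else None
        if m:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def autostarts_for(paths, entries):
    """Names of Run values whose command still starts with one of `paths`."""
    wanted = [p.lower() for p in paths]
    return sorted(name for name, cmd in run_entries(entries).items()
                  if any(cmd.lower().startswith(p) for p in wanted))

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print("LSP entries to move to Remove in LSPFix:", dict(lsp_files(parsed)))
    print("Run values pointing at deleted files:", autostarts_for(
        [r"D:\WINDOWS\System32\wsxsvc\wsxsvc.exe",
         r"D:\WINDOWS\System32\vmss\vmss.exe"], parsed))
```

Run against a full log, the O10 counts show how many entries per DLL to expect in the LSPFix Keep column before moving them to Remove.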
