Hello,
I'm having a series of popup ads lately. Spybot, Adaware and Microsoft Anti Spyware Beta 1 have been used. Here is my log. Is there anything on this log that could create future pop-ups?
Thanks,
ninja5
Logfile of HijackThis v1.99.1
Scan saved at 1233 PM, on 6/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\NFSClient\expserv.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Java\j2re1.4.1_01\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\daviesr.FOODSVCS\Local Settings\Temporary Internet Files\Content.IE5\SPEBOXA3\hijackthis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roundrockisd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roundrockisd.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = crock:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.roundrockisd.org;222.2.2.47;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitexlz32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2&04.00.03.15&http://shopping.franklincovey.com/shopping/images/zm/blooms/blooms.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pcs.webex.com/client/v_eureka-mc50/webex/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\Software\..\Telephony: DomainName = FOODSVCS
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Hummingbird Export (HCLExport) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\NFSClient\expserv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
Before we take a look at your Hijack This log...
Internet pop-ups are in the websites that you are visiting. Most of the time, they are not at all malicious; they are just for advertising and to make money. I would start by downloading the Google Toolbar located at http://toolbar.google.com/T3/download. To get the full list of features for the Google Toolbar, take a look here. The Google Toolbar will block most pop-ups for you as well as provide you with several other convenient features. Please post back to let me know if it works.
-Jeff
Hello, ninja5 & Welcome
First, it is a good idea to do as said by jnadel,
& could you please move HijackThis to a folder on the C:\ drive, like so: C:\HJT
Now
Download this tool: LQfix.zip
Unzip it to your Desktop.
Don't use it yet!
IMPORTANT! Reboot the computer into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
Once in Safe Mode,
double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; that is normal.
After running LQfix, run HijackThis & fix items.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitexlz32.exe
This item here: if not put in place by you or the admins of the PC, fix it.
NOTE: some software like Spybot will do this, so make sure.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pcs.webex.com/client/v_eurek...ex/ieatgpc.cab
Delete the following files\folders IF still present:
C:\windows\system32\elitexlz32.exe <--- This file
Reboot into normal mode and scan with HijackThis. Post the new log as a reply to this thread.
HGD!
Last edited by HJThis; 24-06-2005 at 03:52 PM.
Jeff,
The firewall does not allow me to click on the Google weblink. It's good to know that this toolbar is out there. Thanks.
ninja5
HGD,
Here is my latest log. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 2:15:42 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roundrockisd.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roundrockisd.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = crock:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.roundrockisd.org;222.2.2.47;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...ms/blooms.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pcs.webex.com/client/v_eurek...ex/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\Software\..\Telephony: DomainName = FOODSVCS
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\System\CS2\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CS2\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = FOODSVCS
O17 - HKLM\System\CS3\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: Domain = RRISD
O17 - HKLM\System\CS3\Services\Tcpip\..\{6DF2D301-4281-409F-BEF6-C800583AA629}: NameServer = 222.2.200.22,100.1.252.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Hummingbird Export (HCLExport) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\NFSClient\expserv.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
Hi, ninja5
Well, I don't see the files. How is it running? Do you
still have the problem, or is all OK?
HGD!
So far, so good. Thanks a lot!!!
ninja5
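
An added example, not part of the original thread and not a HijackThis feature: comparing a before and after scan shows which fix-list entries actually disappeared and which autostart entries are new. The function names are hypothetical, and the two sample logs are short excerpts of the 6/23 and 6/28 logs posted above.

```python
import re

# "<section code> - <detail>", the line shape used by HijackThis 1.99.x logs.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        # Collapse whitespace runs so forum line-wrapping does not cause false differences.
        section, detail = m.group(1), " ".join(m.group(2).split())
        if section == "O16":
            # Forums shorten long URLs with "...", so compare O16 on CLSID and class name only.
            detail = detail.rsplit(" - ", 1)[0]
        entries.add((section, detail))
    return entries

def diff_logs(before, after):
    """Return (removed, added) entries between two scans, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

# Excerpts from the 6/23 and 6/28 logs in this thread (not the full logs).
BEFORE = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitexlz32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pcs.webex.com/client/v_eureka-mc50/webex/ieatgpc.cab
"""
AFTER = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pcs.webex.com/client/v_eurek...ex/ieatgpc.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for tag, items in (("-", removed), ("+", added)):
        for section, detail in items:
            print(tag, section, detail)
```

On these excerpts the `checkrun` autostart entry is reported as removed, while the GpcContainer O16 entry from the fix list is not, because it is still present in the second log.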