March 8th, 2004 23:00

Pop-up Problem/HJT


An annoying popup ad has been appearing on my computer screen
for about three weeks, both when I am online and offline. If I close a
browser (IE 5.5), the ad window will pop up. When I am online and I
close a browser, live ads pop up, one after the other, in the same
window. When working offline, every time I close an HTML document,
a canned ad will pop up. The source code says it came from
undergroundlair.net. Also, about one in three boots results in something
trying to dial up to the internet.


Spybot S&D, NAV, and CWShredder find nothing. Any advice re: my
HJT log is much appreciated.


Logfile of HijackThis v1.97.7
Scan saved at 2:50:50 PM, on 3/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\WINDOWSUPD4.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\PCMQCLR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAMS\ICQ2003B\ICQ\ICQ.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAMS2\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erols.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRAMS\ICQ2003B\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE
O4 - HKLM\..\Run: [PCMQCLR] C:\WINDOWS\SYSTEM\PCMQCLR.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\utilities\NortonSystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37926.2488425926
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

2 Intern • 3.9K Posts

March 9th, 2004 11:00

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE

The following have randomly named file names and, as such, are normally malware UNLESS you know what they are and they are from a safe source; please check for removal.

O4 - HKLM\..\Run: [PCMQCLR] C:\WINDOWS\SYSTEM\PCMQCLR.exe

Then Reboot to safe mode (F8 on boot) and delete the following files:-

C:\WINDOWS\WINDOWSUPD4.EXE
C:\WINDOWS\SYSTEM\PCMQCLR.exe (If checked above)

Then Reboot and post a fresh log for me to check.
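A small log-review helper in the spirit of the advice above, written for this thread (it is not HijackThis code): it pulls the O4 autostart lines out of a HijackThis log, flags programs that are not on a baseline allowlist, marks vowel-less names as "random-looking" (a crude stand-in for the reviewer's rule), and diffs an earlier log against a later one to confirm the fix took. The allowlist and the two sample logs are constructed from entries posted in this thread.

```python
import re

# Reviews the O4 (autostart) lines of a HijackThis v1.97 log the way this thread
# does: programs not in a baseline are flagged, and a later log is diffed against
# an earlier one to confirm the fix took. Example code for this thread, not part of
# HijackThis; the baseline is constructed from entries the thread treats as legitimate.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat))(?:\s|$)", re.I)
KNOWN_GOOD = {"scanregw.exe", "systray.exe", "rundll32.exe", "logi_mwx.exe", "navapw32.exe",
              "nprotect.exe", "icqnet.exe", "sbserv.exe", "csinject.exe", "symtray.exe", "rundll"}

# Sample O4 lines taken from the first and last logs posted in the thread.
LOG_BEFORE = r"""O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE
O4 - HKLM\..\Run: [PCMQCLR] C:\WINDOWS\SYSTEM\PCMQCLR.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"""
LOG_AFTER = r"""O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg"""

def exe_basename(cmd):
    """Lower-cased file name of the program an O4 command line launches."""
    if cmd.startswith('"'):                     # quoted path containing spaces
        path = cmd[1:cmd.index('"', 1)]
    else:                                       # unquoted path; may still contain spaces
        m = EXE_RE.match(cmd)
        path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def parse_o4(log_text):
    """Yield (hive, key, name, cmd, exe) for every O4 line in a HijackThis log."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield (*m.group("hive", "key", "name", "cmd"), exe_basename(m.group("cmd")))

def looks_random(exe):
    """Crude stand-in for the thread's 'randomly named file' rule: a vowel-less stem."""
    stem = exe.rsplit(".", 1)[0]
    return len(stem) >= 6 and not any(c in "aeiou" for c in stem)

def review(log_text):
    """Map entry name -> reason for every O4 entry whose program is not on the baseline."""
    return {name: ("random-looking name" if looks_random(exe) else "not in baseline") + ": " + cmd
            for _, _, name, cmd, exe in parse_o4(log_text) if exe not in KNOWN_GOOD}

def removed_entries(before, after):
    """Names of O4 entries present in an earlier log but gone from a later one."""
    kept = {(h, k, n) for h, k, n, _, _ in parse_o4(after)}
    return sorted(n for h, k, n, _, _ in parse_o4(before) if (h, k, n) not in kept)
```

On the sample logs, `review(LOG_BEFORE)` flags exactly the two entries the reviewer singled out, and `removed_entries` lists what the later log no longer carries.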

March 11th, 2004 20:00

Regarding the following, I posted this on March 8: http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=6252
I ran HJ twice, each time checking and telling it to 'fix' the Windowsupd4.exe file and both times it still appeared. I then restarted the computer in safe mode, and deleted it manually from the Windows folder. On rebooting the computer, and again running HT, Windowsupd4.exe still appeared on the list. However, regarding that file with the randomly generated name, I simply unchecked it in startup and it seems gone for good. And those annoying popup ads, when I close a browser window, also have disappeared. But that sneaky Windows update file is still there. The following is my latest HijackThis log.




Logfile of HijackThis v1.97.7
Scan saved at 7:27:55 PM, on 3/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\PROGRAMS\ICQ2003B\ICQ\ICQNET.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAMS2\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erols.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRAMS\ICQ2003B\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\utilities\NortonSystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37926.2488425926
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

426 Posts

March 11th, 2004 20:00

This line is a problem too, but let ChrisRLG tell you what to do:

C:\WINDOWS\RunDLL.exe  <---used by a backdoor

2 Intern • 3.9K Posts

March 11th, 2004 21:00

Hi BBlackie.

Try this link for that line:

http://www.sysinfo.org/startuplist.php?filter=deskcp16.dll&count=&type=

Although a virus does use that name, this seems to be the legit line.

------------------------------------
mr_interlocutor

The windowsupd4.exe is no longer running, so one more fix should remove it from your log.

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-

File > > C:\WINDOWS\WINDOWSUPD4.EXE (But it is probably already deleted.)

Then Reboot and post a fresh log for me to check.

Message Edited by ChrisRLG on 03-11-2004 11:53 PM

426 Posts

March 11th, 2004 21:00

Really hard to say with the current configuration, but I'll accept your expertise.

March 14th, 2004 14:00

I believe that the pop-up problem has been solved, with your help.


Here is the latest log:



Logfile of HijackThis v1.97.7
Scan saved at 8:59:14 AM, on 3/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAMS2\HIJACKTHIS\HIJACKTHIS.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erols.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37926.2488425926
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

2 Intern • 3.9K Posts

March 14th, 2004 19:00

This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot S&D, Ad-aware: run weekly, or after a heavy internet session.

SpywareBlaster & SpywareGuard: the first sets kill bits to stop known bad ActiveX controls installing, the second acts like your AV to stop browser hijacks and installing of known baddies.

Also IE-SPYAD (link on my site), which puts 4000 bad sites in your Restricted (banned) sites list, to stop you accidentally getting sent to a bad site; it has an optional list of "bad" adult sites to install as well.

All those with links from my site. Do remember that just like Anti-Virus they need to be updated regularly; I do mine weekly, Anti-Virus hourly.

With these and a firewall in place I have to try various bad sites when checking people's HijackThis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

 
