Popups even with popup blocker and site redirection

Bleach Boy, post #1, Jul 30th, 2004
Every time I open up an Internet Explorer window, I get popups saying that I might have spyware and popups about free screensavers (screensavers.com), poker, and online matchmaking (like Tickle). I also get whole new Internet Explorer windows with some website, the most common one being Sandboxer. There is another that is some other site at first, but it quickly gets redirected to another site. I think the name of the second site has About in the name. Also, while I was trying to type this message I got redirected to another site. I clicked Back too soon to see what site it was, but I lost my message.

If anyone could help me, I would greatly appreciate it.

Here is my HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 12:46:51 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\Khcxyng.exe
C:\WINNT\system32\Sfq88le.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe
O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab

Bleach Boy, post #2, Jul 30th, 2004
I forgot to mention that I have already tried Ad-aware 6.0, SpySubtract (basic edition), SpyBot Search and Destroy, and Spysweeper, and they have gotten rid of many problems, just not the mentioned ones.

caperjack, post #3, Jul 30th, 2004
Hi, you have a Peper infection.

Download the removal tool:

http://downloads.subratam.org/PeperFix.exe

Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission.

Reboot and run it a second time while connected to the net.

Then run HijackThis again and post a fresh log.

Bleach Boy, post #4, Jul 30th, 2004
Thank you very much for the info, the problem seems to have cleared up.

Here is my latest HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 7:29:49 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe
O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab

caperjack, post #5, Jul 30th, 2004
Important: Create a folder on the C: drive called HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary.

..........................
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

NOTE: Please copy and paste this post into Notepad and save to your desktop, or print a copy of these instructions, because you will be working with all windows closed except HijackThis.

This one is running from a temp file, shouldn't be so if you don't know what it is, fix it.

O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe

O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe

These 2 are optional, but recommended you fix them.
O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Now reboot into safe mode and delete the following files and folders if found.

C:\Documents and Settings\David L. Curry\Local Settings\Temp\ .... empty content of this temp folder.

C:\WINNT\system32\Szep85ln.exe ............ delete this file if found

To delete the above files and folder you will need to do the following:
Go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode
Reboot computer and post a new log.

Bleach Boy, post #6, Jul 31st, 2004
I followed your directions. Here is the latest HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 6:05:41 PM, on 7/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab

caperjack, post #7, Aug 1st, 2004
Looks good.
..........

After you get it all fixed and things are working good, download and install these 3 programs to help stop Spyware.

Spywareblaster

SpywareGuard

IE-SPYAD

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html
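
The check applied in post #5 (a Run entry launching from a Temp folder) and the before/after comparison behind post #7, as an added example that is not part of the thread or of HijackThis itself. The log excerpts are a few lines taken from posts #1 and #6; the function names and the Temp-path pattern are assumptions made for this illustration.

```python
import re

# Constructed excerpts: a few lines taken from the logs in posts #1 and #6.
BEFORE = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Khcxyng.exe
C:\WINNT\system32\Sfq88le.exe

O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe
O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler.exe
"""
AFTER = r"""Running processes:
C:\WINNT\system32\svchost.exe

O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Assumed pattern for "running from a temp folder": a \Temp\ or \Tmp\ path component.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def parse(log):
    """Split a HijackThis log into running processes and O-numbered entries."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif re.match(r"^O\d+ - ", line):
            entries.append(line)
    return procs, entries

def temp_autoruns(entries):
    """Return (hive, value name, command) for Run entries launching from a Temp folder."""
    hits = []
    for e in entries:
        m = O4_RUN.match(e)
        if m and TEMP_DIR.search(m.group(4)):
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits

def removed(before, after):
    """Lines present in the earlier log but absent from the later one (case-insensitive)."""
    later = {x.lower() for x in after}
    return [x for x in before if x.lower() not in later]

if __name__ == "__main__":
    p0, e0 = parse(BEFORE)
    p1, e1 = parse(AFTER)
    print("Temp autoruns before:", temp_autoruns(e0))
    print("Temp autoruns after: ", temp_autoruns(e1))
    print("Processes gone:", removed(p0, p1))
    print("Entries gone:  ", removed(e0, e1))
```

An empty "after" list for the Temp check only shows the Run value is gone from the registry; the file itself is removed separately, as post #5 describes.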

crunchie, post #8, Aug 1st, 2004
Just out of curiosity, can you please go here and have this file scanned.

C:\WINNT\system32\win32spl.exe

Bleach Boy, post #9, Aug 1st, 2004
I scanned the file and the scanner said it was clean.

caperjack, post #10, Aug 1st, 2004
Originally Posted by crunchie
Just out of curiosity, can you please go here and have this file scanned.

C:\WINNT\system32\win32spl.exe

My search of that file showed it as being Win2000 network printer related.

http://www.microsoft.com/windows2000...e_prn_kyef.asp
©2003 - 2009 DaniWeb® LLC