943,752 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Popups even with popup blocker and site redirection
Ad:
You are currently viewing page 1 of this multi-page discussion thread
Permalink
Jul 30th, 2004
0

Popups even with popup blocker and site redirection

Expand Post »
Every time I open up an Internet Explorer window, I get popups saying that I might have spyware and popups about free screensavers (screensavers.com), poker, and online matchmaking (like Tickle). I also get whole new Internet Explorer windows with some website, the most common one being Sandboxer. There is another that is some other site at first, but it quickly get redirected to another site. I think the name of the second site has About in the name. Also, while I was trying to type this message I got redirected to another site. I clicked Back too soon to see what site it was, but I lost my message.

If anyone could help me, I would greatly appreciate it.

Here is my HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 12:46:51 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\Khcxyng.exe
C:\WINNT\system32\Sfq88le.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe
O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Bleach Boy is offline Offline
19 posts
since Jul 2004
Permalink
Jul 30th, 2004
0

Re: Popups even with popup blocker and site redirection

I forgot to mention that I have already tried Ad-aware 6.0, SpySubtract
(basic edition), SpyBot Search and Destroy, and Spysweeper, and they have gotten rid of many problems, just not the mentioned ones.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Bleach Boy is offline Offline
19 posts
since Jul 2004
Permalink
Jul 30th, 2004
0

Re: Popups even with popup blocker and site redirection

Hi, you have a Peper infection

Download the removal tool :

http://downloads.subratam.org/PeperFix.exe

Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission.

Reboot and run it a second time while connected to the net.

then run hijack again and post fresh log
Team Colleague
Reputation Points: 1056
Solved Threads: 792
I hate 20 Questions
caperjack is offline Offline
12,720 posts
since Aug 2003
Permalink
Jul 30th, 2004
0

Re: Popups even with popup blocker and site redirection

Thankyou very much for the info, the problem seems to have cleared up.

Here is my latest HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 7:29:49 AM, on 7/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe
O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Bleach Boy is offline Offline
19 posts
since Jul 2004
Permalink
Jul 30th, 2004
0

Re: Popups even with popup blocker and site redirection

Important: Create a folder on the C: drive called HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

..........................
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

NOTE: Please copy and paste this post into notepad and save to you desktop. or print a copy of these instructions because you will be working with all windows closed except HijackThis.

This one is running from a temp file ,shouldn't be so if you don't know what it is ,fix it.

O4 - HKLM\..\Run: [ns2.exe] C:\Documents and Settings\David L. Curry\Local Settings\Temp\ns2.exe

O4 - HKLM\..\Run: [256ERWB3NNXBSK] C:\WINNT\system32\Szep85ln.exe

These 2 are optional ,but recomended you fix them .
O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE




Now reboot into safe mode and delete the following files and folders if found ."Fix Checked"...Reboot to SAFE mode to delete files ,How to start computer in safe mode

C:\Documents and Settings\David L. Curry\Local Settings\Temp\....empty content of this temp folder .


C:\WINNT\system32\Szep85ln.exe............ delet this file if found

to delete the above files and folder you will need to do the following
go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode
reboot computer and post a new log
Team Colleague
Reputation Points: 1056
Solved Threads: 792
I hate 20 Questions
caperjack is offline Offline
12,720 posts
since Aug 2003
Permalink
Jul 31st, 2004
0

Re: Popups even with popup blocker and site redirection

I followed your directions. Here is the latest HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 6:05:41 PM, on 7/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Logitech\MouseWare\System\em_exec.exe
F:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David L. Curry\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\System\em_exec.exe
O4 - HKLM\..\Run: [vptray] F:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32spl] C:\WINNT\system32\win32spl.exe
O4 - Startup: Mopy Points Collector.lnk = F:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Bleach Boy is offline Offline
19 posts
since Jul 2004
Permalink
Aug 1st, 2004
0

Re: Popups even with popup blocker and site redirection

Looka good.
..........

After you get it all fixed and things are working good ,Download and install these 3 programs to help stop Spyware .


Spywareblaster


SpywareGuard



IE-SPYAD


Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

also check how i got infected in the first place .

http://www.computercops.biz/postlite7736-.html
Team Colleague
Reputation Points: 1056
Solved Threads: 792
I hate 20 Questions
caperjack is offline Offline
12,720 posts
since Aug 2003
Permalink
Aug 1st, 2004
0

Re: Popups even with popup blocker and site redirection

Just out of curiousity, can you please go here and have this file scanned.

C:\WINNT\system32\win32spl.exe
Moderator
Featured Poster
Reputation Points: 1142
Solved Threads: 982
Most Valuable Poster
crunchie is offline Offline
12,163 posts
since Feb 2004
Permalink
Aug 1st, 2004
0

Re: Popups even with popup blocker and site redirection

I scanned the file and the scanner said it was clean.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
Bleach Boy is offline Offline
19 posts
since Jul 2004
Permalink
Aug 1st, 2004
0

Re: Popups even with popup blocker and site redirection

Quote originally posted by crunchie ...
Just out of curiousity, can you please go here and have this file scanned.

C:\WINNT\system32\win32spl.exe
My search of that file showed it as being win2000 network printer Releated .

http://www.microsoft.com/windows2000...e_prn_kyef.asp
Team Colleague
Reputation Points: 1056
Solved Threads: 792
I hate 20 Questions
caperjack is offline Offline
12,720 posts
since Aug 2003

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Getting blank pages with IE @ W-Update and hotmail with HJT file log
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: Best firewall/site blocker





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC