
help with pop up virus


Name: cshults
Date: January 21, 2004 at 17:22:37 Pacific
OS: windows
CPU/Ram: amd k6-2
Comment:

Ok, here is the problem, guys: every time I open up IExplorer, my computer starts loading pop-ups from huntfly.com and sandboxer.com. And every time it starts to load, the screen freezes up and I HAVE TO wait for the pop-up to load. Then all my writing goes into Caps Lock. This has become a real annoyance. Here is my HiJackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:24:00 PM, on 1/21/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\CSRSS.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\WINNT\System32\ThpSK119.exe
C:\WINNT\System32\Soy734V2.exe
C:\PROGRA~1\ZipIt\zipitfast.exe
C:\DOCUME~1\cody1\LOCALS~1\Temp\ztv8\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {014DA6 - (no file)
O2 - BHO: (no name) - {014DA6C - (no file)
O2 - BHO: (no name) - {06 - (no file)
O2 - BHO: (no name) - {068 - (no file)
O2 - BHO: (no name) - {0684 - (no file)
O2 - BHO: (no name) - {06849 - (no file)
O2 - BHO: (no name) - {06849E - (no file)
O2 - BHO: (no name) - {06849E9 - (no file)
O2 - BHO: (no name) - {06849E9F - (no file)
O2 - BHO: (no name) - {06849E9F- - (no file)
O2 - BHO: (no name) - {06849E9F-C - (no file)
O2 - BHO: (no name) - {06849E9F-C8 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D5 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B8 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-78 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F0 - (no file)
O2 - BHO: (no name) - {3F07 - (no file)
O2 - BHO: (no name) - {3F070 - (no file)
O2 - BHO: (no name) - {3F0700 - (no file)
O2 - BHO: (no name) - {3F0700C - (no file)
O2 - BHO: (no name) - {3F0700CA - (no file)
O2 - BHO: (no name) - {3F0700CA- - (no file)
O2 - BHO: (no name) - {3F0700CA-4 - (no file)
O2 - BHO: (no name) - {3F0700CA-43 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-4 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F2 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-0 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-04 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-0488 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-04880 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803E - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A2 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A23 - (no file)
O2 - BHO: (no name) - {6 - (no file)
O2 - BHO: (no name) - {65 - (no file)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8 - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1 - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5 - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-2 - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F315 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778 - (no file)
O2 - BHO: (no name) - {6A - (no file)
O2 - BHO: (no name) - {6A6 - (no file)
O2 - BHO: (no name) - {6A61 - (no file)
O2 - BHO: (no name) - {6A615 - (no file)
O2 - BHO: (no name) - {6A615B - (no file)
O2 - BHO: (no name) - {6A615B8 - (no file)
O2 - BHO: (no name) - {6A615B83 - (no file)
O2 - BHO: (no name) - {6A615B83- - (no file)
O2 - BHO: (no name) - {6A615B83-8 - (no file)
O2 - BHO: (no name) - {6A615B83-89 - (no file)
O2 - BHO: (no name) - {6A615B83-899 - (no file)
O2 - BHO: (no name) - {6A615B83-8995 - (no file)
O2 - BHO: (no name) - {6A615B83-8995- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4F - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-A - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F4 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F437 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F4373 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731C - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CF - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD6 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD60 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD60A - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CSRSS] C:\WINNT\CSRSS.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\System32\Upws.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Bsx3] RunDLL32.exe C:\WINNT\bs3.dll,DllRun
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O8 - Extra context menu item: &Define - C:\WINNT\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search the Web - C:\WINNT\Web\ERS_SRC.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINNT\Web\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Please help!




Response Number 1
Name: suzi
Date: January 21, 2004 at 19:14:36 Pacific
Reply:


You should run AdAware and/or Spybot Search & Destroy.

Also CWShredder. http://www.spywareinfo.com/~merijn/cwschronicles.html

If problems are still there, then move HijackThis to another location (not a temp folder), run it and post a new log.


0

Response Number 2
Name: suzi
Date: January 21, 2004 at 19:20:36 Pacific
Reply:

You also have SpyBlast - not recommended!

See here for more info:

http://www.doxdesk.com/parasite/SpyBlast.html



0

Response Number 3
Name: Imp
Date: January 21, 2004 at 21:23:49 Pacific
Reply:

Hello,
Download as soon as possible the two following freewares:
1) AdAware 6.0/181
2) SpywareBlaster 2.61
Don't forget to update them as soon as you have downloaded them.


0

Response Number 4
Name: mark2a
Date: January 21, 2004 at 23:46:36 Pacific
Reply:

Once you have done the above you also have the peper trojan to deal with.
1. Use the uninstall tool - download from:
http://home.comcast.net/~radio104/peperuninst.exe Double click on uninst.exe, let it run and terminate.

2. Delete all the files associated with drpeper - download from http://www.mjc1.com/files/mo/drpeper.html. Double-click drpepertobackup; it will self-extract to C:. With the text in the box highlighted and 'overwrite existing files' checked, click start.

3. Go to the file C:\drpeper\Find backup and Delete Peper files.vbs and double click.

4. A box will appear, copy and paste: Soy734V2.exe and hit ok.

5. A second box will appear, copy and paste Upws.exe and hit ok.

6. It will find all the files, delete them and will make backups in the same folder. It'll open a text file (Peper.txt) with the list of all files deleted. Make sure it is saved. Then rescan with HJT, post a new HJT log and the contents of the Peper.txt file - the next stage will be to remove the rest of the bad stuff.


0

Response Number 5
Name: blender
Date: January 22, 2004 at 00:05:17 Pacific
Reply:

Ok, there are a few things to fix, but first let's get rid of peper.

1 Run this uninstaller:

http://homeo1.wxs.nl/~kleyn080/uninst.exe

2 When done, use the following tool to delete the files themselves:

http://www.mjc1.com/files/mo/drpeper.html

3 Download Drpepertobackup.exe, save to disk, and double-click the file; it will self-extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.

On the first prompt, copy and paste: Upws.exe
and hit ok.

On the second, paste: Soy734V2.exe and hit ok again.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted. Please save the text file.
Restart your computer.
As suggested above, download Spybot S&D and/or Ad-Aware, update them, and run their scans; allow them to remove what they find.
Reboot after each scan.
Place HijackThis in its own folder, because it makes backups, and if we make a mistake entries can be recovered. In the temporary folder recovery is not possible. I typically put HijackThis in: c:\hijack\hijackthis.exe

Post a fresh HijackThis log along with the peper log. We will see what is left.


0




Response Number 6
Name: blender
Date: January 22, 2004 at 00:47:49 Pacific
Reply:

Sorry mark2a... we must have crossed posts.


0

Response Number 7
Name: cshults
Date: January 22, 2004 at 16:54:32 Pacific
Reply:

Ok, I have done everything you guys have said, and here is what I have in my HijackThis log. Is the trojan or other problems still there?

Logfile of HijackThis v1.97.7
Scan saved at 7:55:37 PM, on 1/22/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\CSRSS.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\loadqm.exe
C:\DOCUME~1\cody1\LOCALS~1\Temp\ztv1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {014DA6 - (no file)
O2 - BHO: (no name) - {014DA6C - (no file)
O2 - BHO: (no name) - {06 - (no file)
O2 - BHO: (no name) - {068 - (no file)
O2 - BHO: (no name) - {0684 - (no file)
O2 - BHO: (no name) - {06849 - (no file)
O2 - BHO: (no name) - {06849E - (no file)
O2 - BHO: (no name) - {06849E9 - (no file)
O2 - BHO: (no name) - {06849E9F - (no file)
O2 - BHO: (no name) - {06849E9F- - (no file)
O2 - BHO: (no name) - {06849E9F-C - (no file)
O2 - BHO: (no name) - {06849E9F-C8 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D5 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B8 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D- - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-78 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3 - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F0 - (no file)
O2 - BHO: (no name) - {3F07 - (no file)
O2 - BHO: (no name) - {3F070 - (no file)
O2 - BHO: (no name) - {3F0700 - (no file)
O2 - BHO: (no name) - {3F0700C - (no file)
O2 - BHO: (no name) - {3F0700CA - (no file)
O2 - BHO: (no name) - {3F0700CA- - (no file)
O2 - BHO: (no name) - {3F0700CA-4 - (no file)
O2 - BHO: (no name) - {3F0700CA-43 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-4 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F2 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21- - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-0 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-04 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-0488 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-04880 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803E - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A2 - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A23 - (no file)
O2 - BHO: (no name) - {6 - (no file)
O2 - BHO: (no name) - {65 - (no file)
O2 - BHO: (no name) - {65C - (no file)
O2 - BHO: (no name) - {65C8 - (no file)
O2 - BHO: (no name) - {65C8C - (no file)
O2 - BHO: (no name) - {65C8C1 - (no file)
O2 - BHO: (no name) - {65C8C1F - (no file)
O2 - BHO: (no name) - {65C8C1F5 - (no file)
O2 - BHO: (no name) - {65C8C1F5- - (no file)
O2 - BHO: (no name) - {65C8C1F5-2 - (no file)
O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D- - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F315 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778 - (no file)
O2 - BHO: (no name) - {6A - (no file)
O2 - BHO: (no name) - {6A6 - (no file)
O2 - BHO: (no name) - {6A61 - (no file)
O2 - BHO: (no name) - {6A615 - (no file)
O2 - BHO: (no name) - {6A615B - (no file)
O2 - BHO: (no name) - {6A615B8 - (no file)
O2 - BHO: (no name) - {6A615B83 - (no file)
O2 - BHO: (no name) - {6A615B83- - (no file)
O2 - BHO: (no name) - {6A615B83-8 - (no file)
O2 - BHO: (no name) - {6A615B83-89 - (no file)
O2 - BHO: (no name) - {6A615B83-899 - (no file)
O2 - BHO: (no name) - {6A615B83-8995 - (no file)
O2 - BHO: (no name) - {6A615B83-8995- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4F - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-A - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C- - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F4 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F437 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F4373 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731C - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CF - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD6 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD60 - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD60A - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CSRSS] C:\WINNT\CSRSS.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Bsx3] RunDLL32.exe C:\WINNT\bs3.dll,DllRun
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O8 - Extra context menu item: &Define - C:\WINNT\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search the Web - C:\WINNT\Web\ERS_SRC.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINNT\Web\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


0

Response Number 8
Name: blender
Date: January 22, 2004 at 23:11:27 Pacific
Reply:

Hi

Yes, it looks like you removed peper successfully; however, we do have several other malware problems to take care of.

The first thing we need to do is place HijackThis in its own folder, c:\hijackthis\hijackthis.exe, because it makes backups of
what we remove, and if it is run from the temporary folder recovery is not possible if a mistake is made.

ToPicks is spyware and will track where you browse online and push ads and pop-ups during browsing sessions.
Go to Add/Remove Programs in the Control Panel, scroll down the list until you find "ToPicks", click it and click the
Remove button.

Start HijackThis and check the following items, close all browser and Explorer windows, and click "Fix checked":

All O2 items ending in - (no file)


O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe (if still present)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -


O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab

Reboot the computer and delete the following:

c:\program files\ToPicks <-this folder

Post a new log to this thread.

There is still some work to do, I am researching the best procedures for the rest of the cleanup.




Response Number 9
Name: mark2a
Date: January 22, 2004 at 23:21:28 Pacific
Reply:

Still some cleaning required.

The first thing we need to do is extract HijackThis to its own folder, C:\Hijackthis, then run it from that folder. Without doing this we have no means of recovery should a mistake occur.

Close all browser and Explorer windows and have HijackThis fix the following by putting a tick in the box next to them and hitting the 'Fix checked' button.

O2 - BHO: (no name) - {014DA6C - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {3F0700CA-43D9-45C1-8F21-048803ED6A23} - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - (no file)
O2 - BHO: (no name) - {6A615B83-8995-4FD3-AD5C-F43731CFD60A} - (no file)
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [CSRSS] C:\WINNT\CSRSS.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab

reboot then find and delete these files and folders

C:\Program Files\ToPicks <---- folder
C:\WINNT\CSRSS.exe <---- file


Then post a fresh Hijackthis log.


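The cleanup prescribed in Responses 8 and 9 comes down to three mechanical checks on a HijackThis log: O2/O3 entries whose CLSID is still registered but whose DLL is gone ("(no file)"), O4 Run entries that launch a look-alike of a core system process (the real csrss.exe lives in %SystemRoot%\System32 and is started by smss.exe, never from a Run key, so C:\WINNT\CSRSS.exe in a Run key is an impostor whatever its file contains), and O16 ActiveX entries with no download URL or an untrusted one. The script below is an added example, not code from the thread or from HijackThis; it applies those rules to lines copied from the logs posted above. The trusted-host list and the adware directory name are assumptions chosen for the illustration.

```python
"""Triage a HijackThis 1.9x log for the kinds of entries fixed in this thread.

Added example, not code from the thread or from HijackThis.  The sample lines
are copied from the logs posted above; the trusted-host list and the adware
directory list are assumptions made for this illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines taken verbatim from the logs posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar1.dll
O4 - HKLM\\..\\Run: [CSRSS] C:\\WINNT\\CSRSS.exe
O4 - HKLM\\..\\Run: [ToPicks Starter] C:\\Program Files\\ToPicks\\Bin\\Idhost.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Processes Windows 2000 starts itself (smss.exe -> csrss.exe/winlogon.exe,
# winlogon.exe -> services.exe/lsass.exe).  They live in %SystemRoot%\System32
# and are never launched from a Run key, so any Run entry using one of these
# names is an impostor no matter where its file sits.
CORE_SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Assumed for the illustration: the adware directory named in this thread, and
# ActiveX (DPF) download domains the editor is willing to trust.
KNOWN_ADWARE_DIRS = {"topicks"}
TRUSTED_DPF_DOMAINS = {"macromedia.com", "apple.com", "yahoo.com", "yimg.com", "ebayimg.com"}

O2_O3 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): .*? - (\{[^}]+\}) - (.*)$")
O4 = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O16 = re.compile(r"^O16 - DPF: (\{[^}]+\}) (?:\([^)]*\) )?-\s*(\S*)\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str      # orphan | impostor | adware | untrusted-host
    line: str
    reason: str


def image_path(command: str) -> str:
    """Executable from a Run-key command: the quoted path, else text up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.split()[0]


def host_trusted(url: str) -> bool:
    """True when the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2/O3/O4/O16 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_O3.match(line):
            if m.group(3).strip().lower() == "(no file)":
                findings.append(Finding("orphan", line,
                    f"{m.group(1)} CLSID {m.group(2)} is registered but its DLL is gone"))
        elif m := O4.match(line):
            exe = image_path(m.group(3))
            name = ntpath.basename(exe).lower()
            parts = {p.lower() for p in ntpath.normpath(exe).split("\\")}
            if name in CORE_SYSTEM_PROCESSES:
                findings.append(Finding("impostor", line,
                    f"{name} is started by the system from System32, never from a Run key; {exe} is a look-alike"))
            elif parts & KNOWN_ADWARE_DIRS:
                findings.append(Finding("adware", line,
                    f"{exe} lives under a directory named for known adware"))
        elif m := O16.match(line):
            clsid, url = m.groups()
            if not url:
                findings.append(Finding("orphan", line, f"DPF {clsid} has no download URL left"))
            elif not host_trusted(url):
                findings.append(Finding("untrusted-host", line,
                    f"DPF {clsid} would download ActiveX from {urlparse(url).hostname}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:14}] {f.reason}")
```

Run against the sample it flags exactly the six entries the helpers told the poster to fix (the two orphaned O2/O3 CLSIDs, the C:\WINNT\CSRSS.exe impostor, the ToPicks starter, the URL-less Java DPF and the spyblast.com DPF) and leaves the Google toolbar, RealPlayer and Macromedia lines alone. The impostor rule deliberately keys on the process name rather than the directory, so a csrss.exe dropped into System32 but launched from a Run key is still caught.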

Response Number 10
Name: mark2a
Date: January 23, 2004 at 00:04:05 Pacific
Reply:

My turn to apologise, blender.

:-(



Response Number 11
Name: blender
Date: January 23, 2004 at 11:04:02 Pacific
Reply:

That's OK, mark2a... I see you got the one I was not sure how to handle... the:

c:\winnt\csrss.exe

Thanks!



Response Number 12
Name: cshults
Date: January 24, 2004 at 12:58:45 Pacific
Reply:

Ok, here is the new log. Everything seems to be running really well now. Am I able to delete all the backups I made from HijackThis? Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 4:00:23 PM, on 1/24/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\loadqm.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Bsx3] RunDLL32.exe C:\WINNT\bs3.dll,DllRun
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O8 - Extra context menu item: &Define - C:\WINNT\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search the Web - C:\WINNT\Web\ERS_SRC.HTM
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINNT\Web\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab




Response Number 13
Name: mark2a
Date: January 24, 2004 at 13:05:26 Pacific
Reply:

You can clear the backups now if you want. Personally, I'd leave them for a few days for safety; once sure everything is running correctly, I'd then delete them.

Visit http://forums.net-integration.net/index.php?showtopic=3051 to find out how to help prevent further problems.

Happy surfing. :-)



Response Number 14
Name: SaraP
Date: January 31, 2004 at 08:15:17 Pacific
Reply:

My friend accidentally installed this thing while I was sleeping.
Now that I'm trying to pick up the pieces, it says that Soy734V2.exe and Upws.exe don't exist.
Help!!

