Damned popups

  1. #1
    Registered User
    Join Date
    Jun 2004
    Posts
    1

    *^&%$$# popups

    So I have a WinXP Toshiba laptop which is all fine and dandy except the continual popups, even when I'm not surfing the net. I have a firewall engaged as well as a popup blocker. All that's left is to assume there's still some spyware crap that my Spyhunter and Spybot can't find.

    Here's my hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:13:27 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TDispVol.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\documents and settings\lil\local settings\temp\Aiso.exe
    C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\WINDOWS\System32\wgifej.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wnstssv.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\LiveJournal\LiveJournal.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\PROGRA~1\NORTON~1\QServer.exe
    C:\WINDOWS\system32\winmine.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lil\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 05
    O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadGolfCourses] C:\Program Files\Mini-Golf\LoadGolfCourses.exe
    O4 - HKLM\..\Run: [Aiso] C:\documents and settings\lil\local settings\temp\Aiso.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [dpcproxy] C:\WINDOWS\System32\dpcproxy.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [bmzhdonlfaxzs] C:\WINDOWS\System32\wgifej.exe
    O4 - HKLM\..\Run: [kzkfgjwn] C:\WINDOWS\kzkfgjwn.exe
    O4 - HKLM\..\Run: [AutoLoadervsxG1LWTPPXV] "C:\WINDOWS\System32\recill.exe"
    O4 - HKLM\..\Run: [vFEg39j] recill.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Kvw1.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Lil\Application Data\acao.exe
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [eoxmRVH7U] ceway.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: KaZaA Lite.lnk = C:\Program Files\KaZaA Lite\Kazaa.exe
    O4 - Startup: LiveJournal.lnk = C:\Program Files\LiveJournal\LiveJournal.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {19AFDA19-05F4-4AC9-9C6B-E22E40CC5274} (CMiniGolfPlayer Object) - http://www.playminigolf.com/MiniGolf.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.8.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extend...s/iaieplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12a924c0cb4d448...p/RdxIE601.cab
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {8C6CED34-E352-4ED2-B405-25E121DECBFF} (PreContrl Class) - http://www.plan3d.com/PreControl.dl_
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7868.317349537
    O16 - DPF: {9F839FFB-6295-4A71-8C61-2EB0646B73BE} (Floorplanner Class) - http://www.plan3d.com/P3DFloorplan.dl_
    O16 - DPF: {9FEFFBDE-FE2F-4756-B4A7-90D976255F9B} (StopZilla Class) - http://www.playminigolf.com/Stopzilla.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CBA27691-AF16-4C69-8482-98883485E72A}: NameServer = 128.122.253.92,128.122.253.37
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nyu.edu
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nyu.edu

    Any help that can be given as to what really doesn't belong in this mess would be vastly appreciated. ^_^
    Last edited by chibilil; June 14th, 2004 at 09:53 PM.

  2. #2
    Registered User Stalemate's Avatar
    Join Date
    May 2001
    Location
    d4-e5
    Posts
    15,120
    Got a few in there...


    P2P Networking is a potential; wgifej.exe, recill.exe and Kvw1.exe look viral; Kazaa needs to come off your machine - too much danger as a doorway to crapware and viruses; ...

    I just don't have the time to google everything suspicious on that list friend.

    You can give it a shot, or wait for more feedback - or better yet: format/re-install Windows. It might even be faster than hunting down all that stuff.

    Just a thought.
    Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

  3. #3
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    I found him by the railroad track this mornin.
    I could see that he was nearly dead.
    I knelt down beside him and I listened.
    Just to hear what the dyin man said.

    Give my love to Rose, please won't ya Mr.
    Take her my money, tell her buy some pretty clothes.
    Deliver me from Swedish furniture!

  4. #4
    Registered User Stalemate's Avatar
    Join Date
    May 2001
    Location
    d4-e5
    Posts
    15,120
    I don't know, but I think my thought is a bit more... pertinent.

  5. #5
    Registered User
    Join Date
    Sep 2004
    Posts
    21

    unless you have some new and improved spybot i don't think that C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe is really a spybot file.

    "just a thought"

  6. #6
    Registered User hudsonsmith's Avatar
    Join Date
    Feb 2003
    Location
    New York
    Posts
    2,276
    Quote Originally Posted by chaser999
    unless you have some new and improved spybot i don't think that C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe is really a spybot file.

    "just a thought"
    Yes, it is.
    What is the Resident TeaTimer?

    The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options how to deal with this process in the future: You can set TeaTimer to:

    - be informed, when the process tries to start again
    - automatically kill the process
    - or generally allow the process to run

    There is also an option to delete the file associated with this process.

    In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change. As TeaTimer is always running in the background, it takes some resources of about 5 MB.

    Why does Resident TeaTimer terminate the application before asking?

    Because threats like toll dialers are time critical - they cost from the first second they've connected. In order to protect you, these have to be terminated at the moment they appear before they can connect at all.

    Why is the TeaTimer called "TeaTimer"?

    As we used to forget our tea, when we let it brew, we built a small tool with a system tray icon to remind us. We called this tool "TeaTimer". When we started to develop the Resident tool for Spybot-S&D, we also needed a system tray icon for this. As we do not like having too many icons in the system tray, we decided to put both tools together and kept the name "TeaTimer". The next version of the Resident tool will also have the functions of the original "TeaTimer".

    You can find the Resident TeaTimer in the tools section.
    Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.

  7. #7
    Banned TripleRLtd's Avatar
    Join Date
    Aug 2003
    Location
    SW Florida...eye of the storm.
    Posts
    7,251
    Yeah.
    Tell it like it is smithy!!
    Hey Silence: what was THAT all about? _eek_

  8. #8
    Registered User TechZ's Avatar
    Join Date
    Apr 2003
    Location
    Bahrain, Middle East
    Posts
    7,525
    Try running AdAware too; it's free and complements Spybot.

  9. #9
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [dpcproxy] C:\WINDOWS\System32\dpcproxy.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
    O4 - HKLM\..\Run: [bmzhdonlfaxzs] C:\WINDOWS\System32\wgifej.exe
    O4 - HKLM\..\Run: [kzkfgjwn] C:\WINDOWS\kzkfgjwn.exe
    O4 - HKLM\..\Run: [AutoLoadervsxG1LWTPPXV] "C:\WINDOWS\System32\recill.exe"
    O4 - HKLM\..\Run: [vFEg39j] recill.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Kvw1.exe
    O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Lil\Application Data\acao.exe
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [eoxmRVH7U] ceway.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: KaZaA Lite.lnk = C:\Program Files\KaZaA Lite\Kazaa.exe

    You should remove those...download Spybot and Adaware, update, and reboot into safe mode. Scan and remove items...then empty your temp folders...finally you might want to run this:

    Microsoft TVMedia Removal Tool

    I would probably uninstall Kazaa and BearShare if there are any entries left for them...I know Kazaa is spyware infested, don't know about BearShare. Even so, seems like they all are these days so I would just take it off just to make sure.
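
Added example, not part of any post in this thread: a small Python triage pass over the O4 (autorun) lines of a HijackThis log like the one in post #1, structuring each entry and flagging two patterns visible in the entries listed above. The function names and the two rules (launch from a user-writable directory, same image registered more than once) are assumptions chosen for illustration; a flag is a lead for manual checking, not a verdict.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Aiso] C:\documents and settings\lil\local settings\temp\Aiso.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [AutoLoadervsxG1LWTPPXV] "C:\WINDOWS\System32\recill.exe"
O4 - HKLM\..\Run: [vFEg39j] recill.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Lil\Application Data\acao.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: LiveJournal.lnk = C:\Program Files\LiveJournal\LiveJournal.exe
"""

# Two O4 shapes: "<hive>\..\<key>: [<value>] <cmd>" and "Startup: <x>.lnk = <target>".
O4_RE = re.compile(r"^O4 - (.+?): (?:\[(.+?)\] |(.+?\.lnk) = )(.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumed rule: per-user directories that any process of that user can write to.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")

def parse_o4(log_text):
    """Return one dict per O4 line: where it is registered and what it runs."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line
        exe = EXE_RE.match(m[4])
        path = (exe[1] if exe else m[4]).lower()  # strip quotes and arguments
        entries.append({"where": m[1], "name": m[2] or m[3], "path": path,
                        "image": path.rsplit("\\", 1)[-1]})
    return entries

def triage(entries):
    """Map image name -> sorted reasons it deserves a manual look."""
    # Assumption: a bare "recill.exe" and a full path ending in it are one file.
    by_image = defaultdict(list)
    for e in entries:
        by_image[e["image"]].append(e)
    flagged = {}
    for image, group in by_image.items():
        reasons = set()
        if any(d in e["path"] for e in group for d in USER_WRITABLE):
            reasons.add("runs from user-writable directory")
        if len(group) > 1:
            reasons.add(f"registered {len(group)} times")
        if reasons:
            flagged[image] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for image, reasons in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"{image}: {', '.join(reasons)}")
```

Neither rule catches every entry listed in the post above (wgifej.exe, for example, sits in System32 under a single value), so the output narrows the manual review rather than replacing it.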

  10. #10
    Registered User InTheWayBoy's Avatar
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    Also, I've never heard/seen anything good about SpyHunter...in fact it's listed on many websites as being in league with spyware makers, so it shouldn't be trusted...here's a link I found:

    http://www.spywarewarrior.com/rogue_...re.htm#sh_note

    it basically says it looks like they've stopped most bad activities, but I'm not the kinda person who would even care...they are dead to me

    Just something to think about...could be the reason you're not picking up all the spyware. I'm a big Spybot fan, but lately AdAware has been getting some good results in their scans so don't forget to download that one!!!

  11. #11
    Registered User TechZ's Avatar
    Join Date
    Apr 2003
    Location
    Bahrain, Middle East
    Posts
    7,525
    I feel that it's best to have both of them, Adaware and Spybot. They're both free and like I said complement each other.

  12. #12
    Registered User
    Join Date
    Mar 2004
    Location
    Toronto, ON
    Posts
    132
    Couldn't hurt to visit Steve Gibson's site too (http://www.grc.com/default.htm) and take a look at his 'Shoot The Messenger' software.

    Could be usual spyware/adware troubles (which Ad-Aware, Spybot, SpywareBlaster et al should be able to solve) or could be something is taking advantage of your OS's Windows Messenger service - and I gather this would not necessarily show up in firewall.
