I am having some trouble with a computer having constant pop-ups. I uninstalled a ton of adware and ran Spybot several times. I also ran Panda ActiveScan. All now give a clean report, but I am still having constant pop-ups. I ran HijackThis and see many entries that look suspect; however, I am not confident enough to identify all of them. If you could please take a look at my log, I would appreciate it. I also see two tasks running that seem suspect: Tont.exe and d1/2dplay.exe.
----------------
Logfile of HijackThis v1.97.7
Scan saved at 11:10:17 AM, on 3/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\d?dplay.exe
C:\Documents and Settings\kenc\Application Data\tont.exe
C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kenc\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.4:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {366DE7EA-5602-7EF9-7CE9-0795CFA7DC9D} - C:\WINNT\system32\pci.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [Eojui] C:\WINNT\system32\d?dplay.exe
O4 - HKCU\..\Run: [Raaa] C:\Documents and Settings\kenc\Application Data\tont.exe
O4 - Global Startup: AccuWeather.com® Desktop.lnk = C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/Ud3rT0n5.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37698.5033796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lmakefield
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6EE89D1-53B1-47BD-AD81-546DCF16246C}: NameServer = 192.168.100.222,192.168.100.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lmakefield
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lmakefield