mred
asked on
Hijack This? System slow & Porn sites pop up.
I have a customers computer that he says Porn sites pop up. He has cable & I'm using dial up. I put a popup stopper on, ran EWIDO & Counter Spy, & Avg. There were about 80 total hits. Still no popups for me but the system is very slow. Here is my hijack log.
Logfile of HijackThis v1.97.7
Scan saved at 11:07:55 PM, on 2/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon .exe
C:\WINNT\system32\services .exe
C:\WINNT\system32\lsass.ex e
C:\WINNT\system32\svchost. exe
C:\WINNT\System32\svchost. exe
C:\WINNT\system32\spoolsv. exe
C:\PROGRA~1\Grisoft\AVGFRE ~1\avgamsv r.exe
C:\PROGRA~1\Grisoft\AVGFRE ~1\avgupsv c.exe
C:\PROGRA~1\Grisoft\AVGFRE ~1\avgemc. exe
C:\WINNT\system32\drivers\ dcfssvc.ex e
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\HPConfig .exe
c:\PROGRA~1\mcafee.com\vso \mcvsrte.e xe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.e xe
C:\WINNT\system32\MSTask.e xe
C:\WINNT\system32\ZONELABS \vsmon.exe
C:\WINNT\System32\WBEM\Win Mgmt.exe
C:\WINNT\system32\mspmspsv .exe
C:\WINNT\system32\svchost. exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt. exe
C:\WINNT\essspk.exe
C:\WINNT\System32\hkcmd.ex e
C:\Program Files\Synaptics\SynTP\SynT PLpr.exe
C:\Program Files\Synaptics\SynTP\SynT PEnh.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTo uch.EXE
C:\WINNT\ESSD.exe
c:\PROGRA~1\mcafee.com\vso \mcshield. exe
C:\PROGRA~1\PESTPA~1\PPCon trol.exe
C:\PROGRA~1\PESTPA~1\PPMem Check.exe
C:\PROGRA~1\PESTPA~1\Cooki ePatrol.ex e
C:\PROGRA~1\Grisoft\AVGFRE ~1\avgcc.e xe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex e
C:\PROGRA~1\PANICW~1\POP-U P~1\dpps2. exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINNT\system32\CMMON32. EXE
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINNT\system32\taskmgr. exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServAlert.exe
C:\ADownload\HijackThis.ex e
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Local Page = \blank.htm
F1 - win.ini: run=C:\WINNT\inet20075\win logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7 695ECA0567 0} - C:\Program Files\Yahoo!\Companion\Ins talls\cpn\ ycomp5_6_0 _0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEH elper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-B E2DF4D9AE2 9} - C:\PROGRA~1\COMCAS~1\COMCA S~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - c:\program files\google\googletoolbar 1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0 0A0C908246 7} - C:\WINNT\System32\msdxm.oc x
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9 05236F6F65 5} - c:\progra~1\mcafee.com\vso \mcvsshl.d ll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0 090271D4F8 8} - C:\Program Files\Yahoo!\Companion\Ins talls\cpn\ ycomp5_6_0 _0.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-B E2DF4D9AE2 9} - C:\PROGRA~1\COMCAS~1\COMCA S~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - c:\program files\google\googletoolbar 1.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray .exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.ex e
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT PLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT PEnh.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTo uch.EXE
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer .exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe " -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vs o\mcmnhdlr .exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vs o\mcvsshld .exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age nt\mcagent .exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\age nt\McUpdat e.exe
O4 - HKLM\..\Run: [dkzzexyn] C:\WINNT\system32\zywlidmu .exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\dr ivers\w32x 86\3\hpzts b04.exe
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlu s.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPCon trol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMem Check.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\Cooki ePatrol.ex e
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE ~1\avgcc.e xe /STARTUP
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex e"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP- UP~1\dpps2 .exe"
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmse arch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmwo rdtrans.ht ml
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmba cklinks.ht ml
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmca che.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmsi milar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar 1.dll/cmtr ans.html
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox. dll
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {33564D57-0000-0010-8000-0 0AA00389B7 1} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2 2031317559 2} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4 4455354000 0} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-9 7E826C8482 2} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F B9E207A39E 6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4692/mcfscan.cab
O17 - HKLM\System\CCS\Services\T cpip\..\{9 AA175C7-F5 4A-4D61-A4 86-FEE3BF0 F2D11}: NameServer = 64.40.40.51 209.102.96.10
Logfile of HijackThis v1.97.7
Scan saved at 11:07:55 PM, on 2/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\WINNT\system32\drivers\
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\HPConfig
c:\PROGRA~1\mcafee.com\vso
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.e
C:\WINNT\system32\MSTask.e
C:\WINNT\system32\ZONELABS
C:\WINNT\System32\WBEM\Win
C:\WINNT\system32\mspmspsv
C:\WINNT\system32\svchost.
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.
C:\WINNT\essspk.exe
C:\WINNT\System32\hkcmd.ex
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTo
C:\WINNT\ESSD.exe
c:\PROGRA~1\mcafee.com\vso
C:\PROGRA~1\PESTPA~1\PPCon
C:\PROGRA~1\PESTPA~1\PPMem
C:\PROGRA~1\PESTPA~1\Cooki
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
C:\PROGRA~1\PANICW~1\POP-U
C:\Program Files\palmOne\Hotsync.exe
C:\WINNT\system32\CMMON32.
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINNT\system32\taskmgr.
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServAlert.exe
C:\ADownload\HijackThis.ex
R0 - HKCU\Software\Microsoft\In
F1 - win.ini: run=C:\WINNT\inet20075\win
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-B
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-B
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.ex
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTo
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vs
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vs
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [dkzzexyn] C:\WINNT\system32\zywlidmu
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\dr
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlu
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPCon
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMem
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\Cooki
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {33564D57-0000-0010-8000-0
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {E5D419D6-A846-4514-9FAD-9
O16 - DPF: {EF791A6B-FC12-4C68-99EF-F
O17 - HKLM\System\CCS\Services\T
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Downloaded it again, is OK!
ASKER
Sorry i couldn't see your log, you need to click "Save' after clicking analyze.
Or paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
ASKER
Sorry but I could not find it on the laptop I was working on. I got the startuplist and analize this!
But that's OK I'm finished & returning it. The analizeses looked ok tho just some unknowns, alot I put on there.
But that's OK I'm finished & returning it. The analizeses looked ok tho just some unknowns, alot I put on there.
Based on the log you posted this is what I see, but this is an older version and I'm sure there are many more ban entries related to this nasties. You would have to manually delete the relevant files because Hijackthis does not do that.
F1 - win.ini: run=C:\WINNT\inet20075\win logon.exe
O4 - HKLM\..\Run: [dkzzexyn] C:\WINNT\system32\zywlidmu .exe
F1 - win.ini: run=C:\WINNT\inet20075\win
O4 - HKLM\..\Run: [dkzzexyn] C:\WINNT\system32\zywlidmu
ASKER