HELP! yesadvertising/paypopup popunders

Forums: Computers
Email this Topic • Print this Page

Hi all,

I've read others posts about yesadvertising/paypopup popunders, and I couldn't really get any information that helped me specifically from them. I wanted to post my hijackthis log and see if I couldn't get my problem resolved. About every 15 minutes or so I get a popunder from these guys whether im browsing the internet or not, just as long as I'm connected. I have the most updated versions of ad aware and search and destroy, but they are unable to find it. Here is my log, any help would be greatly appreciated. (I also went to c:windows and found iexplore.exe, clicked on it and no pop ups appeared, so I chose not to delete it.

Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 12:35:22 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\iexplore.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\webshots.scr
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siClientUI.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Documents and Settings\Cliff Green\Desktop\My Briefcase\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Windows Service] winsvc.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: Internet.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38038.6409837963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7AD22F-4B03-45FE-8BA4-FC93B6257DBA}: NameServer = 208.220.74.5 208.220.74.14

Topic Stats
Top Replies
Link to this Topic

Type: Discussion • Score: 1 • Views: 1,023 • Replies: 2

No top replies

I know its tedious and the people looking at these are only volunteers, but i would greatly appreciate some help.

Sincerely,

clgreen

0 Replies

Re: HELP! yesadvertising/paypopup popunders
Hi, I am skipping the running processes so a particularly clever infection may require us to do a round 2.

Please complete the following steps in safe mode. If you do not know how to boot to safemode you can search for instructions on how to do so on this forum or ask us.

clgreen wrote:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Fix

Quote:

O4 - HKLM\..\Run: [Windows Service] winsvc.exe

This is the same name as a file a trojan uses as a backdoor to your computer.

You need to do a full system scan of your computer with an uncompromised and updated scanner. Use an online scanner (you can find linsk to them in the featured threads in this forum as well as at least one online scanner in the Able2Know portal).

Quote:

O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: Internet.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

Fix, some may not be baddies but those at the very least don't look necessary for startup.

Quote:

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

Consider getting rid of the webshots software.

Quote:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9C7AD22F-4B03-45FE-8BA4-FC93B6257DBA}: NameServer = 208.220.74.5 208.220.74.14

Ask your ISP if these are their nameservers. If not, get rid of this.

Once you have completed these steps please reboot and report your results (even if you are free of problems report this as it helps us help others, and because this is tedious work help is appreciated).

0 Replies

HELP! yesadvertising/paypopup popunders

Related Topics

Quick Links

My Account

able2know