  #1  
Old March 9th, 2004, 06:38 PM
Jfoersch
Member
 
Join Date: Nov 2003
Location: Overland Park, KS
Age: 30
Posts: 62
Hidden Pop-Ups

Every time I access the internet at work, I get a pop-up. But the pop-up comes open and goes off my screen. I can see it running in my task window, but I can't seem to find it in my cookies or program files.

Any ideas?
  #2  
Old March 9th, 2004, 07:05 PM
dammit
Rampant Rabbit
 
Join Date: Dec 2002
Location: New York/Paris/Milan/pie country
Age: 6
Posts: 11,517
Blog Entries: 2
Hi buddy... Download 'Hijack This!' (not into a temp folder). Unzip, double-click HijackThis.exe, check for updates first by clicking the Config then Tools buttons, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
Here are a few download sites...
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.majorgeeks.com/download.php?det=3155
http://www.sherrylynn.us/HijackThis.exe
It will show what's running on your computer... Don't make any changes until someone checks it out.
__________________
Founder Member of the CTH Brat Pack. The Divine Leader.
......\\ \ll/ //......
......( @ @ )......
oOOo==(~)==oOOo
You're only young once - but you can be immature for ever. FREEDOM for Smokers.
  #3  
Old March 9th, 2004, 08:17 PM
Jfoersch
Here you go:

--------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 2:18:48 PM, on 3/9/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\timeserv.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINNT\System32\wm.exe
C:\PROGRA~1\EXECUT~1\DISKEE~1\DkService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\System32\WMRUNDLL.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NOVELL\ZENRC\wuser32.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\system32\nddeagnt.exe
C:\WINNT\UTLite.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\loadwc.exe
C:\mouse\system\em_exec.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\WINNT\System32\NALDESK.EXE
C:\WINNT\System32\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Novell\GroupWise\Notify.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Novell\GroupWise\GrpWise.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
U:\MECHDEPT\1111\ENGR\MECH\Foerschler\Storage\HiJa ck\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat....16210010120286
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat....16210010120286
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} -
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...9106/flash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {CC8DE29C-87B9-4297-98CA-B98AAAE449D9} (IntraLaunch.MainControl) - file://Y:\products\IntraLaunch\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-0000-000000000000} - http://active.macromedia.com/flash/cabs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D2ECD726-ACFB-4993-9D2A-C718B0F891E2} (Citadon Software Distribution) - https://collaboration.gepower.com/cl...entExt3216.cab
  #4  
Old March 9th, 2004, 08:18 PM
Jfoersch
I wonder if your fixes may help my shutdown error? I posted a message about my computer not correctly shutting down:

http://www.cybertechhelp.com/forums/...ad.php?t=30759
  #5  
Old March 9th, 2004, 09:25 PM
dammit
Hi again... dunno about your shutdown error... it might... let's see.
Close IE and all open windows... run HijackThis again and have it fix the following:

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINNT\gsim.dll

O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe

O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe


O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19106/flash.cab

Reboot into safe mode (tap F8 while booting) and run a search for

stcloader.exe

Belt.exe

delete when found.

Reboot.
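The fix list in post #5 can be checked against a later scan by keying each entry on its CLSID or Run value name instead of the whole line, since the forum truncated the same URL differently in posts #3 and #5. This is an added example, not part of the original thread or of HijackThis; the rescan text is constructed, and `entry_key`, `parse` and `still_present` are hypothetical helper names.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "O2 - ...", "R0 - ...", "F2 - ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]+)\]")  # HKLM\..\Run: [name] cmd

def entry_key(line):
    """Stable (section, identifier) key for a log entry; None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, blank line, or a "Running processes" path
    code, body = m.groups()
    clsid = CLSID.search(body)
    if code in ("O2", "O3", "O16") and clsid:
        return (code, clsid.group(0).upper())  # BHO / toolbar / ActiveX: key on CLSID
    run = RUN.match(body)
    if code == "O4" and run:
        return (code, run.group(1).upper(), run.group(2).lower())  # key + value name
    return (code, body)  # no stable identifier: fall back to the full text

def parse(log):
    """Map entry key -> original line for every entry line in a log."""
    return {k: ln.strip() for ln in log.splitlines() if (k := entry_key(ln))}

def still_present(fix_list, rescan):
    """Entries from the fix list that a later scan still reports."""
    after = parse(rescan)
    return [after[k] for k in parse(fix_list) if k in after]

# Three of the entries post #5 asked to fix (copied from the thread).
FIX_LIST = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...19106/flash.cab
"""
# Constructed rescan (not from the thread): two flagged entries have come back.
RESCAN = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...9106/flash.cab
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, RESCAN):
        print("STILL PRESENT:", line)
```

An entry that reappears after a fix and reboot usually means something is rewriting it, so the file it points to should be examined before fixing the entry again.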
  #6  
Old March 9th, 2004, 10:14 PM
Jfoersch
I did all you asked and it appears to have fixed it. Thanks a bunch! Plus, I successfully rebooted my computer twice after the fix.

Thanks again!
  #7  
Old March 9th, 2004, 11:38 PM
dammit
Hey... that's great!! :thumb: