[speedwell]

Please tell me what I need to delete from this log. Are any of the objects listed here causing the huge number of pop-ups? (even after running ad-aware on a regular basis) Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:56:47 AM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Windows\System32\actxprxy.exe
C:\Windows\System32\audiosrv.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Windows\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\FkYao.exe
C:\Windows\System32\wstuinit.exe
C:\Windows\System32\wshadmin.exe
C:\Windows\System32\?hkntfs.exe
C:\WINDOWS\system32\FkYao.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\userinit.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Documents and Settings\ginnys\Desktop\Tools for fixing\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\IrqY.exe
O4 - HKLM\..\Run: [fash] C:\Windows\fash.exe
O4 - HKLM\..\Run: [31c696a648aa] C:\Windows\System32\actxprxy.exe
O4 - HKLM\..\Run: [1e2cf0395e88] C:\Windows\System32\audiosrv.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Nsv] C:\Windows\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [FkYao.exe] C:\WINDOWS\system32\FkYao.exe
O4 - HKLM\..\Run: [t37g33Q] wstuinit.exe
O4 - HKCU\..\Run: [c0omRTc5h] wshadmin.exe
O4 - HKCU\..\Run: [Ebru] C:\Windows\System32\?hkntfs.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncada.com
O17 - HKLM\Software\..\Telephony: DomainName = ncada.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncada.com
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

[Advertisements]

I see I cleared your 98 computer last time. Is this the same computer?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

You have the Peper infection. Download PeperUninstall http://www.greyknigh...erUninstall.exe. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix http://www.greyknigh...py/PeperFix.exe and save it to your Desktop. Run it and click 'Find and Fix' (reboot if prompted).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

TV Media

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\IrqY.exe
O4 - HKLM\..\Run: [fash] C:\Windows\fash.exe
O4 - HKLM\..\Run: [31c696a648aa] C:\Windows\System32\actxprxy.exe
O4 - HKLM\..\Run: [1e2cf0395e88] C:\Windows\System32\audiosrv.exe
O4 - HKLM\..\Run: [Nsv] C:\Windows\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [FkYao.exe] C:\WINDOWS\system32\FkYao.exe
O4 - HKLM\..\Run: [t37g33Q] wstuinit.exe
O4 - HKCU\..\Run: [c0omRTc5h] wshadmin.exe
O4 - HKCU\..\Run: [Ebru] C:\Windows\System32\?hkntfs.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Windows\System32\actxprxy.exe
C:\Windows\System32\audiosrv.exe
C:\Windows\System32\nsvsvc\
C:\WINDOWS\system32\FkYao.exe
C:\Windows\System32\wstuinit.exe
C:\Windows\System32\wshadmin.exe
C:\WINDOWS\system32\FkYao.exe
C:\Windows\system32\userinit.exe
C:\Program Files\CxtPls\
C:\Program Files\TV Media\
C:\Program Files\SEP\
C:\Windows\System32\IrqY.exe
C:\Windows\fash.exe

Do a search for ?hkntfs.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

I see I cleared your 98 computer last time. Is this the same computer?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

You have the Peper infection. Download PeperUninstall http://www.greyknigh...erUninstall.exe. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix http://www.greyknigh...py/PeperFix.exe and save it to your Desktop. Run it and click 'Find and Fix' (reboot if prompted).

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

TV Media

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\Windows\System32\IrqY.exe
O4 - HKLM\..\Run: [fash] C:\Windows\fash.exe
O4 - HKLM\..\Run: [31c696a648aa] C:\Windows\System32\actxprxy.exe
O4 - HKLM\..\Run: [1e2cf0395e88] C:\Windows\System32\audiosrv.exe
O4 - HKLM\..\Run: [Nsv] C:\Windows\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [FkYao.exe] C:\WINDOWS\system32\FkYao.exe
O4 - HKLM\..\Run: [t37g33Q] wstuinit.exe
O4 - HKCU\..\Run: [c0omRTc5h] wshadmin.exe
O4 - HKCU\..\Run: [Ebru] C:\Windows\System32\?hkntfs.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Windows\System32\actxprxy.exe
C:\Windows\System32\audiosrv.exe
C:\Windows\System32\nsvsvc\
C:\WINDOWS\system32\FkYao.exe
C:\Windows\System32\wstuinit.exe
C:\Windows\System32\wshadmin.exe
C:\WINDOWS\system32\FkYao.exe
C:\Windows\system32\userinit.exe
C:\Program Files\CxtPls\
C:\Program Files\TV Media\
C:\Program Files\SEP\
C:\Windows\System32\IrqY.exe
C:\Windows\fash.exe

Do a search for ?hkntfs.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[speedwell]

Thanks again for your help! Last time, it was a 98; this time it was an XP. I work for a small non-profit, and I'm the closest thing to an IT person that we have. So, I am very appreciative of your help.

Here is the log from the last HiJack This scan:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:55 AM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Windows\System32\loctrol.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\userinit.exe
C:\Windows\System32\wuauclt.exe
C:\Documents and Settings\ginnys\Desktop\Tools for fixing\HijackThis.exe

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [t37g33Q] loctrol.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncada.com
O17 - HKLM\Software\..\Telephony: DomainName = ncada.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncada.com
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

[greyknight17]

Almost done.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [t37g33Q] loctrol.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\AutoUpdate\
C:\Windows\System32\loctrol.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[speedwell]

How does this look?

Logfile of HijackThis v1.99.1
Scan saved at 9:35:25 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Windows\System32\dmurch.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\userinit.exe
C:\Documents and Settings\ginnys\Desktop\Tools for fixing\HijackThis.exe

O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [c0omRTc5h] dmurch.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncada.com
O17 - HKLM\Software\..\Telephony: DomainName = ncada.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncada.com
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe

[greyknight17]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [c0omRTc5h] dmurch.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Windows\System32\dmurch.exe

Restart and run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.