Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Advertisement Pop Up

Started by sftong , Jul 25 2005 08:54 AM

  • Please log in to reply

#1
sftong
Posted 25 July 2005 - 08:54 AM

sftong

    New Member

  • Member
  • Pip
  • 6 posts
My PC has IE advertisements pop up at random time. I really do not know where and how did I get infected. Everytime the pop up occurs, it always point to the web site http://nc.eurosunsa.com/. For example, http://nc.eurosunsa....ds/reunion.html.

I check out the web site http://eurosunsa.com/, and found that they are the mean Desktop Advertisement publisher, claiming advertisement is good for everyone.

I have tried the latest free version of AdAware and SpyBoat, and found nothing of spyware or malware. Attached is the log of HijackThi. Please help, and many Thanks in advance!

Please note


Logfile of HijackThis v1.99.1
Scan saved at 10:33:29 AM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\Status.exe
C:\Program Files\Lotus\Notes\NLNOTES.EXE
C:\Program Files\Network Associates\VirusScan\MCUPDATE.EXE
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Program Files\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\eclipse\eclipse.exe
C:\WINXP\system32\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINXP\System32\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {D0ACFA35-5C20-450C-8A61-931E346A995B} (NWKeepAlive.UserControl1) - https://inside.nwie....NWKeepAlive.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
  • 0

Advertisements

#2
andydf
Posted 27 July 2005 - 02:39 PM

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi, sftong

I'm working on your log, as soon as another staff member reviews it I'll post a reply. :tazz: Thank you for your patience.

Regards,

Andydf
  • 0

#3
andydf
Posted 28 July 2005 - 03:52 PM

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi sftog
My name is Andy and I will be helping you with your log.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINXP\System32\http1_1.exe
  • Click on the submit button
  • Please post the results in your next reply.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O1 - Hosts: comments (such as these) may be inserted on individual
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.

After that, Reboot.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

There are alot of entries refering to nwie.net is this a site you visit often and trust? if so please let me know in your reply.

Andy :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP