
Adware POP-UP! (HJT Log)

Discussion in 'Malware and Virus Removal Archive' started by Webspot, 2005/02/11.

Thread Status:
Not open for further replies.
  1. 2005/02/11
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    I recently faced this problem.

    Whenever I restart the PC and open I.E. besides the usual window with your homepage loading, another window opens up linking to the URL below.

    540.filost.com/randomsites/banner.aspx

    I had Spybot stop it, but a window still opens; instead of the URL above, it shows the one below.

    filost.com/stop.htm

    Who has faced this problem? Is there a way to edit the registry to solve this?

    Thanks
     
  2. 2005/02/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Webspot - Welcome to the Board :)

    I have killed your URLs as I fancy they would dump nasties on a PC if opened.

    I suspect your browser may have been hijacked ....

    Download, immediately update and run AdAware SE and Spybot through Quicklinks in my sig and delete all they find.

    The Google toolbar contains a very effective popup blocker - try it. If you are running XP SP 2 there is now a popup blocker in IE.

    (For ongoing protection against adware download MS AntiSpyware Beta 1)

    If the above fails to resolve the problem ....

    Download HijackThis through Quicklinks - save it to a folder on your drive, e.g. HijackThis - not to the Desktop - run it and post the log here. Fix nothing until advised to do so.

    You would be well advised to stay out of the Registry unless you are 100% confident that you know what you are doing - but, if you must fiddle with entries, back them up (export) first.
     


  4. 2005/02/12
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    I do not know whether the links do create a problem, because I open Task Manager to check for additional processes but there seem to be none running. But it's good to kill them. :)

    I do have Ad-Aware and Spybot updated. I also have PC-cillin and Secretmaker. I tried scanning with them but they don't give me anything to fix.

    I do remember getting hit by a backdoor hacking tool called 'conime.exe', which is not detectable by them. I did a manual deletion by doing a Windows search.

    I will try the MS AntiSpyware. I also do not have SP2; I'm running SP1.

    Thanks for the advice. I will follow your solution.
     
  5. 2005/02/12
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    OK, I ran Windows Spyware. It gave me 0 problems to fix. I'm updating to SP2. Hope HijackThis will have some results. I will post the results in a while.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:28:33 PM, on 2/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Secretmaker\secretmaker.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Neo2-P\Desktop\Lucien\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107986706046
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6F51B201-2358-4DE2-B547-35C5E1FCDB0C}: NameServer = 165.21.100.88 165.21.83.88
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
     
  6. 2005/02/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    OK - fix nothing - hold fire until one of our experts has the chance to look at your log.

    I see you scanned with HJT on SP 1 - if you have updated to SP 2 you will need to run the scan again and post the log.

    If you are on SP 2 make sure the pop up blocker is turned on in IE - Tools > Internet Options > Privacy or uncheck it and use the Google tool bar.
     
  7. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You will need to open Spybot and turn off TeaTimer. Make sure it is not running in Task Manager before proceeding.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

    Reboot to safe mode and open C:\WINDOWS\System32, then delete the file vbsys2.dll. You may need to set windows to show hidden files and folders, as well as system files and extensions for known file types.
    Open C:\Windows\Prefetch, select all and delete.
    Empty the recycle bin.

    Reboot back into Windows and post a new HJT log.
     
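As an added example (not code from anyone in this thread), a small Python checker for the two HijackThis sections noahdfear asked to fix: it parses O16 (Downloaded Program Files) and O21 (ShellServiceObjectDelayLoad) lines and flags controls registered from a local file:// path, CLSIDs with suspiciously few distinct hex digits, and every SSODL entry for publisher verification. The sample lines are copied from the logs above; the "fewer than 8 distinct digits" threshold is an assumption, a heuristic rather than proof.

```python
import re

# Constructed sample: lines copied from the HijackThis logs in this thread.
# The O2 line is a control case that must not be flagged by these checks.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\\PROGRA~1\\FRESHD~1\\FRESHD~1\\fdcatch.dll
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\\wx.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107986706046
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\\WINDOWS\\System32\\vbsys2.dll
"""

# One HJT line: "<section> - <kind>: [<name> - ]{<CLSID>}[ (<friendly>)] - <target>"
ENTRY = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>\w+): (?:(?P<name>[^{]*?) - )?"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"(?: \((?P<friendly>[^)]*)\))? - (?P<target>.+)$"
)

def parse_entry(line):
    """Fields of a CLSID-bearing HJT line, or None for other lines (R0, O4, O23...)."""
    m = ENTRY.match(line.strip())
    return m.groupdict() if m else None

def assess(entry):
    """Reasons an entry deserves review; an empty list means nothing looked odd."""
    reasons = []
    if entry["section"] == "O16":
        # Downloaded Program Files normally come from a web URL; a file:// cab means
        # something on the box wrote the control locally and registered it itself.
        if not entry["target"].lower().startswith(("http://", "https://")):
            reasons.append("O16 control registered from a local file, not a web download")
        # Genuine CLSIDs are random (32 hex digits, usually 12+ distinct values);
        # hand-typed ones such as 11111111-1111-... show far fewer. Heuristic only.
        if len(set(entry["clsid"].upper().replace("-", ""))) < 8:
            reasons.append("CLSID looks hand-made (few distinct hex digits)")
    elif entry["section"] == "O21":
        # SSODL DLLs are loaded by Explorer at every logon, so each one should be
        # tied to a known publisher before it is trusted.
        reasons.append("O21 SSODL DLL loads with Explorer at every logon; verify its publisher")
    return reasons

def flag_log(text):
    """Map upper-cased CLSID -> reasons for every entry in the log worth reviewing."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := assess(entry)):
            flagged[entry["clsid"].upper()] = reasons
    return flagged
```

Run against the first log above, it flags exactly the two local-cab controls and the vbsys2.dll SSODL entry; the MSI InstallFromTheWeb control passes the heuristics and was removed only on the helper's judgment that it was stale.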
  8. 2005/02/12
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    This is the fixed log.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:53:21 PM, on 2/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Secretmaker\secretmaker.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Neo2-P\Desktop\Unused Desktop Shortcuts\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {33331111-1111-1111-1111-611111193457} -
    O16 - DPF: {33331111-1111-1111-1111-611111193458} -
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107986706046
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    The problem is fixed, but I do see some weird empty DPFs. By the way, I'm using an MSI board. Could the ActiveX control related to it be a problem?

    And when I first restarted, Microsoft Spyware blocked one ActiveX installation.

    I also got hit by a Generic Host on System32 problem soon after installing MS Spyware. It cuts my internet connection, halting it, and I cannot do anything other than a hard reset. The problem appears after about 10 minutes of idle connection. It seems to be a virus to me, but I ran PC-cillin and got nothing.
     
  9. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open Internet Options and click the Settings button in the Temporary Internet Files section, then the View Objects button. If the 3 DPF objects are present, right click and remove.

    The InstallFromTheWeb control was left there probably by a downloaded driver update and will be replaced if/when needed again.

    Many folks here have reported having to allow the Generic Host Process to access the internet to keep a connection. Should be safe to allow.
     
  10. 2005/02/12
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    The Generic Host is always cutting my line every 10-15 minutes of idle connection. And worse, I can't even reconnect. This is more of a nuisance than help. I do not know what application enables it. I'm still currently observing Task Manager.
     
  11. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm not familiar with the Trend Micro Firewall, but you should be able to see the filepath of each program that has accessed the internet.

    I recommend you do an online scan with RAV and post the results.
     
  12. 2005/02/14
    Webspot

    Webspot Inactive Thread Starter

    Joined:
    2005/02/11
    Messages:
    8
    Likes Received:
    0
    I think I might have been hit by the PUROL VIRUS? I will take a look into it. If it is there then I will post a HJT log. But I'm not too sure whether antiviruses will detect them.
     
  13. 2005/02/16
    Xraiko

    Xraiko Inactive

    Joined:
    2005/02/16
    Messages:
    1
    Likes Received:
    0
    Same here

    I'm having the exact same problem... but I have no idea how to deal with it!
    Do your internet connection username and password get changed after the filost.com/stop.htm page appears? 'Cause mine do >__<
     
  14. 2005/02/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0