
ActiveX HJT Log Posted

Discussion in 'Malware and Virus Removal Archive' started by zism, 2005/01/02.

Thread Status:
Not open for further replies.
  1. 2005/01/02
    zism

    zism Inactive Thread Starter

    When trying to download something from a website, which I have used in the past, I was asked to install ActiveX in order to open it. I stupidly did this and now I keep getting pop-ups everywhere (I have a pop-up stopper running) and am constantly asked to run ActiveX.

    This is now preventing me from accessing some frequently accessed websites where I have to login with a username and password (including my Yahoo account!).

    I have no idea about ActiveX - anyone have any ideas how I can sort this extremely annoying problem?

    Thanks
    zism :(

    Edited by PeteC
     
    Last edited: 2005/01/02
  2. 2005/01/02
    PeteC

    PeteC SuperGeek Staff

    Read through this article ... Surf Safely

    BTW - please do not post in red - very hard on the eyes!
     

  4. 2005/01/02
    Welshjim

    Welshjim Inactive

    zism - In addition, you might want to run a spyware detector
    AdAware
    http://www.lavasoft.de/support/download/
    SpybotS&D
    http://www.safer-networking.org/en/index.html
    After installing either and running a scan, be sure to get the latest reference files.
    I assume you have an antivirus program running at start up and that its virus definitions are also up to date.
    "I was asked to install ActiveX in order to open it"
    Are you saying that the downloaded setup file would not install until you allowed ActiveX controls to run? Or do you just run all downloaded files directly as part of the download, without first saving and scanning for a virus?
     
  5. 2005/01/03
    zism

    zism Inactive Thread Starter

    Thanks

    I regularly run AdAware and Spybot and I have an antivirus programme running.

    I have done everything advised but I am still getting lots of popups!

    "Are you saying that the downloaded setup file would not install until you allowed ActiveX controls to run? Or do you just run all downloaded files directly as part of the download, without first saving and scanning for a virus?" - sorry, I don't understand this?

    Cheers
    zism :)
     
  6. 2005/01/03
    Welshjim

    Welshjim Inactive

    zism - I have reread your initial post.
    You say "I was asked to install ActiveX in order to open it".
    I do not think you installed ActiveX, but you may have installed a "Browser Helper Object" from some spyware.
    Two suggestions for getting rid of the BHO.
    1) Install SpywareBlaster.
    http://www.javacoolsoftware.com/spywareblaster.html
    Update it. You do not need to scan with SWB, but you should look for updates every 10 days or so.
    2) IE Tools|Internet Options|General Tab|Settings|View Objects. Do the names of any of those items look suspicious? Right click (individually) on any that you do not recognize|Properties. Does the information on the General tab suggest you do not want this item? If so, right click|Remove. (You actually do not need any of them, since the next time you go to a page that uses them, you will be asked if you want to download again.)
    What is your setting for "Run ActiveX controls and plugins" in IE Tools|Internet Options|Security tab|Custom Level?
    If that does not help, concerning those popups, can you find a blank spot, right click|Properties to learn the source of the popup (Address line)? (Or record what is in the title bar at the very top?)
    Would you like to post that URL (address) here?
    You can use a HOSTS file to block access to that site.
    http://www.accs-net.com/hosts/
    P.S. "This is now preventing me from accessing some frequently accessed websites where I have to login with a username and password (including my Yahoo account." This is the most concerning thing. What actually happens when you try to access such sites? Do you get to the login window, but you cannot log in? Or?
    P.P.S. Would you want to tell us the download file or website that started all the problem so we can test it?
     
  7. 2005/01/04
    zism

    zism Inactive Thread Starter

  8. 2005/01/04
    Welshjim

    Welshjim Inactive

    zism - Thanks for posting back. Glad to hear the good news. Which of the suggestions was the solution?
     
  9. 2005/01/04
    zism

    zism Inactive Thread Starter

    Hi Jim

    Don't know which one sorted the problem out but at least I can get into my email!

    I went into the Host link but can't quite work out what I'm meant to be doing! (sorry)

    Still getting pop-ups though :(

    zism
     
    Last edited: 2005/01/04
  10. 2005/01/04
    Welshjim

    Welshjim Inactive

    zism - If those popups are all coming from the one site (right click|Properties), then create a HOSTS file as mentioned earlier. It is pretty easy. Just follow the instructions. Basically, search for the HOSTS.sam file. Copy it in Notepad. Type 127.0.0.1 localhost at the end (maybe that is already there). Now type 127.0.0.1 creatives.contextplusnet. File|Save As. Call it HOSTS (no file extension) and put in the same directory where you found HOSTS.sam. (You can add other sites as you find it necessary. Prefix each "bad URL" with 127.0.0.1.)
    However, if you have installed XP SP2, you should have a popup stopper as default. Are these popups or rather redirects to another website?
    Or maybe the SP2 popup blocker is disabled.
    See here to enable.
    http://www.microsoft.com/windowsxp/using/web/sp2_popupblocker.mspx
     
    Last edited: 2005/01/04
  11. 2005/01/05
    zism

    zism Inactive Thread Starter

    Hi Jim

    Unfortunately the pop-ups are coming from various sites!

    I have tried to open the hosts.sam file but it does not seem to recognise it. I really am going mad with all these pop-ups!! (sorry if I seem a bit stupid at this but, well, I probably am!)

    XP SP2 is also installed correctly

    zism :(
     
    Last edited: 2005/01/05
  12. 2005/01/05
    PeteC

    PeteC SuperGeek Staff

    zism

    It's the Hosts file you want - no extension - C:\WINDOWS\system32\drivers\etc\hosts. It's a Hidden file so go to Folder Options > View and show Hidden files and Folders and uncheck Hide protected operating files.

    Right click on Hosts > Open and select Notepad to open it.

    Hosts.sam is a sample hosts file.
     
  13. 2005/01/05
    charlesvar

    charlesvar Inactive Alumni

    A possibility is that the Hosts file may itself be the problem; this should be the only entry:
    127.0.0.1 localhost

    Regards - Charles
     
  14. 2005/01/05
    zism

    zism Inactive Thread Starter

    OK - I have added various sites to the host file but am still getting pop-ups from some of them! Do I need to put http:// and/or www. in front of the address?

    Charles - if localhost is the only site that should be in the host file, why does it give you instructions on how to add?

    Please, please, please, I am going mad!!!!
     
    Last edited: 2005/01/05
  15. 2005/01/05
    charlesvar

    charlesvar Inactive Alumni

    Hi zism,

    Charles - if localhost is the only site that should be in the host file why does it give you instructions on how to add?

    Should have explained the first time.

    If you do not use the Hosts file to block malware sites - since you obviously don't do that, then that is the only entry that should be there.

    Some malware will do either one of two things with the Hosts file, or both - add entries to block domains and IPs such as MS update or security sites. The other trick that they foist on the user is to redirect your Browser to the malware's site. So this is what I asked you to check.

    What Jim was suggesting was for you to add entries to block domains and IPs, in this case, the places where the pop-ups come from.

    I think it's time for you to run a HijackThis log and post it.

    Download here http://radiosplace.com/ latest version 1.99

    Download it to its own folder - unzip (double click on zipped folder) - click on the executable - click scan button - click save log and save to the folder you just created *DO NOT FIX ANYTHING* - copy resultant .txt file and paste into your next post.

    Regards - Charles
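    Charles's description of how malware tampers with the Hosts file (entries that block or redirect update and security sites), together with Jim's earlier instructions for adding 127.0.0.1 blocking lines, can be checked mechanically. The following is an added example, not code from anyone in this thread: a small Python audit that parses a hosts file, separates deliberate loopback blocks from redirects to real addresses (the sign to investigate), and flags lines that are not an "IP hostname" pair, such as an address with http:// in front. The domain names and the 203.0.113.9 address in the sample are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that "block" a name


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)     # (line, host, ip) pinned to loopback
    redirected: list = field(default_factory=list)  # (line, host, ip) sent to a real IP
    malformed: list = field(default_factory=list)   # (line, token) the hosts parser rejects


def parse_hosts(text):
    """Yield (line_no, first_token, [remaining_tokens]) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if line:
            parts = line.split()
            yield n, parts[0], parts[1:]


def audit_hosts(text):
    """Classify every entry; anything beyond '127.0.0.1 localhost' is reported."""
    result = HostsAudit()
    for n, ip, names in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            # e.g. "http://ads.example.com": a URL, not an "IP hostname" pair
            result.malformed.append((n, ip))
            continue
        if not names or any("/" in h or ":" in h for h in names):
            result.malformed.append((n, ip))
            continue
        for host in names:
            if host.lower() == "localhost":
                continue
            bucket = result.blocked if ip in LOOPBACK else result.redirected
            bucket.append((n, host, ip))
    return result


def is_blocked(text, hostname):
    """True if the file pins hostname to loopback. Matching is exact (case-insensitive),
    so 'www.ads.example.com' and 'ads.example.com' need separate entries."""
    wanted = hostname.lower()
    for _, ip, names in parse_hosts(text):
        if ip in LOOPBACK and wanted in (h.lower() for h in names):
            return True
    return False


# Constructed sample file; the domains and the 203.0.113.9 address are placeholders.
SAMPLE = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.com popups.example.org   # blocks the user added on purpose
http://www.example.net                         # a URL: the file cannot parse this
203.0.113.9 windowsupdate.microsoft.com        # not loopback: a redirect, investigate
"""
```

    Running `audit_hosts(SAMPLE)` reports the two deliberate blocks on line 3, the unparseable URL on line 4, and the redirect on line 5; a clean file containing only `127.0.0.1 localhost` reports nothing.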
     
  16. 2005/01/05
    zism

    zism Inactive Thread Starter

    Admin note: most of the HJT log removed. Bad hijackthis.exe location and still compressed. Newt

    Thanks Charles! (again!)

    Here's my log from HijackThis

    zism

    Logfile of HijackThis v1.99.0
    Scan saved at 21:03:24, on 01/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    .................
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\LINZIS~1\LOCALS~1\Temp\Rar$EX03.535\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    ........................
     
  17. 2005/01/05
    charlesvar

    charlesvar Inactive Alumni

    Hi zism,

    This thread will be moved to the Security/virus removal section where it'll be looked at by the removal experts.

    This is one of the problems that I was able to identify:

    C:\Program Files\CxtPls\CxtPls.exe

    Disable it in Task Manager - it won't be permanent unfortunately, but it may give temporary relief in the meantime.

    Also clean out your temp files, use the links below on where and how to:

    http://www.helpwithwindows.com/WindowsXP/howto-16.html#tmp
    http://www.helpwithwindows.com/WindowsXP/howto-16.html#tif

    Regards - Charles
     
  18. 2005/01/05
    PeteC

    PeteC SuperGeek Staff

    HJT log posted - moved to Spyware & Virus Removal Forum
     
  19. 2005/01/05
    Newt

    Newt Inactive

    C:\DOCUME~1\LINZIS~1\LOCALS~1\Temp\Rar$EX03.535\HijackThis.exe

    It just won't work right that way. Try again AFTER you unzip the .exe to a normal folder (so not a temp folder and not the desktop) and post the new scan log.

    I'm removing most of the original one to cut down some on thread length and to avoid confusion.
     
  20. 2005/01/06
    zism

    zism Inactive Thread Starter

    Here's the new scan log
    Thanks

    Logfile of HijackThis v1.99.0
    Scan saved at 17:45:40, on 01/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Office mouse\1.1\moffice.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\documents and settings\linzi smith\local settings\temp\DKbKmo.exe
    C:\WINNT\system32\exekinfo.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\dpwlt.exe
    C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Linzi Smith\Local Settings\Temporary Internet Files\Content.IE5\XO9NM1MA\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.111-big.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.111-big.dll
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42 "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DKbKmo] C:\documents and settings\linzi smith\local settings\temp\DKbKmo.exe
    O4 - HKLM\..\Run: [os4R34P] exekinfo.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ZBv5RQj8V] dpwlt.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.111-big.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
     
  21. 2005/01/09
    zism

    zism Inactive Thread Starter

    no-one able to help? :(
     