Windows opening up all over the place [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by donabano, 2005/09/04.

  1. 2005/09/04
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    Windows opening up all over the place

    I have been running Firefox for a while. I updated to 1.6 and it appears OK. A few days ago I was on the internet and windows started opening up all over. Windows were reduced, enlarged, went somewhere else, back to programs, etc., etc. Thought I may have caught a bot, or virus, or something. Ran virus checks with a program from Germany. Found some rar files which I deleted. Ran AVG Virus Program. All clean. Today, it started happening again.
    Any suggestions to curb this problem?

    Usually keep computer very free of bots, and such

    Thank you all

    Donabano
     
  2. 2005/09/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Please post a HijackThis log, it will give us an idea what is going on.
     

  4. 2005/09/07
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    It sounds like what we call a "Java Trap".
    Many script kiddies think it is funny to do things like create a site which says "You're an Idiot" and when you click close it opens many more windows, each set to open another when you close (an exit script).
    Tools / Options / Web Features to turn off Java.
    But generally when you get caught in one of these, closing your browser, restarting the computer, and making sure to empty cache and history before you resume surfing is the only solution.

    I normally use one browser with java etc disabled for visiting sites I am unsure of.
     
  5. 2005/09/08
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    hijack this log

    Logfile of HijackThis v1.99.0
    Scan saved at 7:12:40 PM, on 9/8/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\igfxtray.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hi Jack This Antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Regshave] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
    O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/285c1b2744923879db06/netzip/RdxIE601.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PPInstaller.exe
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DECD44E4-7916-44FF-BE9E-71C797541B3C}: NameServer = 200.88.127.23,196.3.81.132
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Kerio Personal Firewall - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    Is this what you need?

    donabano
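
A HijackThis log like the one posted above is read section by section (R0, O4, O16, O17 and so on). The following is an added example, not part of the original post and not code from HijackThis: a Python triage script that groups entries by section code and lists the O16 and O17 entries a helper would verify by hand. The sample log is constructed with placeholder hosts and CLSIDs, and the three review rules (bare-IP download source, non-.cab download, static DNS servers) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 format (hosts and CLSIDs are placeholders).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINNT\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleTray] C:\WINNT\system32\exampletray.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Scanner) - http://downloads.example.com/scan/scanner.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} - http://192.0.2.10/pkg/viewer.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} - http://www.example.net/inst/Installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000004}: NameServer = 198.51.100.1,198.51.100.2
"""

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_entries(text):
    """Group 'CODE - detail' lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def review_notes(sections):
    """Return (code, reason, detail) tuples for entries a helper would verify by hand."""
    notes = []
    for detail in sections.get("O16", []):
        url = urlparse(detail.rsplit(" - ", 1)[-1])
        if IPV4.match(url.hostname or ""):
            notes.append(("O16", "ActiveX download source is a bare IP address", detail))
        if not url.path.lower().endswith(".cab"):
            notes.append(("O16", "download is not a .cab package", detail))
    for detail in sections.get("O17", []):
        if "NameServer" in detail:
            servers = detail.split("=", 1)[1].strip().split(",")
            notes.append(("O17", "static DNS servers: confirm they belong to the ISP", ",".join(servers)))
    return notes

if __name__ == "__main__":
    for code, reason, detail in review_notes(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {detail}")
```

A note from this script means "check this entry", not "this entry is malicious"; legitimate software also produces O16 and O17 lines.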
     
  6. 2005/09/08
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    Oshwin

    I can be on my desktop working and all of a sudden I am all over the place.
    If I disable Java and JavaScript, won't that affect all other things?
    I'm not that great with the computer.

    Thanks

    donabano
     
  7. 2005/09/08
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  8. 2005/09/09
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
  9. 2005/09/09
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    Well, it lasted until about 4:15 PM and the windows started to fly around again.
    Any other suggestions?
    In talking about the Java, I upgraded from Sun Systems 2 upgrades before all this started happening. If that is so, how can I back out and start again with this Java? Delete Sun Systems completely and reinstall?

    Don't know

    Donabano
     
  10. 2005/09/09
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    I want to confirm something.
    Since you have an NT-based OS (Win2k), have you disabled the Messenger and Alerter services?
    The following is for XP, but I think it works in 2k too.
    Go to Start / Run and type
    services.msc
    Locate the Alerter service, double-click to alter, change startup to Disabled and click Stop service.
    Same with the Messenger service.

    These were included for use by net admins to send text messages, memos and alerts to members of a LAN. Spammers discovered a way to access them over the internet (well, it is a network, whoda thunk you could send network traffic over it too) and if they get your IP (when you visit one of their sites) they can bombard you with popup windows (usually look like IE and often offer fixes for popup windows and adware etc. --- i.e., pay us and we will tell you how to stop these annoying popup adverts).

    In IE, just put the suspect site in the restricted zone sites list (Tools / Internet Options / Security / Restricted zone / Sites) and make sure it is set to highest restrictions.

    I normally use Opera for "exploratory" surfing since it has a quick preferences option where you can disable all this stuff (Java, GIF animation which can send an IP around a proxy, sound, cookies, popups, etc.) with a few clicks and then restore them when you want.
     
    Last edited: 2005/09/09
  11. 2005/09/10
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    Oshwyn 5

    I followed your suggestions and went to services.msc.

    I already disabled the Messenger previously because of pop-up problems previously.
    But I also disabled the Alerter service and stopped the service.

    You mention reporting the suspected site into the restricted zone site list. That would work for me, but I don't know which one it would be for me to enter there.
    Well, I am trying this. Hope this will help. Wouldn't like to think I have to reinstall.

    Thank you all
    Keep the ideas coming

    Donabano
     
  12. 2005/09/10
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    oshwyn 5

    While I am answering you my windows are going all over the place again.

    Suggestions Please! Getting crazy

    Donabano
     
  13. 2005/09/11
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Is this happening with Firefox, IE, both, any other programs?

    I am beginning to think you may have one of the Firefox mouse gestures programs installed, if it happens in Firefox and it is misinterpreting your mouse. (You do not have that Greasemonkey thing installed, do you? It was found to have a very dangerous security flaw in it.)

    If it is happening in all programs, it could be that your mouse is bad and it is clicking on things when you move it.

    Do you have hover mouse mouseover active (XP)? If so, try parking your mouse cursor off to the right of the screen.
     
  14. 2005/09/13
    donabano

    donabano Inactive Thread Starter

    Joined:
    2002/09/18
    Messages:
    130
    Likes Received:
    0
    oshwyn 5

    Well, you're not going to believe this. A friend of mine came over and started checking out a few things in my computer. First, he checked the on-board video because I was getting some shakiness on the monitor. Then he started to look at the memory modules. He found them a bit dirty. He used the eraser, then cleaned them with a swab and alcohol, then reset them.
    He increased the monitor rates up to 70 Hz-72 Hz, then increased the color to 32 bit.
    The shakiness disappeared, the monitor cleaned up, and the windows running all over stopped so far.
    This was so frustrating. It seems the main culprit was the memory. We checked the mouse and other things.

    Glad I didn't reformat and reinstall.
    Thank you all for your help and support.
    You folks have been great, as usual

    Donabano
     
