popupbaropener

msperfect

Technical User
Nov 22, 2002
13
US
I have a user that has a toolbar at the bottom of her IE screen (it pops up every time you open IE) which redirects IE to searchexe.com/passthrough/popupbaropener.htm. I was in another forum earlier and they suggested I run highjackthis and then post the log here so here it is. I hope someone can help me get rid of this. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 1:18:14 PM, on 2/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ANTETR~1\helplog.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\Seiko\slpcap.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\lotus\Notes\NLNOTES.EXE
C:\lotus\Notes\ntaskldr.EXE
C:\Corel\Suite8\Programs\WPWIN8.EXE
C:\Corel\Suite8\Programs\ps80.exe
C:\Corel\Suite8\Programs\PFPPOP80.EXE
G:\USERS\FRONTOFF\SUPFILES\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
O1 - Hosts: 156.121.2.2 psvtd
O1 - Hosts: 156.121.2.3 JMS PSVTDJ
O1 - Hosts: 156.121.2.7 FAST PSVTDF
O1 - Hosts: 156.121.2.112 vtdecm01
O1 - Hosts: 156.121.3.5 bvtp1
O1 - Hosts: 156.121.3.6 psvtpp
O1 - Hosts: 156.121.3.10 vtpnt01
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {110DA1CF-DD5E-56DC-B2B2-265D30C48F8A} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Bleh base anti - {281742B7-6C79-0B93-0952-5E73B4DE4C34} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dart Dale] C:\PROGRA~1\ANTETR~1\helplog.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{23550A4A-A518-42DE-B9DE-41EFB81D408C}: NameServer = 156.119.13.27,156.119.5.27,156.121.2.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B1A77DD-9673-4F40-812B-2F77AB434FEA}: NameServer = 156.119.13.27,156.119.5.27,156.121.2.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uscmail.dcn
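A HijackThis log like the one above is triaged by section: R0/R1 are IE start and search settings, O1 are hosts-file overrides, O2/O3 are BHOs and toolbars, O4 are autostart entries, O17 are DNS settings. The script below is an added example, not code from this thread or from HijackThis itself. It parses those entry formats, marks the two autostart names the thread identifies (winactive, AutoUpdater) as known-bad, treats hosts and DNS entries as review items rather than deletions (the point made later in the thread about internal servers), and sends any BHO, toolbar or Run entry that loads from outside a constructed vendor allowlist for review. The `TRUSTED_DIRS` allowlist, the verdict labels and the sample subset of the log are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in the thread,
# chosen so that every verdict below is exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 156.121.2.2 psvtd
O1 - Hosts: 156.121.3.10 vtpnt01
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {110DA1CF-DD5E-56DC-B2B2-265D30C48F8A} - C:\PROGRA~1\ACIDRU~1\Body Manager.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dart Dale] C:\PROGRA~1\ANTETR~1\helplog.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uscmail.dcn
"""

# Autostart value names the thread identified as unwanted (case-insensitive).
KNOWN_BAD_RUN = {
    "winactive": "variant of the lop.com hijacker",
    "autoupdater": "PeopleOnPage spyware/foistware",
}

# Constructed allowlist (assumption): vendor directories this machine is expected to have.
# Modules loading from elsewhere, e.g. 8.3 short-name paths like PROGRA~1\ACIDRU~1, go to review.
TRUSTED_DIRS = (r"program files\adobe", r"program files\yahoo!",
                r"program files\synaptics", r"windows\system32")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>.+)$")


@dataclass
class Finding:
    code: str     # HijackThis section, e.g. O4
    item: str     # what the entry names: value name, module path, host
    verdict: str  # "known-bad", "review" or "ok"
    reason: str


def parse_entries(text):
    """Return (section code, body) pairs; header and process-list lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def is_trusted_path(path):
    p = path.strip('"').lower()
    return any(frag in p for frag in TRUSTED_DIRS)


def triage(text):
    findings = []
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            key, sep, value = body.rpartition("=")
            key = key.strip() if sep else body.strip()
            if value.strip():
                findings.append(Finding(code, key, "review", f"IE setting points at {value.strip()}; confirm it is the expected URL"))
            else:
                findings.append(Finding(code, key, "review", "blank IE start/search setting; the thread's fix removes these"))
        elif code == "O1":
            m = HOSTS_RE.match(body)
            item = f"{m.group('name')} -> {m.group('ip')}" if m else body
            findings.append(Finding(code, item, "review", "hosts override; confirm with the network admin before removing"))
        elif code in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]
            if is_trusted_path(path):
                findings.append(Finding(code, path, "ok", "module under a trusted vendor directory"))
            else:
                findings.append(Finding(code, path, "review", "BHO/toolbar loading from an unrecognised directory"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                findings.append(Finding(code, body, "review", "unparsed autostart entry"))
                continue
            name, cmd = m.group("name"), m.group("cmd")
            if name.lower() in KNOWN_BAD_RUN:
                findings.append(Finding(code, name, "known-bad", KNOWN_BAD_RUN[name.lower()]))
            elif is_trusted_path(cmd):
                findings.append(Finding(code, name, "ok", "autostart from a trusted vendor directory"))
            else:
                findings.append(Finding(code, name, "review", f"unknown autostart: {cmd}"))
        elif code == "O17":
            findings.append(Finding(code, body, "review", "DNS/search-list setting; verify against the site's network configuration"))
    return findings


def verdict_counts(findings):
    counts = {"known-bad": 0, "review": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:9} {f.code:3} {f.item}  ({f.reason})")
    print(verdict_counts(triage(SAMPLE_LOG)))
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`. The allowlist deliberately errs toward "review": the O1 and O17 entries in this thread turned out to be legitimate corporate servers and DNS settings, so the script never recommends deleting them, and only names the thread itself identified are marked known-bad.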
 
I just posted your fix in the other forum, but here it is again:

First, disable system restore. Instructions here:

Then, remove the following entries using Hijack this!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 156.121.2.2 psvtd
O1 - Hosts: 156.121.2.3 JMS PSVTDJ
O1 - Hosts: 156.121.2.7 FAST PSVTDF
O1 - Hosts: 156.121.2.112 vtdecm01
O1 - Hosts: 156.121.3.5 bvtp1
O1 - Hosts: 156.121.3.6 psvtpp
O1 - Hosts: 156.121.3.10 vtpnt01

O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Reboot.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
This one, I'm a little leery of:
O4 - HKLM\..\Run: [Dart Dale] C:\PROGRA~1\ANTETR~1\helplog.exe


Any idea what this is? A game you installed perhaps? Or another piece of software?

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
I'd also consider these for removal too if you don't know what they are?


O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = uscmail.dcn
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uscmail.dcn
 
I think that those are network/domain related...wouldn't mess with them.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
I ran highjackthis and deleted the top 6 files and rebooted. It's still there. I was leery about deleting the hosts because those are actually servers we log into and I didn't know what would happen if I delete them. Would she not be able to see those servers anymore? Would it just be a temp thing?

The last 2-winactive and autoupdater I don't know what they do either and don't know if deleting them would cause a problem.

Do you think the reason it didn't work is because I didn't delete all of the ones you told me to?

I appreciate your taking the time to help. Thanks.
 
I'm glad you told me the HOSTS entries were servers. I rescind anything I said about deleting them. Leave them be. You'd have been able to restore them via Hijack This!' backup, but...who needs the hassle.

Definitely get rid of winactive and autoupdater. They are as follows:

winactive - a variant of the lop.com hijacker
( http://www.doxdesk.com/parasite/lop.html )

autoupdater - is PeopleOnPage spyware/foistware
( http://www.pchell.com/support/peopleonpage.shtml )

So....burn those two, leave the HOSTS entries.
Reboot.

Verify for me...the "uscmail.dcn" entries are valid, no?


"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
Good.
Take out the peopleonpage and lop.com files and you should be good to go.
After all is said and done, download and use regularly a copy of SpyBot S&D...excellent freeware utility to stave off problems like these in the future. Find it here:
http://www.safer-networking.org/

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
what about the Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll entries?
 
I generally assume that that's something the user put there.
It's benign, accepted as a "legitimate" BHO (Browser Helper Object) by most sources.
You can take or leave it. I personally avoid anything of the sort (i.e. Yahoo, Google toolbar, etc. ... but it's a matter of choice).

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
It Worked!!!!! The user is happy and I'm happy. Thank you very much for all your help.
 
You bet.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger
 
It was gone but now it's back...I can't believe it. Should I just go thru the same procedure again but also use spybot and adware? This thing is very annoying!!
 