Relentless pop-ups 1

Status
Not open for further replies.

Dimandja

Programmer
Apr 29, 2002
2,720
US
I have sort of inherited a PC that launches a popup screen every time I go to a new web page. I have run a Symantec Antivirus, AdAware, Spybot, to no effect.

Any suggestions?
 
OS?
If XP or ME, you MUST disable system restore before doing any cleanup.

If in doubt, download Hijack This!, scan the PC, and post a log back here. I, and others, will be happy to give it a once over.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
XP SP1.

I did run the antivirus with restore disabled.
 
AV's not going to do you much good, as most are just now getting on the malware bandwagon.

As I mentioned, post up a log and we'll likely make short work of it.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
hijackthis.log:

Logfile of HijackThis v1.98.2
Scan saved at 1:16:22 PM, on 12/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
c:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\PROGRA~1\NavNT\rtvscan.exe
C:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
C:\Program Files\<company name>\TeleCommute\urunlock.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\uucionl.exe
C:\Program Files\<company name>\TeleCommute\uRAgent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Marimba\CASTAN~1\Tuner.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = name>.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = name>.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = name>.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = name>.com/home.shtml
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by <company name>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = name>.com/cgi-bin/getproxy
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll (file missing)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [sefjzruov] C:\WINDOWS\System32\uucionl.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [erv] C:\WINDOWS\System32\erv.exe
O4 - Global Startup: TeleCommute Agent.lnk = C:\Program Files\<company name>\TeleCommute\uRAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eweb.<company name>.com/home.shtml
O16 - DPF: JavaConnect - file://C:\TEMP\SISD\JavaConnect.cab
O16 - DPF: Sametime Directory Applet ST31 - file://C:\TEMP\SISD\STDirectoryApplet.cab
O16 - DPF: ST BC ST31IF1 PMR-90722999000 - file://C:\TEMP\SISD\STBroadcastClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - file://C:\TEMP\SISD\STMeetingRoomClient.cab
O16 - DPF: {041FA6AB-BA33-498F-AD6D-5913F66801D2} (AClientX Class) - name>.com:10028/activexshare/urxcli.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - file://C:\TEMP\SISD\InstallSTConnAgent.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - file://C:\TEMP\SISD\STJNILoader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us1.ent.<company name>.com
O17 - HKLM\Software\..\Telephony: DomainName = us1.ent.<company name>.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us1.ent.<company name>.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = <company name>.com,ent.<company name>.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = <company name>.com,ent.<company name>.com
 
Nice HOSTS hijack!

With system restore off, remove the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = name>.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = name>.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = name>.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = name>.com/home.shtml
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by <company name>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = name>.com/cgi-bin/getproxy
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll (file missing)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O1 - Hosts: 144.28.52.17 USCAGOLPATS01
O1 - Hosts: 107.3749.9 USNYMEN11WS02
O1 - Hosts: 107.3749.7 USNYMEN11WS01
O1 - Hosts: 104.132.30.150 USNYTRYSAVS01
O1 - Hosts: 144.70.113.8 USILCBDMONS02
O1 - Hosts: 161.128.126.29 USMABURBUDS06
O1 - Hosts: 161.128.8.48 USMABURBUDS05
O1 - Hosts: 104.139.2.132 USNYKNGBRDS01
O1 - Hosts: 161.128.126.27 USMABURBUDS03
O1 - Hosts: 138.83.34.28 USTXCOPSV1S08
O1 - Hosts: 138.83.36.53 USTXCOPSV1S07
O1 - Hosts: 138.83.34.45 USTXCOPSV1S04
O1 - Hosts: 138.83.34.44 USTXCOPSV1S03
O1 - Hosts: 139.49.192.12 USTXCOPSV1S02
O1 - Hosts: 161.128.162.171 USNYMNHPRLS05
O1 - Hosts: 141.156.23.47 USMDCOCYASS04
O1 - Hosts: 141.156.23.45 USMDCOCYASS03
O1 - Hosts: 141.149.187.24 USPALEVFALS02
O1 - Hosts: 143.91.61.41 USTXIRVRRGS03
O1 - Hosts: 161.128.162.150 USNYMNHPRLS04
O1 - Hosts: 136.151.101.109 USFLCLRCLES02
O1 - Hosts: 161.128.162.137 USNYMNHPRLS03
O1 - Hosts: 151.205.63.31 USPALEVFALS01
O1 - Hosts: 143.91.61.40 USTXIRVRRGS02
O1 - Hosts: 136.151.101.108 USFLCLRCLES01
O1 - Hosts: 144.28.170.20 USCAPOMA05S02
O1 - Hosts: 141.156.23.10 USMDCOCYASS01
O1 - Hosts: 161.128.162.135 USNYMNHPRLS02
O1 - Hosts: 161.128.145.248 USNYMNHPRLS01
O1 - Hosts: 159.161.147.223 USCAPOMA05S01
O1 - Hosts: 151.205.79.132 USPACSHFAYS01
O1 - Hosts: 136.151.115.82 USFLTPA301S02
O1 - Hosts: 136.151.115.82 USFLTPA301S01
O1 - Hosts: 138.83.70.38 USFLTTPSTCS09
O1 - Hosts: 138.83.70.37 USFLTTPSTCS08
O1 - Hosts: 104.148.58.84 USNYMNHWESS02
O1 - Hosts: 136.151.208.185 USFLTTPSTCS07
O1 - Hosts: 104.148.58.82 USNYMNHWESS01
O1 - Hosts: 138.83.66.40 USFLTTPSTCS04
O1 - Hosts: 104.6.5.104 USMAHYNNRTS01
O1 - Hosts: 138.83.66.56 USFLTTPSTCS03
O1 - Hosts: 143.91.99.35 USTXIRVHQWS03
O1 - Hosts: 141.157.79.196 USVARICHSRS01
O1 - Hosts: 161.128.238.56 USNYPRLBHDSC2
O1 - Hosts: 143.91.100.135 USTXIRVHQWS02
O1 - Hosts: 161.128.238.55 USNYPRLBHDSC1
O1 - Hosts: 143.91.100.9 USTXIRVHQWS01
O1 - Hosts: 104.153.66.16 USNYPTCOCNS01
O1 - Hosts: 143.91.233.133 USTXIRVCARS01
O1 - Hosts: 162.83.31.69 USNJSCOCELS02
O1 - Hosts: 104.132.28.151 USNYNTNTRMS01
O1 - Hosts: 141.239.50.1 USHIHNLMBYS01
O1 - Hosts: 144.28.133.14 USCASFSLNRS01
O1 - Hosts: 162.83.31.68 USNJSCOCELS01
O1 - Hosts: 162.83.21.5 USNJMAM11SS01
O1 - Hosts: 161.128.43.200 USMABOSHISS01
O1 - Hosts: 162.83.76.70 USNJSPLHADS01
O1 - Hosts: 151.196.20.20 USMDSILCOLS01
O1 - Hosts: 141.150.76.108 USNJMLAMIDS01
O1 - Hosts: 141.154.100.14 USPAPHIRACS01
O1 - Hosts: 105.38.11.95 USNYGRDZCKS03
O1 - Hosts: 105.38.11.48 USNYGRDZCKS02
O1 - Hosts: 105.38.11.46 USNYGRDZCKS01
O1 - Hosts: 141.157.33.6 USVAROAAIRS02
O1 - Hosts: 141.157.33.8 USVAROAAIRS01
O1 - Hosts: 104.8.1.86 USNHMNCLMSS01
O1 - Hosts: 104.132.34.163 USNYBFFELMS01
O1 - Hosts: 159.161.39.168 USMOWENBLDS03
O1 - Hosts: 141.157.119.42 USVANEWNEWS01
O1 - Hosts: 159.161.39.165 USMOWENBLDS01
O1 - Hosts: 105.38.114.181 USNYMNHW5SS01
O1 - Hosts: 144.70.105.218 USILBLMMONS01
O1 - Hosts: 141.157.72.11 USVARICMAIS01
O1 - Hosts: 141.152.119.12 USNJMADPARS03
O1 - Hosts: 141.152.119.11 USNJMADPARS01
O1 - Hosts: 132.197.120.82 USMAWLTSYLS01
O1 - Hosts: 151.198.23.98 USPAWILWCOS01
O1 - Hosts: 104.132.6.118 USNYALBSTTS02
O1 - Hosts: 162.83.18.248 USNJHPL657S01
O1 - Hosts: 104.132.6.116 USNYALBSTTS01
O1 - Hosts: 161.128.100.186 USMATNTMYLS03
O1 - Hosts: 161.128.100.184 USMATNTMYLS02
O1 - Hosts: 161.128.100.193 USMATNTMYLS01
O1 - Hosts: 144.70.150.95 USMIMUKTERS01
O1 - Hosts: 104.139.3.7 USNYELRWCHS01
O1 - Hosts: 143.91.13.20 USTXIRVHQES02
O1 - Hosts: 143.91.12.54 USTXIRVHQES01
O1 - Hosts: 141.149.187.36 USVAFCHFAIS02
O1 - Hosts: 141.149.187.27 USVAFCHFAIS01
O1 - Hosts: 136.151.70.14 USFLTPATCCS01
O1 - Hosts: 144.28.176.125 USCAIRWAZUS02
O1 - Hosts: 104.2.5.239 USMEPRTFRSS01
O1 - Hosts: 139.49.7.9 USCACALAGRS02
O1 - Hosts: 139.49.7.1 USCACALAGRS01
O1 - Hosts: 136.151.88.1 USFLTPAADAS02
O1 - Hosts: 105.12.34.242 USMEPRTDVSS01
O1 - Hosts: 136.151.109.7 USFLTPAADAS01
O1 - Hosts: 151.205.55.82 USPAALLWINS01
O1 - Hosts: 144.70.165.12 USOHMARRVYS03
O1 - Hosts: 136.151.137.8 USKYLEXHARS01
O1 - Hosts: 144.70.165.48 USOHMARRVYS02

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [sefjzruov] C:\WINDOWS\System32\uucionl.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [erv] C:\WINDOWS\System32\erv.exe
O4 - Global Startup: TeleCommute Agent.lnk = C:\Program Files\<company name>\TeleCommute\uRAgent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O14 - IERESET.INF: START_PAGE_URL=http://eweb.<company name>.com/home.shtml

O16 - DPF: {041FA6AB-BA33-498F-AD6D-5913F66801D2} (AClientX Class) - name>.com:10028/activexshare/urxcli.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {719433EA-60DE-45A8-8255-115826F16D5B} (STConnectivityAgent Control) - file://C:\TEMP\SISD\InstallSTConnAgent.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - file://C:\TEMP\SISD\STJNILoader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -

REBOOT, into SAFE MODE.

Kill these two files:
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

Reboot.

How's it doing now?

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
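
Added example (not part of the original thread, and not code from HijackThis or from any poster): a small Python triage pass over the item-line format of the log posted above. It groups entries by section code and pulls out hosts-file overrides, registry autoruns, and entries whose file is reported absent; the sample lines are excerpted from the posted log, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Item lines excerpted from the log posted in this thread; the first line is
# a non-item header line, included to show that such lines are skipped.
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll (file missing)
O1 - Hosts: 144.28.52.17 USCAGOLPATS01
O1 - Hosts: 107.3749.9 USNYMEN11WS02
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O4 - HKLM\..\Run: [sefjzruov] C:\WINDOWS\System32\uucionl.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NavNT\vptray.exe
"""

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")     # "<code> - <body>"
RUN_RE = re.compile(r"^(.+?): \[([^\]]+)\] (.+)$")   # "<key>: [<value>] <command>"

def parse_items(log_text):
    """Group item bodies by section code (R3, O1, O4, ...)."""
    items = defaultdict(list)
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items[m.group(1)].append(m.group(2))
    return dict(items)

def hosts_entries(items):
    """O1 lines -> (ip, hostname, ip_parses); each overrides DNS for that name."""
    out = []
    for body in items.get("O1", []):
        parts = body.split()
        if len(parts) != 3 or parts[0] != "Hosts:":
            continue
        try:
            ipaddress.ip_address(parts[1])
            ok = True
        except ValueError:
            ok = False  # the address as printed in the log does not parse
        out.append((parts[1], parts[2], ok))
    return out

def autoruns(items):
    """O4 registry Run lines -> (key, value name, command)."""
    return [m.groups() for m in map(RUN_RE.match, items.get("O4", [])) if m]

def orphaned(items):
    """Entries whose registered file HijackThis reports as absent."""
    return [(code, body) for code, bodies in items.items() for body in bodies
            if body.endswith(("(no file)", "(file missing)"))]

if __name__ == "__main__":
    items = parse_items(SAMPLE_LOG)
    print({code: len(bodies) for code, bodies in items.items()})
    print(hosts_entries(items))
    print(autoruns(items))
    print(orphaned(items))
```

The output is a review list only: as the follow-up posts show, some entries on a managed PC belong to company software and need an admin's confirmation before removal.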
 
Not a single impromptu popup! Thanks!

Although, since this PC is "controlled" by company software, I had to leave some entries untouched until I can get hold of the admins.

 
Understood. Some of those appeared to be "company," but I figured since you'd inherited it...why not?

Good luck.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 