We have one Dell workstation that is over a year old and has a problem with pop-ups for a while now. A while back I managed to stop them temporarily by removing miscellaneous programs (except Weatherbug), but now they are back with a vengeance. I removed any software or programs that looked frivolous to her system. (Including WeatherBug) and AOL toolbar (She does continue to use AIM). But still more popups.
I am now pretty sure her browser is hijacked. It doesn’t change her home page or take her to any unwanted sites, but the popups are not linked to any clear separate process. They appear to link most often to iexplore.exe or explore.exe
Sometimes even taskmanager! They only appear when she is online, but they come from her computer, not the websites. (thereby getting past IE’s popup blocker) I did see “Inqwire” as the title of a few of the popups and searched that. But after downloading and running HijackThis I did not see any of the things that they say to remove if you get hijacked by Inqwire.
So…below is the HijackThis log. I cannot see any apparent problems. Can anyone else spot what is amiss? thanks for any help! Tink
Logfile of HijackThis v1.99.1
Scan saved at 10:36:48 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\carinsdell\My Documents\HijackThis\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kolorcure.com/
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 – BHO: AcroIEHlprObj Class – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: NAV Helper – {BDF3E430-B101-42AD-A544-FADC6B084872} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 – HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 – HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 – HKLM\..\Run: [AdaptecDirectCD] “C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 – HKLM\..\Run: [Dell AIO Printer A940] “C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe”
O4 – HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 – HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 – HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 – HKCU\..\Run: [DellSupport] “C:\PROGRA~1\DELLSU~1\DSAgnt.exe” /startup
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: AIM – {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} – C:\PROGRA~1\AIM\aim.exe
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 – IERESET.INF: START_PAGE_URL=http://companyweb
O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kolorcure.local
O17 – HKLM\Software\..\Telephony: DomainName = kolorcure.local
O17 – HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kolorcure.local
O20 – Winlogon Notify: igfxcui – C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: LexBce Server (LexBceS) – Lexmark International, Inc. – C:\WINDOWS\system32\LEXBCES.EXE
O23 – Service: Norton AntiVirus Auto-Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) – Symantec Corporation – C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 – Service: SAVScan – Symantec Corporation – C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Symantec SPBBCSvc (SPBBCSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 – Service: Symantec Core LC – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 – Service: SymWMI Service (SymWSC) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
