
Registered · 7 Posts · Discussion Starter · #1
Hi,

I hope I am in the right place and I can explain my problems without adding more confusion. I have an old computer; Pentium II running Win98SE. No other option.

Recently, I added NIS 2005, in an effort to, of course, add security, cut down on the spam and above all curb the pop-up ads which plague my internet research efforts. (I have always used Norton Antivirus as a stand-alone application before.)

I am not real skilled at installation but I followed all the instructions and I think I did it correctly. Now, the spam is somewhat lessened, at least the porn is, but the pop-ups are much worse. They are non-stop. Interestingly, I haven't had one since I have been on this site, but this is the only time.

After searching the subject on Google I concluded that I should raise the Anti-spam security level. I did that but the result was that I was disconnected from my ISP every 30 seconds. When I reduced the level to the medium setting that did not occur, but the pop-ups still did.

Is there a magic bullet that will make this product work as advertised? If not, do you recommend installing a separate pop-up blocker? Incidentally, when I run Spy-Bot and Ad-aware, there are far fewer listings than before NIS, but some still do get through.

To any kind soul who responds, please keep in mind that I have no idea how to do anything in the Registry and would be scared to even try.

TIA
 

Registered · 46,025 Posts
Internet Explorer, apart from the one that comes with XP SP2, has no built-in pop-up protection -- so you should consider using another browser such as Opera or Mozilla Firefox.

However many pop-ups are generated by installed malware, rather than just a result of visiting sites which use them.

Let us see what you have running by following these directions:

Create a new, permanent folder for HijackThis and save the file to that. Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply.

Direct HijackThis download link: http://www.spywareinfo.com/~merijn/files/HijackThis.exe
 

Registered · 7 Posts · Discussion Starter · #3
Thank you, Rollin Rog.

Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 9:04:35 PM, on 1/10/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZJ80X22E\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snip.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: FavSearch - {9C0A2D0C-9EAB-45f7-B75D-5CFCE41EC19E} - C:\Program Files\FavSearch\favsrch.exe (HKCU)
O9 - Extra 'Tools' menuitem: FavSearch - {9C0A2D0C-9EAB-45f7-B75D-5CFCE41EC19E} - C:\Program Files\FavSearch\favsrch.exe (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .hip: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .hiv: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {82267FE0-D80D-11D3-B006-00500406C1BC} (AXStub Class) - ftp://plugin:[email protected]/printQuick.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.amazon.ofoto.com/OfotoDND.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
 

Registered · 46,025 Posts
This should definitely be checked and "fixed" using HijackThis:

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL

ref: http://computercops.biz/clsid-1257.html
http://www.doxdesk.com/parasite/Transponder.html

Also: O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

These two "favsearch" entries are of unclear origin. The program is listed on some antispyware sites, but there is no indication that it is "malicious", just that it may not be user installed. If you don't use it and don't know how it got there, I would recommend removing them:

O9 - Extra button: FavSearch - {9C0A2D0C-9EAB-45f7-B75D-5CFCE41EC19E} - C:\Program Files\FavSearch\favsrch.exe (HKCU)
O9 - Extra 'Tools' menuitem: FavSearch - {9C0A2D0C-9EAB-45f7-B75D-5CFCE41EC19E} - C:\Program Files\FavSearch\favsrch.exe (HKCU)

Only the first entry I mentioned would be likely to result in unwanted pop-ups in my view.
 

Registered · 7 Posts · Discussion Starter · #5
Thanks once again. Can you please tell me the procedure for dealing with these on HijackThis? I would assume I run the application as I did before. Will I then be directed on how to deal with these particular files?
 

Registered · 46,025 Posts
Just run HijackThis as you did before and select "Scan".

You will see check boxes. ONLY check the ones I listed that you want to delete. Then click on "fix checked". The deleted entries will be stored in a HijackThis "backups" folder and could be restored if desired.

Let me know if the unusual pop-ups cease after removing that O2 entry. You should have Internet Explorer closed when "fixing" such items.
 

Registered · 7 Posts · Discussion Starter · #7
I think you got it. I went to two sites where I was previously plagued with the pop-ups and they did not appear!

I have a few more (dumb) questions that will help me sort out what has happened here.

1. In the future if this same scenario occurs, I would of course run HijackThis, but how would I know which are the truly offending entries? Would I have to bother you guys each time it happens?

2. Can I assume that this malware was present before I installed NIS 2005 and that I am now protected against such plagues?

3. Should I still run SpyBot and Ad-Aware?

4. I am having trouble finding my way to this site. Only manage to get back to it by using the hyperlink in the e-mail. Is there a better way? Can I bookmark it? So far, I have been unable to do so. Please forgive my inexperience.

I will noodle around on the net for a while and if I continue to have a pop-up free life (relatively speaking) I will send a contribution.

TIA,
jglois
 

Registered · 46,025 Posts
To answer your last question first, this is the link that I bookmark and open from a shortcut on the links bar:

http://forums.techguy.org/

As for identifying malware entries, it does take some experience to know what doesn't belong. For now, keep a saved scanlog and pay special attention to the R0 - O3 entries. These are the ones most likely to change when these particular types of hijacks occur.

You can also review the suggestions in the "How did I get infected" thread/sticky in this forum. The Security settings are particularly important to ensure unprompted downloads are not allowed.

And frankly, you are not stuck with Internet Explorer, which is especially vulnerable to these types of infections. Both Opera and Mozilla Firefox are good alternatives that don't use "browser helper objects". You still need IE for certain purposes though, including running online virus scans.

It certainly won't hurt to keep a Spybot or Ad-Aware install (I tend to favor Ad-aware), and run it from time to time. You will always get "tracking cookie" hits, but these are nothing much to be concerned about.

If you feel the problem is resolved, you can mark the thread "Solved" using the thread tools tab. You're most welcome for the help, and of course we appreciate the support too...
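The advice above (keep a saved scanlog, watch the R0 - O3 entries) can be turned into a small check. This is an added example, not a tool from the thread or from HijackThis itself: it parses two HijackThis logs, reports entries that appear in the current scan but not in the saved baseline, restricted to those sections, and separately lists stale "(no file)" / "(file missing)" entries. The sample logs are constructed by trimming the log posted in this thread.

```python
import re

# One HijackThis scan entry: a section code such as R0, O2 or O16, " - ", then the entry.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# The sections singled out in the reply above (start/search pages, BHOs, toolbars).
WATCHED = ("R0", "R1", "R2", "R3", "O1", "O2", "O3")

# Constructed sample logs, trimmed from the thread's log. The baseline is the
# saved "known clean" scan; the current scan has picked up extra entries.
BASELINE_LOG = r"""Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snip.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
CURRENT_LOG = BASELINE_LOG + r"""O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

def parse_log(text):
    """Map each section code to the set of entries found under it."""
    sections = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    return sections

def new_entries(baseline, current, watched=WATCHED):
    """Entries in the current log that the saved baseline lacks, limited to
    the watched sections. Returns a sorted list of (section, entry) pairs.
    The new O4 line is deliberately not reported: it is outside the watched set."""
    base, cur = parse_log(baseline), parse_log(current)
    found = []
    for sec in watched:
        for entry in cur.get(sec, set()) - base.get(sec, set()):
            found.append((sec, entry))
    return sorted(found)

def stale_entries(current):
    """Entries whose target no longer exists; HijackThis marks them
    '(no file)' or '(file missing)'. Harmless, but safe to clean up."""
    return sorted(e for entries in parse_log(current).values() for e in entries
                  if "(no file)" in e or "(file missing)" in e)

if __name__ == "__main__":
    for sec, entry in new_entries(BASELINE_LOG, CURRENT_LOG):
        print(f"NEW   {sec} - {entry}")
    for entry in stale_entries(CURRENT_LOG):
        print(f"STALE {entry}")
```

A flagged entry is only a candidate; as the reply says, deciding whether it belongs still takes a lookup (such as the CLSID references given earlier in the thread) before anything is "fixed".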
 