Post #1 - Apr 16 2004, 07:03 AM - New Member (Group: New Member, Posts: 4, Joined: 16-April 04, Member No.: 4,605)
Scan saved at 7:49:48 AM, on 4/16/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
C:\WINNT\shrayobo.exe
C:\WINNT\Wast.exe
C:\RIMS6.0\Apps\Rims.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\SysAI\SysAI.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.modtechcorp.com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
Post #2 - Apr 16 2004, 10:41 AM - Retired Staff-Malware Expert (Group: Authentic Member, Posts: 3,521, Joined: 1-November 03, From: UK, Member No.: 668, Operating System: Windows XP)
Could you go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General > activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine > activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine > activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found; click "Next". The bad files will be listed; right click the pane and click "Select all objects" - this will put a check mark in the box at the side. Click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.
Post #3 - Apr 19 2004, 09:27 AM - New Member (Group: New Member, Posts: 4, Joined: 16-April 04, Member No.: 4,605)
Daemon,
I have followed your directions to the letter regarding the Ad-Aware program. Here are the results of the new HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 10:23:41 AM, on 4/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
C:\WINNT\shrayobo.exe
C:\WINNT\Wast.exe
C:\Program Files\SysAI\SysAI.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.modtechcorp.com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
Post #4 - Apr 19 2004, 11:09 AM - Retired Staff-Malware Expert (Group: Authentic Member, Posts: 3,521, Joined: 1-November 03, From: UK, Member No.: 668, Operating System: Windows XP)
OK, well we've got some manual stuff to do still. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, then find and delete the following:

C:\WINNT\SNPZVCNXF.exe
C:\WINNT\shrayobo.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\Wast
C:\WINNT\ARUpdate.exe

Reboot back into normal mode, rescan with HJT and post a new log here for a final check over.
Post #5 - Apr 20 2004, 07:23 AM - New Member (Group: New Member, Posts: 4, Joined: 16-April 04, Member No.: 4,605)
Daemon,
Followed your directions with some exceptions. I scanned again w/HijackThis, then selected & deleted all the files you mentioned. However, I could not log on in safe mode, so I brought my computer up in normal mode, scanned again using HijackThis and saw that all of the files I deleted after the previous scan did not return. I then went to my C: drive and found/deleted 3/5 files you mentioned. Could not find the SNPZVCNXF.exe file and the AutoUpdate.exe files. Below is my latest scan after deleting the files on the C: drive.

Logfile of HijackThis v1.97.7
Scan saved at 8:17:47 AM, on 4/20/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.modtechcorp.com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
Post #6 - Apr 20 2004, 01:36 PM - Retired Staff-Malware Expert (Group: Authentic Member, Posts: 3,521, Joined: 1-November 03, From: UK, Member No.: 668, Operating System: Windows XP)
Well you nailed them anyway, that's a clean log - well done
Post #7 - Apr 21 2004, 08:04 AM - New Member (Group: New Member, Posts: 4, Joined: 16-April 04, Member No.: 4,605)
Daemon,
Thank you, thank you, thank you for your help. No more pop-ups. Computer is running great.
Post #8 - Apr 21 2004, 01:13 PM - Retired Staff-Malware Expert (Group: Authentic Member, Posts: 3,521, Joined: 1-November 03, From: UK, Member No.: 668, Operating System: Windows XP)
You're welcome - glad to help
As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link. The subject of the email must be "Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.