[problems with popups and "quick web Search"] -


problems with popups and "quick web Search"

Discuss problems with popups and "quick web Search"


Posted by: stalax17

Hey, Ya'll,

Like the title says I have that Quick Web Search opening page and im having a lot of problems with pop ups. I've tried spybot adaware and a whole bunch of other things but it wont go away heres my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:43 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\wiadxrip.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Application Data\uael.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\dmsadmins.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe
C:\Documents and Settings\Owner\Desktop\AboutBuster\AboutBuster\Abo
utBuster.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IE SP2 AddOn - {13A19221-88B3-47CE-AE02-3AD70A9284A9} - C:\WINDOWS\System32\splew.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [7srW3FP] cidtcfg.exe
O4 - HKLM\..\RunOnce: [dwvqi.exe] dwvqi.exe
O4 - HKLM\..\RunOnce: [dwbpo.exe] dwbpo.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ktjqbceb] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [MB06RPj8g] atc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wdal] C:\Documents and Settings\Owner\Application Data\uael.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: [url]http://ny.contentmatch.net[/url] (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5488C4E-9132-4D69-A8D2-34006D5458BC}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5527474-885A-4761-B1D6-A3726071F545}: NameServer = 69.50.184.86,195.225.176.110
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

any help would be greatly appreciated!


Posted by: SHAWN

Try scanning with Spysweeper and Microsoft Anti-Spyware. Then go to [url]www.antivirus.com[/url] and run a free online scan.


Posted by: bullhammer

hello stalax.

In HJT fix these lines.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IE SP2 AddOn - {13A19221-88B3-47CE-AE02-3AD70A9284A9} - C:\WINDOWS\System32\splew.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [7srW3FP] cidtcfg.exe
O4 - HKLM\..\RunOnce: [dwvqi.exe] dwvqi.exe
O4 - HKLM\..\RunOnce: [dwbpo.exe] dwbpo.exe
O4 - HKCU\..\Run: [Ktjqbceb] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Wdal] C:\Documents and Settings\Owner\Application Data\uael.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O15 - Trusted Zone: [url]http://ny.contentmatch.net[/url] (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/6.../bridge-c18.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5488C4E-9132-4D69-A8D2-34006D5458BC}: NameServer = 69.50.184.86,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5527474-885A-4761-B1D6-A3726071F545}: NameServer = 69.50.184.86,195.225.176.110


Reboot. then delete this.

C:\WINDOWS\System32\?ttrib.exe

Reboot again and run cw shredder/adaware and spybot.

Good luck.

Oh, by the way, make sure you do this in safe mode>>> F8


Posted by: Warez Monster

Remove entries at your own risk

C:\WINDOWS\System32\?ttrib.exe This is a unknown process.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank This page could possibly be nasty. If you do not know the entry 'about :blank', delete it.

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file) Entries found in this registry zone are potentially nasty. This application ([08BEC6AA-49FC-4379-3587-4B21E286C19E] - Result: ) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed.

O4 - HKLM\..\Run: [7srW3FP] cidtcfg.exe Unknown application.

O4 - HKLM\..\RunOnce: [dwvqi.exe] dwvqi.exe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file

O4 - HKLM\..\RunOnce: [dwbpo.exe] dwbpo.exe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe" Unknown application.

O15 - Trusted Zone: [url]http://ny.contentmatch.net[/url] (HKLM) If you did not add these pages to your trusted pages, they should be fixed.

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/6.../bridge-c18.cab[/url] This entry is possibly nasty. Should be fixed.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed.