Another Hijackthis log. Please help with Adware
#1
Last time I let my roommate use my computer unattended. I get popups every time I go to a website with keywords. If I type in a website and don't type the w's at the beginning I get a search page with links, and about every half hour an official looking popup comes up saying I have a security firewall breach, etc.
I've run updated versions of Adaware, Spybot S&D and CWShredder with no luck. Out of curiosity, is there a way to make a donation via PayPal or something if someone from here helps you out? That'd be a good addition, I think. Well, here is my log file and I thank everyone in advance for any help.
Tad
#2
Boot in Safe Mode
Switch off System Restore
Put Hijackthis in its OWN, PERMANENT directory.
Now run HJT on its own and let it 'fix':

C:\WINDOWS\ieop.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\winpl32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A67AC66F-E66D-B230-07D8-8163A013AE40} - C:\WINDOWS\system32\appqa32.dll
O4 - HKLM\..\Run: [3A.tmp] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\3A.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [winpl32.exe] C:\WINDOWS\winpl32.exe
O4 - HKLM\..\Run: [3A.tmp.exe] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\3A.tmp.exe 1 10001
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp\D.tmp.exe 2 28129
O4 - HKLM\..\RunOnce: [ieop.exe] C:\WINDOWS\ieop.exe
O4 - Startup: DLHelperEXE.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - C:\Program Files\Planetluck Casino\bin\IEExtension_PL.dll
O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - C:\Program Files\Planetluck Casino\bin\IEExtension_PL.dll
O9 - Extra button: partybingo.com - {9CDE474A-A688-48f4-8B49-55CFB2356A6F} - C:\Program Files\PartyBingo\bin\IEExtension_PB.dll
O9 - Extra 'Tools' menuitem: partybingo.com - {9CDE474A-A688-48f4-8B49-55CFB2356A6F} - C:\Program Files\PartyBingo\bin\IEExtension_PB.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
ALL lines with O16 - DPF:
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mfcqd32.exe (file missing)

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
Clean EVERYTHING from C:\DOCUME~1\MYBABY~1\LOCALS~1\Temp
Reboot in Safe Mode
Make a new HJT log and post it here.

You sure it was your roommate?
I would give you my secret offshore account number in the Cayman Islands, but Internal Revenue would be down on me like a ton of bricks in a jiffy! So I'll help you out for nought.
#3
Looks like everything is back to normal. I play poker professionally so I didn't delete all of the gambling software. But aside from a few of the O15's staying it looks like everything is fixed and IE is working now. Are the O15s something to worry about? Thanks for all your help so far!
Thanks!
Tad
#4
The golden rule is not to trust ANYBODY. Run HJT and delete those O15 entries.
These O15 entries were put there from outside, meaning that the security settings of your IE are medium at best. But you never know who owns those websites tomorrow, or what software they install on your PC behind your back! You can have them in your Bookmarks/Favorites if you like. Otherwise your log is clean.
Stop using IE, except for Windows-updates. Go get Firefox from www.getfirefox.com and use that from now on. Firefox also stops loads of pesky popups.
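An added example, not part of any post in this thread: a small triage script that flags the kinds of HijackThis entries singled out in the fix list in post #2 and the O15 advice in post #4. The rule set and the names `triage`, `RULES` and `SAMPLE_LOG` are assumptions made for illustration, not HijackThis's own logic, and the sample log is constructed from entry shapes quoted above.

```python
import re

# Constructed sample log (assumption): entry shapes follow the lines quoted in
# this thread; the user folder and the ExampleTray entry are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nvcny.dll/sp.html#28129
O2 - BHO: (no name) - {A67AC66F-E66D-B230-07D8-8163A013AE40} - C:\WINDOWS\system32\appqa32.dll
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\USER\LOCALS~1\Temp\D.tmp.exe 2 28129
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O15 - Trusted Zone: *.static.topconverting.com
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\mfcqd32.exe (file missing)
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Illustrative heuristics (assumption): (section codes, pattern on body, reason).
RULES = [
    ({"R0", "R1"}, re.compile(r"=\s*res://", re.I),
     "IE search/start page served from a local DLL resource"),
    ({"O2"}, re.compile(r"\(no name\)"), "unnamed Browser Helper Object"),
    ({"O4"}, re.compile(r"\\Temp\\|\.tmp\.exe", re.I),
     "autostart entry launching from a Temp directory"),
    ({"O15"}, re.compile(r"Trusted Zone:\s*\*\."),
     "wildcard domain added to the IE Trusted Zone"),
    ({"O23"}, re.compile(r"\(file missing\)"),
     "service registered for a binary that no longer exists"),
]

def triage(log_text):
    """Return (code, body, reasons) for every entry matched by at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # headers, process list lines and blanks are not entries
        code, body = m.groups()
        reasons = [why for codes, pat, why in RULES
                   if code in codes and pat.search(body)]
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"[{code}] {'; '.join(reasons)}\n    {body}")
```

Entries that no rule matches are not thereby shown to be clean; they still need a manual read of the full log.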
#5
How would you suggest getting rid of the O15s? I run hijack this, fix them, then run it again right away and they are back.
All help is appreciated.
Tad
#6
Have a look here:
http://www.bleepingcomputer.com/foru...ial=42#O15Diag



