A Problem With Adware


10 replies to this topic

#1 gfreed

Posted 12 December 2007 - 08:12 PM

I asked for some help a little while back! Never got any reply at all! What am I doing wrong here? Is there info I need to get and post?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
I'm working with a friend's computer via UltraVNC. It has adware that causes popups but will also change ad banners and pictures to read that the computer has a virus and to get free virus removal software. Here are some of the program titles: "Privacy Conductor, System Error Fixer."
I have run AVG, Spybot, Adaware, Combofix, CureIt, Fixwareout, Hijackthis. Found lots of bad stuff and deleted it all but this one virus or whatever it might be still remains.

I'm comfortable digging around in the registry so I can make reg changes without killing things. I will attach the log file from HijackThis and Combofix. I'm really interested in learning from this problem! Thanks for any info you all can give me on this problem!
Attached files: Combofix.txt (7.58k), hijackthis.log (7.31k)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Edited by gfreed, 12 December 2007 - 08:14 PM.


#2 sjpritch25

Posted 26 December 2007 - 10:36 PM

Welcome to BC :thumbsup:

Sorry for the delay; the forum has been extremely busy lately.

Since it's been a few days, please post a fresh HijackThis log. Thanks.
Microsoft MVP Consumer Security--2007-2010

#3 gfreed

Posted 29 December 2007 - 12:39 AM


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:33 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\HP_Administrator\Desktop\HelpdeskNew.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\7zS14.tmp\winvnc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\MyDownloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6199 bytes
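A small triage script for HijackThis v2 logs, added here as an example; it is not code from this thread or from HijackThis itself. It parses the process list and the R0/R1/O4/O23 lines, then applies a few review heuristics a helper applies by hand: executables started from a Temp folder (here the UltraVNC helper the poster runs, which is expected), an IE ProxyServer value, and autoruns or services living outside the Windows and Program Files trees. The sample lines are copied from the log above; the flags are prompts for review, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\7zS14.tmp\winvnc.exe
C:\MyDownloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str                 # "process", "R0", "R1", "O3", "O4", "O23", ...
    raw: str
    fields: dict = field(default_factory=dict)


# Line shapes used by HijackThis v2 for the sections we care about.
_O4 = re.compile(r"^O4 - (?P<where>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*?)"
                 r"(?: \(User '(?P<user>[^']*)'\))?$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<svc>[^)]+)\) - "
                  r"(?P<vendor>.+?) - (?P<path>.+)$")
_R = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.I)
_TEMP = re.compile(r"\\temp\\", re.I)
_TRUSTED_DIRS = re.compile(r"^[a-z]:\\(?:windows|progra~1|program files)\\", re.I)


def exe_of(cmd):
    """Return the executable part of an autorun command line (quotes stripped)."""
    m = _EXE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def parse_hjt(text):
    """Parse a HijackThis log into Entry objects; unknown lines are ignored."""
    entries, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            entries.append(Entry("process", line, {"path": line}))
            continue
        m = _O4.match(line)
        if m:
            f = m.groupdict()
            f["exe"] = exe_of(f["cmd"])
            entries.append(Entry("O4", line, f))
            continue
        m = _O23.match(line)
        if m:
            entries.append(Entry("O23", line, m.groupdict()))
            continue
        m = _R.match(line)
        if m:
            f = m.groupdict()
            entries.append(Entry(f.pop("sec"), line, f))
            continue
        m = re.match(r"^(O\d+) - ", line)
        if m:
            entries.append(Entry(m.group(1), line))
    return entries


def triage(entries):
    """Apply review heuristics; each string is something to look at, not a verdict."""
    findings = []
    for e in entries:
        if e.section == "process" and _TEMP.search(e.fields["path"]):
            findings.append(f"process running from a Temp folder: {e.fields['path']}")
        elif e.section == "O4":
            exe = e.fields["exe"]
            if _TEMP.search(exe):
                findings.append(f"autorun [{e.fields['label']}] from a Temp folder: {exe}")
            elif "\\" in exe and not _TRUSTED_DIRS.match(exe):
                findings.append(f"autorun [{e.fields['label']}] outside Windows/Program Files: {exe}")
        elif e.section == "R1" and e.fields["value"] == "ProxyServer":
            findings.append(f"IE ProxyServer is set to {e.fields['data']!r}; confirm it is intended")
        elif e.section == "O23" and not _TRUSTED_DIRS.match(e.fields["path"]):
            findings.append(f"service {e.fields['svc']} outside Windows/Program Files: {e.fields['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```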

#4 sjpritch25

Posted 30 December 2007 - 08:22 PM

Log looks clean. Are you experiencing any popups??? How is everything running?
Microsoft MVP Consumer Security--2007-2010

#5 gfreed

Posted 02 January 2008 - 07:25 PM

This has been a frustrating problem. Yes, I get popups saying I have a virus and to either purchase or download this or that free program to fix the problem. This adware virus has a multitude of different-looking popups and will even change banners on sites like www.snapfiles.com. For now I've removed IE and replaced it with Firefox. I would still like to know what this virus is so that I can get rid of it. I'm also quite curious as to what this thing is exactly.

Thanks

#6 sjpritch25

Posted 02 January 2008 - 07:35 PM

Okay, HijackThis isn't always going to show everything. Obviously, the little bugger is hiding, so let's do some digging.

For now I've removed IE and replaced it with Firefox


Can you tell why you did this???



Please download RogueRemover & save it to your desktop.
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
  • Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Finally, select Scan and the program will walk you through the remaining steps.

Compatible with Windows 2000, NT, XP, Vista
Microsoft MVP Consumer Security--2007-2010

#7 gfreed

Posted 04 January 2008 - 05:24 PM

Ok thanks! Sorry this takes me a while; I'm working on a friend's machine using UltraVNC. So I have to get a hold of him and take control of his computer. My friend is in his 80s and forgets how to get VNC to operate. So it's interesting setting this all up, but he's fun to talk to and a nice old guy! The type of computers he worked with when he was young were slide rules :thumbsup:

#8 gfreed

Posted 13 January 2008 - 05:17 PM

OK I tried Rogue Remover and it did the following!

Malwarebytes' RogueRemover
Malwarebytes 2007 http://www.malwarebytes.org
6725 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\arrow.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\checkup.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\chkbox0.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\chkbox1.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\info.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\performcheckup.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\progress.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\repair.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\spacer.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\trueassistant.dat
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\TrueAssistant.exe
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\TrueInstall.exe
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\warning.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\aolinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\checkstatus.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completecancel.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completecani.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completecanichat.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completefwding.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completehowlong.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completepersonal.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completeswitchback.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\completewheredoi.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\compuserveinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\doessupport.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloadcani.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloaddeletedaol.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloaddeletedmsn.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloadhowdoi.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloadhowlong.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloadshouldi.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\downloadwhatif.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\earthlinkinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\EasyChange_styles.css
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\howdoes.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\knowledgebase.xml
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscaccesserror.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscaccountnotinit.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscadditionalaccounts.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscattachments.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\misccancel.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\misccontactnotification.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscfilter.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscfwdemail.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\mischowlong.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscnotify2.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\miscreceive.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\misctransfer.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\msninfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\oeinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\outlookinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\sbcyahooinfo.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\securitydoesmy.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\securityhowdoi.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\securityhowsecure.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\securityismy.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\securitywhydoes.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\spacer.gif
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\true.js
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\trueswitch_styles.css
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingaolpass.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingattbipass.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingcancel.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingcancelaccount.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingconfirmselect.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingcontactupdate.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingcopy.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingcopypersonal.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingedit.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingforwardemails.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingmsnpass.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingnotify.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingnotifycontacts.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingnspass.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\usingsetup.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\whatis.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\whichemail.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange\willwork.htm
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Program Files\TrueSwitch\TrueSwitch.log
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Documents and Settings\All Users\Start Menu\Programs\TrueSuite\EasyChange Powered by TrueSwitch.lnk
Selected for removal: Yes

Type: File
Vendor: TrueWatch
Location: C:\Documents and Settings\All Users\Start Menu\Programs\TrueSuite\TrueAssistant.lnk
Selected for removal: Yes

Type: File
Vendor: Registry Cleaner
Location: C:\Documents and Settings\HP_Administrator\Application Data\Registry Cleaner\Regclean.ini
Selected for removal: Yes

Type: Folder
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant
Selected for removal: Yes

Type: Folder
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\EasyChange
Selected for removal: No

Type: Folder
Vendor: TrueWatch
Location: C:\Program Files\TrueAssistant\Messages
Selected for removal: No

Type: Folder
Vendor: TrueWatch
Location: C:\Program Files\TrueSwitch
Selected for removal: Yes

Type: Folder
Vendor: TrueWatch
Location: C:\Documents and Settings\All Users\Start Menu\Programs\TrueSuite
Selected for removal: Yes

Type: Folder
Vendor: Registry Cleaner
Location: C:\Documents and Settings\HP_Administrator\Application Data\Registry Cleaner
Selected for removal: Yes

Type: Registry Key
Vendor: TrueWatch
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Esaya\TrueAssistant
Selected for removal: Yes

I reinstalled IE and it's totally messed up with popups. I removed IE and installed Firefox so the user can use the internet without having to deal with all the popups. As a matter of fact, this virus or whatever it is tried to run a scan or something on his machine. I have again removed IE so it can not be activated and cause trouble.

The following are the programs I've tried so far:
Spybot
Spywareblaster
Adaware
Combofix
HijackThis
Cureit by Dr Web

Dr Web Log:

hctp[1];C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\JDBXNKYU;Trojan.Virtumod.232;Deleted.;
A0023688.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023692.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Websearch;Incurable.Moved.;
A0023694.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023698.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023704.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023707.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Websearch;Incurable.Moved.;
A0023710.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Websearch;Incurable.Moved.;
A0023714.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Websearch;Incurable.Moved.;
A0023716.EXE;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Websearch;Incurable.Moved.;
A0023765.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023766.DLL;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Adware.Funweb;Incurable.Moved.;
A0023970.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Probably STPAGE.Trojan;Incurable.Moved.;
A0023971.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Probably DLOADER.Trojan;Incurable.Moved.;
A0023972.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP109;Probably DLOADER.Trojan;Incurable.Moved.;


New Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:01 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\HP_Administrator\Desktop\HelpdeskNew.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\7zS21.tmp\winvnc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\MyDownloads\cureit2.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\RarSFX0\_start.exe
C:\MyDownloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6271 bytes

This is what I got so far!!!!
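Reading a HijackThis log by eye comes down to one question per O4 autostart and O23 service line: which file does it actually load, and from where? The script below is an added example, not part of this thread or of HijackThis, that parses O4 and O23 lines into structured entries and marks the ones a reviewer should look at first: files started without a full path (resolved through the search path), files outside Program Files or Windows, and unquoted executable paths that contain spaces. The sample lines are copied from the log posted above; the trusted-root list and the flag wording are assumptions of the example. A flag is a reason to check a file, not a verdict on it (the HP entries it marks are ordinary OEM files).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: O4 autostart and O23 service lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

USER = r"(?: \(User '(?P<user>[^']*)'\))?$"          # optional trailing "(User '...')"
RE_O4_REG = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>[^:]+): "
                       r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)" + USER)
RE_O4_DIR = re.compile(r"^O4 - (?P<folder>[^:]+): (?P<name>.+?) = (?P<cmd>.*?)" + USER)
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<company>.*?) - (?P<cmd>.+)$")
EXT_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs))\b", re.I)  # first program file
# Assumed "expected" roots for this XP box (example assumption); anything else gets a second look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

@dataclass
class Entry:
    kind: str              # "O4" or "O23"
    source: str            # "registry", "folder" or "service"
    location: str          # registry key, startup folder or service short name
    name: str
    command: str
    executable: str
    user: Optional[str] = None
    flags: List[str] = field(default_factory=list)

def executable_of(cmd: str) -> str:
    """File a command line loads: quoted path, first program file, or the DLL handed to rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ""
    path = m.group("path")
    if path.lower().endswith("rundll32.exe"):       # the DLL argument is the interesting file
        rest = cmd[m.end():].strip()
        m2 = EXT_RE.match(rest)
        return m2.group("path") if m2 else rest.split(",")[0]
    return path

def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = RE_O4_REG.match(line)
    if m:
        loc = f"{m['hive']}\\..\\{m['key']}"
        return Entry("O4", "registry", loc, m["name"], m["cmd"], executable_of(m["cmd"]), m["user"])
    m = RE_O4_DIR.match(line)
    if m:
        return Entry("O4", "folder", m["folder"], m["name"], m["cmd"], executable_of(m["cmd"]), m["user"])
    m = RE_O23.match(line)
    if m:
        return Entry("O23", "service", m["short"], m["name"], m["cmd"], executable_of(m["cmd"]))
    return None

def review(e: Entry) -> List[str]:
    """Heuristic prompts for a human reviewer; a flag is a reason to look, not a verdict."""
    low = e.executable.lower()
    flags = []
    if not re.match(r"^[a-z]:\\", low):
        flags.append("no full path: resolved via the search path, so the real location is unknown")
    elif not low.startswith(TRUSTED_ROOTS):
        flags.append("runs from outside Program Files / Windows")
    if (e.source in ("registry", "service") and " " in e.executable
            and not e.command.lstrip().startswith('"')):
        flags.append("unquoted path containing spaces")   # shortcut targets are exempt
    return flags

def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = review(e)
            entries.append(e)
    return entries

def flagged(text: str) -> List[Entry]:
    return [e for e in parse_log(text) if e.flags]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} {e.location}: [{e.name}] {e.executable} -> {'; '.join(e.flags)}")
```

Run it and the four marked entries are KBD and Pin.lnk (outside the expected roots), RTHDCPL (bare filename) and WinampAgent (unquoted path with spaces); the quoted, Program Files and system32 entries pass silently. The point of the structured form is that each marked file can then be looked up and compared against its vendor's known location before anything is deleted.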

#9 sjpritch25


  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 13 January 2008 - 08:24 PM

Well, please explain how you removed IE because it's not a good idea.


Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.


========================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  • Please attach extra.txt to your post.
To attach a file to a new post, simply
  • Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  • copy and paste the following into the "Upload File from your Computer" box:

    C:\Deckard\System Scanner\extra.txt

  • Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Microsoft MVP Consumer Security--2007-2010

#10 gfreed

  • Topic Starter

  • Members
  • 16 posts
  • Gender:Male
  • Location:Seattle

Posted 13 January 2008 - 09:31 PM

To remove IE I opened Control Panel, opened Add or Remove Programs. Then select Add/Remove Windows Components. Uncheck the IE component box. At the very least this procedure seems to completely shut down IE with no chance of accidental activation. Even with Firefox selected as the default IE was opening and causing big problems. So I needed to kill IE completely. When reactivated it seemed to start up ok. Popups everywhere, all kinds of popups! Wicked problem! Challenging too!

#11 sjpritch25


  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 14 January 2008 - 07:30 AM

Still getting popups, please post the DSS log. Thanks.
Microsoft MVP Consumer Security--2007-2010



