Malware - Causes Ie Popups


2 replies to this topic

#1 richkrack
  • Members
  • 2 posts

Posted 01 February 2008 - 03:49 PM

I'm running Windows XP.

Over the last 24 hours I started receiving Internet Explorer 7 popups. Web advertisements will open in a whole new window (even though the browser is completely set on only tabbed windows) and these popups occur occasionally even when Internet Explorer is not open or being used.

The popups appear to always be redirected from adtrgt.com and generally appear like this:
http://url.adtrgt.com/cpv.jsp?p=1121...tingId=7013811

First I ran AVG Internet Security (nothing major appeared) and then Spybot (nothing major appeared). After that, I landed on the BleepingComputer page suggesting ComboFix be used. I downloaded and ran ComboFix (the log is below) and then downloaded and ran HijackThis (log is also below). I've used HijackThis before, so I knew to rename it and place it in a new folder to hide the name of the file, which I did.

One more thing, prior to the popups occurring, I noticed a 24 hour period where my machine would stall when I opened up new applications. The task manager revealed explorer.exe hogging all of the CPU power (between 95-99%). When I'd close the process and re-run explorer, it would generally run fine for an hour or so. It was at that point that I first downloaded and ran AVG.

Please help. Thanks.

--------------------------------------
ComboFix 08-02.01.6 - Rick 2008-02-01 14:11:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.824 [GMT -6:00]
Running from: C:\Documents and Settings\Rick.DESK\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\awtqopp.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\efcccay.dll
C:\WINDOWS\system32\gebxxww.dll
C:\WINDOWS\system32\iifcaaa.dll
C:\WINDOWS\system32\iifgeec.dll
C:\WINDOWS\system32\ljjghec.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 13:55 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-01 13:55 . 2007-06-05 00:58 211 --a------ C:\Boot.bak
2008-02-01 13:45 . 2008-02-01 13:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7
2008-02-01 10:33 . 2008-02-01 10:33 101 --a------ C:\WINDOWS\wininit.ini
2008-01-31 23:48 . 2008-01-31 23:48 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-31 23:48 . 2008-01-31 23:48 86,144 --a------ C:\WINDOWS\system32\drivers\asyncmacc.sys
2008-01-31 23:47 . 2008-02-01 13:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-26 22:45 . 2008-01-26 22:45 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-26 14:15 . 2008-01-26 14:15 <DIR> d-------- C:\Program Files\Apex
2008-01-26 13:50 . 2008-01-26 13:50 <DIR> d-------- C:\Program Files\eRightSoft
2008-01-26 13:50 . 2007-12-17 07:43 27,648 --ahs---- C:\WINDOWS\system32\Smab0.dll
2008-01-26 13:48 . 2008-01-26 13:48 <DIR> d-------- C:\Program Files\SourceTec
2008-01-26 13:48 . 2007-02-05 12:00 413,760 --a------ C:\WINDOWS\system32\MPG4c32.dll
2008-01-26 13:48 . 2008-01-26 13:49 323 --a------ C:\WINDOWS\SWFConverter.INI
2008-01-26 13:08 . 2008-01-26 13:08 <DIR> d-------- C:\Documents and Settings\Rick.DESK\Application Data\VSRevoGroup
2008-01-26 13:07 . 2008-01-26 13:07 <DIR> d-------- C:\Program Files\VS Revo Group
2008-01-26 03:19 . 2008-01-26 03:19 <DIR> d-------- C:\Program Files\Moyea
2008-01-26 03:19 . 2008-01-26 03:19 <DIR> d-------- C:\Documents and Settings\Rick.DESK\Application Data\Moyea
2008-01-26 01:45 . 2008-01-26 01:45 <DIR> d-------- C:\Documents and Settings\Rick.DESK\Application Data\Talkback
2008-01-26 01:43 . 2008-01-31 03:18 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-01-26 01:43 . 2008-01-26 01:43 <DIR> d-------- C:\Documents and Settings\Rick.DESK\Application Data\Thunderbird
2008-01-26 00:13 . 2008-01-26 00:13 <DIR> d-------- C:\Program Files\Quick StartUp
2008-01-25 23:38 . 2008-01-25 23:39 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-01-25 23:19 . 2008-01-25 23:19 <DIR> d-------- C:\Program Files\Foxit Software
2008-01-23 23:33 . 2008-01-24 21:30 <DIR> d-------- C:\Program Files\AVI Joiner
2008-01-23 19:12 . 2008-01-23 19:12 <DIR> d-------- C:\Program Files\Easy Video Joiner
2008-01-10 16:28 . 2008-01-10 16:28 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 19:55 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\Free Download Manager
2008-02-01 08:55 --------- d-----w C:\Program Files\MSTpscre
2008-02-01 05:54 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\uTorrent
2008-02-01 03:34 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-01 00:11 --------- d-----w C:\Program Files\Nero
2008-01-31 09:18 --------- d-----w C:\Program Files\DivX
2008-01-31 08:15 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-29 07:58 --------- d-----w C:\Program Files\xnews
2008-01-29 06:55 --------- d-----w C:\Program Files\MediaMonkey
2008-01-26 19:20 --------- d-----w C:\Program Files\uTorrent
2008-01-26 19:20 --------- d-----w C:\Program Files\Music Challenge
2008-01-26 19:20 --------- d-----w C:\Program Files\GoldWave
2008-01-26 01:07 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\LimeWire
2008-01-13 02:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-01-10 07:23 --------- d-----w C:\Program Files\LimeWire
2007-12-30 19:35 --------- d-----w C:\Program Files\TomTom DesktopSuite
2007-12-28 04:51 --------- d-----w C:\Program Files\TomTom HOME 2
2007-12-28 04:51 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\TomTom
2007-12-28 04:51 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\TomTom
2007-12-28 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 04:50 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\InstallShield
2007-12-12 09:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-06 06:25 --------- d-----w C:\Documents and Settings\Rick.DESK\Application Data\VMK Pal
2007-12-06 06:24 --------- d-----w C:\Program Files\VMK Pal
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA09A9FA-AD5C-48FD-9D38-BBE36AF5AC03}]
C:\WINDOWS\system32\vturs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:07 15360]
"Desktop Architect"="C:\Program Files\Desktop Architect\datray.exe" [2001-05-07 19:35 53248]
"Aim6"="" []
"Start WingMan Profiler"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-22 17:32 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Updater Machine"="windows_update.exe" []

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
IEEE 802.11g USB Wireless LAN Utility.lnk - C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe [2007-06-05 21:13:57 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawvt]
fccawvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

R1 asyncmacc;asyncmacc;C:\WINDOWS\system32\drivers\asyncmacc.sys [2008-01-31 23:48]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-09-27 14:50]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 12:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81cc0ac9-ae8a-11dc-86a1-000d870402c0}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 14:13:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Desktop Architect\dashell.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-01 14:20:12 - machine was rebooted [Rick]
ComboFix-quarantined-files.txt 2008-02-01 20:20:10
.
2008-01-09 09:01:51 --- E O F ---



--------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:18 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\compfix\compfix.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CA09A9FA-AD5C-48FD-9D38-BBE36AF5AC03} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [System Updater Machine] windows_update.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fccawvt - fccawvt.dll (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7599 bytes

Edited by richkrack, 01 February 2008 - 07:59 PM.
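As an added example (not part of the original post, and not HijackThis's own logic), the script below walks HijackThis log lines like the ones posted above and flags the loading points a malware helper would look at first: entries marked "(file missing)" (a registry loading point whose DLL has already been removed, so the entry is orphaned), a BHO with no name, a RunServices entry and a startup command given as a bare filename, a Winlogon Notify DLL (loaded into winlogon.exe at logon), and a service whose binary carries no company name. The sample input is copied from the log above; the rule set and thresholds are my heuristics and deliberately conservative, so a clean line such as the ctfmon.exe or Adobe entries is left alone.

```python
"""Triage a HijackThis log: flag loading points that deserve a second look."""
import re
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA09A9FA-AD5C-48FD-9D38-BBE36AF5AC03} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [System Updater Machine] windows_update.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccawvt - fccawvt.dll (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Windows 9x-era autostart keys; software written for NT/XP rarely uses them.
LEGACY_RUN_KEYS = {"RunServices", "RunServicesOnce"}


def flags_for(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis line is suspicious."""
    reasons: List[str] = []

    # HijackThis itself marks entries whose target file no longer exists.
    if "(file missing)" in line:
        reasons.append("orphaned loading point: the referenced file is gone but the registry entry remains")

    # Legitimate browser add-ons almost always register a display name.
    if line.startswith("O2 - BHO: (no name)"):
        reasons.append("BHO registered without a name")

    m = O4_RE.match(line)
    if m:
        if m.group("key") in LEGACY_RUN_KEYS:
            reasons.append(f"{m.group('key')} is a Windows 9x-era key; modern software rarely writes it")
        cmd = m.group("cmd").strip()
        # First token is the executable; it may be quoted when the path has spaces.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe:
            reasons.append("startup command is a bare filename, not an absolute path; its real location is unknown from the log")

    # Winlogon notification packages run inside winlogon.exe before the user shell.
    if line.startswith("O20 - Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL: loads into winlogon.exe at logon, verify against a known-good list")

    # "Unknown owner" means the binary has no company name in its version info.
    if line.startswith("O23 - Service:") and " - Unknown owner - " in line:
        reasons.append("service binary carries no company name in its version info")

    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = flags_for(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, the script flags four lines: the unnamed BHO pointing at the missing vturs.dll, the RunServices entry that launches windows_update.exe by bare filename, the missing fccawvt.dll Winlogon Notify package, and the LicCtrl service with no owner. The "(file missing)" marks are the interesting part here: ComboFix's earlier run already deleted several random-named DLLs from system32, and these registry entries are what was left behind.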



#2 richkrack
  • Topic Starter
  • Members
  • 2 posts

Posted 01 February 2008 - 07:40 PM

Followup - I ran both the BitDefender Online and TrendMicro Online (Housecall) scans and both found some malware and deleted it. However, the problem, as described above, has not gone away.

#3 OldTimer
  • Malware Expert
  • Members
  • 11,092 posts
  • Location:North Carolina

Posted 07 February 2008 - 12:51 AM

Hello richkrack and welcome to the BC HijackThis forum. Let's see what we can find.

Before running the scan let's clean out the temporary folders.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer