Pop-ups, Random Underlined Words, PLEASE HELP!



#1 sugarquill

Posted 21 April 2005 - 02:44 AM

I recently went to this site and suddenly, I have a toolbar, pop-ups are popping every few minutes and freezing the computer up, there are random words on Internet pages underlined as links, icons labelled "Free MP3s!" and the like are appearing on my desktop, and I think they're all centered around this thing called "WebSearch." :thumbsup: I did a whole lot of scanning, deleting, removing, etc., and the toolbar and icons have gone. There haven't been any pop-ups for about 20 minutes now, so maybe they're gone too, but there are still those underlined links! :flowers: I've gone through my log a couple of times, and I want someone to see if there's something critical in it. :trumpet: I've used Dr. Delete, APT, Ad-Aware, SpyBot: Search & Destroy, and HijackThis v.1.99.1. If you need any more information, please post! :inlove:



Logfile of HijackThis v1.99.1
Scan saved at 17:33:57, on 21/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winupdt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nkvmzz.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msjanman.exe
C:\WINDOWS\System32\msntrust.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\DOCUME~1\Second\LOCALS~1\Temp\Rar$EX00.277\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsyBC.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [┾觫謏X櫆擁姡燃凉綜:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [<棋螜?U逅莔$
C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [澑? 4}<?
?5]C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [3苾?仢"E鎕o?7U諟C:\Program Files\ISTsvc\istsvc.exe] NY鄝??P???:儲?uZ56 ?5?5ZI??塚?U}k-㊣??
O4 - HKLM\..\Run: [Q1?囹?&%腹匲f驶W婥:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [澑? 4}<?
?5]C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [}fN憈qZk谭鸞~:纕幀祠C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [w縚?穌)y:Cpxx0撘C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [磈N轩怠棓q??砦泟宼C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [/] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [bO?]讁-瘜] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nkvmzz.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [蕏ぐ蕳c姆须#??m/`BC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tcvvgf.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteift32.exe
O4 - HKLM\..\Run: [dnouwdz] c:\windows\system32\escejb.exe
O4 - HKLM\..\Run: [p72Q3pX] msntrust.exe
O4 - HKLM\..\RunServices: [Windows API Structure] win.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kffu] C:\PROGRA~1\COMMON~1\kffu\kffum.exe
O4 - HKCU\..\Run: [Ywt4Rfbph] msjanman.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Second\Application Data\DownloadPlus.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
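
A first-pass triage of the O4 (autostart) lines in a HijackThis log like the one above, as an added example that is not part of the original post or of HijackThis itself. The function names, the three heuristics and the threshold are assumptions for illustration; a flag means "inspect this entry manually", not a verdict on the file.

```python
import re
from collections import defaultdict

# O4 lines are registry autostart entries: "O4 - HIVE\..\Key: [value name] command".
# The greedy (.*) keeps a ']' that occurs inside the value name in the name.
O4_RUN = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.+)$')

def parse_o4(log_text):
    """Return (hive, key, value_name, command) for each O4 registry line."""
    return [m.groups() for m in map(O4_RUN.match, log_text.splitlines()) if m]

def triage(entries, repeat_threshold=3):
    """Map lower-cased command -> sorted reasons it deserves a manual look."""
    names_by_cmd = defaultdict(set)
    for _hive, _key, name, cmd in entries:
        names_by_cmd[cmd.lower()].add(name)
    flags = defaultdict(set)
    for _hive, _key, name, cmd in entries:
        key = cmd.lower()
        if not (name.isascii() and name.isprintable()):
            flags[key].add("non-ASCII or unprintable value name")
        if len(names_by_cmd[key]) >= repeat_threshold:
            flags[key].add("same command under many value names")
        if "\\" not in cmd:  # resolved through the search path at logon
            flags[key].add("no directory in command")
    return {cmd: sorted(reasons) for cmd, reasons in flags.items()}

# Sample: lines 1, 2, 5 and 6 are from the log above; the value names in
# lines 3 and 4 are constructed (a ']' inside the name, a non-ASCII name).
SAMPLE = "\n".join([
    r"O4 - HKLM\..\Run: [CountrySelection] pctptt.exe",
    r"O4 - HKLM\..\Run: [/] C:\WINDOWS\tcvvgf.exe",
    r"O4 - HKLM\..\Run: [bO?]x] C:\WINDOWS\tcvvgf.exe",
    r"O4 - HKLM\..\Run: [" + "\u00e9\u00e8" + r"] C:\WINDOWS\tcvvgf.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe",
])

if __name__ == "__main__":
    for command, reasons in triage(parse_o4(SAMPLE)).items():
        print(command, "->", "; ".join(reasons))
```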


#2 OldTimer

    Malware Expert



Posted 21 April 2005 - 01:15 PM

Hi sugarquill and welcome to the BC forums. Your computer is pretty heavily infected so let's start out with some basic scans that you have not used yet and see what's left. Please proceed with the following steps in order:

Step #1

Please run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #2

Download and install ewido security suite (the free version). Start the program and update it. Then run a full system scan.

Step #3

Download and install the Microsoft AntiSpyware Beta. Update the program and let it do a complete scan. This may take a little while so be patient. Perform the fixes that it suggests.

Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Some of the infections will not be removed with the above scans but we need to knock down what we can before attempting to repair them.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 sugarquill


Posted 22 April 2005 - 07:18 PM

Hey, thanks for the reply. :thumbsup: I just thought I'd drop in and tell you what's troubling me. I tried to use the Panda Online Scan, but the first time I did it, in the middle of the scan, some pop-ups (grr) froze up the computer and eventually it told me to end the "non-responsive program: Internet Explorer", so I had to end the scan. When I tried it again, the scan just froze up and the window blanked out, and I waited but nothing happened. After that, I d'loaded Ewido and clicked on "scanner", and in about 3 hours it got 4.0% done. I had to turn the comp off then, so the scan had to be cancelled. :flowers: It's driving me nuts. I'm going to try the other two online scans, but I have no idea what to do with Ewido, and I haven't even tried the other two programs yet. Also, the Panda Online Scan was taking FOREVER! Do you have any idea why it's so slow??

#4 OldTimer


Posted 22 April 2005 - 09:29 PM

Hi sugarquill. I suspect that all of the infections are fighting the scanners. There are a couple of big problems. One is that your operating system is extremely outdated and thus you are susceptible to everything bad that is out there. Once we get you cleaned up we will want to upgrade your operating system to Service Pack 2.

The second problem is that you are not running any kind of anti-virus application and thus you have become infected with all of these infections. It's like a feeding ground on your computer.

Try the other scans and if nothing works we can attempt to eliminate the infections manually. But be forewarned, it will take some time to accomplish this and we will have to proceed a little at a time. Don't worry, we can do it.

Cheers.

OT

#5 sugarquill


Posted 01 May 2005 - 03:36 AM

Hi!!! :cool: Sorry it took me so long to reply. My computer wouldn't connect to the internet no matter what my brother tried and it kept restarting itself at random!!! :flowers: Yeah, I felt like kicking it. Well, my bro formatted it and now it's fine, but I just wanted to thank you SOO MUCH for your time and effort and everything! I'm just glad to know that, next time if I have a problem (and I probably will), I'll have someone to ask on. :thumbsup: So thanks! :trumpet: Hehe, so happy now that my compie's all better... :inlove: Lol. Thanks again!

#6 OldTimer


Posted 01 May 2005 - 09:59 AM

Hi sugarquill. I'm sorry that you had to reformat but sometimes that is the best way when there are many infections. Here are some tips and applications I recommend now that you are clean. I strongly encourage you to upgrade your operating system to Service Pack 2 and get all of the Critical Updates that are available. After that, check monthly for any new updates.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall and a good antivirus application like the ones you are currently using. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT