Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware warning messages


  • This topic is locked This topic is locked
2 replies to this topic

#1 Tuscany

Tuscany

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:57 PM

Posted 13 June 2005 - 09:35 AM

I am getting "Spyware Warning - Microsoft Internet Explorer" and "Warning - Microsoft Internet Explorer" , etc. popups every 30 seconds or so. I ran Hijackthis. This is the logfile that was created:

Logfile of HijackThis v1.99.1
Scan saved at 8:32:22 AM, on 6/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\nslsvice.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltcm000c.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\system32\PELMICED.EXE
C:\WINNT\system32\RUNDLL32.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\WINNT\system32\msxct.exe
C:\WINNT\system32\alrsvc52.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\vpnrkn.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINNT\system32\ca.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [AMOClient] "C:\SYSMGT\TNGAMr\AGENTS\umclogin.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [1c7b2bd19245] C:\WINNT\system32\alrsvc52.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vpnrkn.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINNT\sfita.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll (file missing)
O15 - Trusted Zone: *.csc.com (HKLM)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - https://amer-st09.amer.csc.com/sametime/stm...STJNILoader.cab
O23 - Service: Asset Management Remote Agent (AMrAgent) - Unknown owner - C:\SYSMGT\TNGAMr\AGENTS\UAMrStub.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe (file missing)
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoRT.exe (file missing)
O23 - Service: eTrust Antivirus Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoTask.exe (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINNT\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

Can someone help me understand what I need to do next to fix this problem?

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 AM

Posted 13 June 2005 - 04:35 PM

Hello,

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

*Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\Searchx.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\system32\stlb2.dll
O2 - BHO: Cas - {B5F3970B-745E-46AC-B890-E08F69777D80} - C:\WINNT\system32\ca.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\system32\stlb2.dll
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [saap] c:\program files\180search assistant\saap.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [1c7b2bd19245] C:\WINNT\system32\alrsvc52.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vpnrkn.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINNT\sfita.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll (file missing)
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - https://amer-st09.amer.csc.com/sametime/stm...STJNILoader.cab


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`: ( without networking support !)
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\system32\msxct.exe
C:\WINNT\system32\alrsvc52.exe
C:\WINNT\system32\vpnrkn.exe
c:\program files\180search assistant <== folder
C:\WINNT\system32\wintask.exe
C:\Program Files\sf <== folder
C:\WINNT\sfita.exe

Search for next: most probably present in your C:\WINNT or C:\WINNT\System32:

E6F1873B.DLL
D9EBC318C
D0CE0C16B1
D0CE0C16B1
AUNPS2.DLL

* Still in safe mode Run Ccleaner and click Run Cleaner (bottom right)

* Reboot your system back to normal mode.

Download FindQoologic.zip save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder. Preferable to your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text opens.
Post this in your next reply together with a new hijackthislog.

If you are getting an error when running findqoologic similar to: ''C:\winnt\system32\cmd.exe
C:\winnt\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..

Go to next site and use the right fix for your system:
http://www.tech-forums.net/computer/topic/29806.html

Run findqoologic again afterwards.

Edited by miekiemoes, 13 June 2005 - 04:35 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:57 AM

Posted 23 June 2005 - 07:47 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users