Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Viruses, popups and spyware


  • Please log in to reply
3 replies to this topic

#1 Cantankerous

Cantankerous

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 18 July 2005 - 08:09 AM

Please help. Computer had a lot of spyware, removed with Adware, but didn't get everything. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 9:01:50 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\cscrmap.exe
C:\WINDOWS\System32\aaarrp.exe
C:\WINDOWS\cskware.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\windows\system32\ppdmzn.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\WINDOWS\System32\97_Ventura4_4_0_3_7.exe
C:\WINDOWS\system\clli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\crtroxy.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\w?nspool.exe
C:\Ps2000\Prt9532.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ProSiteFinder\prositefinderh.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\christinaf\Desktop\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {00000000-0000-42AE-B15F-AD676CFC31B5} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {621182C3-2908-8578-B60F-7C5130483F0A} - C:\WINDOWS\cdapp\noacrmuncl.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezwj32.exe
O4 - HKLM\..\Run: [x3sQ3sW] cscrmap.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\aaarrp.exe reg_run
O4 - HKLM\..\Run: [xware] "C:\WINDOWS\cskware.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ppdmzn] c:\windows\system32\ppdmzn.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [g034Riamg] crtroxy.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [qizi] C:\PROGRA~1\COMMON~1\qizi\qizim.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Pyeud] C:\WINDOWS\System32\w?nspool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dddk.exe
O4 - Global Startup: Printscreen 2000.lnk = C:\Ps2000\Prt9532.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O15 - Trusted Zone: *.filesharingaccess.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosxxy.mht!http://filesharingaccess.com/script/lc.chm::/Bridge-c139.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://filesharingaccess.com/data/cskware.chm::/cskware.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = condorcap.local
O17 - HKLM\Software\..\Telephony: DomainName = condorcap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = condorcap.local
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

BC AdBot (Login to Remove)

 


m

#2 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 20 July 2005 - 03:08 AM

Please download miekiemoes' LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and please post a new HijackThis log.

#3 Cantankerous

Cantankerous
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:20 AM

Posted 21 July 2005 - 10:48 AM

I tried booting in Safe Mode by setting up the msconfig boot.ini for safeboot rather than using the F8 key. However, the computer is password locked and the user password doesn't work and now not only can I not get into the computer in safe mode, I can't get it to boot normally. Any suggestions? Thanks.

EDIT: Well, that problem is solved, but I couldn't run the program in Safe Mode and since it's a company computer, we're not going to go messing with stuff for now. But thanks for all your help.

Edited by Cantankerous, 21 July 2005 - 12:13 PM.


#4 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 21 July 2005 - 03:20 PM

Are you sure? We can use normal mode to remove this bleep, it's just easier to use safe mode to remove items. Let me know if you want to proceed we can still remove items in that log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users