
Popup trouble and HiJackThis


  • This topic is locked
4 replies to this topic

#1 jlacroix

jlacroix

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 10 May 2004 - 08:10 AM

Greetings,

I have two bits of trouble that I believe may be tied together. About a week ago I started getting popups. I ran Ad Aware, Spy Sweeper and Pest Patrol. When none of those applications fixed my popup problems, I removed all of them except Pest Patrol. During this time I noticed that it now takes quite a bit of time to boot. I used to be able to boot to a login prompt within 15 seconds or so. Now it takes about two minutes or longer at times.

Here is the Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:30:40 AM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\wparad.exe
C:\WINNT\System32\ctfmon.exe
C:\Documents and Settings\Kevin\Application Data\swol.exe
C:\WINNT\System32\msiexec.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7soi3ne] wparad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Arma] C:\Documents and Settings\Kevin\Application Data\swol.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8113.5044328704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com/ActiveX/WebformControl2.cab

Thanks in advance for your help.

Joe


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:27 AM

Posted 10 May 2004 - 11:51 AM

Hi jlacroix and welcome.

I have a couple of questions for you before we get started. Could you give me a little insight on what kind of environment you are in? Office or school network, etc.?

You have an anomaly as to your main system folder. HijackThis says you are running XP but its system folder is WINDOWS and yours apparently is WINNT, which is the system folder for Windows 2000/NT. Any ideas why this is?

What I would like you to do right now is run some free online scans. Please run them in this order & let us know if any malware is found & whether it is cleaned up or not. Then post another HT log.

TrendMicro's HouseCall:
http://housecall.trendmicro.com/

Panda's ActiveScan:
http://www.pandasoftware.com/activescan/

GFi's TrojanScan:
http://www.trojanscan.com/

Also we recommend that you run AdAware AND Spybot Search & Destroy before fixing items with HijackThis. They won't catch everything but that doesn't mean they are useless. If you keep them updated before you run them (this is essential), they will keep your system clean of known spyware & parasites. The unknown is what HijackThis is for. Please take a few minutes to review our tutorials on these programs.

Ad-Aware Tutorial
Spybot - S&D Tutorial

Also this:
Understanding Spyware

However, your log is relatively clean spyware-wise. HT has revealed some unknown files & I'm hoping the online scans will root them out. If not we will deal with them first, then address your bootup issues if that isn't corrected.

The thing about people

is they change

when they walk away.--Mipso


#3 jlacroix

jlacroix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 10 May 2004 - 11:58 AM

I am running in a Netware 6 network. Small office, 15 users or so. We are behind a firewall if that matters.

This is a laptop that has not been changed any since purchase, so I cannot comment on why the software is not in a WINNT folder. But the machine is Windows XP.

I will run the online scans and post back.

Thanks for your help.
Joe

#4 jlacroix

jlacroix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 10 May 2004 - 02:51 PM

Here is what happened.

Scanned with Trend Micro's product. It found these problems and could not fix them, so I deleted the infected files. These are the trojans that it picked up.

BuddyLink.A
Istbah.DH
Revop.A
Small.Go
Sandbox
Porndial.BP
Stilen.A
Dialer.H

Then I ran Panda Software's product. One problem child existed.

Tri/Downloader.CL

GFI's Trojan scan was stuck on one folder that I had to remove from the scan list: c:\winnit\system32\novell\nici\system. Once I deselected that folder, the scan ran through without finding a problem.

Here is the HijackThis log, run after all other scans were run.

Logfile of HijackThis v1.97.7
Scan saved at 3:45:08 PM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\wparad.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Novell\GroupWise\GrpWise.exe
C:\Novell\GroupWise\GWSync.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7soi3ne] wparad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O9 - Extra button: Research (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8113.5044328704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com/ActiveX/WebformControl2.cab



Thanks again,
Joe

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:27 AM

Posted 11 May 2004 - 12:24 PM

Hi jlacroix,
Sorry for the delay, but it can't be helped.

Here are a few things for you to do. First, I want you to fix some items with HijackThis.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.

R3 - Default URLSearchHook is missing
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Reboot.

Then I want you to go to this site and have the following file scanned by Kaspersky Labs.

wparad.exe

You may need to do a file Search to know where to browse to, since the file path doesn't appear in HT. If KL recommends deletion I suggest you do so. If it's just suspicious or unknown, I suggest you zip it up to disable it. You can get a little payback to whoever put this on your machine by submitting the file for analysis, either to KL or to your own AV vendor, which seems to be Symantec.

To zip a file--in Windows XP right-click the file and select Send To>Compressed (zipped) Folder. Then double-click the .zip folder> File>Add a password. Make the password something simple like "badfile" & include the password in your email message to the vendor. Attach the zip file to this message and send it to the vendor.

In the case of Symantec, follow the instructions on this page: http://service1.symantec.com/SUPPORT/nav.n...src=sec_web_nam

Let me know how that goes. Then scan again with HijackThis and see if you still have an entry in HijackThis similar to the following & delete if so.

O4 - HKLM\..\Run: [7soi3ne] wparad.exe

Now turn off System Restore & then turn it back on again. Instructions can be found here:

Windows XP System Restore Guide

Rescan with HijackThis and post another log. Let me know if the popups are gone & if there is any improvement in boot speed.

The thing about people

is they change

when they walk away.--Mipso
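The triage Papakid walks through above (spotting the `[7soi3ne] wparad.exe` Run entry, the `swol.exe` started from Application Data, the MediaTickets DPF download and the orphaned URLSearchHook) can be reduced to a few mechanical checks over the log lines. The following is an added example, not code from this thread, from BleepingComputer or from HijackThis itself: a small Python parser for the R3, O4 and O16 line formats with defender-side heuristics. The heuristics (machine-looking Run value names, executables given without a path, programs started from a user profile directory, ActiveX controls fetched from a domain outside a short trusted list, a URLSearchHook whose file is gone) and the `TRUSTED_DPF_DOMAINS` allowlist are assumptions of this example, and `SAMPLE_LOG` is a constructed subset of the lines jlacroix posted in posts #1 and #4.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.97.7 lines jlacroix posted in this
# thread (posts #1 and #4), kept as they appear there, including the "..." the forum
# software inserted into long URLs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [7soi3ne] wparad.exe
O4 - HKCU\..\Run: [Arma] C:\Documents and Settings\Kevin\Application Data\swol.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""

# Line shapes for the three HijackThis sections this example looks at.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.*)$")

# Assumed trusted download sites for O16 ActiveX controls (an allowlist chosen for this
# example, not a HijackThis feature): Windows/Office Update, Flash, and the two online
# scanners used in the thread.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com", "akamai.net",
                       "pandasoftware.com", "trendmicro.com")

# Directories a properly installed program rarely autostarts from.
PROFILE_DIR_RE = re.compile(r"\\(Documents and Settings|Application Data|Temp)\\", re.I)


def looks_random(name: str) -> bool:
    """Crude check for a generated Run value name such as '7soi3ne':
    five or more characters, letters and digits only, with at least one of each."""
    return (re.fullmatch(r"[A-Za-z0-9]{5,}", name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def domain_trusted(url: str) -> bool:
    """True when the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def executable_of(cmd: str) -> str:
    """Best-effort extraction of the program from a Run value: a quoted path is taken
    whole; otherwise the first whitespace-delimited token, which is enough to tell a
    bare name like 'wparad.exe' from something with a drive and directory."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> list:
    """Return one finding per suspicious line: {'line': ..., 'reasons': [...]}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if (m := O4_RE.match(line)):
            name, cmd = m["name"], m["cmd"]
            if looks_random(name):
                reasons.append("Run value name looks machine-generated")
            if "\\" not in executable_of(cmd):
                reasons.append("bare executable name, no path (resolved through the search order)")
            if PROFILE_DIR_RE.search(cmd):
                reasons.append("starts a program from a user profile directory")
        elif (m := O16_RE.match(line)):
            if not domain_trusted(m["url"]):
                reasons.append("ActiveX control downloaded from a domain outside the trusted list")
        elif (m := R3_RE.match(line)):
            if m["file"].strip() == "(no file)":
                reasons.append("URLSearchHook registered but its file is missing")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run on the sample it prints the same four lines a human reviewer picked out of the thread, with the `7soi3ne` entry carrying two reasons (generated name and no path). An allowlist like this only narrows the list for a person to look at: the WebForm control from `files.stf.com` in the full log would land in the review list as well, which is the intended behaviour for anything the list does not know.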




