Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sponsored Links And Searchpopups


  • Please log in to reply
5 replies to this topic

#1 D from KY

D from KY

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 25 October 2005 - 07:40 AM

Recently I have started getting keyword popups. I have scanned with Spybot, AdAware, and Avast. Found some problems and corrected but the popups continue as do the green sponsored links. I use google toolbar with popup blocker but no help. Win Messaging is defeated as well. Here is hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:35:16 AM, on 10/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\MSI\i-Speeder\i-Speeder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michael DeLand.MIKE_PC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mikey's Browser
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\system32\nsf1D9.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tunebite] C:\Program Files\tunebite\tunebite.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Bookmark Master - {B6DE1DA0-9C51-4D75-B634-60ECB031D70E} - C:\Program Files\BookMark Master\FavMM.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

Edited by D from KY, 25 October 2005 - 07:54 AM.


BC AdBot (Login to Remove)

 


#2 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:31 AM

Posted 26 October 2005 - 07:17 AM

Hello,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Posted Image

#3 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:31 AM

Posted 26 October 2005 - 11:55 AM

Hello,

You are currently running HijackThis from the desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted.

You dont appear to be using a firewall, please download one of the following. ZoneAlarm, Sygate Personal Firewall and Kerio Personal Firewall are good free firewalls. Never install more than one firewall on your system!

You will have to close this window so you might want to save these instructions to Notepad, or print them out.

Please run HijackThis and click "Scan." Place checks next to the following entries:

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\system32\nsf1D9.dll

Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis remove the entries you checked.

Go to the Start Menu, click "Run", and in the window type cleanmgr. This will run the System Cleanup program. Make sure the box next to "Temporary files" is checked, and then click "OK".

Reboot

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log

There is no need to PM me a new log, just use the ADD REPLY button to continue in this thread.
Posted Image

#4 D from KY

D from KY
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 26 October 2005 - 02:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:46:14 PM, on 10/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\tunebite\tunebite.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michael DeLand.MIKE_PC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mikey's Browser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINNT\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Tunebite] C:\Program Files\tunebite\tunebite.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Bookmark Master - {B6DE1DA0-9C51-4D75-B634-60ECB031D70E} - C:\Program Files\BookMark Master\FavMM.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Michael DeLand.MIKE_PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-55aa8cb4.class
Possible Virus. No disinfected C:\Documents and Settings\Michael DeLand.MIKE_PC\Start Menu\Programs\Shockwave.com\Jewel Quest\jewelres.dll
Adware:Adware/IWon No disinfected C:\RECYCLER\S-1-5-21-343818398-152049171-854245398-1000\Dc20\backup-20051024-233341-233.inf
Adware:Adware/IST.ISTBar No disinfected C:\WINNT\Downloaded Program Files\ISTprotect.inf
Adware:Adware/Pacimedia No disinfected C:\WINNT\Downloaded Program Files\pcs_0002.exe
Adware:adware/ist.yoursitebar No disinfected C:\WINNT\Downloaded Program Files\YSBactivex.dll
Dialer:Dialer.Gen No disinfected C:\WINNT\Hackersnake[hnc-10037,de,1].exe
Adware:Adware/Pacimedia No disinfected C:\WINNT\system32\APD123.exe
Adware:Adware/ISearch No disinfected C:\WINNT\system32\MTE2ODM6ODoxNg.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINNT\system32\PreUninstallQL.exe
Adware:adware/searchresults No disinfected C:\WINNT\system32\qlink32.dll

#5 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:31 AM

Posted 27 October 2005 - 06:44 AM

Hello,

IMPORTANT You are currently running HijackThis from the desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Create a folder on your desktop and move Hijack This into it.

I'm still seeing no evidence of a firewall, did you install one. If you dont install one then you are leaving yourself wide open to malicious attacks. Read this link here for good reasons why you should install one.


Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Post a new Hijack This log and the Ewido log.

Are you still having problems??
Posted Image

#6 D from KY

D from KY
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 27 October 2005 - 07:09 AM

I manually removed the following
Dialer:Dialer.Gen No disinfected C:\WINNT\Hackersnake[hnc-10037,de,1].exe
Adware:Adware/Pacimedia No disinfected C:\WINNT\system32\APD123.exe
Adware:Adware/ISearch No disinfected C:\WINNT\system32\MTE2ODM6ODoxNg.exe
Spyware:Spyware/LinkReplacer No disinfected C:\WINNT\system32\PreUninstallQL.exe
Adware:adware/searchresults No disinfected C:\WINNT\system32\qlink32.dll
Problem went away.
Many thanks. Will install zonealarm today




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users