Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop-up/browser Hijack


  • This topic is locked This topic is locked
2 replies to this topic

#1 finalrights

finalrights

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 08 February 2006 - 02:03 PM

I seem to have most of the pop-ups coming from 64.194.221.33.
I've tried blocking this ip in HOST files,but it doesnt work. I've also run both Spybot/Spyblaster and Ad-Aware. Both are up to date on definitions. I can't run House Call because it won't stay on the page long enough to run a scan.

Logfile of HijackThis v1.99.1
Scan saved at 1:01:07 PM, on 2/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TBPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.gamefaqs.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.gamefaqs.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Tim\Desktop\New Folder\HijackThis.exe /startupscan
O4 - Startup: Q329115_WXP_SP2_X86[1].exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\nk4_disp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Mod Edit - Moved to appropriate forum - Leurgy

Edited by Leurgy, 08 February 2006 - 04:26 PM.


BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 09 February 2006 - 09:46 AM

Hi Tim and welcome to the forum. You have this: Winlogon Notify App Management, App Paths, Applets, BITS, Control
Panel, Controls Folder, CSCSettings, DateTime, Dynamic
Directory, Explorer X random named dll in the System32 folder Variant of Adware.Look2Me

and the free trial of SpySweeper usually remove it if the directions are followed. Before I give you that information, I am super concerned about this one: O4 - Startup: Q329115_WXP_SP2_X86[1].exe
My scanners are giving me two possibles and they are both severe security risks. I will post information about both, you use the information to do what you need to as a result of this security breach:

1) http://www.symantec.com/avcenter/venc/data...an.esteems.html
2) http://securityresponse.symantec.com/avcen...l.bancos.x.html

I would take action right away, notify your bank, whatever else Symantec suggests for protecting your security. We will remove the Look2me first and perhaps SpySweeper will kill this trijan? If not, we will go after it next,tThanks.

We need to download: Spy Sweeper 4.5 - Free Trial at the bottom of this page, no other product will help us:
http://www.webroot.com/consumer/products/s...er/latestv.html Then follow these directions:

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer >>> very important

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - Startup: Q329115_WXP_SP2_X86[1].exe
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\nk4_disp.dll (if there)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart again and post the SpySweeper log with a new HJT log and your comments.

We will probably need to do more with that trojan?

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:09:55 PM

Posted 19 February 2006 - 06:11 PM

There has been no response to this topic in ten days :thumbsup:

This topic is closed
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users