Popups


13 replies to this topic

#1 vlynno

Posted 09 February 2006 - 01:06 PM

I have a Windows XP machine that I can't seem to get clean. I'm having a problem with popups when I run Internet Explorer. Can you look at the hijack log for me?


Logfile of HijackThis v1.99.1
Scan saved at 12:56:44 PM, on 2/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\wuauclt.exe
\border\sys\public\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Common Files\SkyTracker 13 Desktop Weather Center\TrueWeather.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.8:8081
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\8h3u5zhg.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: SkyTracker 13 Desktop Weather Center.lnk = C:\Program Files\Common Files\SkyTracker 13 Desktop Weather Center\TrueWeather.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#2 pskelley

Posted 11 February 2006 - 07:02 AM

Hello and welcome to the forum. I see a couple of items that could be responsible for adware popups, let's do this.

1) What's this? \border\sys\public\clntrust.exe

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) Open your ewido and choose update. Allow that to run until complete, then open the scanner and choose complete system scan. Have ewido remove everything it locates unless you know it is not bad. Save that scan report, I must see it.

4) If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and your feedback, including any information I requested above.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 vlynno (Topic Starter)

Posted 15 February 2006 - 02:29 PM

Sorry it has taken so long to reply.

\border\sys\public\clntrust.exe
This is a client trust key for Novell Authentication to allow internet access. It is supposed to be there.

I followed the instructions in http://tomcoyote.org/aawsb.php and removed everything that came up.

While the Ewido scan was running McAfee found 2 files that were adv640(1).htm vir.

Ewido scan



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:16:43 PM, 2/15/2006
+ Report-Checksum: B90D8F31

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Targetnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Zedo : Cleaned with backup


::Report End



Hijackthis report


Logfile of HijackThis v1.99.1
Scan saved at 2:23:07 PM, on 2/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wuauclt.exe
\border\sys\public\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.8:8081
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\8h3u5zhg.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#4 pskelley

Posted 15 February 2006 - 07:58 PM

That's OK, I don't close them until after at least a week goes by. Thanks for completing the instructions. I did not get any feedback from you to let me know if this helped with the popups.

ewido anti-malware - Scan report Created on: 2:16:43 PM, 2/15/2006
Clean everything it located; I suggest you clean out the Yahoo quarantine folder.
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Logfile of HijackThis v1.99.1 Scan saved at 2:23:07 PM, on 2/15/2006
The log appears to be clean, so here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
http://cybercoyote.org/security/not-admin.shtml

If you are still experiencing popups please tell me some more about them: where do they appear to be coming from, and how frequently are they occurring? Do you have the popup blocker in your Google toolbar activated?

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
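Reading an HJT log the way the helper above does means looking at each section code and asking a few fixed questions of it: does the registered file still exist, is a Run entry given as a bare filename, where does an ActiveX control (O16) download from, and is a proxy set. The script below is an added example written for this page; it is not code from this thread, from HijackThis or from its author. The sample lines are copied from the first log in this thread, and the review rules are this editor's own heuristics: they surface entries worth a closer look, they do not decide that anything is malicious.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of HijackThis v1.99.1 lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.8:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
"""

# Every HJT entry starts with a section code (R0, O2, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def run_command(body):
    """For an O4 entry 'HKLM\\..\\Run: [Name] command args', return just the executable part."""
    m = re.search(r"\]\s*(.+)$", body)
    if not m:
        return ""
    cmd = m.group(1).strip()
    if cmd.startswith('"'):                 # quoted path: take everything up to the closing quote
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]                   # unquoted: the first token is the executable


def triage(entries):
    """Apply review heuristics (this editor's, not HijackThis's). Returns (section, reason, body) tuples.
    These mark items worth a closer look; none of them is a verdict on its own."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            findings.append((section, "orphaned registration: the referenced file no longer exists", body))
        if section.startswith("R") and "ProxyServer" in body:
            findings.append((section, "proxy configured: confirm it belongs to your own network", body))
        if section == "O4" and not re.match(r"^[A-Za-z]:\\|^\\\\|^%", run_command(body)):
            findings.append((section, "Run entry without a full path: the executable is resolved by PATH search", body))
        if section == "O16":
            url = re.search(r"https?://\S+", body)
            host = urlparse(url.group(0)).hostname if url else "(no url)"
            findings.append((section, f"ActiveX control downloaded from host: {host}", body))
    return findings


def section_counts(entries):
    """How many entries of each section code the log contains, e.g. {'O4': 2, ...}."""
    return dict(Counter(section for section, _ in entries))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(section_counts(parsed))
    for section, reason, body in triage(parsed):
        print(f"{section}: {reason}\n    {body}")
```

On the sample above the script flags the SideStep O9 entry (file missing), the NWTRAY Run entry (bare filename, so which NWTRAY.EXE runs depends on the PATH), the R1 proxy (here a private 10.x address, which is what the school network's proxy would look like) and lists go.microsoft.com as the O16 download host. Nothing else in the sample matches a rule, which is consistent with the helper's reading that the log is clean.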

#5 vlynno (Topic Starter)

Posted 16 February 2006 - 09:47 AM

Thanks for your help. And yes, I'm still having popups. Every time I run one of the cleaners it finds something... Ewido keeps finding cookies from doubleclick, questionmarket, ad.yieldmanager, and McAfee keeps killing this adv640(1).htm vir.

#6 vlynno (Topic Starter)

Posted 16 February 2006 - 09:49 AM

More info... Yes, I have the Google toolbar activated. I have even uninstalled and reinstalled it because it does not appear to be catching any of them. The popups come up behind the browser... I tried the Yahoo toolbar; it did not catch them either...

#7 pskelley

Posted 16 February 2006 - 10:04 AM

Frustrating for both of us. Please run these free scans:

1) http://www.kaspersky.com/virusscanner using these instructions:
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives

Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

2) Then restart the computer in safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
Run the scan, removing anything it locates unless you know it is not bad, and save the scan report.

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Post the Kaspersky results, the ewido scan results, the uninstall list and a new HJT log.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
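The "Save as Text" report that step 1 above produces lists one object per line with a verdict, a detection name and the last action taken. When a helper reads it, the first question is not the detection name but the location: a hit inside System Volume Information is a System Restore snapshot that cannot run unless that restore point is applied, a hit inside another tool's Recovery or Quarantine folder is a backup of something already removed, and only a hit in a normal location is a live file. The script below is an added example written for this page, not code from this thread or from Kaspersky; the sample lines are copied from the report posted later in this thread, and the three location classes are this editor's grouping rule.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Kaspersky On-line Scanner report posted in this thread,
# in its "Infected Object Name / Virus Name / Last Action" format.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/actalert.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029322.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd/C:/WINDOWS/System32/exdl.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\WINDOWS\system32\atrzactx.exe Infected: Trojan.Win32.Crypt.t skipped
"""

# A result line is: object path, a verdict keyword, the detection name, then the last action taken.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious|ZIP|Embedded EXE): (?P<name>.+?) (?P<action>\S+)$"
)


def parse_report(text):
    """Return one dict per result line; header, statistics and blank lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def location_class(path):
    """Where the object lives decides how urgent it is (this editor's classification, not Kaspersky's)."""
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "restore_point"   # System Restore snapshot; inert unless that restore point is applied
    if "\\recovery\\" in p or "\\quarantine\\" in p:
        return "tool_backup"     # another tool's own backup of something it already removed
    return "live"                # a file in a normal location that may actually run


def triage(text):
    """Group results by location class and count detection names for Infected/Suspicious objects.
    Container summary lines ('ZIP: infected - 4') are grouped but not counted as detections."""
    buckets = {"live": [], "restore_point": [], "tool_backup": []}
    names = Counter()
    for item in parse_report(text):
        buckets[location_class(item["path"])].append(item)
        if item["verdict"] in ("Infected", "Suspicious"):
            names[item["name"]] += 1
    return buckets, names


if __name__ == "__main__":
    buckets, names = triage(SAMPLE_REPORT)
    for cls, items in buckets.items():
        print(f"{cls}: {len(items)} object(s)")
        for it in items:
            print(f"    {it['name']:<45} {it['path']}")
    print("detections:", dict(names))
```

Run on the sample, the only live object is the file under C:\WINDOWS\system32, which is exactly the kind of line a helper reads first; the restore-point and Spybot-recovery entries are grouped separately so they do not inflate the "infected objects" count into something that looks worse than the running system actually is.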

#8 vlynno (Topic Starter)

Posted 16 February 2006 - 12:10 PM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 11:14:09 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 177041
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 38694
Number of viruses found: 6
Number of infected objects: 25
Number of suspicious objects: 2
Duration of the scan process: 00:46:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/actalert.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029322.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029323.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029328.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029329.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP503\A0029330.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP506\A0030322.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP506\A0030323.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP506\A0030324.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047415.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd/C:/WINDOWS/System32/exdl.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd/C:/WINDOWS/System32/mqexdlm.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd/C:/WINDOWS/System32/exul.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd/C:/WINDOWS/System32/javexulm.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047440.vxd ZIP: infected - 4 skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047443.ax/C:/WINDOWS/System32/mscb.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047443.ax/C:/Program Files/CashBack/bin/cashback.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.j skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047443.ax/C:/Program Files/CashBack/bin/cb.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047443.ax/C:/Program Files/CashBack/bin/flash.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP582\A0047443.ax ZIP: infected - 4 skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP584\A0047649.exe/EXE-file/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP584\A0047649.exe/EXE-file Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP584\A0047649.exe Embedded EXE: infected - 2 skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP586\A0055772.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\atrzactx.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\nipearts.exe Infected: Trojan.Win32.Crypt.t skipped

Scan process completed.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:02:03 PM, 2/16/2006
+ Report-Checksum: FF2F97C3

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned with backup


::Report End

Abacast Client
Ad-Aware SE Personal
Adobe Reader 6.0
Advanced Networking Pack for Windows XP
Agnitum Tauscan 1.7
AVG Free Edition
CCleaner (remove only)
ContextPlus
Documents To Go
DrawPlus 3.0
Easy Track II
ewido anti-malware
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp deskjet 6122
hp deskjet 6122 series
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Kaspersky On-line Scanner
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Web Publishing Wizard 1.52
Netscape (7.1)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-5)
NMAS Client Components (2.3)
Novell Client for Windows
Outlook Express Q823353
Palm Desktop
Panda ActiveScan
Privacy Eraser Pro
Shockwave
SideStep
SkyTracker 13 Desktop Weather Center
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 3.5
The Print Shop
TrackMate 4.22
TrojanHunter 4.0
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696

Logfile of HijackThis v1.99.1
Scan saved at 12:06:26 PM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wuauclt.exe
\border\sys\public\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.8:8081
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\8h3u5zhg.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#9 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:03 AM

Posted 16 February 2006 - 03:41 PM

Thanks for this new information. The Kaspersky has identified some of this stuff for us I believe. First I will look over the other information.

1) ewido anti-malware - Scan report Created on: 12:02:03 PM, 2/16/2006 Did its job for us, and it does at least remove what it locates. Refer to earlier instructions for how to handle this program once the trial is over unless you own it.

2) Uninstall list: I am looking for out of date security issues and malware. You may want to look for programs you do not know or no longer use. Good to do some cleaning while you can see them all.

ContextPlus <<< rootkit installer (need to run the rootkit tool for this one) Major popup causer

SideStep <<< problem program, adware at least. Please uninstall it if uninstall is available.

Spy Sweeper <<< if you own this one fine, if not you may wish to uninstall it, using resources and giving nothing in return.

3) Logfile of HijackThis v1.99.1 Scan saved at 12:06:26 PM, on 2/16/2006
The log looks ok, please be aware HJT can not see everything and it turns out you had a very infected computer.

4) Kaspersky identified a few bad items, most of the stuff is in your System Restore files, we will clean that out in a few. Here are the bad ones we must deal with manually:
I see the words password protected; I assume this is your computer and you will be signed in as Administrator. This stuff must be removed:

Instructions start here:
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.


Open your Spybot program and click on Recovery, then delete anything in there.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/actalert.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip ZIP: suspicious - 1 skipped

Boot to safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/ or do this
Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Locate and delete the files highlighted in red.

C:\WINDOWS\system32\atrzactx.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\nipearts.exe Infected: Trojan.Win32.Crypt.t skipped

Now while still in safe mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode.

Let's clean System Restore files now:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Surf a bit to see how the computer is running, then please run another Kaspersky scan and post the results.

Thanks...Phil

Edited by pskelley, 16 February 2006 - 03:44 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#10 vlynno

vlynno
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 22 February 2006 - 11:21 AM

Well... no popups... this is a good thing... but McAfee caught WinFixer while I was running the Kaspersky scan. And all this showed up in the scan
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, February 22, 2006 11:18:36 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/02/2006
Kaspersky Anti-Virus database records: 178147
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 39198
Number of viruses found: 4
Number of infected objects: 13
Number of suspicious objects: 1
Duration of the scan process: 00:49:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\jscpfldr.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\ureshost.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\Cache\00003742_43eb4461_00000000 Infected: Trojan-Downloader.HTML.Agent.ad skipped
C:\Program Files\Comblish\Cache\00005e9d_43eb508b_00098968 Infected: Trojan-Downloader.HTML.Agent.ae skipped
C:\Program Files\Comblish\Cache\00006172_43eb5093_000d9701 Infected: Trojan-Downloader.HTML.Agent.ad skipped
C:\Program Files\Comblish\jscpfldr.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\ureshost.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\RECYCLER\S-1-5-21-1935655697-1284227242-725345543-500\Dc72.exe Infected: Trojan.Win32.Crypt.t skipped
C:\RECYCLER\S-1-5-21-1935655697-1284227242-725345543-500\Dc73.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\drivers\fipa301b.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\WINDOWS\system32\htiuiext.exe Infected: Trojan.Win32.Crypt.t skipped

Scan process completed.

#11 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:03 AM

Posted 22 February 2006 - 12:29 PM

Went back a little and saw this:

Ewido keeps finding cookies from doubleclick..questionmarket.. adyield manager. and McAfee keeps killing this adv640(1).htm vir.

You can stop those cookies like this, they will get there when you surf unless you put a stop to it.
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/...acy/config.mspx
IE cookies

http://privacy.getnetwise.org/browsing/too...fdisablecookies
http://www.mozilla.org/projects/security/p..._priv_help.html
Firefox
_________________________________________________
Did you run this fix? If not, please do so and post the log for me to view.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

___________________________________________________
Looking at the results from the Kaspersky scan:

Looks like you did run the aproposfix:
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\ace.dll Infected: Trojan.Win32.Crypt.t skipped
These are backups in the aproposfix\backups folder. You can delete that folder (aproposfix, and the junk will go with it), but I would like to see this:

along with the entire contents of the log.txt file in the aproposfix folder <<< post that log.txt file

You may need to do this in safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

C:\Program Files\Comblish\Cache\00003742_43eb4461_00000000 Infected: Trojan-Downloader.HTML.Agent.ad skipped
C:\Program Files\Comblish\Cache\00005e9d_43eb508b_00098968 Infected: Trojan-Downloader.HTML.Agent.ae skipped
C:\Program Files\Comblish\Cache\00006172_43eb5093_000d9701 Infected: Trojan-Downloader.HTML.Agent.ad skipped

Comblish <<< do you know what this is? At the very least for now you need to delete everything in the Cache highlighted in red.

C:\Program Files\Comblish\jscpfldr.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\ureshost.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\drivers\fipa301b.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\WINDOWS\system32\htiuiext.exe Infected: Trojan.Win32.Crypt.t skipped


I am frustrated because I can't find out what "Comblish" is. If you can validate it as bad, delete the whole folder; at the very least the files in red must be deleted.

If you need to validate a file or folder one way or another, use these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

These are in the C:\Recycler:
C:\RECYCLER\S-1-5-21-1935655697-1284227242-725345543-500\Dc72.exe Infected: Trojan.Win32.Crypt.t skipped
C:\RECYCLER\S-1-5-21-1935655697-1284227242-725345543-500\Dc73.exe Infected: Trojan.Win32.Crypt.t skipped
delete everything in there.

Once this is done run another Kaspersky scan and post the results and a fresh HJT log. Please include any comments you think will help.

Thanks...Phil

Edited by pskelley, 22 February 2006 - 12:32 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#12 vlynno

vlynno
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 22 February 2006 - 12:44 PM

I have no idea what Comblish is... I have deleted the whole folder and had it return. I'm running the Kaspersky now and will post it

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Administrator\Desktop\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C6PW8AE8IQmD]
@="qJeEqJRUVVUVVWVu lcbaaUVVUkXV0qvlw0 V SMN8GbaV7LCP8LMV9CJ4bYZ5WMSM"
"Device"="\\\\.\\MSD4322"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\fipa301b.sys"
"DriverName"="Ip6kIpx"
"HideUninstallerName"="C:\\Program Files\\Comblish\\jscpfldr.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\nipearts.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{CB7ED9E4-8BAC-48EB-8ABF-46507BC3C998}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\System32\\wucertrm.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xb74e8eb-ae20-51e4-1fd7-7122b08e27b6}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Comblish\\ureshost.exe"

************

Removing hidden service:
Service Ip6kIpx removed.

Removing hidden folder:

#13 vlynno

vlynno
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 22 February 2006 - 01:37 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:37:01 PM, on 2/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
\border\sys\public\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ehancock.k12.in.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.0.8:8081
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\8h3u5zhg.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe





-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, February 22, 2006 1:35:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/02/2006
Kaspersky Anti-Virus database records: 178168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 34200
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 1
Duration of the scan process: 00:38:57

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000054.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000055.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000062.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000063.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000069.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000070.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000071.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000072.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000073.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000074.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000075.dll Infected: Trojan.Win32.Crypt.t skipped

Scan process completed.

#14 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:03 AM

Posted 22 February 2006 - 01:48 PM

Everything Kaspersky is locating is in your System Restore files, this will take care of that:
System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Your HJT log is clean, I would say you are good to go. Here are some ideas that may even help you to run better:
http://www.microsoft.com/windows/IE/commun...s/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Ea...rs_article.html

Safe surfing...Phil :thumbsup:

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
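The sorting pskelley does by hand in post #11 (which Kaspersky hits are tool backups, Recycler leftovers or still-live files under Comblish and system32) and the conclusion in post #14 that everything left is in System Restore, as an added Python example that is not a BleepingComputer, Kaspersky or AproposFix tool: it parses the report lines exactly as posted above, while the location labels and remediation strings are my own.

```python
"""Triage helper for the Kaspersky On-line Scanner reports posted in this thread.
Added example: parses the 'Infected Object Name / Virus Name / Last Action' lines and
groups each hit by where it sits on disk, since location decides the remediation."""
import re
from collections import Counter
from dataclasses import dataclass

# One result line: "<path> Infected: <name> <action>" or "<path> Suspicious: ...".
# The path is matched lazily because it can contain spaces.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")

# (label, remediation, test on the lower-cased path); the first matching rule wins.
LOCATIONS = [
    ("system_restore", "flushed by turning System Restore off, rebooting, and on again",
     lambda p: p.startswith("c:\\system volume information\\_restore")),
    ("recycle_bin", "flushed by emptying the Recycle Bin",
     lambda p: p.startswith("c:\\recycler\\")),
    ("tool_backup", "goes away with the removal tool's backup folder",
     lambda p: "\\aproposfix\\backups\\" in p),
    ("driver", "ACTIVE: kernel driver, rootkit suspect; delete in Safe Mode",
     lambda p: "\\windows\\system32\\drivers\\" in p),
    ("system32", "ACTIVE: delete in Safe Mode",
     lambda p: "\\windows\\system32\\" in p),
    ("program_files", "ACTIVE: delete in Safe Mode, then uninstall the parent program",
     lambda p: p.startswith("c:\\program files\\")),
    ("other", "ACTIVE: validate with an online scanner, then delete", lambda p: True),
]

@dataclass
class Hit:
    path: str
    verdict: str   # Infected, or Suspicious (heuristic, less certain)
    name: str      # detection name, e.g. Trojan.Win32.Crypt.t
    action: str    # the online scanner only reports, so this is always 'skipped'
    location: str

def classify_path(path):
    p = path.lower()
    return next(label for label, _, test in LOCATIONS if test(p))

def parse_report(text):
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header, statistics and blank lines do not match and are skipped
            hits.append(Hit(m["path"], m["verdict"], m["name"], m["action"],
                            classify_path(m["path"])))
    return hits

def summarize(text):
    hits = parse_report(text)
    remedy = {label: fix for label, fix, _ in LOCATIONS}
    return {
        "total": len(hits),
        "by_location": dict(Counter(h.location for h in hits)),
        "active": [h.path for h in hits if remedy[h.location].startswith("ACTIVE")],
        "names": sorted({h.name for h in hits}),
    }

def only_in_system_restore(text):
    hits = parse_report(text)
    return bool(hits) and all(h.location == "system_restore" for h in hits)

# Excerpts of the two reports posted above (paths exactly as posted in the thread).
REPORT_1118 = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\aproposfix\backups\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Comblish\Cache\00003742_43eb4461_00000000 Infected: Trojan-Downloader.HTML.Agent.ad skipped
C:\Program Files\Comblish\jscpfldr.exe Infected: Trojan.Win32.Crypt.t skipped
C:\RECYCLER\S-1-5-21-1935655697-1284227242-725345543-500\Dc72.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\drivers\fipa301b.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\WINDOWS\system32\htiuiext.exe Infected: Trojan.Win32.Crypt.t skipped"""
REPORT_1335 = r"""C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000054.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{033BEE58-5693-4E17-91C8-95EF90F7FC3B}\RP1\A0000062.sys Suspicious: Rootkit.Win32.Agent.ao skipped"""
```

`summarize(REPORT_1118)` lists the four still-active paths (the two Comblish files, the driver and htiuiext.exe) that had to be deleted by hand, while `only_in_system_restore(REPORT_1335)` is true, which is the situation where toggling System Restore is the whole fix.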
