Scanners Say I'm Clean


This topic is locked
12 replies to this topic

#1 Rybo85

  • Members
  • 7 posts

Posted 26 February 2006 - 10:25 PM

I'm trying to help someone clean up their computer, and I've done that for the most part. Unfortunately I'm still getting some pop-ups. Here's my HT log. Thanks for any help.

Logfile of HijackThis v1.99.1
Scan saved at 10:19:40 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\fsecure\Anti-Virus\fsgk32st.exe
C:\fsecure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\fsecure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\fsecure\Common\FSMA32.EXE
C:\fsecure\Common\FSMB32.EXE
C:\fsecure\Common\FCH32.EXE
C:\fsecure\Common\FAMEH32.EXE
C:\fsecure\Common\FNRB32.EXE
C:\fsecure\Common\FIH32.EXE
C:\fsecure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\fsecure\Common\FSM32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\WINDOWS\system32\ngpw40.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O3 - Toolbar: Search - {A4C72BBA-5D76-8385-CA4B-70C31B7F4093} - C:\WINDOWS\Uauyrgzz.dll
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [F-Secure Manager] "C:\fsecure\Common\FSM32.EXE" /nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins004.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188655468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188642250
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/4.0....tarware_323.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - (no file)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\fsecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\fsecure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\fsecure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\fsecure\Common\FSMA32.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 05:30 AM

Hello,

Looks like the scanners you are using don't do a good job, unless they are not up to date. I see some bad processes actively running.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O3 - Toolbar: Search - {A4C72BBA-5D76-8385-CA4B-70C31B7F4093} - C:\WINDOWS\Uauyrgzz.dll
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins004.exe
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.starware.com/installs/4.0....tarware_323.cab
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\sms_msn40.exe
C:\WINDOWS\system32\ngpw40.exe
C:\WINDOWS\Uauyrgzz.dll

* Go to Start > Run, type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
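The reply above is a triage of the first log: which HijackThis lines to fix and why. The same judgement calls can be written down as rules. The following is an added example for this thread, not code from the original post, from HijackThis or from BleepingComputer. It parses a HijackThis 1.99-style log and flags the classes of entry the helper checked: orphaned "(no file)" entries, Trusted Zone additions (O15), O16 ActiveX downloads from hosts outside a small allow-list, autoruns (O4) and browser modules (O2/O3) sitting directly under the Windows directory, and running processes that are neither XP core processes nor backed by an O23 service line. The allow-lists, rule names and severities are assumptions for the example; the embedded sample is a constructed subset of the first log posted in this thread.

```python
"""Heuristic triage of a HijackThis 1.99-style log (added example, see lead-in)."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\fsecure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\ngpw40.exe

O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O3 - Toolbar: Search - {A4C72BBA-5D76-8385-CA4B-70C31B7F4093} - C:\WINDOWS\Uauyrgzz.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\fsecure\Common\FSM32.EXE" /nosplash
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins004.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
"""

# Assumed baseline: XP core processes that always show up in a HijackThis log.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wscntfy.exe", "wuauclt.exe",
}
# Assumed allow-list of hosts from which O16 ActiveX downloads are expected.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com", "acs.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
# A file sitting directly in %SystemRoot% or %SystemRoot%\system32 (no deeper subfolder).
WIN_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# Target of an O4 autorun: the quoted path, or else the first unquoted token.
O4_TARGET_RE = re.compile(r'\]\s+(?:"([^"]+)"|(\S+))')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return findings as dicts with 'rule', 'severity' and 'entry' keys."""
    processes, entries, service_exes = [], [], set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), line))
            if m.group(1) == "O23":  # a service line vouches for its executable
                service_exes.add(basename(line.rsplit(" - ", 1)[-1]))
        elif in_processes:
            processes.append(line)

    findings = []

    def flag(rule, severity, entry):
        findings.append({"rule": rule, "severity": severity, "entry": entry})

    for kind, line in entries:
        tail = line.rsplit(" - ", 1)[-1]  # the path or URL the entry points at
        if tail == "(no file)":
            flag("orphan_entry", "medium", line)
        elif kind == "O15":
            flag("trusted_zone_added", "high", line)
        elif kind in ("O2", "O3") and WIN_DIR_RE.match(tail):
            flag("browser_module_in_windows_dir", "high", line)
        elif kind == "O4":
            m = O4_TARGET_RE.search(line)
            target = (m.group(1) or m.group(2)) if m else ""
            if WIN_DIR_RE.match(target):
                flag("autorun_from_windows_dir", "medium", line)
        elif kind == "O16":
            url = urlparse(tail)
            if url.scheme in ("http", "https") and url.hostname not in TRUSTED_DPF_HOSTS:
                sev = "high" if url.path.lower().endswith(".exe") else "medium"
                flag("dpf_untrusted_host", sev, line)

    for path in processes:
        name = basename(path)
        if WIN_DIR_RE.match(path) and name not in CORE_PROCESSES and name not in service_exes:
            flag("unknown_process", "review", path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['rule']:<30} {f['entry']}")
```

Run as a script it prints the findings for the embedded sample. brsvc01a.exe is not flagged because the O23 line vouches for it, the HP taskbar utility is not matched because it lives several folders below system32, and the AutoCAD file:// controls and the Microsoft update controls are left alone. A heuristic like this only narrows the list; each name it reports still needs the kind of judgement the helper applied above.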

#3 Rybo85 (Topic Starter)

  • Members
  • 7 posts

Posted 27 February 2006 - 09:53 AM

Thanks for the help!

Panda Scan:

Incident Status Location

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@c.goclick[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@winfixer[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@c.enhance[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@adopt.hbmediapro[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@ask[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@stats1.reliablestats[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@microsoftwga.112.2o7[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@azjmp[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@microsofteup.112.2o7[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@adultfriendfinder[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@kount[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@ad.yieldmanager[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@kount[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@belnk[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Najeeb\Cookies\najeeb@dist.belnk[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[27].txt
Spyware:Cookie/888 Not disinfected C:\Temp\Cookies\najeeb@888[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Temp\Cookies\najeeb@cassava[1].txt
Spyware:Cookie/888 Not disinfected C:\Temp\Cookies\administrator@888[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Temp\Cookies\administrator@stats1.reliablestats[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Temp\Cookies\administrator@tucows[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[5].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[11].txt
Spyware:Cookie/Cassava Not disinfected C:\Temp\Cookies\administrator@cassava[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[10].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[32].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Temp\Cookies\najeeb@trafficmp[3].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Temp\Cookies\najeeb@trafficmp[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[12].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[14].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[13].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[18].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[16].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[33].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[15].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Temp\Cookies\najeeb@adopt.hbmediapro[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[4].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[6].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[25].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[7].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[9].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[26].txt
Spyware:Cookie/YieldManager Not disinfected C:\Temp\Cookies\najeeb@ad.yieldmanager[28].txt
Spyware:spyware/virtumonde Not disinfected C:\Temp\bw2.com
Adware:Adware/Look2Me Not disinfected C:\Temp\temp.fr5814


Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:54 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\fsecure\Anti-Virus\fsgk32st.exe
C:\fsecure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\fsecure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\fsecure\Common\FSMA32.EXE
C:\fsecure\Common\FSMB32.EXE
C:\fsecure\Common\FCH32.EXE
C:\fsecure\Common\FNRB32.EXE
C:\fsecure\Common\FAMEH32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\fsecure\Anti-Virus\fsav32.exe
C:\fsecure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\fsecure\Common\FSM32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [F-Secure Manager] "C:\fsecure\Common\FSM32.EXE" /nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188655468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188642250
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\fsecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\fsecure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\fsecure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\fsecure\Common\FSMA32.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 10:06 AM

Hello,

Looks clean again. What panda found were mainly cookies.

Delete next file:

C:\WINDOWS\uniq
Delete the entire contents of this folder: C:\temp (since it is called a temp folder, everything in there may get deleted -- unless you created that folder there yourself because this is not a standard folder on C:\ either)

Let me know in your next reply how things are running now.

#5 Rybo85 (Topic Starter)

  • Members
  • 7 posts

Posted 27 February 2006 - 10:11 AM

Thanks! Should I do this in safe mode or regular or does that not matter?

#6 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 10:13 AM

No need to do this in safe mode. :thumbsup:

#7 Rybo85 (Topic Starter)

  • Members
  • 7 posts

Posted 27 February 2006 - 11:11 AM

The machine is probably as clean as it's been in a while, but it's still getting pop-ups. Here are some of the pop-up addresses:

http://images.trafficmp.com/tmpad/content/space.gif
http://shopping.hp.com/webapp/shopping/sto...Home&aoid=15537
http://cdn.fastclick.net/adserver.com/1000...id1162/nice.gif

Should I do another panda scan or another type of scan?

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:52 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\fsecure\Common\FSM32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
C:\fsecure\Anti-Virus\fsgk32st.exe
C:\fsecure\Anti-Virus\FSGK32.EXE
C:\fsecure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\fsecure\Common\FSMA32.EXE
C:\fsecure\Common\FSMB32.EXE
C:\fsecure\Common\FCH32.EXE
C:\fsecure\Common\FAMEH32.EXE
C:\fsecure\Common\FNRB32.EXE
C:\fsecure\Common\FIH32.EXE
C:\fsecure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [F-Secure Manager] "C:\fsecure\Common\FSM32.EXE" /nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188655468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188642250
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\fsecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\fsecure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\fsecure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\fsecure\Common\FSMA32.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#8 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 11:15 AM

Probably you are dealing with the Apropos rootkit, so it won't hurt to run that fix anyway.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

I can't stress enough how important it is that this is performed in Safe Mode, because this infection is only visible in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe.
This will create a new folder on your desktop called aproposfix.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Post the contents of the log.txt file in the aproposfix folder in your next reply.

#9 Rybo85 (Topic Starter)

  • Members
  • 7 posts

Posted 27 February 2006 - 11:31 AM

Apropos Log:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Administrator\Desktop\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoQU2ABrYU86]
@="HNHdJIDPQQPQQRQv31HEI7PQQPfSQzlqgrzvQvNHI3BWVQ2G7K3GHQ2B73A723RHNH"
"Device"="\\\\.\\Secspti"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\dmielide.sys"
"DriverName"="sysAuto"
"HideUninstallerName"="C:\\Program Files\\Viepollo\\regkbdit.exe"
"HDll"="C:\\WINDOWS\\System32\\quarayel.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xbb4f79b-6c4a-0f66-0565-70590af779b1}"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"ClientName"="C:\\Program Files\\Viepollo\\atirprof.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\hdihal.exe"
"Version"="2.0.131"

************

Removing hidden service:
Service sysAuto removed.

Removing hidden folder:
Deletion of folder Viepollo succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\dmielide.sys succeeded!
Deletion of file C:\WINDOWS\System32\hdihal.exe succeeded!
Deletion of file C:\WINDOWS\System32\quarayel.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CoQU2ABrYU86]
[-HKEY_LOCAL_MACHINE\Software\CoQU2ABrYU86]

Done!

Finished!


Latest HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:19 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\fsecure\Anti-Virus\fsgk32st.exe
C:\fsecure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\fsecure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\fsecure\Common\FSMA32.EXE
C:\fsecure\Common\FSMB32.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\fsecure\Common\FSM32.EXE
C:\fsecure\Common\FCH32.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
C:\fsecure\Common\FAMEH32.EXE
C:\fsecure\Common\FNRB32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\fsecure\Common\FIH32.EXE
C:\fsecure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/news/default.asp
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [F-Secure Manager] "C:\fsecure\Common\FSM32.EXE" /nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb02.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188655468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133188642250
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\fsecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\fsecure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\fsecure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\fsecure\Common\FSMA32.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#10 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 11:42 AM

Well, it looks like we spotted the right infection. You were indeed dealing with the Apropos rootkit.
I recognised one of the popups you were getting.

Normally popups must be gone now. Let me know in your next reply. :thumbsup:
Your HijackThis log still looks clean.
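The registry block in the AproposFix log two posts up is the most useful part of that output for anyone verifying the cleanup: it names the hidden service, the driver, the hooked DLL, the install folder and the server the adware talked to, none of which showed up in the HijackThis logs. The following is an added example for this thread; it is not AproposFix code and does not reproduce how that tool locates the infection. It parses the REGEDIT4-style dump the tool printed, undoes the backslash escaping (so the "Device" value "\\\\.\\Secspti" becomes the device name \\.\Secspti and the dword values become integers), and turns the key into a list of indicators to confirm are gone after the fix. The structural rule in looks_like_apropos() is an assumption for the example, and the embedded sample is a constructed subset of the key shown in the log.

```python
"""IOCs from an AproposFix registry dump (added example, see lead-in)."""
import re
from urllib.parse import urlparse

# Constructed from the key printed in the AproposFix log above (subset of its values).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\CoQU2ABrYU86]
@="HNHdJIDPQQPQQRQv31HEI7PQQPfSQzlqgrzvQvNHI3BWVQ2G7K3GHQ2B73A723RHNH"
"Device"="\\\\.\\Secspti"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\dmielide.sys"
"DriverName"="sysAuto"
"HideUninstallerName"="C:\\Program Files\\Viepollo\\regkbdit.exe"
"HDll"="C:\\WINDOWS\\System32\\quarayel.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.LAV"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"ClientName"="C:\\Program Files\\Viepollo\\atirprof.exe"
"AutoUpdater"="C:\\WINDOWS\\System32\\hdihal.exe"
"Version"="2.0.131"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data (default value); the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)


def unescape(s):
    # REGEDIT4 escapes backslashes and quotes with a backslash; drop the escape.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.
    Strings are unescaped, dword values become ints, other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current[name] = unescape(data[1:-1])
        else:
            current[name] = data  # hex(...) and other types kept as written
    return keys


def looks_like_apropos(values):
    """Structural rule (an assumption for this example, not AproposFix's method):
    the key name is random, but the value names describing a driver, a hook DLL
    and a server are what give the layout away."""
    return {"DriverPath", "HDll", "ServerAddress"} <= set(values)


def extract_iocs(values):
    """Files, non-system folders, service and device names, and hosts from one key."""
    iocs = {"files": set(), "folders": set(), "services": set(), "devices": set(), "hosts": set()}
    for name, data in values.items():
        if not isinstance(data, str):
            continue
        if DRIVE_PATH_RE.match(data):
            iocs["files"].add(data)
            if not WINDOWS_DIR_RE.match(data):  # the install folder, not system32
                iocs["folders"].add(data.rsplit("\\", 1)[0])
        elif data.startswith("\\\\.\\"):  # Win32 device namespace, e.g. \\.\Secspti
            iocs["devices"].add(data)
        elif "://" in data:
            iocs["hosts"].add(urlparse(data).hostname)
        elif name == "ServerAddress":
            iocs["hosts"].add(data)
        elif name == "DriverName":  # also the hidden service name the tool removed
            iocs["services"].add(data)
    return iocs


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        if looks_like_apropos(values):
            print(key)
            for kind, items in extract_iocs(values).items():
                for item in sorted(items):
                    print(f"  {kind:<9} {item}")
```

Beyond the files the tool reports deleting, this gives a responder the service name to look for under HKLM\SYSTEM\CurrentControlSet\Services (sysAuto), the device name the user-mode components opened, and the host to watch for in DNS or proxy logs; any of those reappearing after the fix would mean the removal did not take. CrMnTmt decodes to 3,600,000, which would be an hourly timer if the unit is milliseconds; that reading is a guess, not something the log states.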

#11 Rybo85 (Topic Starter)

  • Members
  • 7 posts

Posted 27 February 2006 - 11:48 AM

So far so good! Thanks a lot! I'll check back in if the pop-ups ever come back. Thanks again.

:thumbsup:

#12 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 11:49 AM

Glad I could help. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Happy surfing again! :flowers:

#13 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 27 February 2006 - 06:34 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



