Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log


  • Please log in to reply
1 reply to this topic

#1 Cantankerous

Cantankerous

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 13 May 2006 - 12:10 PM

I've recently begun to have some significanty pop up issues. It started with Winfixer, but I think that's been resolved. However, a ton of other pop ups and programs that cannot be removed from normal means are popping up. Any help is much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:02:21 PM, on 5/13/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\defender19a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RightFax\fuw32.exe
C:\Program Files\ALS COM Client\VistaApp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\tomk\Local Settings\Temp\wzcdb9\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .CAL: C:\Program Files\VisionShape\TiffSurfer\Plugins\nptsurf.dll
O12 - Plugin for .LST: C:\Program Files\VisionShape\TiffSurfer\Plugins\nptsurf.dll
O12 - Plugin for .PCX: C:\Program Files\VisionShape\TiffSurfer\Plugins\nptsurf.dll
O12 - Plugin for .TIF: C:\Program Files\VisionShape\TiffSurfer\Plugins\nptsurf.dll
O12 - Plugin for .TIFF: C:\Program Files\VisionShape\TiffSurfer\Plugins\nptsurf.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall.../watches/3d.lbl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = condorcap.local
O17 - HKLM\Software\..\Telephony: DomainName = condorcap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = condorcap.local
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

BC AdBot (Login to Remove)

 


#2 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:06:53 AM

Posted 13 May 2006 - 04:45 PM

Hi Cantankerous

You may wish to Subscribe to this thread (Options) so that you are notified when you receive a reply.

Do you know who or what condorcap is? I can’t find any info on it – please let me know.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


Please ensure that you follow the instructions in the order I have them listed.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:BFU).

Do not do anything with these yet!



Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK, Press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

ViewMgr

ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the authors.



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall.../watches/3d.lbl
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Folders indicated in BLUE if they still exist.

C:\Program Files\Viewpoint




Run Ewido
Run Ewido with it's updated definitions (...it's important that all windows must be closed)
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.



Run the Brute Force Uninstaller
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HijackThis log.



Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
Ewido Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.
Iain
Win XP Pro / Win 7 Pro
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users