Spyfalcon - Followed Guide, Still Present


3 replies to this topic

#1 KlumpDud

Posted 26 June 2006 - 10:53 PM

I was getting many IE pop-ups (even though I use Firefox) and there were fake warnings coming from the system tray as well as "handicap" icons. I ran Ad-Aware and Spybot. Didn't work. I searched the internet and found bleepingcomputer's guide to remove it located here. I followed the guide's instructions and noticed that the system tray icons were no longer present. However, I still have IE pop-ups. I then ran a Panda Online scan which found approximately 20 things.

Here are the results of the Panda log:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected D:\Downloads\Firefox Downloads\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Maximus1\Application Data\Mozilla\Firefox\Profiles\wvg40j2q.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
Spyware:Cookie/YieldManager Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@belnk[1].txt
Spyware:Cookie/FortuneCity Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@fortunecity[2].txt
Spyware:Cookie/Media-motor Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@mmm.media-motor[1].txt
Spyware:Cookie/Reliablestats Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@stats1.reliablestats[1].txt
Spyware:Cookie/BurstBeacon Not disinfected F:\Documents and Settings\Maximus1\Cookies\maximus1@www.burstbeacon[1].txt
Potentially unwanted tool:Application/Processor Not disinfected F:\Documents and Settings\Maximus1\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected F:\Documents and Settings\Maximus1\loaded.exe
Adware:Adware/SystemDoctor Not disinfected F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe
Adware:Adware/PurityScan Not disinfected F:\Documents and Settings\Maximus1\My Documents\?racle\explorer.exe
Adware:Adware/PurityScan Not disinfected F:\Program Files\Common Files\??mbols\d?dplay.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\Program Files\Roguescanfix\Process.exe
Potentially unwanted tool:Application/Psshutdown.A Not disinfected F:\Program Files\Shutdown\shutdown.exe
Dialer:dialer.avv Not disinfected F:\WINNT\Downloaded Program Files\gdnUS2338.exe
Adware:Adware/SystemDoctor Not disinfected F:\WINNT\system32\ca64a6b.exe
Adware:Adware/PurityScan Not disinfected F:\WINNT\system32\chkntfs.dll
Adware:Adware/SpyFalcon Not disinfected F:\WINNT\system32\twain32.dll_tobedeleted
Adware:Adware/BigTrafficNet Not disinfected F:\WINNT\system3200


Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:27 PM, on 6/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\M-Audio\Install\EvoInst.exe
F:\WINNT\system32\nvsvc32.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\ca64a6b.exe
F:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe
F:\Program Files\Common Files\??mbols\d?dplay.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - F:\WINNT\system32\hp100.tmp (file missing)
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - F:\WINNT\system32\hp100.tmp (file missing)
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINNT\system32\hp100.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ca64a6b.exe] F:\WINNT\system32\ca64a6b.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] F:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pmta] "F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [Muicmpaf] F:\Program Files\Common Files\??mbols\d?dplay.exe
O4 - HKCU\..\Run: [ca64a6b.exe] F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130607206859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?325
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD17DF8-A98D-4F6B-9BA5-769248804465}: NameServer = 68.87.66.196,68.87.76.178
O20 - AppInit_DLLs: chkntfs.dll F:\WINNT\system32\chkntfs.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - F:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - F:\WINNT\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Any help is greatly appreciated!


#2 MFDnSC

Posted 27 June 2006 - 07:46 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - F:\WINNT\system32\hp100.tmp (file missing)

O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - F:\WINNT\system32\hp100.tmp (file missing)

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - F:\WINNT\system32\hp100.tmp (file missing)

O4 - HKLM\..\Run: [ca64a6b.exe] F:\WINNT\system32\ca64a6b.exe

O4 - HKCU\..\Run: [Pmta] "F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe" -vt yazr

O4 - HKCU\..\Run: [Muicmpaf] F:\Program Files\Common Files\??mbols\d?dplay.exe

O4 - HKCU\..\Run: [ca64a6b.exe] F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe

O20 - AppInit_DLLs: chkntfs.dll F:\WINNT\system32\chkntfs.dll (You may get an error – normal)

O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

F:\WINNT\system32\chkntfs.dll
F:\WINNT\system32\ca64a6b.exe
F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe
F:\Program Files\Common Files\??mbols\d?dplay.exe
F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
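The reply above is a helper reading a HijackThis log by eye: entries whose file is "(file missing)" or "(no file)" are dead registry references and only need the entry fixed, the AppInit_DLLs entry names a DLL that is loaded into running processes and so has to be deleted on reboot, and the Run entries that matter are the ones with a random hexadecimal name, a system binary name (explorer.exe) running from a user's My Documents folder, directory names that HijackThis prints with "?" in place of non-ANSI characters, and the same value name registered under both HKLM and HKCU. The following Python script is an added example, not part of the thread and not HijackThis or any tool the helper used; it applies those same checks to log lines copied from the first post so they can be run over any HijackThis 1.99 log. The category names and the "6 or more hex digits" threshold are this example's own choices.

```python
"""Triage a HijackThis 1.99 log with the checks a forum helper applies by eye.

Added example (not part of the thread). The sample lines are copied from the
first post's log; categories and thresholds are this example's own choices.
"""
import re

# Copied from the thread's first HijackThis log (a subset of its lines).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - F:\WINNT\system32\hp100.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ca64a6b.exe] F:\WINNT\system32\ca64a6b.exe
O4 - HKCU\..\Run: [Pmta] "F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [Muicmpaf] F:\Program Files\Common Files\??mbols\d?dplay.exe
O4 - HKCU\..\Run: [ca64a6b.exe] F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe
O20 - AppInit_DLLs: chkntfs.dll F:\WINNT\system32\chkntfs.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
"""

MISSING = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Names that belong to Windows itself; a copy living outside the Windows directory is a masquerade.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}
WINDOWS_DIRS = ("\\winnt\\", "\\windows\\")


def executable_of(cmd: str) -> str:
    """Pull the program path out of a Run value, quoted or not."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|dll|scr|com))", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious entry: {"category", "line", "reason"}."""
    findings: list[dict] = []
    hives_by_name: dict[str, set[str]] = {}

    def flag(category: str, line: str, reason: str) -> None:
        findings.append({"category": category, "line": line, "reason": reason})

    for line in log_text.strip().splitlines():
        line = line.rstrip()
        if MISSING.search(line):
            flag("dangling", line, "entry points at a file that is gone: fix the entry, nothing to delete")
            continue
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            flag("appinit", line, "AppInit_DLLs is loaded into every process that loads user32.dll; "
                                  "the DLL stays in use while Windows runs, so delete it on reboot")
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        hive, name, cmd = m.group("hive", "name", "cmd")
        hives_by_name.setdefault(name, set()).add(hive)
        exe = executable_of(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        if "?" in exe:
            flag("non-ascii-path", line, "HijackThis prints non-ANSI characters as '?': a directory name "
                                         "built from look-alike characters")
        if base in SYSTEM_BINARIES and not any(d in exe.lower() for d in WINDOWS_DIRS):
            flag("masquerade", line, f"{base} running from outside the Windows directory")
        if re.fullmatch(r"[0-9a-f]{6,}\.exe", base):
            flag("random-name", line, "random hexadecimal file name")

    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            flag("dual-hive", f"O4 [{name}]",
                 f"same Run value name in {' and '.join(sorted(hives))}: two copies to remove")
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per category (handy for a quick read of a long log)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']:>14}] {f['line']}\n{'':>17}{f['reason']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports every line the helper listed for fixing and nothing else (the NVIDIA, Norton and service lines pass). The checks are heuristics: a hex-looking name or a "?" in a path is a prompt to look at the file, not proof, and a legitimate AppInit_DLLs value (some accessibility and input-method software uses it) would be flagged too.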

#3 KlumpDud

Posted 28 June 2006 - 08:14 PM

I followed your instructions. When using Killbox in safe mode, of all the files whose paths you told me to put in the box and delete, the only one that didn't give me an error was F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe. The error that it gave me was "PendingFileOperations Registry Data has been Removed by External Process." After doing that with all the files you listed, I emptied the temp folder and emptied the recycle bin, then restarted into normal mode. The only abnormal thing I notice now is that whenever Windows starts up, for some reason the folder F:\WINNT\system32 opens up in Windows Explorer.

Here's the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:23:09 PM, on 6/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\M-Audio\Install\EvoInst.exe
F:\WINNT\system32\nvsvc32.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] F:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130607206859
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?325
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD17DF8-A98D-4F6B-9BA5-769248804465}: NameServer = 68.87.66.196,68.87.76.178
O20 - AppInit_DLLs: chkntfs.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - F:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - F:\WINNT\system32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 MFDnSC

Posted 29 June 2006 - 04:49 PM

http://support.microsoft.com/?kbid=170086

Fix this

O20 - AppInit_DLLs: chkntfs.dll

Delete this file using the DELETE ON REBOOT option in killbox

F:\WINNT\system32\chkntfs.dll
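"Delete on reboot" in Killbox, and the "PendingFileOperations Registry Data" error the poster saw, both refer to one Windows mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes and which Session Manager (smss.exe) processes at the next boot, before the DLL in AppInit_DLLs can be loaded by anything. The value holds source/destination pairs: an empty destination means delete, a destination beginning with "!" means overwrite. The Python below is an added example, not part of the thread and not Killbox's code; it builds, encodes, decodes and parses that value for the five paths from the thread plus one constructed rename pair, and writes a regedit-importable .reg file for it. It never touches a registry itself; applying the .reg file needs administrator rights on the target machine.

```python
"""How "delete on reboot" works: the Session Manager's PendingFileRenameOperations value.

Added example (not part of the thread, not Killbox's code). Builds, encodes and
decodes the REG_MULTI_SZ value that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes
and emits a .reg file for it. It does not write to any registry.
"""

PENDING_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# The five files the helper asked to delete (from the thread) plus one constructed
# rename pair, used only to show the third form the value can hold.
THREAD_PATHS = [
    r"F:\WINNT\system32\chkntfs.dll",
    r"F:\WINNT\system32\ca64a6b.exe",
    r"F:\DOCUME~1\Maximus1\MYDOCU~1\RACLE~1\explorer.exe",
    r"F:\Program Files\Common Files\??mbols\d?dplay.exe",
    r"F:\Documents and Settings\Maximus1\Local Settings\Application Data\ca64a6b.exe",
]
CONSTRUCTED_RENAME = (r"F:\WINNT\system32\twain32.dll_tobedeleted", r"F:\quarantine\twain32.dll")


def nt_path(win_path: str) -> str:
    r"""Session Manager reads NT object-manager paths: F:\x is written as \??\F:\x."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def delete_on_reboot_entries(paths) -> list[str]:
    """source, "" pairs: an empty destination tells smss.exe to delete the source."""
    entries: list[str] = []
    for p in paths:
        entries += [nt_path(p), ""]
    return entries


def rename_on_reboot_entries(src: str, dst: str, replace_existing: bool = True) -> list[str]:
    """source, destination pair; a leading '!' on the destination allows overwriting it."""
    return [nt_path(src), ("!" if replace_existing else "") + nt_path(dst)]


def encode_multi_sz(strings) -> bytes:
    """REG_MULTI_SZ: each string NUL-terminated, then one more NUL, all UTF-16-LE."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_multi_sz(data: bytes) -> list[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which carry the 'delete' meaning."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # drop the list terminator
    parts = text.split("\0")        # each string's own terminator splits it off ...
    return parts[:-1]               # ... leaving one spurious "" after the last one


def parse_pending_ops(strings) -> list[tuple]:
    """Turn the flat list back into (action, source, destination) triples."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def to_reg_file(strings, per_line: int = 16) -> str:
    """A regedit-importable file; hex(7) is regedit's spelling of REG_MULTI_SZ."""
    hex_bytes = [f"{b:02x}" for b in encode_multi_sz(strings)]
    rows = [",".join(hex_bytes[i:i + per_line]) for i in range(0, len(hex_bytes), per_line)]
    body = ",\\\n  ".join(rows)     # regedit's own line-continuation style
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{PENDING_KEY}]\n"
            f'"{PENDING_VALUE}"=hex(7):{body}\n')


def build_value() -> list[str]:
    """The full value for the thread's deletions plus the constructed rename."""
    return delete_on_reboot_entries(THREAD_PATHS) + rename_on_reboot_entries(*CONSTRUCTED_RENAME)


if __name__ == "__main__":
    value = build_value()
    for action, src, dst in parse_pending_ops(decode_multi_sz(encode_multi_sz(value))):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
    print(to_reg_file(value))
```

Two things worth knowing when relying on this: it is a single flat value, so whichever process writes it last wins, and any process that rewrites or clears it (an installer, a cleanup tool, anything with administrator rights) discards the entries queued before it, which is the situation an error like the one in the previous post describes. And because the paths are resolved at boot by Session Manager, an entry for a file that does not exist is simply skipped, so queuing a path that a scan already removed does no harm.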
