Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having Some Ads Popping On Screen


  • Please log in to reply
2 replies to this topic

#1 stickman

stickman

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 20 October 2006 - 07:50 PM

Daughter downloaded file from friend over msn,now computer infected with pop ups. I did ad aware scan,spybot ,bit defender and Mcafee Stinger but still poping up. Found on comp was Dxc.exe manage to clean it?, house call 6.6\Qurantine\304.exe, Trojan Puritan scan.U,Trojan Purityscan AR, Adaware Clickspring. AA, are some of the file that were found and deleted. hope you can help.



Greg


here is copy of HJL.


Logfile of HijackThis v1.99.1
Scan saved at 8:19:02 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Renée\Desktop\304.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Math bind jugs burn] C:\Documents and Settings\All Users\Application Data\Waitcitymathbind\hole mess.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://frdsr4lfe.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142101846279
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144265799046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe




here is what I have on my computer

Windows XP Pro
Version 2002

Service Pack 2

AMD Athlon
1.04 Ghz,512 MB of ram

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 PM

Posted 21 October 2006 - 07:21 AM

Hello stickman

I'd like to take a look at this log and I'll get back you you as soon as I can.

ourwilly. :thumbsup:

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 PM

Posted 21 October 2006 - 12:29 PM

Hello stickman

Sorry to keep you waiting.. :thumbsup:

Copy and Paste this Fix into a new text document or print it out for reference.

Step 1

I would like to recommend if you are using The Windows Firewall that you replace it as soon as possible Please choose to install One of these good free firewalls below to fully protect your system anyone of these will give you Full control over everything that requests Internet access a feature not available in the default Windows Firewall

ZoneAlarm
Kerio Personal Firewall
OutPost Firewall Free
Sygate Personal Firewall


Can you please now Create a Startup List

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Click on the button "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post


Step 2

Please show Hidden Files on your system, to do this:

Click Start and then double-click My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm the changes.
Click OK.


Now go to Start | Control Panel | Add/Remove Programs and uninstall the following: ( If listed )

PrintView
ipwins
SpywareBot
<--This is not a recommended Anti-Spyware Product For more information go to Spyware Warrior


Re-Scan with HijackThis and place a "checkmark" next to these entries:

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Renée\Desktop\304.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Math bind jugs burn] C:\Documents and Settings\All Users\Application Data\Waitcitymathbind\hole mess.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

Make sure all browser and all Windows Explorer windows are closed and select "Fix checked". Exit Hijack This


Now Hold Down The Windows Key + E to Open Windows Explorer,
Navigate to then Right Click on and Delete these Bold Files/Folders:

C:\PROGRAM FILES\PrintView
C:\Documents and Settings\Renée\Desktop\304.exe
C:\Program Files\ipwins
C:\Documents and Settings\All Users\Application Data\Waitcitymathbind
C:\Program Files\SpywareBot
C:\WINDOWS\system32\crunner


Step 3

Download AVG Anti-Spyware 7.5
http://www.ewido.net/en/download/

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close Ewido.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please Reboot your System into Safe Mode Shut down your system, then Restart your computer
as soon as it starts booting up again continuously tap F8 from the menu select the option to enter Safe Mode

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 4

Please now Re-Scan your system with the Panda ActiveScan
http://www.pandasoftware.com/activescan.htm

When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Reboot your System

Then Re-scan with HijackThis and post

1/ The new HijackThis Log,
2/ The Online Panda Result's,
3/ The AVG Anti-Spyware 7.5 Report-Scan.txt,
4/ The StartupList Log.

ourwilly.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users