Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ad.firstadsolution Popups


  • This topic is locked This topic is locked
11 replies to this topic

#1 genesiss

genesiss

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 31 October 2006 - 09:14 AM

Hello, every time I open my browser I'm getting the firstadsolution popup. I am using FireFox 2 and for some reason the popup comes from IE.
I'm using an updated NOD32 and tried both Ad-Aware and Ewido with no luck.
Here is my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 16:00:58, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Files\Applications\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TonsSeek] C:\DOCUME~1\ADMINI~1\APPLIC~1\FRAGME~1\Delete Name.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 31 October 2006 - 11:36 AM

Hello genesiss, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#3 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 01 November 2006 - 10:31 AM

Hello genesiss, sorry for the delay in getting back to you.

======

Please Download NoLop to your desktop.
  • First close any other programs you have running; this will need you to reboot.
  • Double click NoLop.exe to run it
  • Now click the button labelled Search and Destroy
    <<Your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK.
  • Now click the REBOOT Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log in your next reply.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your System32 folder then re-run the program.

======

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
======

Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

======

Post me back the NoLOP log, an uninstall list and a new HijackThis log, please.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#4 genesiss

genesiss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 01 November 2006 - 11:25 AM

Thanks for the assistance, I have followed your instructions and here are the log files:
======

NoLOP:

NoLop! Log by Skate_Punk_21

Fix running from: E:\Files\Applications
[01/11/2006]
[17:53:41]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\869001888B1BB888.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Ahead
C:\Documents and Settings\Administrator\Application Data\Apple Computer
C:\Documents and Settings\Administrator\Application Data\Azureus
C:\Documents and Settings\Administrator\Application Data\Dvdcss
C:\Documents and Settings\Administrator\Application Data\Dwgeditor
C:\Documents and Settings\Administrator\Application Data\Frag Meet
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Lavasoft
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Media Player Classic
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Solidworks
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Administrator\Application Data\Symantec
C:\Documents and Settings\Administrator\Application Data\Teamspeak2
C:\Documents and Settings\Administrator\Application Data\Thunderbird
C:\Documents and Settings\Administrator\Application Data\Ventrilo
C:\Documents and Settings\Administrator\Application Data\Vlc
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Beep Mail Gpl Download
C:\Documents and Settings\All Users\Application Data\Bluebeam Software
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Mozilla -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
======

Uninstall list from HJT:

3DMark06
7-Zip 4.32
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Reader 7.0.7
AFPL Ghostscript 8.51
AFPL Ghostscript Fonts
Attribute Changer 5.23
Avanquest update
AVG Anti-Spyware 7.5
AVI/MPEG/ASF/WMV Splitter 2.31
AVI/MPEG/RM/WMV Joiner 4.61
Azureus
Best Video to Audio Converter 1.30
CleanUp!
DirectVobSub (remove only)
DivX
eDrawings 2005
Fraps (remove only)
Google Video Player
GSpot Codec Information Appliance
GSview 4.7
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
Intel Audio Studio 2.0
Intel® PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 9
Lexmark Supplies Monitor
Lexmark Z65
Macromedia Flash Player 8 Plugin
MakeTorrent v2.1
Maple 10
MathXpert
Microsoft .NET Framework 1.1 SP1
Microsoft .NET Framework 2.0
Microsoft Office 2003 Resource Kit Tools
Microsoft Office Professional Edition 2003
Microsoft Visual J# 1.1 Redistributable Package
Motorola Phone Tools
Mozilla Firefox (2.0)
Mozilla Thunderbird (1.5)
MP3 Splitter & Joiner
MSN Messenger 7.5
MSXML 4.0 SP2 (KB925672)
MSXML 6.0 Parser (KB925673)
Nero 7 Premium
Nirsoft Utilities Collection
NOD32 antivirus system
NVIDIA Drivers
Oblivion
OpenExpert 1.40
Paint.NET 2.6
PowerISO
QuickTime
Real Alternative 1.48
RegShot 1.7.2
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SigmaTel Audio
SolidWorks 2005 SP0.1
SpywareBlaster v3.5.1
Sygate Personal Firewall
TaskSwitchXP
TeamSpeak 2 RC2
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VideoLAN VLC media player 0.8.5
VobSub v2.23 (Remove Only)
Winamp (remove only)
WinPcap 3.1 Beta 4
WinRAR 3.51
Wireless ADSL VPN Router
XviD 1.1 final uninstall
ZoneAlarm

======

New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:13:25, on 01/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
E:\Files\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [TonsSeek] C:\DOCUME~1\ADMINI~1\APPLIC~1\FRAGME~1\Delete Name.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 02 November 2006 - 09:53 AM

Hey genesiss, sorry for the delay in getting back to you.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible, especially whilst in Safe Mode (you can't use the Internet)

======

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\Run: [TonsSeek] C:\DOCUME~1\ADMINI~1\APPLIC~1\FRAGME~1\Delete Name.exe

Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

======

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

======

Next, please find and delete the following folders (if present):

C:\Documents and Settings\Administrator\Application Data\Frag Meet <--Folder
C:\Documents and Settings\All Users\Application Data\Beep Mail Gpl Download <--Folder

======

Reboot into Normal Mode again.

======

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report in your next reply
======

Please post me back the Panda report, and a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#6 genesiss

genesiss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 03 November 2006 - 10:41 AM

Here is my Panda report:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.com.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[server.iad.liveperson.net/hc/47292500]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[server.iad.liveperson.net/hc/47292500]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[server.iad.liveperson.net/hc/15514262]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\euhgclrp.default\cookies.txt[.advertising.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Virus:W32/Spamta.HH.worm Disinfected Personal Folders\Deleted Items\Mail server report.\Update-KB8609-x86.zip[Update-KB8609-x86.exe]
Virus:W32/Spamta.HH.worm Disinfected Personal Folders\Deleted Items\Mail Transaction Failed\readme.dat.bat
Virus:Trj/SpamtaLoad.Y Disinfected Personal Folders\Deleted Items\Mail server report.\Update-KB1453-x86.zip[Update-KB1453-x86.exe]
Virus:Trj/SpamtaLoad.Y Disinfected Personal Folders\Deleted Items\Status\readme.txt.bat
Virus:Trj/SpamtaLoad.Y Disinfected Personal Folders\Deleted Items\Mail server report.\Update-KB2187-x86.zip[Update-KB2187-x86.exe]
Virus:Trj/SpamtaLoad.Y Disinfected Personal Folders\Deleted Items\Status\docs.dat.pif
Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\WINDOWS\system32\cmdow.exe


======

And a new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 17:34:02, on 03/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\Files\Applications\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

======

Thanks.

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 04 November 2006 - 04:56 AM

Hello genesiss, sorry for the delay in getting back to you.

======

This line in your Panda log:

Potentially unwanted tool:Application/HideWindow.S Not disinfected C:\WINDOWS\system32\cmdow.exe

CmdOw.exe is a program to execute batch files hidden from view. This doesn't mean anything in itself, hence the "Potentially unwanted tool:" tag, but it can pretty perfectly be used for hacking. So if there is an active backdoor on the system, this probably will be the conduit. Are you aware of the program? If not, please delete the associated file: C:\WINDOWS\system32\cmdow.exe.

======

I see you already have AVG AntiSpyware installed...
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

======

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
======

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
======

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
======

Reboot into Normal Mode.

======

Post me back the following, please:
- AVG log
- How are things running now?

Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#8 genesiss

genesiss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 04 November 2006 - 08:01 AM

I have deleted the cmdow.exe file, since I am not aware of any such program that should be on my PC.

The AVG scan came out clean, here is the log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:33:25 04/11/2006

+ Scan result:



Nothing found.


::Report end


Things are running very smooth now, the popups have stopped altogether.
Thanks a lot for all the help.

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 05 November 2006 - 05:41 AM

Hey genesiss- great job in removing all that malware! :thumbsup:

======

Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Hopefully this should take care of your problems, good luck!
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#10 genesiss

genesiss
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:56 AM

Posted 05 November 2006 - 03:13 PM

Thanks again for all the help and tips, I really appreciate all your assitance :thumbsup:

#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 05 November 2006 - 03:15 PM

You're very welcome... :thumbsup:

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 12 November 2006 - 06:43 AM

Since this issue appears resolved, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users