
Popups that keep coming


This topic is locked
7 replies to this topic

#1 BryanBradshaw
Members, 14 posts

Posted 28 January 2007 - 09:35 PM

//Mod edit: Log split away from thread here http://www.bleepingcomputer.com/forums/t/79575/im-seriously-infected-but-cant-use-hijackthis/

OK, I found the .dll file and downloaded it and stuff, so now it works. Here's my file and I hope it helps. I also forgot to mention that I have popups that keep coming no matter what I do or where I go.


Logfile of HijackThis v1.99.1

Scan saved at 6:38:45 PM, on 1/28/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn0\YTBSDK.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by KoanYorel, 28 January 2007 - 09:51 PM.



#2 Rosty
Skydive junkie
Malware Response Team, 1,220 posts

Posted 30 January 2007 - 09:12 AM

Hello BryanBradshaw,

We are currently studying your log and will be back to you as soon as possible. Thank you for your patience.

Regards,

Rosty.
Proud member of ASAP since 2007

#3 Rosty
Skydive junkie
Malware Response Team, 1,220 posts

Posted 31 January 2007 - 03:23 AM

Hi BryanBradshaw,
Welcome to BleepingComputer. My name is Rosty and I'm going to help you with your log.

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing, without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/default.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Next, I need you to rename HijackThis because I suspect that you may have the Vundo infection, which can hide some entries in your log.

* Please go to the folder where you saved Hijackthis.exe:
"C:\HJT\HijackThis.exe"
* Right-click on it, then select Rename.
* Name it something like: 321.exe (or whatever you want)
* Then double-click 321.exe to scan, then post the new logfile.


Kind regards,

Rosty.

#4 BryanBradshaw (Topic Starter)
Members, 14 posts

Posted 31 January 2007 - 08:56 PM

Um yeah, I don't have any service packs installed because I don't have a "valid" copy of Windows XP. When I go to update, it tells me my XP isn't real or something.

#5 Rosty
Skydive junkie
Malware Response Team, 1,220 posts

Posted 01 February 2007 - 12:28 PM

Hi again,

Hi, I see you have an antivirus. Is it still valid?

Please do the following:

Please install a firewall first, because it doesn't make any sense to remove malware from your system if no scanner is preventing it from reinfecting your computer.


Without a firewall your computer is susceptible to being hacked and taken over:
Kerio Personal Firewall OR ZoneAlarm are good FREE firewalls.

Read Understanding and using firewalls to learn more about using firewalls.

VERY IMPORTANT: Never install more than ONE firewall on your system! Several together can give problems and decrease their reliability and effectiveness!


I need you to rename HijackThis because I suspect that you may have the Vundo infection, which can hide some entries in your log.

* Please go to the folder where you saved Hijackthis.exe:
"C:\HJT\HijackThis.exe"
* Right-click on it, then select Rename.
* Name it something like: 321.exe (or whatever you want)
* Then double-click 321.exe to scan, then post the new logfile.


Kind regards,

Rosty.

Edited by Rosty, 01 February 2007 - 01:01 PM.


#6 BryanBradshaw (Topic Starter)
Members, 14 posts

Posted 01 February 2007 - 03:22 PM

Here's the new log after I installed the firewall. And yeah, I have 2 spyware programs, Norton SystemWorks and Ad-Aware. They're both running fine, except they don't seem to be able to pick up whatever is kicking my computer's butt.



Logfile of HijackThis v1.99.1
Scan saved at 12:19:24 PM, on 2/1/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\321.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O17 - HKLM\System\CS3\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Edited by BryanBradshaw, 01 February 2007 - 03:27 PM.


#7 Rosty
Skydive junkie
Malware Response Team, 1,220 posts

Posted 02 February 2007 - 10:32 AM

Hi BryanBradshaw,
Thanks for the new log.

Download ATF Cleaner.
Do not run it yet, we will shortly.


Please open HijackThis, click Do a scan only and place a check next to the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

Now run ATF-Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use the Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Next,
Please download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.


Regards,

Rosty.
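Rosty picks the two entries to fix by reading the log by hand. As an added example (not part of this thread, and not code from HijackThis or BleepingComputer), the following Python script parses a HijackThis v1.99.1 log in the format posted above and applies a few first-pass triage rules a helper would check before anything else: O16 (Download Program Files / ActiveX) entries whose source is a remote URL rather than a local file, O17 NameServer values so the DNS servers can be compared against the ISP's, R0/R1 start page and search settings, and running processes whose file name carries a double extension. That last rule exists because the second log lists the renamed scanner as C:\HJT\321.exe.exe, which is what you get when Explorer hides known extensions and the user types "321.exe" as the new name. The sample log is a constructed subset of the entries posted in this thread (the truncated .cab URL is copied as it appears on the page); the section regex, the rule set and the finding names are my own assumptions, not anything HijackThis defines.

```python
"""First-pass triage of a HijackThis v1.99.1 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the second log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:19:24 PM, on 2/1/2007
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\321.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5D0752-C5B3-47F6-9CA7-95332940B89C}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

# HijackThis entries look like "<section> - <detail>", e.g. "O16 - DPF: ...".
# The section set (R0-R3, F0-F3, N1-N4, O1-O24) is an assumption about the v1.99.1 format.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


@dataclass
class Entry:
    section: str   # e.g. "O16"
    detail: str    # everything after "<section> - "
    raw: str       # the original log line, as a helper would quote it back


def parse_log(text):
    """Split a HijackThis log into (running processes, parsed entries)."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first R/F/N/O line ends the process list
            entries.append(Entry(m["section"], m["detail"], line))
            continue
        if in_processes and DRIVE_PATH_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(processes, entries):
    """Apply first-pass rules; returns a dict of finding name -> list of evidence."""
    findings = {"remote_dpf": [], "nameservers": [], "double_extension": [], "home_search": []}
    for path in processes:
        name = path.rsplit("\\", 1)[-1]
        # "321.exe.exe": a second .exe appended because known extensions were hidden.
        if name.lower().count(".exe") >= 2:
            findings["double_extension"].append(path)
    for e in entries:
        if e.section == "O16" and URL_RE.search(e.detail):
            # ActiveX/DPF objects pulled from a web server deserve a look first.
            findings["remote_dpf"].append(e.raw)
        elif e.section == "O17":
            m = NAMESERVER_RE.search(e.detail)
            if m:
                for ip in m.group(1).split(","):
                    if ip not in findings["nameservers"]:
                        findings["nameservers"].append(ip)
        elif e.section in ("R0", "R1"):
            # Start page / search bar: confirm with the user that they set these.
            findings["home_search"].append(e.raw)
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for name, evidence in triage(procs, ents).items():
        for item in evidence:
            print(f"[{name}] {item}")
```

The nameserver rule only reports; whether 207.69.188.185/186 are the user's ISP's resolvers is something the helper confirms with the user, which is why the script does not label them good or bad.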

#8 Rosty
Skydive junkie
Malware Response Team, 1,220 posts

Posted 14 February 2007 - 03:53 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
