Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New Guy Needs Help!


  • Please log in to reply
37 replies to this topic

#1 dnap

dnap

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 02 April 2007 - 06:12 PM

hello, i am new to this site, but i have been here before looking at some of the stuff you guys have on here, and looking at some of the problems people have, and seeing how you help them is amazing, and well, i really need some help this time.

just recently i got hacked or something, and had tons of virused, trojans, and malware, so i ran spybot and ad-aware and found lots of things, some were fixed, others quarantines, i also had the free version of zonealarm as well, but none of that helped. since them, i purchased the zonealarm internet security suite, but my problems still persist. basically my computer runs slow on start up, and i get annoying pop-ups like singlesnet.com, c5.zedo.com, mirarsearch.com to name a few, and i have ran zonealarm, spybot and ad-aware, and anything they find they fix, but nothing gets rid of this problem. i downloaded hjt, and ran it, and will post the log of it for you guys to look over.

Logfile of HijackThis v1.99.1
Scan saved at 6:52:04 PM, on 4/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: 0 - {933C276F-9162-4D97-7E84-80CA37968142} - C:\Program Files\MSN\qukato.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

compared to some of the other peoples logs i see on here, there isnt much to mine, basically because i dont let to much stuff run, but if anyone can help me, please let me know what to do, thanks in advance,

dominic.

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 02 April 2007 - 06:23 PM

Welcome to the BleepingComputer HijackThis forum dnap :thumbsup:

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the results file Report.txt from SDFix,the C:\ComboFix.txt,and a new Hijackthis log into your next reply please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#3 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 02 April 2007 - 08:04 PM

ok i did what you said, and this is what i got:

Logfile of HijackThis v1.99.1
Scan saved at 8:55:13 PM, on 4/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: 0 - {933C276F-9162-4D97-7E84-80CA37968142} - C:\Program Files\MSN\qukato.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


SDFix: Version 1.76

Run by dominic napolitano - Mon 04/02/2007 - 20:23:30.14

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
TCP and UDP Supp0rt

ImagePath:
C:\WINDOWS\System32\tccpip.exe /winnt

TCP and UDP Supp0rt Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\NetworkService\Local Settings\Temp\mst26.bat - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

Finished


"dominic napolitano" - 07-04-02 20:00:34 Service Pack 1
ComboFix 07-04-01 - Running from: "C:\Documents and Settings\dominic napolitano\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\bund1\temp.txt
C:\DOCUME~1\DOMINI~1\Desktop\internet.lnk
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{6C43F~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Runtime
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-02 to 2007-04-02 ))))))))))))))))))))))))))))))))))


2007-03-26 00:47 512 --a------ C:\ScanSectorLog.dat
2007-03-26 00:08 79,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-03-26 00:08 2,596,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-26 00:08 <DIR> d-------- C:\DOCUME~1\DOMINI~1\APPLIC~1\MailFrontier
2007-03-25 23:57 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-03-25 17:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-25 15:02 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-03-24 19:06 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-03-24 19:03 <DIR> d-------- C:\DOCUME~1\DOMINI~1\APPLIC~1\WholeSecurity
2007-03-24 14:37 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-18 13:49 784 --a------ C:\DOCUME~1\DOMINI~1\APPLIC~1\mpauth.dat
2007-03-03 11:15 <DIR> d-------- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-02 17:25 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-29 23:07 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-03-24 20:35 -------- d-------- C:\Program Files\msn gaming zone
2007-02-25 11:19 -------- d-------- C:\Program Files\java
2007-02-17 16:45 -------- d-------- C:\Program Files\olympus
2007-02-17 16:41 -------- d--h----- C:\Program Files\installshield installation information
2007-02-13 21:58 -------- d-------- C:\Program Files\norton internet security
2007-02-13 21:58 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-09 20:06 -------- d-------- C:\Program Files\pixela
2007-02-08 20:02 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-02-01 21:18 60416 --a------ C:\WINDOWS\ic5.exe
2007-01-20 12:17 516608 --a------ C:\WINDOWS\system32\winlogon.exe
2007-01-20 12:16 51200 --a------ C:\WINDOWS\system32\spoolsv.exe
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-16 21:59 875 --a------ C:\DOCUME~1\DOMINI~1\APPLIC~1\adobedlm.log
2007-01-16 21:59 0 --a------ C:\DOCUME~1\DOMINI~1\APPLIC~1\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-02 20:04:03

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#4 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 02 April 2007 - 10:38 PM

well so far my computer seems to be running faster again, and no annoying pop-ups yet, but how does my logs look?

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 03 April 2007 - 03:41 AM

Please disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (disabled by BHODemon)

Exit Hijackthis,find and delete if present:
C:\Program Files\Ofb11
C:\WINDOWS\ic5.exe

************************

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Re-enable Spybot's protection.

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Posted Image
Posted Image

#6 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 03 April 2007 - 10:28 PM

well i done everything i was told, and it seemed to work, but i am still getting pop-ups, this time its for something like ecsecured.com, about downloading WinAntiVirus, and WinAntiSpyware, and my computer is infected, and techygadget.com about winning a free laptop, and UpSpiral.com search thing, and that full screen monster marketplace search, whatever its called, those are some of the pop-ups im getting, is there anything i can do?

Edited by dnap, 03 April 2007 - 11:53 PM.

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 04 April 2007 - 04:02 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

******************************

Download RogueRemover from the link below:
http://www.malwarebytes.org/rogueremover.php
Unzip to a convenient location such as C:\RogueRemover.
Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
Finally,select 'Scan' and the program will walk you through the remaining steps.

******************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply

******************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Posted Image
Posted Image

#8 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 05 April 2007 - 03:02 PM

ok, i did everything i was told again, heres what i got... rogue remover also found nothing...


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
-----------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
Generated 04/03/2007 at 11:46 PM

Application Version : 3.6.1000

Core Rules Database Version : 3213
Trace Rules Database Version: 1223

Scan type : Complete Scan
Total Scan Time : 01:24:24

Memory items scanned : 372
Memory threats detected : 0
Registry items scanned : 3599
Registry threats detected : 0
File items scanned : 15848
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@emarketmakers[2].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@www.upspiral[1].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@upspiral[2].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@publishers.clickbooth[2].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@revsci[1].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@atwola[1].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@cpvfeed[2].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@questionmarket[2].txt
C:\Documents and Settings\dominic napolitano\Cookies\dominic napolitano@trafficmp[1].txt
-----------------------------------------------------------------------------------------------------------------------------

SmitFraudFix v2.164

Scan done at 15:50:30.46, 07-04-04
Run from C:\Documents and Settings\dominic napolitano\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\RogueRemover\RogueRemover.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dominic napolitano


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dominic napolitano\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DOMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: HP EN1207D-TX PCI 10/100 Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.87.75.194
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8BDC483C-FF47-48D8-B62E-7716E23D19FE}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8BDC483C-FF47-48D8-B62E-7716E23D19FE}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8BDC483C-FF47-48D8-B62E-7716E23D19FE}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 05 April 2007 - 04:08 PM

You've no virus protection installed.
Download\install one of the following.
Once installed update its definitions and run a full system virus scan:

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

Let me know how your pc is running now please.
Posted Image
Posted Image

#10 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 05 April 2007 - 04:10 PM

i have zone alarm internet security suite, it comes with antivirus protection, doesnt it? and so far, things seem good, for the 10 minutes i been online, no pop-ups or anything yet

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 05 April 2007 - 05:33 PM

Ok dnap,let me know how it goes please.
Posted Image
Posted Image

#12 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 05 April 2007 - 10:28 PM

thank you so much for your help so far richie. i havent gotten any pop-ups at all today, but i dont know what changed from the first scans, then to the second scans, do you?

also, i updated, and ran my zonealarms anti-virus/spyware, and it found 4 low risk spyware it always finds, and deleted them, but it also found 4 viruses,

3 named not-a-virus:risktool.win32.reboot.f

1 called win32.trojan.shutdown.

for now, i quarantined them, then deleted them, but do you know anything about them?

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 06 April 2007 - 05:07 AM

Those are all tools that are part of SmitfraudFix,nothing at all to be concerned about :thumbsup:
Posted Image
Posted Image

#14 dnap

dnap
  • Topic Starter

  • Members
  • 262 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:24 PM

Posted 06 April 2007 - 06:50 AM

ok well anyways, pop-ups are happening again once i restarted... everything was fine yesterday, i dont get it? is there anything else i can do?

CPU - AMD FX-8350 Black Edition

Motherboard -MSI 990FXA-GD80

Ram - G.SKILL Ripjaws X Series 8GB (2 x 4GB)

Video Card - MSI Radeon R9 280

Storage - Western Digital Velociraptor 300GB 10k RPM

Power Supply - hec XP1080 800W

Case - Antec DF-35


#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 06 April 2007 - 07:26 AM

Download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users