Unwanted Pop-up


9 replies to this topic

#1 Punk-Nerd
  • Members
  • 8 posts

Posted 03 April 2007 - 02:56 AM

A month earlier, I was infected by Virtumonde. I used Spyware Doctor to remove it, but unsuccessfully. Then I used the program from this forum, and amazingly it worked. However, I still have one small problem: whenever I surf the web for 5 mins+ on Opera, I immediately get a targeted ad when I close the web browser. The targeted site has always been adultfriendfinder.com... The problem isn't so serious, but it's annoying, especially when my brother, who often uses this computer, is only 9. Thanks in advance =]



#2 fozzie
    aut viam inveniam aut faciam
  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands

Posted 03 April 2007 - 03:56 AM

Click Here for New User orientation.
Here are the Tutorials
Feel free to join in at the Forum Games
especially at the New Game Opens Up! thread.


In the meantime may I draw your attention to a worthy cause we serve here at BC, it is called Folding&Home. Please click the banner in my sig which takes you to the thread.

As to your problem:
Start with checking for malware causes to your problem.
Install SuperAntiSpyware. Run it in SAFE MODE. Allow it to quarantine whatever it finds.
SuperAntiSpyware: http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
Bitdefender: http://www.bitdefender.com/scan8/ie.html

Your solution might be to create a new user

Microsoft Windows XP - Add a new user to the computer

#3 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 03 April 2007 - 09:46 AM

Hi Punk-Nerd,

A new user account is not going to remove any malware that is causing the problem. Vundo doesn't always clean up real well and often comes with other malware. Even if the additional scans seem to clear up the remaining problem, I recommend you post a HijackThis log and let us see what else is going on.

Please don't post your log back in this thread. Go to the following link and follow all those instructions that apply to you:

Preparation Guide For Use Before Posting A Hijackthis Log

The thing about people

is they change

when they walk away.--Mipso


#4 Punk-Nerd (Topic Starter)
  • Members
  • 8 posts

Posted 11 April 2007 - 02:46 AM

Sorry for being inactive :thumbsup: My internet hasn't worked properly over the last few days.

This is my hijack log. I personally don't understand jack looking at it =[

Logfile of HijackThis v1.99.1
Scan saved at 5:40:46 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\AUTOSH~1\AS_Service.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nexon.net/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DB1E1DE-972E-43B7-A547-B51D459B6AC9} - (no file)
O2 - BHO: (no name) - {544967E5-F15D-48E7-9E23-373A8F266F60} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE" /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AutoShutdown Service (AutoShutdown) - Barefoot Productions, Inc. - C:\PROGRA~1\AUTOSH~1\AS_Service.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



#5 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 11 April 2007 - 10:32 AM

Hi again Punk-Nerd,

You weren't supposed to post your log here, but since you did I've moved it to the HJT forum so you don't get inadequate and/or dangerous advice.

As I suspected, you have a Vundo related file that wasn't deleted and a few orphaned reg entries. I'm not sure if you used VundoFix earlier, but if you did you can delete it and download again so we get the most up to date version.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Scan again with HijackThis and put a checkmark next to the following entries (if present):

O2 - BHO: (no name) - {3DB1E1DE-972E-43B7-A547-B51D459B6AC9} - (no file)
O2 - BHO: (no name) - {544967E5-F15D-48E7-9E23-373A8F266F60} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)


Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Reboot your system, scan again with HijackThis and post a new log, please, along with the vundofix.txt and SAS log. There will likely be more to do.

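The Python below is an added example, not code from this thread or from HijackThis: it parses the O2 and O4 lines of a HijackThis 1.99 log and flags the two patterns visible in the first log posted above, BHO CLSIDs registered with "(no file)" (the orphaned entries Papakid lists for "Fix checked") and a rundll32-launched DLL in the Windows system directory (the WinFlyer32.dll Run value that SUPERAntiSpyware's log later lists under Trojan.Downloader-WinFlyer). The sample lines are constructed from that first log; rundll32 hits are review items for a human, not verdicts, since legitimate products also start DLLs that way.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {3DB1E1DE-972E-43B7-A547-B51D459B6AC9} - (no file)
O2 - BHO: (no name) - {544967E5-F15D-48E7-9E23-373A8F266F60} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" C:\WINDOWS\system32\WinFlyer32.dll,Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
# Lower-case prefixes of the Windows directories on this XP box (assumed default install path).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis entry verbatim, so it can be ticked in "Fix checked"
    reason: str


def rundll_target(cmd: str) -> str | None:
    """Return the DLL path when a Run command is 'rundll32[.exe] <dll>[,<entry>]', else None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2:
        return None
    exe = parts[0].strip('"').lower()
    if exe not in ("rundll32", "rundll32.exe"):
        return None
    # rundll32 takes "<dll>,<entrypoint>"; the comma and entry point are not part of the path.
    return parts[1].split(",", 1)[0].strip().strip('"')


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def triage(log_text: str) -> list[Finding]:
    """Flag orphaned BHO registrations and rundll32-launched DLLs in the system directory."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A CLSID still registered under Browser Helper Objects whose DLL is gone
            # is exactly the "orphaned reg entry" the helper asked to fix.
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding(line, f"orphaned BHO {m['clsid']}: registered, no DLL on disk"))
            continue
        if m := O4_RE.match(line):
            dll = rundll_target(m["cmd"])
            if dll is not None and in_system_dir(dll):
                why = f"{m['hive']} Run value loads {dll} through rundll32 at logon"
                if m["value"].lower().endswith(".dll"):
                    why += "; value name is the DLL filename rather than a product name"
                findings.append(Finding(line, why + "; verify the file before removal"))
    return findings


def fix_checklist(findings: list[Finding]) -> list[str]:
    """Entries to tick in HijackThis, in log order, for hand-off to the helper."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```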


#6 Punk-Nerd (Topic Starter)
  • Members
  • 8 posts

Posted 12 April 2007 - 05:37 AM

Man, it took ages for the scans >.<, NOD32krnl was running 50% of my processor when VundoFix was scanning. They don't seem to agree with each other so much =o

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:04 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AUTOSH~1\AS_Service.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nexon.net/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE" /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AutoShutdown Service (AutoShutdown) - Barefoot Productions, Inc. - C:\PROGRA~1\AUTOSH~1\AS_Service.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

SUPERAntiSpyware Scan Log
Generated 04/12/2007 at 06:51 PM

Application Version : 3.6.1000

Core Rules Database Version : 3217
Trace Rules Database Version: 1227

Scan type : Complete Scan
Total Scan Time : 03:29:05

Memory items scanned : 431
Memory threats detected : 1
Registry items scanned : 6582
Registry threats detected : 2
File items scanned : 323777
File threats detected : 31

Trojan.Downloader-WinFlyer
C:\WINDOWS\SYSTEM32\WINFLYER32.DLL
C:\WINDOWS\SYSTEM32\WINFLYER32.DLL
[WinFlyer32.dll] C:\WINDOWS\SYSTEM32\WINFLYER32.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57E218E6-5A80-4f0c-AB25-83598F25D7E9}

Adware.Tracking Cookie

Trojan.Downloader-UniBBB
C:\WINDOWS\SYSTEM32\PMNOPNL.DLL.VIR

Trace.Known Threat Sources
C:\Documents and Settings\Thang Nguyen\Local Settings\Temporary Internet Files\Content.IE5\WTYZKHUV\scanner[1].htm

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 3:08:19 PM 4/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


I suppose it's clean now :D I really appreciate the help :thumbsup:

Edited by Papakid, 12 April 2007 - 09:25 AM.


#7 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 12 April 2007 - 11:22 AM

Yep, log looks clean now. So has the problem gone away?

Just a little more to do to tidy up, and some suggestions. BTW, I took your logs out of the quote boxes to make it easier for me to read.

You have an old version of Java that is vulnerable; Vundo used its security hole to install on your system. Sun leaves old versions installed even when you update it, which is kind of weird. You also don't have the latest version. It is always best to uninstall all previous versions and install the latest for your system's security.

Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment....).
    It should have the Java icon next to it.
    Select it and click Remove.

    You should find these two versions:

    1.5.0.2
    1.5.0.11

  • Then download and install the newest version (6 Update 1) from here--choose offline installation: http://www.java.com/en/download/manual.jsp
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

You don't appear to be using a software firewall. Even if you have Windows firewall running, it is not very manageable so using a third party software firewall is always highly recommended. Even if you are using a hardware firewall, a software one will only help increase your security. Here are some good free ones:

Kerio Personal Firewall
OutPost Firewall Free
ZoneAlarm
Comodo


Understanding and Using Firewalls
US-CERT's Understanding Firewalls

Then test your firewall's ability at Shields Up

To do some more tidying up and see if there is anything else to attend to that HijackThis doesn't "see", let's run one more scan. Please do this after following the above instructions:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Please let me know how your system is running now when you post back.

BTW, it is normal for Scanners like SAS to take up resources so it is best to run them when you aren't otherwise going to use the computer. Not sure if there is a conflict with nod or if that is by design. It may be a good idea to disable nod and go off line to run such tools.



#8 Punk-Nerd (Topic Starter)
  • Members
  • 8 posts

Posted 15 April 2007 - 02:06 AM

I thank you very much for your help. The system is running perfectly normally now. I don't really want a new firewall installed on my system; it's too much of a hassle, always asking for "allow" or "block" (just like the Mac ad). Windows firewall rarely asks for stuff, not safe but I find it convenient. Thanks again for wasting your precious time to help me =]

#9 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 15 April 2007 - 09:14 AM

Yes, I know firewalls can be inconvenient. Just ask yourself what is more annoying to you--having to remove an infection and possibly having to change all your passwords and even contact your bank, or to take the time to train a firewall and prevent that from happening in the first place?

The Windows firewall is better than nothing and in combination with Nod32 is not a bad setup, but doesn't monitor outgoing packets very well. Yes, a third party firewall will bug you with a lot of deny or allow questions for a while, but you should be able to tell it to remember your decision so after about a week or so you will rarely be asked for a decision. It's up to you, just want you to know that it isn't a waste of my time when I volunteer it. If you become a "repeat customer" because you don't follow recommendations, then it may become that and people will be less willing to volunteer their time.

So do me a favor and follow the instructions from my last post--that scan only takes about five minutes at most. There probably won't be much to do unless you've managed to re-infect yourself.



#10 Punk-Nerd (Topic Starter)
  • Members
  • 8 posts

Posted 17 April 2007 - 04:24 AM

Hi Papakid, I think your advice is worth considering. After reviewing the listed firewalls, I have chosen to install Comodo on my system. Well, it took me 3 hours to train it; I ran every single application on my computer and allowed their access >.< Though time consuming, it now gives me peace of mind. The firewall doesn't hog the system as much as I thought, so it's going great. There's only one problem left: the firewall is blocking my shared network access, including printer and network drive. I'm trying to figure it out >_> Edit: tada, got it, the configuration was as easy as a walk in the park.

BTW, I'm sorry for using the word "wasting time", I should've used "spending time". Pardon me =]

Edited by Punk-Nerd, 17 April 2007 - 05:52 AM.




