
Unwanted pop-ups. Help me please.



#1 Bertrano (Members, 1 posts)

Posted 14 January 2005 - 09:15 AM

Hi,

I keep getting pop-ups of a website named 69sexsearch.com.

I ran Trendmicro Housecall, which identified 3 viruses:

1. TROJ_TIBSER.G with 2 infected files:
C:\Documents and Settings\...\Temporary Internet Files\Content.IE5\119AJVTQ\sbar[1].exe
C:\Documents and Settings\...\Temporary Internet Files\Content.IE5\4TI34TMZ\sbar[1].exe

2. TROJ_DLOADER.W, with 7 infected files:
C:\WINNT\system32\aamibex.dll
C:\WINNT\system32\ardsats.dll
C:\WINNT\system32\atacdlg06.dll
C:\WINNT\system32\ctxsfpol.dll
C:\WINNT\system32\rownetmdlg.dll
C:\WINNT\system32\sycertscu.dll
C:\WINNT\system32\ticactfgery.dll

3. TROJ_SMALL.SM, with 1 infected file:
C:\WINNT\system32\ctsflib.exe

Housecall could not clean any of these files.

I also ran Ad-aware SE and Spybot S&D. Both without success.
Please help, a million thanks in advance.

Here is My Hijackthis logfile:

Logfile of HijackThis v1.99.0
Scan saved at 15:07:25, on 14/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\gearsec.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\sistray.EXE
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\WINNT\system32\lrsveamile.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\WINNT\system32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.standaard.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKLM\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O4 - HKLM\..\Run: [A953D0EB] C:\WINNT\system32\tifersess.exe
O4 - HKLM\..\Run: [9B99945E] C:\WINNT\system32\nfmsdl.exe
O4 - HKLM\..\Run: [00393E86] C:\WINNT\system32\tresct.exe
O4 - HKLM\..\Run: [D08D935E] C:\WINNT\system32\comsbmsr.exe
O4 - HKLM\..\Run: [0C1B965E] C:\WINNT\system32\lgsetu.exe
O4 - HKLM\..\Run: [AB8D8BFB] C:\WINNT\system32\dptGFsrv.exe
O4 - HKLM\..\Run: [99EB4D73] C:\WINNT\system32\dsmackvic.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKCU\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O4 - HKCU\..\Run: [A953D0EB] C:\WINNT\system32\tifersess.exe
O4 - HKCU\..\Run: [9B99945E] C:\WINNT\system32\nfmsdl.exe
O4 - HKCU\..\Run: [00393E86] C:\WINNT\system32\tresct.exe
O4 - HKCU\..\Run: [D08D935E] C:\WINNT\system32\comsbmsr.exe
O4 - HKCU\..\Run: [0C1B965E] C:\WINNT\system32\lgsetu.exe
O4 - HKCU\..\Run: [AB8D8BFB] C:\WINNT\system32\dptGFsrv.exe
O4 - HKCU\..\Run: [99EB4D73] C:\WINNT\system32\dsmackvic.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Real-time Monitor.lnk = C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Gear-beveiligingsvoorziening - GEAR Software - C:\WINNT\System32\gearsec.exe
O23 - Service: iPod-voorziening - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe


#2 groovicus (Security Colleague, 9,963 posts, Centerville, SD)

Posted 14 January 2005 - 10:18 PM

That's an interesting log. :flowers:

First, open IE, then click on Tools>Internet Options, then delete files. It may take awhile, but that will get rid of a couple of those infections.

While still there, click on Security, then Trusted Zones, and remove the http://*.69sexsearch.com from there.

Download the following :
http://www.downloads.subratam.org/KillBox.zip

Double-click on KillBox.exe. Paste this file into the top "Full Path of File to Delete" box:

C:\WINNT\system32\aamibex.dll


Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 5-9 above for these files:

C:\WINNT\system32\ardsats.dll
C:\WINNT\system32\atacdlg06.dll
C:\WINNT\system32\ctxsfpol.dll
C:\WINNT\system32\rownetmdlg.dll
C:\WINNT\system32\sycertscu.dll
C:\WINNT\system32\ticactfgery.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.

************************************************************************

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKLM\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O4 - HKLM\..\Run: [A953D0EB] C:\WINNT\system32\tifersess.exe
O4 - HKLM\..\Run: [9B99945E] C:\WINNT\system32\nfmsdl.exe
O4 - HKLM\..\Run: [00393E86] C:\WINNT\system32\tresct.exe
O4 - HKLM\..\Run: [D08D935E] C:\WINNT\system32\comsbmsr.exe
O4 - HKLM\..\Run: [0C1B965E] C:\WINNT\system32\lgsetu.exe
O4 - HKLM\..\Run: [AB8D8BFB] C:\WINNT\system32\dptGFsrv.exe
O4 - HKLM\..\Run: [99EB4D73] C:\WINNT\system32\dsmackvic.exe
O4 - HKCU\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKCU\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O4 - HKCU\..\Run: [A953D0EB] C:\WINNT\system32\tifersess.exe
O4 - HKCU\..\Run: [9B99945E] C:\WINNT\system32\nfmsdl.exe
O4 - HKCU\..\Run: [00393E86] C:\WINNT\system32\tresct.exe
O4 - HKCU\..\Run: [D08D935E] C:\WINNT\system32\comsbmsr.exe
O4 - HKCU\..\Run: [0C1B965E] C:\WINNT\system32\lgsetu.exe
O4 - HKCU\..\Run: [AB8D8BFB] C:\WINNT\system32\dptGFsrv.exe
O4 - HKCU\..\Run: [99EB4D73] C:\WINNT\system32\dsmackvic.exe
O15 - Trusted Zone: http://*.69sexsearch.com
***********************************************************************

Boot into SAFE MODE by tapping the F8 key during boot up.

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".

Click "Apply", then "OK". While you still have the My Computer window open, click on C:\. Browse to these entries and delete them:

C:\WINNT\system32\lrsveamile.exe
C:\WINNT\system32\certxadp.exe
C:\WINNT\system32\tifersess.exe
C:\WINNT\system32\nfmsdl.exe
C:\WINNT\system32\tresct.exe
C:\WINNT\system32\comsbmsr.exe
C:\WINNT\system32\lgsetu.exe
C:\WINNT\system32\dptGFsrv.exe
C:\WINNT\system32\dsmackvic.exe


If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.
************************************************************************


Reboot and post a new HJT log. :thumbsup:
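As an added example that is not part of either post above: a short Python script that automates the triage groovicus did by eye on Bertrano's HijackThis log, and turns it into the same cleanup plan his reply prescribes (remove the Run values from both hives, drop the Trusted Zone entry, delete the launched files). The sample lines are a constructed subset of the log above plus benign entries that must not be flagged. Two things are assumptions of mine rather than facts from the thread: the heuristic that a Run value named with eight hex digits and pointing into system32 is planted (that is exactly the pattern in this log, but a legitimate installer could in principle use such a name), and the mapping of HJT's "http://*.domain" O15 form to the HKCU ZoneMap\Domains\<domain> key. The seven DLLs Housecall reported are not in the HJT log, so this script cannot see them; they still have to be handled as the reply describes.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, plus benign entries (SiS Tray, internat.exe, the Google toolbar) so the
# filter has something it must leave alone.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll (file missing)
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKLM\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [A76F0F5E] C:\WINNT\system32\lrsveamile.exe
O4 - HKCU\..\Run: [E3203163] C:\WINNT\system32\certxadp.exe
O15 - Trusted Zone: http://*.69sexsearch.com
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?:\w+://)?(?:\*\.)?(.+)$")
# Assumed heuristic: eight upper-case hex digits is the naming pattern of the
# planted Run values in this log; legitimate software rarely names values so.
RANDOM_NAME = re.compile(r"^[0-9A-F]{8}$")

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption: HJT's "http://*.domain" O15 line corresponds to this key per domain.
ZONEMAP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HIVES = (("HKLM", "HKEY_LOCAL_MACHINE"), ("HKCU", "HKEY_CURRENT_USER"))


def triage(log_text):
    """Parse HJT lines and return the entries a helper would tell the user to fix."""
    hives = defaultdict(set)   # random Run value name -> hives it was found in
    path_for = {}              # random Run value name -> executable it launches
    zone_domains, missing_toolbars = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if RANDOM_NAME.match(name) and "system32" in cmd.lower():
                hives[name].add(hive)
                path_for[name] = cmd
            continue
        m = O15_RE.match(line)
        if m:
            zone_domains.append(m.group(1))
            continue
        m = O3_RE.match(line)
        if m and m.group(2).endswith("(file missing)"):
            missing_toolbars.append(m.group(1))   # orphaned toolbar, safe to fix
    flagged = {n: {"hives": sorted(hives[n]), "path": path_for[n]} for n in hives}
    return {
        "flagged": flagged,
        "zone_domains": zone_domains,
        "missing_toolbars": missing_toolbars,
        "files": sorted(set(path_for.values())),   # delete these from Safe Mode
        "reg": build_cleanup_reg(flagged, zone_domains),
    }


def build_cleanup_reg(flagged, zone_domains):
    """Emit a .reg file that removes the flagged Run values from both hives and
    drops the Trusted Zone domain keys: "name"=- deletes a value, [-key] a key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for short, full in HIVES:
        names = sorted(n for n, info in flagged.items() if short in info["hives"])
        if names:
            lines.append(f"[{full}\\{RUN_KEY}]")
            lines.extend(f'"{n}"=-' for n in names)
            lines.append("")
    for domain in zone_domains:
        lines.append(f"[-HKEY_CURRENT_USER\\{ZONEMAP_KEY}\\{domain}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, info in result["flagged"].items():
        print(f"{name}: {info['path']} (in {', '.join(info['hives'])})")
    print("Trusted Zone domains:", result["zone_domains"])
    print("Orphaned toolbars:", result["missing_toolbars"])
    print("Delete from Safe Mode:", result["files"])
    print(result["reg"])
```

Two caveats a helper would add. Clearing the Run values only stops the files from being relaunched; until the executables in `result["files"]` are actually gone (which is why the reply sends the user to Safe Mode), a surviving dropper can recreate the values under fresh random names, so the check has to be run again on the new log after the reboot, exactly as the reply asks. And the same value appearing in both HKLM and HKCU is itself a useful signal: a normal installer picks one hive, while this infection plants both so that either one surviving keeps it alive.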



