PDA

View Full Version : adware punisher pls help



edward
2006-02-01, 23:07
this is my attached hjt log file can someone pls give me some guidance as to how to remove this pesky thing :(


Logfile of HijackThis v1.99.1
Scan saved at 4:53:59 AM, on 2/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\windows\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\windows\System32\shell386.exe
C:\windows\explorer.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
D:\HijackThis.exe
C:\windows\System32\mswinb32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysingtel.com.sg
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by mysingtel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\System32\winapi32.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\catsrvuts.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BPS Popup Cookie Shield] C:\Program Files\BPS Popup and Cookie Shield\BPSPopup.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4682/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

Mosaic1
2006-02-02, 03:14
Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

----------

Download Pocket Killbox here
http://www.downloads.subratam.org/KillBox.exe
Save it on the dekstop. You'll use it shortly.
----------


Close all Internet Explorer windows.
Close all windows folders.

Go to Start >Run
Type Hijackthis
Press enter.

O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\System32\winapi32.dll
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\catsrvuts.dll (file missing)

---------




Run Killbox.exe by double clicking on it.

Select Delete on Reboot



Copy this entire list of files to the clipboard.

C:\windows\System32\shell386.exe
C:\windows\System32\mswinb32.exe
C:\WINDOWS\System32\winapi32.dll
C:\WINDOWS\adw.htm
C:\WINDOWS\system32\intxt.exe
C:\WINDOWS\system32\mswinb32.dll
C:\WINDOWS\system32\mswinup32.dll
C:\WINDOWS\system32\mswinxml.dll
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\system32\winlfl32.dll



(Highlight the list. Press CTRL + C)
In the Killbox,
Go to the toolbar to File> Paste from clipboard. Click Paste from Clipboard.
All of the files you pasted in might not show up on the list in Killbox. That's normal. Some may not be present and so will not be listed. Go ahead to the next step.



Click the red icon with the white X at the upper right.

You will be prompted to restart. Say yes.

-----

When you get back into Windows, run hijackthis again and post the new log into your next reply here please.



Download Autoruns from this page:
http://www.sysinternals.com/Utilities/Autoruns.html

Unzip to a folder and the double click on autoruns.exe

Wait until the program has finished running (the status line will show 'Ready')
Under the 'Options' menu, make sure that 'Include Empty Sections' is checked.
Wait again until ready.

Be sure the 'Everything' tab is selected.
Select 'File -> Save' and save the output file.

Copy the contents of the Autoruns text file and post its contents in your next reply here.

----------------

You may have to reply more than once to fit all the logs into your response. Please be sure the entire contents of all logs is showing in your reponses. Thank you.

Mosaic1
2006-02-02, 03:29
We should look at a blacklight log too.

Download blacklight from here:

http://www.f-secure.com/blacklight/try.shtml

click "I accept" at bottom of page which takes you to download site.
Download the app to the desktop.
Double click it, accept the agreement, make sure "scan through windows explorer IS checked then hit "scan"
It should only take at most 5 minutes.

If any results Don't rename anything yet!
Sometimes legit items are listed along with nasties.
Just click next> finish.

Log will be created on desktop that starts with fsbl-datetime.log

Post its results here.

edward
2006-02-02, 16:47
lol i cant reply wtf let me try to send this as a reply ignore it if it goes through, bear with me im a noob

Mosaic1
2006-02-02, 20:45
Try to reply again. Make your reply shorter. Just post one log per reply and reply several times. So long as I get all the information that's ok.

tashi
2006-02-09, 18:23
Hello edward, this topic will now be archived to prevent others with similar issues posting in it.

I hope you will return and let us know the status of the situation.

If you need the topic re-opened please send me a pm and provide a link to the topic.