
Thread: Pop ups and viruses

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    14

    Pop ups and viruses

    I've been using Spybot, Ad-Aware and Norton together for ages, and they've dealt with everything fine. More recently I've been using CCleaner as well to sort out the rubbish in my registry.

    2 days ago I downloaded a file for a game, but it turned out to be a big explosion of just about everything you can think of. I Norton-scanned it before I opened it to be on the safe side, but it didn't pick anything up. When I opened the file it disappeared, and opened a tabless/menuless window to a porn site. I scanned my comp almost immediately, to find lots of spyware, malware etc etc. I also did a Norton scan and found nothing, but since then it has found two viruses and successfully deleted them, and one trojan which it got confused about, giving me loads of pop ups: the first telling me it couldn't delete it but quarantined it, then telling me it was restricted, then a load more, finally telling me it couldn't solve it.

    Anyway, even though I got rid of the stuff I could find, and before the trojan, I kept getting pop ups to dodgy looking 'windows fixing' sites. The first was the same as the Windows installer/help window, only it was inside Explorer, and the second was some sort of cleaning program (but it didn't look kosher). I also keep getting new processes with these, two of which were deleted by Norton, and many others I have been stopping (I went through everything in Task Manager searching for what it was and deleting the malware ones).
    I also keep getting a pop up that doesn't have a start bar tab, and that I can't find a process for (it's some online casino thing).
    And I've just had another pop up for WinAntivirus Pro, which had no bottom to the browser.

    Here's the Panda scan log:

    Incident Status Location

    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.clickbank.net/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.com.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.bfast.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.advertising.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Matt\Cookies\matt@questionmarket[2].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Matt\Cookies\matt@stats1.reliablestats[1].txt
    Adware:Adware/Searchcontrol Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win69.tmp.exe
    Adware:Adware/StartPage.ASV Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win6F.tmp.exe
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win71.tmp.exe
    Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
    Adware:Adware/WinTools Not disinfected C:\WINXP\system32\grwinsthlp.exe
    Potentially unwanted tool:Application/Restart Not disinfected C:\WINXP\system32\Tools\Restart.exe
    Adware:Adware/IST.ISTBar Not disinfected C:\WINXP\winres.dll

    and the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:54, on 16/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINXP\system32\nvsvc32.exe
    C:\WINXP\system32\Wt32exe.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINXP\system32\tblmouse.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINXP\system32\RunDll32.exe
    C:\WINXP\system32\ctfmon.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - HKCU\..\Run: [321a9ce2.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\321a9ce2.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.macromedia.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126358425546
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe


    Any help would be greatly appreciated.

  2. #2
    Junior Member
    Join Date
    Jun 2006
    Posts
    14

    yay

    I think I may have solved it. I did a Norton scan and it found the trojan Trojan.Nebuler, but couldn't remove it. It was using a file named winbue32.exe, where the 'bue' was randomly generated. It basically sent info to 3 addresses, and they sent pop ups, files and more viruses back... Anyway, Symantec (the Norton company) had a 'thing' on it which told me how to get rid of it, so I tried that. I haven't been using my comp much since I deleted the file so I'm not positive it's back to normal, but I'll delete this thread if it's fine in a day or two. Thanks if anyone has tried to work out the problem, and sorry that I could have wasted your time.

    What I did to fix it, with details of the trojan, is found here.

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    14


    Dear god, why. It hasn't left me. I'm getting more pop ups still, and I can't get rid of the trojan. I'll do another Norton scan when I go to work, but I think it's still going to be there...

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Hi Mr_PieChee,

    One more download to get, then a boot into safe mode to run HJT and Ewido:

    1. Download Ewido anti-malware and install it. It is a free trial version of the program:

    http://www.ewido.net/en/download/

    2. Install Ewido anti-malware.
    3. Launch Ewido; there should be an icon on your desktop, double-click it.
    4. The program will now go to the main screen.

    You will need to update Ewido to the latest definition files.

    1. On the left hand side of the main screen click Update.
    2. Then click on Start Update.

    The update will start and a progress bar will show the updates being installed.
    -------------------------------------
    Once it's updated, boot the computer into safe mode. How? You reach safe mode by tapping the F8 key during a computer restart; choose the first option from the list: Safe Mode. You might want to copy/paste the rest of this into Notepad and save it so you can read it in safe mode, or print it out.
    ------------------------------------
    OK, once in safe mode:

    Scan with HJT, put a checkmark beside the item below, close all windows and click Fix checked:

    O4 - HKCU\..\Run: [321a9ce2.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\321a9ce2.exe

    Next run Ewido anti-malware:

    Click on Scanner.
    Click Complete System Scan and the scan will begin.
    During the scan it will prompt you to clean files; click OK.
    When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
    When the scan is finished, click the Save report button at the bottom of the screen.
    Save the report to your desktop.

    Close Ewido.
    ----------------------------------------------
    Using Explorer (right click on Start > Explore), drill down to this folder >>> you want to delete what's >inside< the folder, not the folder itself <<<

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    Then do this:
    Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
    --------------------------------------------
    Reboot normally, get one of these, install, update and scan:
    Spybot Search and Destroy: http://www.safer-networking.org/en/index.html
    Lavasoft's Ad-Aware: http://www.lavasoftusa.com/software/adaware/
    -------------------------
    Rescan and post a new HJT log and the Ewido log from safe mode.

    shelf life
    How Can I Reduce My Risk?
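Added example, not from the thread, from HijackThis, or from the helper: a small Python triage pass over HijackThis log lines of the kind posted above. It flags the things the reply keys on (an O4 autostart under the user's Local Settings, a random 8-hex-character executable name, an O16 download control with no class name, and the R0 start page for review). The sample lines are copied from the thread's first log plus one constructed process line; the rules and all function names are my own heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Entry shapes in a HijackThis v1.99 log: "Rx - ..." / "Oxx - ..." lines, O4 Run keys, O16 DPF entries.
ENTRY_RE = re.compile(r'^(?P<kind>R\d|O\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<cls>[^)]*)\))? - (?P<url>\S+)$')
# Eight hex characters plus .exe: the shape of the dropper-generated name the helper singled out.
RANDOM_EXE_RE = re.compile(r'^[0-9a-f]{8}\.exe$', re.IGNORECASE)
# Per-user scratch locations; legitimate software rarely autostarts from here (heuristic, my choice).
USER_SCRATCH = ('\\local settings\\temp\\', '\\local settings\\application data\\')

# Sample log: lines copied from the thread's first HijackThis log plus one constructed process
# line (win69.tmp.exe, a Temp-folder name the thread's Panda scan reported; it was not seen running).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:06:54, on 16/06/2006

Running processes:
C:\WINXP\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Matt\Local Settings\Temp\win69.tmp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [321a9ce2.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\321a9ce2.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - AppInit_DLLs:
"""

@dataclass(frozen=True)
class Finding:
    kind: str    # "process", "O4", "O16" or "R0"
    reason: str  # why a reviewer should look at the line
    line: str    # the original log line

def parse_log(text):
    """Split a HijackThis log into its running-process list and its Rx/Oxx entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == 'Running processes:':
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group('kind'), m.group('body'), line))
        elif in_processes:
            processes.append(line)
    return processes, entries

def image_name(cmd):
    """Best-effort basename of the program an O4 command or a process line refers to."""
    last = cmd.strip().strip('"').split('\\')[-1]
    return last.split()[0].strip('"') if last.split() else last

def path_reasons(path):
    """Reasons that apply to any path, whether a running process or an autostart target."""
    low = path.lower()
    reasons = []
    if any(s in low for s in USER_SCRATCH):
        reasons.append('runs from a per-user scratch folder (Local Settings)')
    if RANDOM_EXE_RE.match(image_name(path)):
        reasons.append('random-looking 8-hex-character executable name')
    return reasons

def triage(text):
    """Return the lines a first-pass reviewer would want to look at, in log order."""
    processes, entries = parse_log(text)
    findings = [Finding('process', r, p) for p in processes for r in path_reasons(p)]
    for kind, body, line in entries:
        if kind == 'O4':
            m = O4_RE.match(body)
            if m:
                findings += [Finding('O4', r, line) for r in path_reasons(m.group('cmd'))]
        elif kind == 'O16':
            m = O16_RE.match(body)
            if m and not m.group('cls'):
                findings.append(Finding('O16', 'unnamed ActiveX download control; check its origin', line))
        elif kind == 'R0':
            findings.append(Finding('R0', 'IE start page override; confirm it was set on purpose', line))
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.reason}: {f.line}')
```

Entries such as the well-known vendor Run keys pass untouched; the point is to shorten a 90-line log to the handful of lines a human then decides about, as the helper did by hand.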

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    14


    Thanks for getting back to me. I've done everything you've said. I did another Norton scan and the trojan wasn't picked up, so I guess it's gone, but what it downloaded still remains. The malware prog picked up 3 items.

    The new HJT log is:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:16:04, on 18/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINXP\system32\nvsvc32.exe
    C:\WINXP\system32\Wt32exe.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\tblmouse.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINXP\system32\RunDll32.exe
    C:\WINXP\system32\ctfmon.exe
    C:\WINXP\explorer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.macromedia.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126358425546
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

    And the anti-malware report is:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 22:46:43, 17/06/2006
    + Report-Checksum: 973104D4

    + Scan result:

    C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
    C:\WINXP\system32\qomjijg.dll -> Adware.Virtumonde : Cleaned with backup
    C:\WINXP\winres.dll -> Downloader.IstBar.ff : Cleaned with backup


    ::Report End

    Thank you for your time, and I hope it's not that difficult to sort out, because I am getting more pop ups at the moment, but most of them are for cleaning programs. They all open in IE even though my default browser is set to FF...

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Hi Mr_PieChee,

    Download VundoFix.exe by Atri.

    http://www.atribune.org/ccount/click.php?id=4

    1. Double-click VundoFix.exe to run it.
    2. Click the Scan for Vundo button.
    3. Once it's done scanning, click the Remove Vundo button.
    4. You will receive a prompt asking if you want to remove the files; click YES.
    5. Once you click Yes, your desktop will go blank as it starts removing Vundo.
    6. When completed, it will prompt that it will shut down your computer; click OK.
    7. Turn your computer back on.

    Post the contents of C:\vundofix.txt and a new HijackThis log.
    ----------------------------------------------
    How Can I Reduce My Risk?

  7. #7
    Junior Member
    Join Date
    Jun 2006
    Posts
    14


    VundoFix V4.2.84

    Checking Java version...

    Java version is 1.5.0.4

    Java version is 1.5.0.6

    Scan started at 22:51:39 18/06/2006

    Listing files found while scanning....


    C:\WINXP\system32\ghhkj.bak1
    C:\WINXP\system32\ghhkj.bak2
    C:\WINXP\system32\ghhkj.ini
    C:\WINXP\system32\jkhhg.dll
    Attempting to delete C:\WINXP\system32\ghhkj.bak1
    C:\WINXP\system32\ghhkj.bak1 Has been deleted!

    Attempting to delete C:\WINXP\system32\ghhkj.bak2
    C:\WINXP\system32\ghhkj.bak2 Has been deleted!

    Attempting to delete C:\WINXP\system32\ghhkj.ini
    C:\WINXP\system32\ghhkj.ini Has been deleted!

    Attempting to delete C:\WINXP\system32\jkhhg.dll
    C:\WINXP\system32\jkhhg.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 22:55:34, on 18/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\csrss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINXP\system32\tblmouse.exe
    C:\WINXP\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINXP\system32\RunDll32.exe
    C:\WINXP\system32\ctfmon.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINXP\system32\nvsvc32.exe
    C:\WINXP\system32\Wt32exe.exe
    C:\WINXP\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINXP\System32\alg.exe
    C:\WINXP\System32\wbem\wmiprvse.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINXP\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINXP\system32\wuauclt.exe
    C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.macromedia.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126358425546
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs:
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

    ------------------------------------------------------------------------

    There we go, thank you for your time. I don't seem to get pop ups when I leave my computer... when I view files I seem to get them a lot, but not much at other times... weird, well to me anyway...

    How do you work out what to do? What are you looking for/at?
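
    To give a feel for what a helper scans a HijackThis log for, here is an added example (not code from the thread, and not how HijackThis itself works) that runs a few plain heuristics over lines copied from the log above. It flags O16 ActiveX controls fetched from hosts outside a small allow-list or registered without a friendly name, a non-empty O20 AppInit_DLLs value, O23 services with no company name, O15 Trusted Zone entries, orphaned O18 handlers, and binaries in system32 with random-looking names. The allow-list and the "random-looking" test are this example's own assumptions, and the O20 Winlogon Notify line for jkhhg.dll is constructed, since the posted log does not contain one.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

Not code from the thread and not HijackThis's own logic. KNOWN_HOSTS and
looks_random() are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Hosts whose O16 ActiveX controls we treat as expected (assumption).
KNOWN_HOSTS = {
    "messenger.zone.msn.com", "messenger.msn.com", "spaces.msn.com",
    "go.microsoft.com", "update.microsoft.com",
    "acs.pandasoftware.com", "www.fileplanet.com",
}

SECTION_RE = re.compile(r"^\s*(O\d+)\s*-\s*(.*)$")
URL_RE = re.compile(r"https?://\S+")
FRIENDLY_RE = re.compile(r"\}\s*\(([^)]+)\)\s*-")        # "{CLSID} (Name) -"
SYS32_RE = re.compile(r"\\system32\\([A-Za-z]+)\.(?:dll|exe)\b", re.IGNORECASE)


def looks_random(stem):
    """Heuristic only: 4-8 letters with no vowel at all, like 'jkhhg'."""
    s = stem.lower()
    return 4 <= len(s) <= 8 and not any(c in "aeiouy" for c in s)


def triage_line(line):
    """Return (severity, reason) for one log line, or None if unremarkable."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.groups()

    if section == "O16":                       # Downloaded Program Files (ActiveX)
        url = URL_RE.search(body)
        host = urlparse(url.group(0)).hostname if url else None
        if host not in KNOWN_HOSTS:
            return "high", f"ActiveX control from unreviewed host {host}"
        if not FRIENDLY_RE.search(body):
            return "medium", "ActiveX control registered without a friendly name"
        return None
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return "high", "AppInit_DLLs set: listed DLLs load into every GUI process"
        return None
    if section == "O23" and "Unknown owner" in body:
        return "medium", "service binary carries no company name"
    if section == "O15":
        return "low", "site in IE Trusted Zone gets relaxed security settings"
    if section == "O18" and "(file missing)" in body:
        return "low", "protocol handler points at a missing file (orphan)"

    sys32 = SYS32_RE.search(body)              # applies to any remaining section
    if sys32 and looks_random(sys32.group(1)):
        return "high", f"random-looking binary in system32: {sys32.group(1)}"
    return None


def triage(lines):
    """Run triage_line over a whole log and return the findings as dicts."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            severity, reason = hit
            findings.append({"section": line.split()[0], "severity": severity,
                             "reason": reason, "line": line.strip()})
    return findings


# Lines copied from the log posted above, except the O20 Winlogon Notify
# line, which is constructed for jkhhg.dll (the real O20 line is empty).
SAMPLE_LOG = [
    r"O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe",
    r"O15 - Trusted Zone: http://www.macromedia.com",
    r"O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab",
    r"O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O20 - AppInit_DLLs:",
    r"O20 - Winlogon Notify: jkhhg - C:\WINXP\system32\jkhhg.dll",   # constructed
    r"O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}")
```

    Run against the sample it reports the yazzle.net control, the constructed jkhhg.dll entry, the FileZilla service without a vendor name, the macromedia.com trusted zone, and the orphaned msnim handler, and stays quiet on the MSN Games and Panda controls. The heuristics are deliberately simple; a no-vowel name like msmsgs would also trip looks_random(), so treat hits as things to look up, not verdicts.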

  8. #8
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi Mr_PieChee,

    Sorry for the delay. Try this, set files to show:


    Set Windows to show Hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Download this Norton IstBar removal tool and run it:
    http://sarc.com/avcenter/venc/data/adware.istbar.html
    ------------------------------------------
    Now boot the computer into SAFE MODE: tap the F8 key at restart, choose the first option.

    While in safe mode: run the IstBar removal tool once and run Ewido once.
    Also see if you can find and delete this dll:
    jkhhg.dll, located here: C:\WINXP\system32
    -------------------------------------------
    shelf life
    How Can I Reduce My Risk?

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    14

    Default

    That's ok, I'm thankful that you're helping me!

    I ran the IstBar tool, and it found nothing. Ewido on the other hand found 9 new items:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 14:00:54, 20/06/2006
    + Report-Checksum: D56F9383

    + Scan result:

    HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers\Hot_Tarts -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers\Virgins -> Dialer.Generic : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
    C:\Documents and Settings\Matt\Cookies\matt@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Matt\Cookies\matt@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup


    ::Report End

    And I couldn't delete that dll even in safe mode. I can go into the recovery console and delete it through that if it does need removing. I also found ghhkj.bak2 and ghhjk.bak1 and a configure file for ghhkj. Are they for the same file? It seems weird that they're just spelt backwards.
    I also found a file called pavas.exe that was created near the time I got the infection. I can't find anything about the exe on the net.

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi Mr_PieChee,

    It's quite possible that those are harmless leftovers. You might try using HJT to delete the .dll.

    But before that, please disable Ewido's real time protection just in case it interferes:
    Launch Ewido and in the main window click "Realtime protection" (in green indicating "Active") to change it to inactive.


    Start HJT, click on "Open misc tools section", then "Delete a file on reboot".
    In the window either browse for the dll or copy/paste this: C:\WINXP\system32\jkhhg.dll
    into the file name window, then select Open; at the prompt, reboot the computer.

    If you can find the others, you might as well delete them also:
    ghhkj.bak2 and ghhjk.bak1 and a configure file for ghhkj
    and that pavas.exe

    Tracking cookies aren't a big deal.
    ----------------------------------------
    Also pick one of these for an online scan:
    BitDefender Free Online Virus Scan
    http://www.bitdefender.com/scan/licence.php
    check AutoClean under Scan Options.

    Panda ActiveScan
    http://www.pandasoftware.com/product...ACHEHINT=Guest

    Kaspersky virus scanner
    http://www.kaspersky.com/virusscanner

    Housecall at TrendMicro
    http://housecall.trendmicro.com/hous...start_corp.asp
    check Auto Clean.

    F-Secure virus scanner
    http://support.f-secure.com/enu/home/ols.shtml


    eTrust Antivirus Web Scanner
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
    How Can I Reduce My Risk?
