Malwarebytes

Welcome Guest ( Log In | Register )

2 Pages V  < 1 2  
 Closed TopicStart new topic
> AV Systemcare+ Popups
JeanInMontana
post Jul 20 2007, 11:41 PM
Post #21


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
I'm at a loss. I'm not giving up....just need to get some second opinions. There is a new version of your infection, that is why none of the fixes are working yet.
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 21 2007, 04:35 AM
Post #22


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
This program updated today and is including navipromo let's give it a try http://www.lavasoftusa.com/products/ad_aware_free.php Run a full system scan and remove anything it finds. Let me know how it goes. I've been searching all over for a fix. We will get this Jean, heh two Jeans can't be beat. wink.gif
Go to the top of the page
 
+Quote Post
bushy
post Jul 22 2007, 07:47 AM
Post #23


New Member
*

Group: Members
Posts: 16
Joined: 15-July 07
From: UK
Member No.: 1,468
Hi Jean

I have installed Ad-aware but it keeps crashing. I've posted a help request on the Ad-aware forum. I will let you know if I get a response.

Should have thought of it before, but I have stopped the repeated windows for the AV Systemcare ads by blocking the AV Systemcare site using the firewall on our router - we still get the first popup, it now gives the firewall blocked site message. I've blocked all of the sites which the popups link to which should prevent anybody unintentionally clicking on a link.

Jean's other half smile.gif


QUOTE (JeanInMontana @ Jul 21 2007, 05:35 AM) *
This program updated today and is including navipromo let's give it a try http://www.lavasoftusa.com/products/ad_aware_free.php Run a full system scan and remove anything it finds. Let me know how it goes. I've been searching all over for a fix. We will get this Jean, heh two Jeans can't be beat. wink.gif
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 22 2007, 06:27 PM
Post #24


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
I'm willing to bet Ad-Aware is crashing because of the malware or the malware is crashing it. The miscreants behind this infection have obviously gotten much more determined.

I can't remember if we tried this, so forgive me if you did but boot into safe mode and try to find the following files.

gohgfhaaya.dat
gohgfhaaya.exe
gohgfhaaya_nav.dat
gohgfhaaya_navps.dat

If you want to try and zip them and send to me fine, otherwise (and I don't blame you) just delete them and run CCleaner immediately. http://www.ccleaner.com/ So get the program install, update ect and be ready. If the safe mode delete won't work or we already tried it, I woke up with this idea. (This is driving me nutty blink.gif )

Get this program

Author: Option^Explicit Download Location
License: Freeware KillBox Download Link
Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

You will need to run it for every instance of the files listed above.

Sorry I didn't get to this sooner. Good luck and let me know.
Go to the top of the page
 
+Quote Post
bushy
post Jul 22 2007, 08:35 PM
Post #25


New Member
*

Group: Members
Posts: 16
Joined: 15-July 07
From: UK
Member No.: 1,468
Jean

A success to some extent
Four files gohgfhaaya*.* showed up in safe mode and deleted with no problem.
I have sent them in a zip file.
We'll see whether that cures the popups
I'll post again to confirm.

Jean's other half smile.gif

QUOTE (JeanInMontana @ Jul 22 2007, 07:27 PM) *
I'm willing to bet Ad-Aware is crashing because of the malware or the malware is crashing it. The miscreants behind this infection have obviously gotten much more determined.

I can't remember if we tried this, so forgive me if you did but boot into safe mode and try to find the following files.

gohgfhaaya.dat
gohgfhaaya.exe
gohgfhaaya_nav.dat
gohgfhaaya_navps.dat

If you want to try and zip them and send to me fine, otherwise (and I don't blame you) just delete them and run CCleaner immediately. http://www.ccleaner.com/ So get the program install, update ect and be ready. If the safe mode delete won't work or we already tried it, I woke up with this idea. (This is driving me nutty blink.gif )

Get this program

Author: Option^Explicit Download Location
License: Freeware KillBox Download Link
Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

You will need to run it for every instance of the files listed above.

Sorry I didn't get to this sooner. Good luck and let me know.
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 22 2007, 08:55 PM
Post #26


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
Great!! Reboot and see if that did the trick. See if you can run AdAware now too.
Go to the top of the page
 
+Quote Post
bushy
post Jul 22 2007, 09:54 PM
Post #27


New Member
*

Group: Members
Posts: 16
Joined: 15-July 07
From: UK
Member No.: 1,468
The good news is AdAware ran right through and didn't find much, 5 tracking cookies and 2 'most recently used' objects - log below.
The bad news is we have had one popup linked to a site not seen in those encountered in the last 6 days.
So far, no AV Systemcare popups.
I have checked again for gohgfhaaya.exe and it could not be found by the Virustotal upload script.
For completeness I have run HJT again.
AAW log:

Ad-Aware 2007 Build
Log File Created on: 2007-07-22 22:31:34
Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: DF8D2D1J
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 1
Processor type: Intel® Pentium® M processor 1.60GHz
Memory Available: 24%
Total Physical Memory: 534994944 Bytes
Available Physical Memory: 126619648 Bytes
Total Page File Size: 1308155904 Bytes
Available On Page File: 744308736 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1993908224 Bytes
OS: Microsoft Windows XP Service Pack 2 (Build 2600)

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 9
Build Number: 0
Build Date and Time: 2007/07/16 08:53:54

Scan Statistics
===========================
Method: Full
Scan tracking cookies.............................: On
Scan ADS filestreams..............................: Off

Item Scanned: 170774
Infections Detected: 7
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 0 0
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 0 0
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 5 5
File Hash Scan..: 0 0

Infections Found
===========================
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000050 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\jean\Cookies\index.dat tribalfusion.com ANON_ID /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\jean\Cookies\index.dat ad.yieldmanager.com uid /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\jean\Cookies\index.dat ad.yieldmanager.com crfb /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\jean\Cookies\index.dat ad.yieldmanager.com vuday1 /
Item Id: 600000460 Value: Browser: Internet Explorer Cookie: C:\Documents and Settings\jean\Cookies\index.dat ad.yieldmanager.com ih /
Family Id: 9999 Name: MRU Object Category: MRU Object TAI:0
Item Id: 1 Value: MRU Path: C:\Documents and Settings\jean\Recent Count: 4
Item Id: 3 Value: MRU Registry Key: S-1-5-21-1305153199-1465807469-2791770948-1006\Software\Microsoft\Internet Explorer\TypedURLs Count: 5

Items Ignored During Scan
===========================


Listing of running processes
===========================
C:\WINDOWS\SYSTEM32\SMSS.EXE
c:\windows\system32\smss.exe

c:\windows\system32\ntdll.dll

C:\WINDOWS\SYSTEM32\CSRSS.EXE
c:\windows\system32\csrss.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\csrsrv.dll

c:\windows\system32\basesrv.dll

c:\windows\system32\winsrv.dll

c:\windows\system32\gdi32.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\user32.dll

c:\windows\system32\sxs.dll

c:\windows\system32\advapi32.dll

c:\windows\system32\rpcrt4.dll

C:\WINDOWS\SYSTEM32\WINLOGON.EXE
c:\windows\system32\winlogon.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\advapi32.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\authz.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\crypt32.dll

c:\windows\system32\user32.dll

c:\windows\system32\gdi32.dll

c:\windows\system32\msasn1.dll

c:\windows\system32\nddeapi.dll

c:\windows\system32\profmap.dll

c:\windows\system32\netapi32.dll

c:\windows\system32\userenv.dll

c:\windows\system32\psapi.dll

c:\windows\system32\regapi.dll

c:\windows\system32\secur32.dll

c:\windows\system32\setupapi.dll

c:\windows\system32\version.dll

c:\windows\system32\winsta.dll

c:\windows\system32\wintrust.dll

c:\windows\system32\imagehlp.dll

c:\windows\system32\ws2_32.dll

c:\windows\system32\ws2help.dll

c:\windows\system32\imm32.dll

c:\windows\system32\msgina.dll

c:\windows\system32\shell32.dll

c:\windows\system32\shlwapi.dll

c:\windows\system32\comctl32.dll

c:\windows\system32\odbc32.dll

c:\windows\system32\comdlg32.dll

c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

c:\windows\system32\odbcint.dll

c:\windows\system32\shsvcs.dll

c:\windows\system32\sfc.dll

c:\windows\system32\sfc_os.dll

c:\windows\system32\ole32.dll

c:\windows\system32\apphelp.dll

c:\windows\system32\msctfime.ime

c:\windows\system32\winscard.dll

c:\windows\system32\wtsapi32.dll

c:\windows\system32\sxs.dll

c:\windows\system32\uxtheme.dll

c:\windows\system32\winmm.dll

c:\windows\system32\avgwlntf.dll

c:\windows\system32\msvcr71.dll

c:\windows\system32\rsaenh.dll

c:\windows\system32\cscdll.dll

c:\windows\system32\wlnotify.dll

c:\windows\system32\winspool.drv

c:\windows\system32\mpr.dll

c:\windows\system32\wgalogon.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\ntmarta.dll

c:\windows\system32\wldap32.dll

c:\windows\system32\samlib.dll

c:\windows\system32\clbcatq.dll

c:\windows\system32\comres.dll

c:\windows\system32\lgnotify.dll

c:\windows\system32\cscui.dll

c:\windows\system32\msv1_0.dll

c:\windows\system32\iphlpapi.dll

c:\windows\system32\xpsp2res.dll

c:\windows\system32\drprov.dll

c:\windows\system32\ntlanman.dll

c:\windows\system32\netui0.dll

c:\windows\system32\netui1.dll

c:\windows\system32\netrap.dll

c:\windows\system32\davclnt.dll

c:\windows\system32\mprui.dll

c:\windows\system32\netui2.dll

c:\windows\system32\netmsg.dll

c:\windows\system32\wdmaud.drv

c:\windows\system32\msacm32.drv

c:\windows\system32\msacm32.dll

c:\windows\system32\midimap.dll

C:\WINDOWS\SYSTEM32\SERVICES.EXE
c:\windows\system32\services.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\advapi32.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\user32.dll

c:\windows\system32\gdi32.dll

c:\windows\system32\userenv.dll

c:\windows\system32\scesrv.dll

c:\windows\system32\authz.dll

c:\windows\system32\umpnpmgr.dll

c:\windows\system32\winsta.dll

c:\windows\system32\netapi32.dll

c:\windows\system32\ncobjapi.dll

c:\windows\system32\msvcp60.dll

c:\windows\system32\shimeng.dll

c:\windows\apppatch\acgenral.dll

c:\windows\system32\winmm.dll

c:\windows\system32\ole32.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\msacm32.dll

c:\windows\system32\version.dll

c:\windows\system32\shell32.dll

c:\windows\system32\shlwapi.dll

c:\windows\system32\uxtheme.dll

c:\windows\system32\imm32.dll

c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

c:\windows\system32\comctl32.dll

c:\windows\system32\secur32.dll

c:\windows\system32\apphelp.dll

c:\windows\system32\eventlog.dll

c:\windows\system32\ws2_32.dll

c:\windows\system32\ws2help.dll

c:\windows\system32\psapi.dll

c:\windows\system32\wtsapi32.dll

C:\WINDOWS\SYSTEM32\LSASS.EXE
c:\windows\system32\lsass.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\advapi32.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\lsasrv.dll

c:\windows\system32\mpr.dll

c:\windows\system32\user32.dll

c:\windows\system32\gdi32.dll

c:\windows\system32\msasn1.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\netapi32.dll

c:\windows\system32\ntdsapi.dll

c:\windows\system32\dnsapi.dll

c:\windows\system32\ws2_32.dll

c:\windows\system32\ws2help.dll

c:\windows\system32\wldap32.dll

c:\windows\system32\secur32.dll

c:\windows\system32\samlib.dll

c:\windows\system32\samsrv.dll

c:\windows\system32\cryptdll.dll

c:\windows\system32\shimeng.dll

c:\windows\apppatch\acgenral.dll

c:\windows\system32\winmm.dll

c:\windows\system32\ole32.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\msacm32.dll

c:\windows\system32\version.dll

c:\windows\system32\shell32.dll

c:\windows\system32\shlwapi.dll

c:\windows\system32\userenv.dll

c:\windows\system32\uxtheme.dll


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:38:02, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nova Development\Greeting Card Factory

Deluxe\ReminderApp.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.co.uk/myway
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program

Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting

Card Factory Deluxe\ReminderApp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program

Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity

Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [gohgfhaaya] c:\windows\system32\gohgfhaaya.exe gohgfhaaya
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG

Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) -

http://www.msngamecentre.co.uk/online2/MSN.../pandaonline.ca

b
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat...86/client/muweb

_site.cab?1123967771117
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) -

http://www.msngamecentre.co.uk/online2/MSN...um/zylomgamespl

ayer.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class)

-

http://www.msngamecentre.co.uk/online2/MSN...nzy/SproutLaunc

her.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -

http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://msnuk.oberon-media.com/online2/MSN_...on_zylom/popcap

loader_v6.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation -

C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation

- C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 9402 bytes


Jean's other half rolleyes.gif

QUOTE (JeanInMontana @ Jul 22 2007, 09:55 PM) *
Great!! Reboot and see if that did the trick. See if you can run AdAware now too.
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 22 2007, 11:48 PM
Post #28


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
I think we have it on the run. Google must have ditched the files.

Scan again with HJT and put a check next to this:

O4 - HKLM\..\Run: [gohgfhaaya] c:\windows\system32\gohgfhaaya.exe gohgfhaaya

You could get rid of some stuff you don't need at startup too with StartUpLite, on the download page. Also your Adobe Reader is an unsafe outdated version.

You need to flush all restore points and create a clean one. Stuff like this hides in system restore points then if you use one you are infected all over again. Do this after you run CCleaner.

If you add a layer of prevention to your machine it will help immensely in the future. SpywareBlaster by Javacool is free and excellent also WinPatrol and a hosts file like hpHosts or IE-Spyads or both...LOL If you using the Windows firewall it isn't good enough you need one that monitors what is going out from your PC. ZonsAlarm, Sunbelt, Comodo are all good and free. A program like SiteAdvisor or SiteHound will warn you of a bad site. Also surfing with a non administrator account prevents anything installing. If you have kids, limit their permissions to no installs or downloads. wink.gif

Let me know if this removal gets it and post another log after reboot. Please.
Go to the top of the page
 
+Quote Post
bushy
post Jul 23 2007, 08:52 PM
Post #29


New Member
*

Group: Members
Posts: 16
Joined: 15-July 07
From: UK
Member No.: 1,468
Jean

Good news - no popups today smile.gif

Have flushed system restore, have full version of AVG inc anti-spyware & firewall etc. made the main account limited and updated Acrobat Reader. I will follow up with some of the other recommendations. Kids are 23 & 25.

HJT Log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:10, on 23/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Nova Development\Greeting Card Factory

Deluxe\ReminderApp.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.co.uk/myway
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program

Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe

SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting

Card Factory Deluxe\ReminderApp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program

Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity

Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe

/RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User

'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) -

http://www.msngamecentre.co.uk/online2/MSN.../pandaonline.ca

b
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat...86/client/muweb

_site.cab?1123967771117
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) -

http://www.msngamecentre.co.uk/online2/MSN...um/zylomgamespl

ayer.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class)

-

http://www.msngamecentre.co.uk/online2/MSN...nzy/SproutLaunc

her.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -

http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -

http://msnuk.oberon-media.com/online2/MSN_...on_zylom/popcap

loader_v6.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation -

C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation

- C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 8270 bytes
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 23 2007, 09:01 PM
Post #30


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
Your log looks clean. Credit to njustice for suggesting the safe mode delete. I'm just so glad we beat this thing. Stay clear of those free game sites. They are breeding grounds for malware. If you need anything else just let us know. Take care.
Go to the top of the page
 
+Quote Post
bushy
post Jul 24 2007, 06:34 PM
Post #31


New Member
*

Group: Members
Posts: 16
Joined: 15-July 07
From: UK
Member No.: 1,468
Thank you very much for your help

The other half

QUOTE (JeanInMontana @ Jul 23 2007, 10:01 PM) *
Your log looks clean. Credit to njustice for suggesting the safe mode delete. I'm just so glad we beat this thing. Stay clear of those free game sites. They are breeding grounds for malware. If you need anything else just let us know. Take care.
Go to the top of the page
 
+Quote Post
JeanInMontana
post Jul 25 2007, 04:24 AM
Post #32


Forum Deity
******

Group: Honorary Members
Posts: 3,960
Joined: 9-February 07
From: South Central Montana
Member No.: 1,030
Your welcome. Since this has been resolved I will now close this topic.
Go to the top of the page
 
+Quote Post
« Next Oldest · Malware Removal - HijackThis Logs · Next Newest »
 

2 Pages V  < 1 2
Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 9th February 2010 - 01:03 PM ()
Powered By IP.Board © 2010  IPS, Inc.
Licensed to: Malwarebytes