Omerr:
I'm going to start this one, as it's a complicated hijacker. You may finish it, though, if you like.
Hi and Welcome to TSF
Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with an updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to the programs are in my signature. OK, on to the log...
If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the system files and folders are showing/visible. Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties->System Restore; find the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then create a new restore point.
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Download this file:
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Download and install CleanUp: http://cleanup.stevengould.org/
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES
Press CTRL+ALT+DELETE to open Windows Task Manager. Click on the Processes tab and end the processes that were identified as related and any of the processes named in the list a bit further down.
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\SYSTEM\CMD32.EXE
Double-click smitfraud.reg and confirm you want to merge it with the registry.
Download KillBox: http://www.bleepingcomputer.com/file...re/KillBox.zip
Run Killbox...
*In the KillBox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\System32\hp596C.tmp
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\SYSTEM\msmsgs.exe
*Return to KillBox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/D4VbraANxe5w-O...m::/on-line.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3europe.com/nProtect...Crypt/npkcx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-24.cab
Delete the following folders IF you have them:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
Reboot into normal mode.
Download Hoster: http://www.greyknight17.com/spy/Hoster.exe
Run the program and select "Restore Hosts File"
Download DelDomains.inf
Right-click and select..... Save Target As
To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone".
Now run the CleanUp utility and reboot/log off when prompted.
Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.
I also need you to scan this file as you did the other: C:\WINDOWS\SYSTEM\cmd32.exe. Report your findings.
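The removal steps above boil down to a handful of indicators: files on a deletion list, a Run entry pointing at one of them, three O16 (Downloaded Program Files) CLSIDs, a hijacked hosts file and stray Trusted Zone entries. The script below is an added example, written for this page and not part of the post or of HijackThis/KillBox, that parses HijackThis-style O1/O4/O15/O16 log lines and reports which ones match those indicators. The deletion-list paths and the three CLSIDs are copied from the post; the sample log lines are constructed (the user's real log is not shown on the page); the rule that a genuine Windows Messenger msmsgs.exe lives under C:\Program Files\Messenger, and the rule that a DPF entry should fetch a .cab over http/https rather than an executable through another protocol handler such as ms-its:, are my assumptions. Requires Python 3.8+.

```python
"""Triage HijackThis-style log lines against the indicators from the post above.

Added example, not the post's own material. SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List

# Paths the post queues for Task Manager / KillBox, lower-cased for comparison.
SUSPECT_FILES = {
    p.lower() for p in (
        r"C:\wp.exe", r"C:\wp.bmp", r"C:\bsw.exe", r"C:\Windows\sites.ini",
        r"C:\Windows\popuper.exe", r"C:\Windows\System32\helper.exe",
        r"C:\Windows\System32\intmonp.exe", r"C:\Windows\System32\intmon.exe",
        r"C:\Windows\System32\msmsgs.exe", r"C:\Windows\System32\ole32vbs.exe",
        r"C:\Windows\System32\msole32.exe", r"C:\Windows\System32\shnlog.exe",
        r"C:\WINDOWS\SYSTEM\msmsgs.exe", r"C:\WINDOWS\SYSTEM\cmd32.exe",
    )
}
# O16 CLSIDs the post marks for "Fix checked".
SUSPECT_CLSIDS = {
    "{10003000-1000-0000-1000-000000000000}",
    "{D6FCA8ED-4715-43DE-9BD2-2789778A5B09}",
    "{4C39376E-FA9D-4349-BACC-D305C1750EF3}",
}
# Assumption: the real Windows Messenger binary installs here on XP.
MESSENGER_DIR = r"c:\program files\messenger"

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)")


def _exe_path(cmd: str) -> str:
    """Executable part of a Run command: quotes stripped, arguments dropped, lower-cased."""
    cmd = cmd.strip().strip('"').lower()
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx != -1 else (cmd.split() or [""])[0]


def assess(line: str) -> List[str]:
    """Reasons one HijackThis line matches the post's indicators ([] if none)."""
    reasons: List[str] = []
    if m := O4_RE.match(line):
        path = _exe_path(m["cmd"])
        if path in SUSPECT_FILES:
            reasons.append(f"Run entry launches a file on the deletion list: {path}")
        if path.endswith("\\msmsgs.exe") and not path.startswith(MESSENGER_DIR):
            reasons.append("msmsgs.exe outside Windows Messenger's install directory")
    elif m := O16_RE.match(line):
        url = m["url"]
        if m["clsid"].upper() in SUSPECT_CLSIDS:
            reasons.append(f"DPF CLSID is on the fix list: {m['clsid']}")
        if not url.lower().startswith(("http://", "https://")):
            reasons.append(f"DPF download uses a non-HTTP scheme: {url.split(':', 1)[0]}")
        if url.lower().endswith(".exe"):
            reasons.append("DPF pulls a bare executable instead of a .cab")
    elif m := O1_RE.match(line):
        if m["addr"] not in ("127.0.0.1", "0.0.0.0", "::1"):
            reasons.append(f"hosts entry redirects {m['host']} to {m['addr']}")
    elif m := O15_RE.match(line):
        reasons.append(f"Trusted Zone entry present: {m['domain']}")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line and (why := assess(line)):
            flagged[line] = why
    return flagged


# Constructed sample log: two Run entries named after Messenger, one benign Run entry,
# one hostile and one benign DPF entry, a hosts redirect and a Trusted Zone entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://example.invalid/x.chm::/on-line.exe
O16 - DPF: {D9C0B4E1-2A7F-4C3B-9E6D-1F0A5B8C7D21} (Constructed Control) - http://example.invalid/tools.cab
O1 - Hosts: 203.0.113.5 www.example.com
O15 - Trusted Zone: *.example.net
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Of the seven constructed lines, four are flagged: the SYSTEM-directory msmsgs.exe Run entry (on the deletion list and outside the Messenger directory), the ms-its: DPF entry (listed CLSID, non-HTTP scheme, executable payload), the hosts redirect and the Trusted Zone entry. The Messenger-directory msmsgs.exe, the SoundMAX Run entry and the http .cab DPF entry pass, which is the distinction the post's "fix these, not those" list relies on.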