#1 (permalink) | |
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Constant Pop Ups and Spyware issues
Dear Analysts,
I clicked on a file sent by someone, and it automatically launched all these flashy things. My virus software program (Symantec) caught something but obviously not everything. My background image changed to a blue with a black box saying my PC had been infected, and that I needed to fix it. At the bottom left hand corner, where the time is displayed, three red circles with crosses appeared like Windows warnings and displayed a message in the same format as Windows, 'You have been infected Windows will now download an appropriate anti-spyware software....' or something to that effect.

If I launched Internet Explorer, it would take me to a page which would have links to something called Spy Sheriff or something, and after it had downloaded and ran it would say that my PC had such and such bad files; however, if I tried to clear it, it would ask for me to get a registration code. I uninstalled it, changed my default web page back to Google, and ran Ad-Aware, Microsoft AntiSpyware, SpyBot, Xsoft the free version, CWShredder, Kill2me, and Registry Mechanic. I have followed your instructions as per your request in a post at the top of the forum.

Last night I removed something called Adtech2005; however, I think it came back when I restarted my computer. Things seem to be fine with the PC, though I am still getting full page pop up ads and some of those ads that have been created in Flash and are in funny shapes and sizes. I don't know what I should do and have spent all of today and the best part of yesterday trying to clean up my system as much as possible.

Below you will find my HijackThis report. Thanking you in advance for your time and patience.
Quote:
|
|
|
|
|
|
#2 (permalink) | |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Hello and Welcome to TSF!
Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Download & immediately run - L2MFix.exe

Click "Install" to extract the contents to a newly created folder. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then it will ask for a password so please enter bye (lowercase) then hit enter. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot.

After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder and post it.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please download & install - CleanUp!
Also download - KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise. If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes.

There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

With HiJackThis & place a check next to these items and select "Fix checked":

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\d4j02e1mgh.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Click Start->Run - type SERVICES.MSC & then click on the OK button

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.
Quote:
After you have rebooted, locate and delete the following files/folders, if present:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
* CleanUp! will not create any backups!!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Perform an online scan with Internet Explorer with Panda ActiveScan
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:
__________________
Question - what have you done for the community today? |
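The post above asks for a fresh HijackThis log after the fix. One way to check such a log is to compare it with the fix list by section and file path, and to list any Winlogon Notify (O20) entries that were not on the list, since the DLL names can change between reboots. This is an added example, not part of the original thread or of any tool named in it; `FRESH_LOG` is a constructed sample and the function names are hypothetical.

```python
import re

# Entries the helper asked to fix, copied from the post above.
FIX_LIST = [
    r'O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',
    r'O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\d4j02e1mgh.dll',
    r'O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll',
]

# Constructed follow-up log (not from the thread): one fixed entry survives
# with different path casing, and one O20 entry that was never listed appears.
FRESH_LOG = r'''Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SampleApp] "C:\Program Files\SampleApp\sample.exe"
O20 - Winlogon Notify: msupdate - C:\windows\system32\MSUPDATE32.DLL
O20 - Winlogon Notify: Sample - C:\WINDOWS\system32\constructed-sample.dll
'''

# A HijackThis entry line starts with a section code such as "O4" or "O20".
ENTRY_RE = re.compile(r'^([A-Z]\d{1,2}) - (.+)$')
# First .exe/.dll path in the entry body; quotes cannot be part of a path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|\r\n]+?\.(?:exe|dll)\b', re.IGNORECASE)


def parse_entry(line):
    """Return (section, lowercased path or None) for an entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, or blank line
    path = PATH_RE.search(m.group(2))
    return (m.group(1), path.group(0).lower() if path else None)


def parse_log(text):
    """Parse every entry line of a log, skipping non-entry lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def still_present(fix_list, fresh_log):
    """Fix-list lines whose (section, path) still occurs in the fresh log."""
    fresh = set(parse_log(fresh_log))
    return [line for line in fix_list if parse_entry(line) in fresh]


def unlisted_notify(fix_list, fresh_log):
    """Paths of O20 entries in the fresh log that the fix list did not name."""
    listed = {parse_entry(line) for line in fix_list}
    return [path for sec, path in parse_log(fresh_log)
            if sec == 'O20' and (sec, path) not in listed]


if __name__ == '__main__':
    for line in still_present(FIX_LIST, FRESH_LOG):
        print('still present:', line)
    for path in unlisted_notify(FIX_LIST, FRESH_LOG):
        print('O20 entry not on the fix list, review:', path)
```

Paths are compared case-insensitively because the same log mixes `system32` and `SYSTEM32`; an unlisted O20 entry is only a prompt for review, not a verdict.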
|
|
|
|
|
#3 (permalink) | ||
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
Thank you for getting back to me. As per your instructions I did as asked; however, I think there may have been a problem with the L2MFix part. I ran it twice and below is the log:
Quote:
'Please fix the missing file 020 with Hijack This'

Below is also a Hijack This report. I haven't done anything, just ran it and am producing the report below.
Quote:

Once again, thank you for your help so far.
Take Care
Adeelia
||
|
|
|
|
#4 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Pls try running L2Mfix's option #2 again.
When keying in the password, make sure to key the 3 lower case alphabets exactly - bye
You will not be able to see the alphabets when you're keying it in.
|
|
|
|
#5 (permalink) | ||
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
I did what you asked and the results are below. The error I received was, 'Runas Error: Unable to run - switch.bat'

In the meantime I have disconnected from the internet and the network, connecting only to view this site. I ran Hijack This again and the report is also below. Your advice is greatly appreciated.
Thank you
Quote:
Quote:
Adeelia
||
|
|
|
|
#6 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Are you running from an account with Administrator privileges? If unsure, we can boot to Safe Mode & try running L2Mfix from there.

Please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Then try running L2Mfix's option #2 again.
If it succeeds, please proceed with the rest of my earlier instructions.
If it fails, please scrap the instructions & run L2Mfix's option #1. It shall produce a log for you to post to me.
Last edited by sUBs; 11-23-2005 at 07:37 AM. |
|
|
|
|
#7 (permalink) | ||
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
I did as you said. I tried to run it in Safe Mode; to log on I used the administrator password. I ran #2 in Safe Mode and still got the same answer. Below is the log:
Quote:
Quote:
Take care
Adeelia
||
|
|
|
|
#8 (permalink) |
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
The line where you see the smiley
jt6s07~1.dll Wed 23 Nov 2005 11 30 ..S.R 234,175 228.68 K
should read
jt6s07~1.dll Wed 23 Nov 2005 11.06.30 ..S.R 234,175 228.68 K
In the code it is 11 30; I used 11.06.30 (full stop as opposed to colon) to show you what the reading is.
Adeelia
|
|
|
|
#9 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
LOL... You can avoid that if you disable smilies while making that post.
I'll be back with a workaround in a short while. Please do not reboot your computer.
Last edited by sUBs; 11-23-2005 at 09:36 AM.
|
|
|
|
#10 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Read through the entire passage before beginning this fix. It's a bit complicated.

Download the file I've attached to this post - lm.zip

Double-click on Killbox.exe to run the program.
At the bottom right of the main screen, click on the arrow to the right of System Process (The area is to the left of the yellow triangle.)
Select the following entry: rundll32.exe
Now click the yellow triangle to End Task
Wait a few seconds, and check again for rundll32.exe, as it may reload! If so, End Task once again.

Next, open lm.zip & doubleclick on lm.bat
After that, highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

c:\windows\system32\guard.tmp
c:\windows\system32\msupdate32.dll
c:\windows\system32\ore2nls.dll
c:\windows\system32\fpls0337e.dll
c:\windows\system32\ode2nls.dll
c:\windows\system32\enp6l17s1.dll
c:\windows\system32\ktlql7351.dll
c:\windows\system32\n24slch71f4.dll
c:\windows\system32\jt6s07j7e.dll
c:\windows\system32\l4j8le1u1h.dll
c:\windows\system32\m4820eloehqc0.dll
c:\windows\system32\dn8601lse.dll
c:\windows\system32\sde.dll
C:\WINDOWS\TWluYWw\command.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Click on the File menu of Pocket KillBox and select: Paste from Clipboard
In the Full Path of File to Delete box you should see the first entry.
Make sure C:\Windows\System32\guard.tmp appears on the list.
If not, click on the arrow to the right of System Process
Once again select the following entry: rundll32.exe
Click the yellow triangle to End Task (End Task on rundll32.exe until C:\WINDOWS\SYSTEM32\guard.tmp is on the list!)
Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
Click on the File menu of Pocket KillBox and select: Paste from Clipboard
In the Full Path of File to Delete box you should see the first entry.
Once again, use the down arrow to see the rest of the files.
C:\Windows\System32\guard.tmp must appear on the list!!

Press the button with a red circle and a white X (Delete File button)
Click Yes at the confirmation message that files will be deleted on next reboot
Click Yes at the request to reboot

If the PendingFileRenameOperations error appears, then you must reboot.
Upon reboot, L2M file names may change.
In that case, exit out of KillBox
Run L2MFix Option 1 and post its log in your reply.
>>Please wait for new instructions!!<<

If the PendingFileRenameOperations error does not appear, post a fresh HJT after you have rebooted
Last edited by sUBs; 11-23-2005 at 12:19 PM. |
|
|
|
|
#11 (permalink) | |
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
The news isn't good! I tried to follow your instructions, however this is what happened.

1 - Before I got a chance to look at this web page again, I had to reboot my machine to restore some of my connections!
2 - When I did read this page I printed off what you had written and tried to follow them,
2a - I downloaded lm.zip
2b - I double clicked on killbox.exe
2c - I selected the file rundll32.exe
2d - I ended task, I waited and it didn't show up
3 - I ran lm.bat
4 - I highlighted the files you said in the c:windows\system32\ folder except ktlql7351.dll wasn't there, anyways I tried to highlight the ones in the other folders; whenever I did, the ones highlighted in the other folder would unhighlight, plus command.exe isn't there either.
4a - I tried to copy over the ones that I did highlight to killbox, only they never showed in the list
4b - I closed and reopened killbox to find rundll32.exe not in list on the bottom right.
4c - I stopped doing anything, took another hijack report and wrote this message, below is the hijack report.

Please help, I'm feeling very panicked
Quote:
Once again thanking you for your help and patience
Adeelia
|
|
|
|
|
#12 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Please post a fresh L2Mfix option#1 log again.
After you have posted, wait 5 - 10 minutes for me to get back to you. Do not reboot the PC.
|
|
|
|
#13 (permalink) | |
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
As per your request,
Quote:
Adeelia xx
|
|
|
|
|
#14 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
I have uploaded a new lm.zip for you.
Don't worry if this attempt fails. I still have a Plan C & D. Haven't thought of Plan E yet though

Download the file I've attached to this post - lm.zip

Double-click on Killbox.exe to run the program.
At the bottom right of the main screen, click on the arrow to the right of System Process (The area is to the left of the yellow triangle.)
Select the following entry: rundll32.exe
Now click the yellow triangle to End Task
Wait a few seconds, and check again for rundll32.exe, as it may reload! If so, End Task once again.

Next, open lm.zip & doubleclick on lm.bat
After that, highlight the entries below and press the Ctrl and the C key at the same time to copy them to the clipboard:

c:\windows\system32\guard.tmp
c:\windows\system32\msupdate32.dll
c:\windows\system32\hr8005lme.dll
c:\windows\system32\ore2nls.dll
c:\windows\system32\fpls0337e.dll
c:\windows\system32\ode2nls.dll
c:\windows\system32\enp6l17s1.dll
c:\windows\system32\n24slch71f4.dll
c:\windows\system32\jt6s07j7e.dll
c:\windows\system32\l4j8le1u1h.dll
c:\windows\system32\m4820eloehqc0.dll
c:\windows\system32\dn8601lse.dll
c:\windows\system32\sde.dll
C:\WINDOWS\TWluYWw\command.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

Click on the File menu of Pocket KillBox and select: Paste from Clipboard
In the Full Path of File to Delete box you should see the first entry.
Make sure C:\Windows\System32\guard.tmp appears on the list.
If not, click on the arrow to the right of System Process
Once again select the following entry: rundll32.exe
Click the yellow triangle to End Task (End Task on rundll32.exe until C:\WINDOWS\SYSTEM32\guard.tmp is on the list!)
Then, highlight the file entries once again and press the Ctrl and the C key at the same time to copy them to the clipboard:
Click on the File menu of Pocket KillBox and select: Paste from Clipboard
In the Full Path of File to Delete box you should see the first entry.
Once again, use the down arrow to see the rest of the files.
C:\Windows\System32\guard.tmp must appear on the list!!

Press the button with a red circle and a white X (Delete File button)
Click Yes at the confirmation message that files will be deleted on next reboot
Click Yes at the request to reboot

If the PendingFileRenameOperations error appears, then you must reboot.
Upon reboot, L2M file names may change.
In that case, exit out of KillBox
Run L2MFix Option 1 and post its log in your reply.
>>Please wait for new instructions!!<<

If the PendingFileRenameOperations error does not appear, post a fresh HJT after you have rebooted
Last edited by sUBs; 12-01-2005 at 12:02 PM. |
|
|
|
|
#18 (permalink) | ||
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Quote:
Quote:
Then right click on it & select Copy.
Go to KillBox.
Select File & then select 'Paste from clipboard'
Make sure guard.tmp is in the list
Select delete on reboot
Then, click the red X
||
|
|
|
|
#19 (permalink) |
|
Member
Join Date: Nov 2005
Posts: 22
OS: XP
|
Dear sUBs,
I finally understood what you said. As I copied the files in I saw guard.tmp, but I forgot to click Delete on Reboot, and instead hit the delete button in Killbox. I tried to copy the list in again but the guard.tmp file isn't there. What should I do?
Thanks
Adeelia (dizzy can't follow instructions!)
|
|