
Registered · 4 Posts · Discussion Starter · #1
Hello,

Thank you in advance for your help. I hope to help others as well after becoming more knowledgeable about this subject.

I have heaps of popups and infections that keep coming back after using the latest versions of Lavasoft AdAware and Spybot to rid myself of them. Any assistance I can get will be incredibly appreciated. WIN XP Pro...

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:51 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joel\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegyz32.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124116761857
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Please advise what I can do to remove the spyware and popups please.

Thank you,

Joel

TSF Security Team, Emeritus · 26,363 Posts
Please download LQFix & Unzip it to a new folder on Desktop

REBOOT TO SAFE MODE
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Run LQFix.bat

  1. Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  2. Select Drive C: & click the 'OK' button
  3. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  4. Click the 'OK' button

Reboot & post a fresh HijackThis log

Registered · 4 Posts · Discussion Starter · #3
Discussion Starter · #3 ·
Hello, and thanks so much for your help. I ran the AdAware program as well as the Spybot program and then rebooted to Safe Mode as instructed. I ran the program you recommended and then did a cleanmgr, checking the boxes you specified. I have rebooted and here is my updated HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 5:45:59 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Joel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adsonwww.com/servlet/ajrotator/126190/0/viewHTML?zone=enternet
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124116761857
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Please let me know what I should do next. Many thanks,

Joel
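The helper keeps asking for "a fresh HijackThis log" because the useful signal is the difference between two scans: which autostart entries and running processes disappeared after a fix, and which ones are new. The following script is an added example, not code from this thread or from the HijackThis project; it parses the R/O section lines and the "Running processes" list from the log format shown above and diffs two logs. The embedded logs are constructed, shortened excerpts of the two logs Joel posted (posts #1 and #3).

```python
import re

# Constructed excerpts of the two logs posted earlier in this thread (posts #1 and #3).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:52:51 PM, on 8/16/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\etb\pokapoka63.exe
C:\Documents and Settings\Joel\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegyz32.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:45:59 PM, on 8/16/2005

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Joel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adsonwww.com/servlet/ajrotator/126190/0/viewHTML?zone=enternet
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Any section line: "O4 - ...", "R1 - ...", "O23 - ..." and so on.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Body of an O4 line: hive, Run/RunOnce key, display name, command.
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def parse_log(text):
    """Split a HijackThis log into its running-process list and its (section, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def _fmt(entry):
    return f"{entry[0]} - {entry[1]}"


def diff_logs(before, after):
    """What a fix removed and what appeared since the previous scan."""
    b, a = parse_log(before), parse_log(after)
    b_entries, a_entries = set(b["entries"]), set(a["entries"])
    return {
        "entries_removed": sorted(_fmt(e) for e in b_entries - a_entries),
        "entries_added": sorted(_fmt(e) for e in a_entries - b_entries),
        "processes_gone": sorted(set(b["processes"]) - set(a["processes"])),
        "processes_new": sorted(set(a["processes"]) - set(b["processes"])),
    }


def autostart_targets(text):
    """(display name, command) for every O4 Run entry: the persistence points to review first."""
    out = []
    for section, body in parse_log(text)["entries"]:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if m:
            _hive, _key, name, command = m.groups()
            out.append((name, command))
    return out


if __name__ == "__main__":
    for label, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(label)
        for item in items:
            print("   ", item)
```

Run against the two excerpts, the diff shows the two Run entries and the pokapoka63.exe process gone after LQFix, and the new R1 ShellNext entry pointing at adsonwww.com that the helper then asks to have fixed in the next reply.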

TSF Security Team, Emeritus · 26,363 Posts
Have Hijackthis fix this entry now: (make sure your browser is closed)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adsonwww.com/servlet/ajrotat...L?zone=enternet


Then Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply

I would also require a fresh HJT log

Registered · 4 Posts · Discussion Starter · #5
Discussion Starter · #5 ·
So many thanks once again. I am making a donation to this wonderful board!

As directed, I deleted the key mentioned above after doing a HiJackThis scan. Then I scanned my computer using the online Panda app as indicated. Here are the results of that scan:



Incident Status Location

Adware:adware/ncase No disinfected C:\DOCUMENTS AND SETTINGS\JOEL\LOCAL SETTINGS\TEMP\180sainstallersilsais1.exe
Adware:adware/apropos No disinfected C:\DOCUMENTS AND SETTINGS\JOEL\LOCAL SETTINGS\TEMP\cfout.txt
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\JOEL\FAVORITES\Casino & Carrers
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Joel\Desktop\registrymechanic41_LkDiRkBwFnCxGbCr\install_cheat_001.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\180sainstallersilsais1.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\Del111.tmp
Adware:Adware/nCase No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\Del16D.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\fGEdLPu.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\res112.tmp
Adware:Adware/nCase No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\res16E.tmp
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\temp.fr22B5
Adware:Adware/SurfAccuracy No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\uninstall.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Joel\Local Settings\Temporary Internet Files\Content.IE5\WX61U7CZ\kw[1].exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\Desk-visaid.exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\Desktop-visaid.exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\FWN-visaid.exe
Virus:Trj/Downloader.DOM Disinfected C:\Program Files\Easy Tab Maker Pro\mod\gam.exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\Movie-visaid.exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\PCSkins-visaid.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Easy Tab Maker Pro\mod\visaid-loud.exe
Possible Virus. No disinfected C:\Program Files\Easy Tab Maker Pro\mod\visaid.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows TaskAd\WinProject.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows TaskAd\WinSched.exe
Adware:Adware/nCase No disinfected C:\temp\180SAInstaller.exe
Adware:Adware/SAHAgent No disinfected C:\temp\bundle_cdt1006.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\visaid.exe.vir


Here is my HiJackThis log following that scan:


Logfile of HijackThis v1.99.1
Scan saved at 10:27:20 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joel\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124116761857
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you so much for your help once again.

Joel
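The helper's next reply turns the Panda report above into a remediation plan: uninstall the two programs under Program Files, delete the individual files elsewhere, and let a temp-folder cleaner handle everything under Temp and Temporary Internet Files. The script below is an added example, not the helper's or Panda's code; it parses the "Incident Status Location" lines as printed above and sorts the items that were not disinfected into those three buckets. The embedded report is a constructed, shortened excerpt of the one Joel posted; the location rules (Program Files subfolder means uninstall, known temp paths mean cleanup, anything else is a file to delete by hand) are my assumption about how the helper read it.

```python
import re

# Constructed excerpt of the Panda ActiveScan report posted above (post #5).
REPORT = r"""
Incident Status Location

Adware:adware/ncase No disinfected C:\DOCUMENTS AND SETTINGS\JOEL\LOCAL SETTINGS\TEMP\180sainstallersilsais1.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\JOEL\FAVORITES\Casino & Carrers
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Joel\Local Settings\Temp\fGEdLPu.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Joel\Local Settings\Temporary Internet Files\Content.IE5\WX61U7CZ\kw[1].exe
Virus:Trj/Downloader.ABL Disinfected C:\Program Files\Easy Tab Maker Pro\mod\Desk-visaid.exe
Possible Virus. No disinfected C:\Program Files\Easy Tab Maker Pro\mod\visaid.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows TaskAd\WinSched.exe
Adware:Adware/nCase No disinfected C:\temp\180SAInstaller.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\visaid.exe.vir
"""

# Incident names can contain spaces ("Possible Virus."), so the status column anchors the split.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<path>.+)$")

# Locations a temp-folder cleaner (Disk Cleanup, CleanUp!) empties anyway; assumed list.
TEMP_MARKERS = (
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "c:\\temp\\",
    "c:\\windows\\temp\\",
)
PROGRAM_FILES_RE = re.compile(r"^c:\\program files\\[^\\]+\\")


def parse_report(text):
    """One dict per finding with keys incident, status, path; header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def plan_remediation(findings):
    """Bucket every finding the scanner could not disinfect by where it lives."""
    uninstall, delete_files, temp_cleanup = set(), [], []
    for f in findings:
        if f["status"] == "Disinfected":
            continue                      # scanner already handled it
        path = f["path"]
        low = path.lower()
        if any(marker in low for marker in TEMP_MARKERS):
            temp_cleanup.append(path)
        elif PROGRAM_FILES_RE.match(low):
            # C:\Program Files\<name>\... -> remove the whole product via Add/Remove Programs
            uninstall.add(path.split("\\")[2])
        else:
            delete_files.append(path)
    return {
        "uninstall": sorted(uninstall),
        "delete_files": delete_files,
        "temp_cleanup": temp_cleanup,
    }


if __name__ == "__main__":
    for bucket, items in plan_remediation(parse_report(REPORT)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the excerpt this yields the same plan the helper gives in the next post: uninstall Easy Tab Maker Pro and Windows TaskAd, delete exclean.exe, the "Casino & Carrers" favourite and ClientAX.dll by hand, and leave the five temp-folder items to the cleanup tool.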

TSF Security Team, Emeritus · 26,363 Posts
Please download & install this program - CleanUp!.exe
We're gonna use that later to remove all the malware hiding in your temp folders.

Reboot to Safe Mode

Uninstall the following programs using Add/Remove programs:

Easy Tab Maker Pro
Windows TaskAd


If you have not done so already, please enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options> View tab.
  2. Enable the option for Show hidden files and folder
  3. Disable the option for Hide file extensions for known types
  4. Disable the option for Hide protected operating system files
  5. Click Yes to confirm & then click OK
Delete the following folders, if present:

C:\Program Files\Easy Tab Maker Pro\
C:\Program Files\Windows TaskAd\


Locate and delete the following files

C:\WINDOWS\SYSTEM32\exclean.exe
C:\DOCUMENTS AND SETTINGS\JOEL\FAVORITES\Casino & Carrers
C:\WINDOWS\Downloaded Program Files\ClientAX.dll


Run Cleanup! using the following configuration:
1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Reboot to Normal Mode & post a fresh log.

Let me know how the machine feels now.

Registered · 4 Posts · Discussion Starter · #7
Discussion Starter · #7 ·
Gracias,

I do believe that my computer is now virus, and spyware (et al) free.


You have been very kind and patient with me and it is most appreciated. If I may ask an exit question: are there any screen saver / Windows skins websites that you would consider "safe" from malware, etc.? I tried "WindowsBlinds" but believe this is where my troubles started. I cannot confirm this, but... it certainly could have been from them...


So kind of you to help me. I hope I can help others,


Joel

TSF Security Team, Emeritus · 26,363 Posts
Sorry.. I don't use any screen savers. You might wanna try posting a query at General Security. Some of the other guys may be able to answer that.

Please post a fresh log so I can verify that you're clean