Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

STILL getting popups!


  • This topic is locked This topic is locked

#1
pariaugs

pariaugs

    New Member

  • Member
  • Pip
  • 3 posts
I'm looking for a little help... I've run adaware, spybot, AVG, the web scans and the windows servicepack updates, and I'm still getting constant SearchInqwire, PartyPoker.com, and some Registry Cleaner popups.

Soooo... I searched the post for related questions and found a posting by Walt that Metalicca answered with advice to run Findit. I've run it, and STILL the popups won't go awat! Below is the Findit Log, and I'm posting the Hijack This log after that. Any advice?

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is FC77-708F

Directory of C:\WINDOWS\System


------- Hidden Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is FC77-708F

Directory of C:\WINDOWS\System


---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.448: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.448: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.448: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.448: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.448: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.448: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\abi.exe: .aspack
C:\WINDOWS\remtm3.exe: .aspack
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"SiS Windows KeyHook"="C:\\WINDOWS\\System32\\keyhook.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"guX8wWbI"="c:\\documents and settings\\rascal\\local settings\\temp\\guX8wWbI.exe"
"iflJs"="c:\\documents and settings\\rascal\\local settings\\temp\\iflJs.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"
"iBGcF"="c:\\documents and settings\\rascal\\local settings\\temp\\iBGcF.exe"
"N3bhv1fxm"="C:\\documents and settings\\rascal\\local settings\\temp\\N3bhv1fxm.exe"
"98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

And here's the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:52 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\n?pdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rascal\Desktop\AntiVIrus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DA14336-FEDF-F224-D29F-F70A7B79A6EE} - C:\WINDOWS\system32\hvudjo.dll
O2 - BHO: (no name) - {1DA1433C-FEDA-8521-D2E9-810A707AA69D} - C:\WINDOWS\system32\hvudjo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\Rascal\Desktop\ANTIVI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C8BBF9F2-5F1D-686C-B265-A0082E15F49B} - C:\WINDOWS\javana32.dll (file missing)
O2 - BHO: SDWin32 Class - {C9332F7E-1326-4DD2-BF16-3702E4524C40} - C:\WINDOWS\System32\upmms.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [guX8wWbI] c:\documents and settings\rascal\local settings\temp\guX8wWbI.exe
O4 - HKLM\..\Run: [iflJs] c:\documents and settings\rascal\local settings\temp\iflJs.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [iBGcF] c:\documents and settings\rascal\local settings\temp\iBGcF.exe
O4 - HKLM\..\Run: [N3bhv1fxm] C:\documents and settings\rascal\local settings\temp\N3bhv1fxm.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Rascal\Application Data\eetu.exe
O4 - HKCU\..\Run: [Upg] C:\WINDOWS\system32\n?pdb.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\egztydov.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101946530583
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Shannon
O17 - HKLM\Software\..\Telephony: DomainName = Shannon
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Shannon
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Shannon
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Any help is greatly appreciated!

Eric
  • 0

Advertisements


#2
pariaugs

pariaugs

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Just checking in to see if anyone had any advice on this... I'm getting lots of popups, now, even more than before. Still, none of the recommended malware/virus removers have found anyting. Any help would be greatly appreciated!
  • 0

#3
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi pariaugs

Welcome to geekstogo ;)

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.


Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. use either link below:
cwsserviceremove

cwsserviceremove.zip


Download CW-Shredder at the link below:
CWShredder

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - Click here to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Using Windows Add Remove Program Files uninstall the following Program:
C:\Program Files\VBouncer\VirtualBouncer.exe


+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:


No items to delete move on to next step

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

2. Reboot into Safe Mode: Click here if you don't know how to do this.


3. Press Ctrl+Alt+Delete once -> Click Task Manager -> Click the Processes tab -> Double-click the Image Name column header to alphabetically sort the processes -> Scroll through the list and look for:

C:\WINDOWS\javana32.dll (file missing)
C:\WINDOWS\System32\upmms.dll (file missing)
c:\documents and settings\rascal\local settings\temp\guX8wWbI.exe
c:\documents and settings\rascal\local settings\temp\iflJs.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
D0CE0C16B1,D0CE0C16B1
C:\Documents and Settings\Rascal\Application Data\eetu.exe
C:\WINDOWS\system32\n?pdb.exe


If you find the files, click on them, and then click End Process -> Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS Scan with HijackThis and put checks next to all the following,

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {C8BBF9F2-5F1D-686C-B265-A0082E15F49B} - C:\WINDOWS\javana32.dll (file missing)
O2 - BHO: SDWin32 Class - {C9332F7E-1326-4DD2-BF16-3702E4524C40} - C:\WINDOWS\System32\upmms.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [guX8wWbI] c:\documents and settings\rascal\local settings\temp\guX8wWbI.exe
O4 - HKLM\..\Run: [iflJs] c:\documents and settings\rascal\local settings\temp\iflJs.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Rascal\Application Data\eetu.exe
O4 - HKCU\..\Run: [Upg] C:\WINDOWS\system32\n?pdb.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\egztydov.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB


Then click on "Fix Checked"

5. Using Windows Explorer delete the following files if present:
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

C:\WINDOWS\javana32.dll <--Delete this file
C:\WINDOWS\System32\upmms. <--Delete this file
c:\documents and settings\rascal\local settings\temp\guX8wWbI.exe<--Delete this file
c:\documents and settings\rascal\local settings\temp\iflJs.exe<--Delete this file
C:\PROGRA~1\VBouncer\<--Delete the whole folder
D0CE0C16B1,D0CE0C16B1<--Delete this file
C:\Documents and Settings\Rascal\Application Data\eetu.exe<--Delete this file
C:\WINDOWS\system32\n?pdb.exe<--Delete this file

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Download the ccleaner
I use this Program and is setup like this all boxs are check.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

12. Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

[b]Please post the logs From both virus scans and HJT.log
we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
No reply from user

Topic closed

Kc
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP