Remove Malware and adware [RESOLVED]

#16 cableguy (Member, Topic Starter, 112 posts)
Found some more stuff.


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Suzanne\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/dropspam Not disinfected Windows Registry
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10011.qit
Spyware:Cookie/Cgi-bin Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10019.qit
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10033.qit
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10041.qit
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10043.qit
Spyware:Cookie/Netster Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10049.qit
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10066.qit
Adware:Adware/Ucmore Not disinfected C:\Program Files\SpywareRemover\Quarantine\14-09-2006-22-23-30\10107.qit
Possible Virus. Renamed C:\QooBox\Purity\Program Files\SSEMBL~1\r?gsvr32.exe
Logfile of HijackThis v1.99.1
Scan saved at 7:41:59 AM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120629420108
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158336437468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
  • 0
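The HijackThis log above is the format the helpers in this thread read by eye. As an added example (not code from the thread or from HijackThis), here is a small Python parser for that 1.99-style log that separates the running-process list from the `R0`/`O2`/`O4`/`O23` entries and applies the first checks a reviewer makes: services whose file is missing or whose owner is unknown, autostart entries pointing into a Temp folder, and Winlogon Notify DLLs outside system32. The sample log is constructed from a few lines of the post; the `[kbdupd]` autostart line is a made-up suspicious entry added to exercise the Temp-path check and is not from the page.

```python
"""Parse a HijackThis 1.99-style log and pull out the lines a reviewer checks first."""
import re
from collections import defaultdict

# Constructed sample in the format of the log in post #16. The "O4 ... [kbdupd]" line
# is a hypothetical suspicious entry added for the demonstration; it is not from the post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:41:59 AM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inebraska.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [kbdupd] C:\Documents and Settings\Suzanne\Local Settings\Temp\kbdupd.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
"""

# Every HJT finding line starts with a section code (R0, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
TEMP_PATH_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)


def parse_hjt_log(text):
    """Return (processes, entries): the running-process list and {section: [body, ...]}."""
    processes = []
    entries = defaultdict(list)
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # the process list ends at the first blank line
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return processes, dict(entries)


def flag_entries(entries):
    """Apply first-pass review heuristics; returns (section, reason, body) tuples."""
    findings = []
    for kind, bodies in entries.items():
        for body in bodies:
            if "(file missing)" in body:
                findings.append((kind, "file missing", body))
            if kind == "O23" and " - Unknown owner - " in body:
                findings.append((kind, "unknown owner", body))
            if kind == "O4" and TEMP_PATH_RE.search(body):
                findings.append((kind, "autostart from temp", body))
            if kind == "O20" and not SYSTEM32_RE.search(body):
                findings.append((kind, "winlogon notify outside system32", body))
    return findings


def summarize(text):
    """Parse a log and return (processes, counts-per-section, findings)."""
    processes, entries = parse_hjt_log(text)
    counts = {kind: len(bodies) for kind, bodies in entries.items()}
    return processes, counts, flag_entries(entries)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    procs, counts, findings = summarize(text)
    print(f"{len(procs)} running processes; entries by section: {counts}")
    for kind, reason, body in findings:
        print(f"[{reason}] {kind} - {body}")
```

Run it with a saved log as the first argument, or with no argument to use the constructed sample. The heuristics are deliberately narrow: a "file missing" service entry such as the WmiApSrv line above is often just a broken Windows component (it matches the WMI error the topic starter reports later in the thread), so the output is a list of lines to look at, not a verdict.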



#17 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
Hey cableguy....

Panda didn't find much....

1. Clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...

You need to do this for all user accounts.

(1) Navigate to the C:\Windows\Temp folder
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. (Note: Do NOT delete the Temp folder)

(2) Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. (Note: Do NOT delete the Temp folder)

(3) Clean out the Temporary Internet files folder for (EVERY LISTED USER). Proceed like this...
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start button, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK
2. Delete a File on Reboot
  • Open HiJackThis
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - c:\windows\keyboard1.dat
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click Yes
Did you go to the MS link I gave you in Post #15 of this thread to see if this corrects the other problem you were having?

Let me know...from a malware perspective I believe we're done and can finish up if your computer is running well.....
  • 0

#18 cableguy (Member, Topic Starter, 112 posts)
I missed the ufro file to delete; it is gone now, sorry.
  • 0

#19 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
Are you still having the framedyn.dll problem in My Computer or did the MS reference fix that problem?

Any other problems?
  • 0

#20 cableguy (Member, Topic Starter, 112 posts)
Cleaned up the temp internet files, reset web settings, and deleted the keyboard1.dat file on reboot as directed, but did not find the Local Settings directory for any of the users. That's probably not good?


Fixed the My Computer thing, thanks ubunch. :whistling: But the system information in system tools still shows -- Cannot access the Windows Management Instrumentation software. Windows Management files may be moved or missing.

While navigating C: I did see some folders that looked suspicious: one is C:\QooBox and the other is C:\sUBs. There is nothing in sUBs when it is opened.
  • 0

#21 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)

Cleaned up the temp internet files, reset web settings, and deleted the keyboard1.dat file on reboot as directed, but did not find the Local Settings directory for any of the users. That's probably not good?


Fixed the My Computer thing, thanks ubunch. :whistling: But the system information in system tools still shows -- Cannot access the Windows Management Instrumentation software. Windows Management files may be moved or missing.

While navigating C: I did see some folders that looked suspicious: one is C:\QooBox and the other is C:\sUBs. There is nothing in sUBs when it is opened.


Your 'users' may not have 'Local Settings'...so if you don't see them listed, that's probably OK. I just wanted to check to make sure. The entry I wanted to make sure was 'removed' was C:\Documents and Settings\Suzanne\Local Settings\Temporary Internet Files\Ssk.log and should have been removed when you cleaned the TIFs. Thoroughly cleaning the temp files is never a bad idea when dealing with malware.

With regard to the C:\QooBox and C:\sUBs folders, they are part of the ComboFix program we ran...take a look at the combofix log...C:\qoobox is where the qoologic files were renamed and put to remove them from your machine. Actually, if you look at the Ewido log we ran after the combofix, ewido cleaned/quarantined the entries in C:\qoobox too! :blink:

You can go ahead and remove ComboFix from your computer...that should take care of those 'issues'.

I did some searching on the Windows Management Instrumentation issue, and I'm not sure I have a solution for you.....but I would bet that this forum will:

http://www.geekstogo...2003_NT-f5.html

Now that your system is clean, you can go to that forum, post a topic detailing your problem and let one of the 'Windows Software' experts give you a hand. Tell them you've been here first and had the system cleaned.

In any case, let's finish up the 'malware' part of this and then you can go to the other forum to see if they can help you with the Windows Management Instrumentation issue:

Your HJT appears clean and I'm glad your system is running well without problems!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> System Restore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and/or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Remember...be careful out there!
  • 0

#22 cableguy (Member, Topic Starter, 112 posts)
Thanks for all your help :whistling: I think I'm good to go.
  • 0

#23 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
Great! You are welcome!
  • 0

#24 cfa-ddg2 (Visiting Staff, Visiting Consultant, 963 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0