Popups that won't die

#1 anthonyl79 (Member, 11 posts)

I have some spyware that I can't seem to get rid of. If anyone would be able to help, that would be greatly appreciated. Thanks


Logfile of HijackThis v1.98.2
Scan saved at 1:15:58 AM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinTask\Bin\SchedSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Easy\TV Capture\RemoteCtl.exe
C:\WINDOWS\regedit.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Downloaded Program Files\kavss.exe

O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TV Capture Remote Control.lnk = C:\Program Files\Easy\TV Capture\RemoteCtl.exe

#2 Kat (Retired Staff, MVP, 19,711 posts)

Hello and welcome to GeeksToGo!!

Have you already removed some things yourself with HijackThis? If so, please restore them. Sometimes, we need to use other tools to remove problems besides just fixing them in HJT. Seeing the backup would allow me to see the full picture of what is going on.

To restore the backups:
  • Open HiJackThis
  • Click Open the Misc Tools section
  • Click the Backups button
  • Place a check mark next to everything in that window
  • Click Restore
  • Click Yes
  • Reboot your computer
After you restore everything, I need you to update to the newer version of HijackThis!
Please go Here and download the newest version 1.99.1. Please be sure to save it to a permanent directory, such as C:\Program Files\HJT.

Once you have done this, scan for a new log and paste it here in a reply!

#3 anthonyl79 (Topic Starter, Member, 11 posts)

I restored everything like you asked and got the new version of HJT. Here is the log file. After restoring all those files this thing is running badly. Popups everywhere.

Logfile of HijackThis v1.99.1
Scan saved at 8:45:18 AM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinTask\Bin\SchedSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\RunDLL32.EXE
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\Program Files\WinTask\Bin\SchedInd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Easy\TV Capture\RemoteCtl.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\system32\exdl2.exe
C:\WINDOWS\system32\exdl3.exe
C:\WINDOWS\system32\exdl1.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\bs519.tmpbsx32\sah.exe
C:\WINDOWS\sahagent-fellymedia1002.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\bundle.exe
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
F:\hijackthis\HijackThis.exe
C:\WINDOWS\zeta.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 69.50.166.11 google.ca
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 google.fr
O1 - Hosts: 69.50.166.11 google.de
O1 - Hosts: 69.50.166.13 cracks.am
O1 - Hosts: 69.50.166.11 www.google.co.uk
O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.ca
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.com.au
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.12 www.msn.com
O1 - Hosts: 69.50.166.11 www.google.de
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.12 search.msn.com
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 www.google.fr
O1 - Hosts: 69.50.166.12 msn.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.12 go.com
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ncwkay] C:\WINDOWS\system32\nlbd\ncwkay.exe
O4 - HKLM\..\Run: [lsiw] C:\WINDOWS\system32\yxrrrkxy\lsiw.exe
O4 - HKLM\..\Run: [wvklqtj] C:\WINDOWS\system32\xrgoc\wvklqtj.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Anthony\n20050308.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [WTIndicator] C:\Program Files\WinTask\Bin\SchedInd.exe
O4 - HKLM\..\Run: [rzrqpzkw] c:\windows\system32\rzrqpzkw.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TV Capture Remote Control.lnk = C:\Program Files\Easy\TV Capture\RemoteCtl.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co.../azesearch3.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dnlq0135e.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WTScheduler - Unknown owner - C:\Program Files\WinTask\Bin\SchedSrv.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

#4 Kat (Retired Staff, MVP, 19,711 posts)

Ok. You do indeed have several different infections going on here. Let's get you fixed up, and then I'll show you how to stay that way! You need to print these instructions, or save them to a Notepad file on your desktop! Please follow them in order. If you have trouble at any point, please post your question/difficulty here in a reply. I'll be around until late tonight (1 or 2 am most likely) so I'll see it and respond ASAP!

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)

O1 - Hosts: 69.50.166.11 google.ca
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 google.fr
O1 - Hosts: 69.50.166.11 google.de
O1 - Hosts: 69.50.166.13 cracks.am
O1 - Hosts: 69.50.166.11 www.google.co.uk
O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.ca
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.com.au
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.12 www.msn.com
O1 - Hosts: 69.50.166.11 www.google.de
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.12 search.msn.com
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 www.google.fr
O1 - Hosts: 69.50.166.12 msn.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.12 go.com

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.ocx

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ncwkay] C:\WINDOWS\system32\nlbd\ncwkay.exe
O4 - HKLM\..\Run: [lsiw] C:\WINDOWS\system32\yxrrrkxy\lsiw.exe
O4 - HKLM\..\Run: [wvklqtj] C:\WINDOWS\system32\xrgoc\wvklqtj.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Anthony\n20050308.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [rzrqpzkw] c:\windows\system32\rzrqpzkw.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe


O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co.../azesearch3.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dnlq0135e.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Exact (or Exact Search)
AzeSearch (or Aze)
Bulls Eye Network
NaviSearch
CashBack


Please note any other programs that you don't recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):
C:\WINDOWS\isrvs
C:\Program Files\BullsEye Network
C:\Program Files\NaviSearch
C:\Program Files\CashBack
C:\WINDOWS\zeta.exe

Please delete these files using Windows Explorer(if present):
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\system32\nvms.dll
C:\WINDOWS\system32\mscb.dll
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\system32\azesearch3.ocx
C:\windows\system32\eliteunn32.exe
C:\WINDOWS\cfgmgr51.dll,DllRun
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\nlbd\ncwkay.exe
C:\WINDOWS\system32\yxrrrkxy\lsiw.exe
C:\WINDOWS\system32\xrgoc\wvklqtj.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\Documents and Settings\Anthony\n20050308.EXE
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\farmmext.exe
c:\windows\system32\rzrqpzkw.exe
C:\WINDOWS\system32\dnlq0135e.dll
After that, Reboot.

2. Please download Hoster, then unzip the program and install it, then run it. Choose "restore original hosts" and then close the program.

3. Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.

4. After all of the above has been completed, scan for a fresh HijackThis log, and paste it here in a reply, and let me know how the machine is running now! There will probably be another step or two to get everything back on track!

Edited by ~Kat~, 29 April 2005 - 05:17 PM.

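The O1 lines in the log above are a hosts-file hijack: Windows consults the hosts file before it asks DNS, so every Google, Yahoo and MSN name listed there is sent to a 69.50.166.x server chosen by the adware instead of to the real site, and that is why the fix ends with restoring the original hosts file. The Python below is an added example, not code from this thread, from HijackThis or from Hoster. It parses a hosts file constructed from O1 entries in the log and flags the overrides with the reasoning a triager applies by hand; SEARCH_BRANDS, CC_SECOND_LEVEL and the clustering heuristic are assumptions.

```python
"""Triage a Windows hosts file for the kind of redirection the O1 entries above show.

Added example, not code from the thread, from HijackThis or from Hoster. The
sample hosts content is constructed from O1 lines in the log; SEARCH_BRANDS,
CC_SECOND_LEVEL and the clustering heuristic are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the default localhost line plus overrides copied from the O1 entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
69.50.166.11 google.ca
69.50.166.11 www.google.com
69.50.166.11 google.com
69.50.166.11 google.co.uk
69.50.166.14 www.yahoo.com
69.50.166.14 yahoo.com
66.218.75.184 mail.yahoo.com
69.50.166.12 www.msn.com
69.50.166.12 search.msn.com
69.50.166.13 www.astalavista.com
69.50.166.13 cracks.am
"""

# Brands a user expects to reach through DNS, never through a local override (assumption).
SEARCH_BRANDS = {"google", "yahoo", "msn", "go"}
# Second-level labels under which the registered name sits one label deeper (assumption).
CC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}
# The only active line a stock Windows XP hosts file contains.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank lines and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in names)
    return entries


def registrable(host):
    """Approximate the registered domain: google.co.uk -> google.co.uk, www.msn.com -> msn.com."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def clusters_by_ip(entries):
    """Group every non-loopback override by the address it points to."""
    groups = defaultdict(set)
    for ip, host in entries:
        if not ipaddress.ip_address(ip).is_loopback:
            groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def find_hijacks(entries):
    """Flag every non-loopback entry and say why it matters."""
    clusters = clusters_by_ip(entries)
    findings = []
    for ip, host in entries:
        if ipaddress.ip_address(ip).is_loopback:
            continue  # 127.0.0.1 localhost is expected; HijackThis only reports the rest
        reasons = ["non-loopback override bypasses DNS"]
        if registrable(host).split(".")[0] in SEARCH_BRANDS:
            reasons.append("well-known site overridden locally")
        domains = {registrable(h) for h in clusters[ip]}
        if len(domains) > 1:
            reasons.append("same IP fronts %d different registered domains" % len(domains))
        findings.append({"ip": ip, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print("%-15s %-25s %s" % (f["ip"], f["host"], "; ".join(f["reasons"])))
    print("restored file would contain only:", DEFAULT_HOSTS.strip())
```

Running the script prints one line per override with its reasons; the "same IP fronts N different registered domains" reason is the tell that separates a deliberate redirect to a catch-all server from a stray personal entry. DEFAULT_HOSTS is what a "restore original hosts" step leaves behind on Windows XP: the localhost line and nothing else.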

#5 anthonyl79 (Topic Starter, Member, 11 posts)

I tried to download Hoster and I am getting an error message. Here is the message:

Internet Explorer cannot download hoster.zip from members.aol.com
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

I will go ahead and try the rest then reply back. Thanks Tony

#6 Kat (Retired Staff, MVP, 19,711 posts)

I apologize, anthony. Somehow when I changed my canned speech to reflect Hoster's new 'home', it didn't save the change! Here is the correct address!!

http://www.funkytoad...load/hoster.zip

Please make sure that you are doing all the steps in the order I wrote them!

#7 anthonyl79 (Topic Starter, Member, 11 posts)

Here is a copy of everything that I was able to find and remove. I put NA next to the things that were not found on my system when I went to remove them, and Fixed next to everything that was removed. Everything on the HJT list you gave me was removed by HJT. Ran Hoster and restored to original. Ran CleanUp! and it removed 13,908 files (800 MB). At the end is my new HJT log. Thanks for the help. Seems better so far.
Just happened: my browser went to http://www.redzip.co...6...an payment !

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)

O1 - Hosts: 69.50.166.11 google.ca
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 google.fr
O1 - Hosts: 69.50.166.11 google.de
O1 - Hosts: 69.50.166.13 cracks.am
O1 - Hosts: 69.50.166.11 www.google.co.uk
O1 - Hosts: 69.50.166.11 www.google.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.14 www.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.ca
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.11 www.google.com.au
O1 - Hosts: 69.50.166.11 google.com
O1 - Hosts: 69.50.166.12 www.msn.com
O1 - Hosts: 69.50.166.11 www.google.de
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.12 search.msn.com
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 www.google.fr
O1 - Hosts: 69.50.166.12 msn.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.12 go.com

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.ocx

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ncwkay] C:\WINDOWS\system32\nlbd\ncwkay.exe
O4 - HKLM\..\Run: [lsiw] C:\WINDOWS\system32\yxrrrkxy\lsiw.exe
O4 - HKLM\..\Run: [wvklqtj] C:\WINDOWS\system32\xrgoc\wvklqtj.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [tsvcin] C:\Documents and Settings\Anthony\n20050308.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [rzrqpzkw] c:\windows\system32\rzrqpzkw.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe


O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co.../azesearch3.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dnlq0135e.dll

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


Exact (or Exact Search)-NA
AzeSearch (or Aze)-NA
Bulls Eye Network-Fixed
NaviSearch-Fixed
CashBack-Fixed


Please note any other programs that you don't recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):
C:\WINDOWS\isrvs-NA
C:\Program Files\BullsEye Network-Fixed
C:\Program Files\NaviSearch-Fixed
C:\Program Files\CashBack-Fixed
C:\WINDOWS\zeta.exe-Fixed

Please delete these files using Windows Explorer(if present):
C:\WINDOWS\cfgmgr51.dll-NA
C:\WINDOWS\system32\nvms.dll-NA
C:\WINDOWS\system32\mscb.dll-NA
C:\WINDOWS\system32\msbe.dll-NA
C:\WINDOWS\system32\azesearch3.ocx-fixed
C:\windows\system32\eliteunn32.exe--NA
C:\WINDOWS\cfgmgr51.dll,DllRun-NA
C:\WINDOWS\isrvs\desktop.exe-fixed
C:\WINDOWS\system32\nlbd\ncwkay.exe-NA
C:\WINDOWS\system32\yxrrrkxy\lsiw.exe-NA
C:\WINDOWS\system32\xrgoc\wvklqtj.exe-NA
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe-fixed
C:\Documents and Settings\Anthony\n20050308.EXE-Access Denied
C:\WINDOWS\system32\picsvr\picsvr.exe-fixed
C:\WINDOWS\farmmext.exe-NA
c:\windows\system32\rzrqpzkw.exe-fixed
C:\WINDOWS\system32\dnlq0135e.dll-NA


Here is the HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 1:17:35 AM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Easy\TV Capture\RemoteCtl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
F:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [ncwkay] C:\WINDOWS\system32\nlbd\ncwkay.exe
O4 - HKLM\..\Run: [lsiw] C:\WINDOWS\system32\yxrrrkxy\lsiw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TV Capture Remote Control.lnk = C:\Program Files\Easy\TV Capture\RemoteCtl.exe
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\mvjml9111.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Thanks for the time. Tony

#8 Kat (Retired Staff, MVP, 19,711 posts)

Looking much better now, Tony! There's still a few things we need to do to get you fixed up!!

Download and Install Spybot S&D, accepting the Default Settings
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
Here is a nice Tutorial http://www.safer-net...p?page=tutorial
  • Go to Start > Programs >Spybot Search & Destroy and choose 'Spybot S&D'
  • Close ALL windows except Spybot S&D
  • Click the button 'Search for Updates' and download and install the Updates.
  • Next click the button 'Check for Problems'
  • When Spybot is complete, it will be showing 'RED' entries BLACK entries and GREEN entries in the window
  • Make sure there is a check mark beside the RED entries ONLY.
  • Choose Fix Selected Problems and allow Spybot to fix the RED entries.
  • REBOOT
Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, then copy the log. Paste it to a blank Notepad file and save it to post here.


In your next reply, let me see the log from Ewido, along with a fresh HJT log.

#9 anthonyl79 (Topic Starter, Member, 11 posts)

Sorry I haven't replied yet. I cannot log onto Windows. I was using GRUB to dual boot XP and Red Hat. As soon as I can get back online with Windows I will continue to fix the popups. Thanks, Tony. Do you know anyone that might be able to help with my dual boot problem? Thanks, Tony

#10 Kat (Retired Staff, MVP, 19,711 posts)

Hi Tony! I am mainly trained in Malware removal. I am uncomfortable with trying to help you decipher the Boot problems you're having. I have just pm'd an Expert who is online at the moment to come take a look, and help you get this sorted out. I have seen his work, and am confident he will be able to help. Hang tight for me for just a bit, ok?

#11 anthonyl79 (Topic Starter, Member, 11 posts)

Ok thank you. Greatly appreciate it.

#12 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

Hi anthonyl79

~Kat~ has asked me to take a look here. My background is predominantly malware removal also but I'll see what I can do to help. Could you tell me a bit more about the set-up of your two OS's - are they on separate partitions or separate drives?

What version of GRUB are you using - have you tried reinstalling it?

#13 anthonyl79 (Topic Starter, Member, 11 posts)

I have cured the problem and now have another. My background has been taken over and says "A fatal error in IE has occurred". Error was caused by Trojan-Spy.Html.Smitfraud.c

Startpage-EH: Bookmark (Internet Explorer: Anthony) (Bookmark, nothing done)


CoolWWWSearch.Aff.Winshow: Bad Favorite (File, nothing done)
C:\Documents and Settings\Anthony\Favorites\Search the web.url

URLSearchHook.Atlpz: Uninstall settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW\UninstallString


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-04-27 Includes\Dialer.sbi
2005-04-27 Includes\Hijackers.sbi
2005-04-15 Includes\Keyloggers.sbi
2005-04-27 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-04-27 Includes\Spybots.sbi
2005-04-27 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2004-11-29 Includes\LSP.sbi
2005-04-27 Includes\PUPS.sbi


Logfile of HijackThis v1.99.1
Scan saved at 5:46:47 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\addkl32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\crpf32.exe
G:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javajw.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [crpf32.exe] C:\WINDOWS\crpf32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addkl32.exe

There are several programs that I cannot uninstall.
*Home search assistant
*Shopping Wizard
*Search Extender
I can not set a screen saver, or change background pics. Thank you for your time.

#14 Kat (Retired Staff, MVP, 19,711 posts)

Hi again Tony. Ok, let's start from scratch and get you cleaned back up. What sites are you visiting that keep infecting you? Are you running a firewall? If not, get one NOW and use it! ;)

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
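What the R1 lines pointing at res://C:\WINDOWS\sxmta.dll, the unnamed BHO, the Winlogon Notify DLL and the service with a garbage name have in common is that each is a persistence or redirection point HijackThis lists without judging; the removal list in a reply like the one above comes from reading those lines. The Python below is an added example, not code from this thread, from HijackThis or from the CoolWebSearch tools named above. It parses a log constructed from lines that appear in this thread and applies a few rules of the kind a triager applies by eye; the HJT_LINE pattern, the KNOWN_NOTIFY_DLLS list and every rule threshold are assumptions, and a line these rules leave alone is not thereby proven clean.

```python
"""Triage a HijackThis log for the CoolWebSearch-style indicators discussed above.

Added example, not code from the thread, from HijackThis or from CWShredder.
The sample log is constructed from lines that appear in this thread; the
KNOWN_NOTIFY_DLLS list and each rule's threshold are assumptions.
"""
import re

# Constructed sample: hijacked and benign lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxmta.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FCEBB27B-4E18-DA71-68DF-31397091EAF8} - C:\WINDOWS\javajw.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [crpf32.exe] C:\WINDOWS\crpf32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\dnlq0135e.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\addkl32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WTScheduler - Unknown owner - C:\Program Files\WinTask\Bin\SchedSrv.exe
"""

# Every HJT entry is "<section> - <body>"; sections are R0-R3 and O1, O2, ... (assumption).
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# DLLs behind the Winlogon Notify packages that ship with Windows XP (assumption).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_line(kind, body):
    """Return the reasons one HJT entry looks hijacked (empty list if no rule fires)."""
    reasons = []
    if kind.startswith("R"):
        if "res://" in body.lower():
            reasons.append("IE start/search setting points at a local res:// DLL resource")
        if "URLSearchHook is missing" in body:
            reasons.append("default URLSearchHook removed")
    elif kind == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    elif kind == "O4":
        target = body.split("] ", 1)[-1].strip().lower()   # text after "[value name] "
        if target.endswith("\\iexplore.exe"):
            reasons.append("Internet Explorer set to launch at every logon")
        rest = target[len("c:\\windows\\"):] if target.startswith("c:\\windows\\") else ""
        if rest.endswith(".exe") and "\\" not in rest:
            reasons.append("autorun executable dropped directly in the Windows directory")
    elif kind == "O20":
        dll = _basename(body)
        if dll not in KNOWN_NOTIFY_DLLS and re.search(r"\d", dll):
            reasons.append("Winlogon Notify DLL with a random-looking name outside the standard set")
    elif kind == "O23":
        parts = body.rsplit(" - ", 2)                       # "Service: NAME - OWNER - PATH"
        if len(parts) == 3:
            name, owner, _path = parts
            if name.startswith("Service: "):
                name = name[len("Service: "):]
            if owner == "Unknown owner" and re.search(r"[^\w\s().-]", name):
                reasons.append("service with unknown owner and garbage characters in its name")
    return reasons


def triage(log_text):
    """Return [{'kind', 'line', 'reasons'}] for every log line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        reasons = check_line(m.group("kind"), m.group("body"))
        if reasons:
            findings.append({"kind": m.group("kind"), "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

The negatives matter as much as the hits: the about:blank Default_Page_URL, the NVIDIA rundll32 entry and the WTScheduler service (unknown owner but a sane name and a Program Files path) are left alone, while the res:// search pages, the unnamed BHO, the two Run entries, the digit-laden notify DLL and the service named " 11F#`I" are each reported with the rule that caught them.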

#15 anthonyl79 (Topic Starter, Member, 11 posts)

Hello. I am getting an error message when I try to run Buster. I have tried to install it several times and still get the same message. Can I skip that step? I will wait to hear from you. What would be a good firewall? I am running XP's firewall, and I have a built-in firewall in my router, but they don't seem to be doing the job. Thanks. Tony





