[enzoblue]

Hello hello!

I get popups in IE on like every other link I hit. I've read up on the forums here and have followed the advice Bananafanafo gave another victim below. I've used Ewido in safe mode and got this as my scan report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:13:00 AM, 5/2/2005
+ Report-Checksum: 3CEE7CF5

+ Date of database: 5/2/2005
+ Version of scan engine: v3.0

+ Duration: 24 min
+ Scanned Files: 42263
+ Speed: 29.05 Files/Second
+ Infected files: 4
+ Removed files: 4
+ Files put in quarantine: 4
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\HijackThis\backups\backup-20050501-231132-149.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\HijackThis\backups\backup-20050501-231419-658.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\mr0.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\zww7ka.dll -> Trojan.Delf.cf -> Cleaned with backup


::Report End


Does this mean my troubles are over? Or is there more I can do?

The zww7ka.dll is the super pain. I tried deleting it in every way possible and it just kept coming back. Grrr.

Thanks in advance for any help

Edit: I noticed the Zww7ka.dll still tries to get in but Ewido Security Suite guard catches it. Oddly enough, it doesn't try to get in untill I open Internet Explorer.

Edited by enzoblue, 03 May 2005 - 01:32 AM.

[Advertisements]

Post your HiJackThis log, please.

[Michelle]

Post your HiJackThis log, please.

[enzoblue]

Logfile of HijackThis v1.99.1
Scan saved at 2:51:48 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Logitech\Profiler\LWEMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\hijackthis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\zww7ka.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - HKCU\..\RunOnce: [581ejgl.exe] C:\WINDOWS\System32\581ejgl.exe /k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore....WebLauncher.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113692518108
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Michelle]

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis and place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\zww7ka.dll

O4 - HKCU\..\RunOnce: [581ejgl.exe] C:\WINDOWS\System32\581ejgl.exe /k

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore....WebLauncher.ocx <-If you know what this is don't "fix" it!

Reboot your computer into Safe Mode - you can do this by restarting your computer and continually tapping F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode", then hit enter.

Using Windows Explorer, delete the following files (in bold), if found:

C:\WINDOWS\system32\zww7ka.dll
C:\WINDOWS\System32\581ejgl.exe
C:\WINDOWS\bdoscandel.exe

Reboot into normal mode.

Download, install, and run CleanUp! (so the below scan won't take as long because cleanup will clear temporary files and cookies)

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.

[enzoblue]

Active Scan Log:

Incident Status Location

Adware:Adware/Adtomi No disinfected C:\HijackThis\backups\backup-20050501-232343-636.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\lgxl.sys
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\lgxl.sys


New HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 4:28:29 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\hijackthis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore....WebLauncher.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113692518108
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[enzoblue]

P.S.

Take all the time you want. Gotta go to sleep now.

P.S.S

SIMBIN thing is ok, it's for a racing game where you can click in IE to launch the game.

By the way, should/can I donate some $ for this help?

[Michelle]

You can donate if you want to, but you don't have to!

Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\lgxl.sys
C:\WINDOWS\system32\lgxl.sys

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. Click "NO" to any "PendingRenameOperation..." prompt.

Post a new HiJackThis log.

[enzoblue]

Ok, I think I'm good!

Logfile of HijackThis v1.99.1
Scan saved at 3:27:44 AM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\HijackThis\hijackthis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore....WebLauncher.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113692518108
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

No more popups! Ran the panda again and came up clean. Thanx bro, Paypal donation INC !!

[Michelle]

Well your log looks awesome!!

Thank you in advance for the donation! That's very sweet of you! I appreciate that

Now that it's clean, I highly recommend installing XP Service Pack 2! http://www.microsoft.com and click on "Windows Update".

Congratulations your log is clean! Great job on the clean up

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.

[Michelle]

I received the donation, that was very generous of you! Thank you very much!!

Michelle

Edited by bananafanafo, 03 May 2005 - 01:44 AM.

[enzoblue]

You welcome

Sorry I called you bro earlier.

[Michelle]

lol It's fine!

I'm going to go ahead and close this topic since it has been resolved. If you have any other problems at all you can PM or another staff member and we'll re-open it for you!

Thanks again!
Michelle