Pop Ups Spyware Malware

#1 Vincevin
Hi guys,

I'm sorry I didn't log on for quite some time. I tried my hand at removing my problem.

I have a bad VX2 infection. CWShredder doesn't work, i.e., my PC crashes when rebooting after removing it. Ad-Aware's VX2 cleaner doesn't even detect anything. I've updated my Ad-Aware definitions; it's removed quite a number of things, but the VX2 seems to remain.

I'm getting popups by http://ads1.revenue.net/ and loadingwebsite in Internet Explorer.
In Opera I'm getting http://64.192.130.141/cgi-bin/Keyword... popups.

Spy Sweeper and Spybot don't detect anything.

Super Ad Blocker found something called BW2loader in my C:\WINDOWS\Temp directory, which reappears sometimes.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:31 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\NORTON~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Net\FlashGet\flashget.exe
D:\Net\Opera\opera.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\notepad.exe
D:\systemhelp\Hijack this\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Net\FlashGet\jc_all.htm
O8 - Extra context menu item: Download by Net Transport - D:\Net\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - D:\Net\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Net\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Net\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C72A641-A010-4ABA-AE83-783F5F6B4D64}: NameServer = 61.1.192.65 61.1.128.5 -----> ???
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\f02mlaf11d2.dll -----> ???
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Norton AntiVirus\rtvscan.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - D:\systemhelp\Super Ad Blocker\SABSVC.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Speed Disk service - Symantec Corporation - d:\systemhelp\Speed Disk\nopdb.exe

Here is a Silent Runners log as well:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\PROGRA~1\NORTON~1\vptray.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C169E5F0-E2B3-41F3-B81A-7BA529CBE193}" = "ZipGenius Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\SYSTEM~2\ZIPGEN~1\contmenu.dll" [null data]
"{2E5AC2E0-406D-11D4-86B3-FA5861508E25}" = "ZipGenius Zip InfoTip"
-> {CLSID}\InProcServer32\(Default) = "D:\SYSTEM~2\ZIPGEN~1\zgtips.dll" [null data]
"{310A0C95-EA11-42AE-A8E4-53E69E650310}" = "ZipGenius Zip Drop handler"
-> {CLSID}\InProcServer32\(Default) = "D:\SYSTEM~2\ZIPGEN~1\DROPHA~1.DLL" [null data]
"{FE8D01BF-610A-4261-9C6E-32D65A42C907}" = "ZipGenius Drag and Drop handler"
-> {CLSID}\InProcServer32\(Default) = "D:\SYSTEM~2\ZIPGEN~1\ZGDRAG~1.DLL" ["M.Dev Software"]
"{3E307794-57B9-473A-98CC-4A039255063F}" = "OpenOffice.org/ZipGenius Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\SYSTEM~2\ZIPGEN~1\oodll.dll" ["M.Dev Software"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "D:\Nero\InCD 4\InCD\incdshx.dll" ["Ahead Software AG"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B4B3001E-0F56-4E51-8250-BDE11547EC55}" = "Super Ad Blocker Toolbar"
-> {CLSID}\InProcServer32\(Default) = "D:\systemhelp\Super Ad Blocker\sabtb.dll" [null data]
"{2CB9757D-C6DE-4645-8317-2943B1CFD61F}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dpskcopy.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}" = "SABShellExecuteHook Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\systemhelp\Super Ad Blocker\SABSEHB.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! Setup\DLLName = "C:\WINDOWS\system32\f02mlaf11d2.dll" [null data]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\JEYACHANDRAN D\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{16664849-0E00-11D2-8059-000000000000}\
-> {CLSID}\(Default) = "MSIE Spy"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\ReGet Shared\Catcher.dll" ["ReGet Software"]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "D:\Net\FlashGet\flashget.exe" ["Amaze Soft"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Norton AntiVirus\rtvscan.exe" ["Symantec Corporation"]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "FsHotKey" ["Farstone Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



PLEASE HELP

Thank you,

Vince
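The two entries Vince marked with ??? are the ones a helper would triage first: the O20 Winlogon Notify DLL (which Silent Runners also flags) and the O17 NameServer override. As an added example that is not part of the original post or of HijackThis, this Python script parses HijackThis O-lines and flags Winlogon Notify DLLs outside a known-good set (an assumed, non-exhaustive allow-list) or with random-looking names, and NameServer entries not on a DNS allow-list; the sample lines are copied from the log above.

```python
import re

# HijackThis entries look like "O20 - <body>"; this regex is written for this example.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Winlogon Notify DLLs that ship with Windows XP SP2. This allow-list is an
# assumption for the example and is deliberately not exhaustive.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# Heuristic for machine-generated names such as f02mlaf11d2.dll: 8+ alphanumerics
# mixing letters and digits. Names like crypt32.dll or wlnotify.dll do not match.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.dll$", re.IGNORECASE)

# Lines copied from the HijackThis log in the post above (the O4 line is a clean control).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C72A641-A010-4ABA-AE83-783F5F6B4D64}: NameServer = 61.1.192.65 61.1.128.5
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\f02mlaf11d2.dll
"""

def parse_entry(line):
    """Split one HijackThis line into its O-type and body; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return {"type": m.group(1), "body": m.group(2)} if m else None

def flag_entry(entry, trusted_dns=frozenset()):
    """Return the reasons (possibly none) why an entry deserves manual review."""
    reasons = []
    kind, body = entry["type"], entry["body"]
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        dll = body.rsplit("\\", 1)[-1].strip()  # last path component
        if dll.lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("Winlogon Notify DLL outside known-good set: " + dll)
        if RANDOM_NAME_RE.match(dll):
            reasons.append("random-looking DLL name: " + dll)
    elif kind == "O17" and "NameServer =" in body:
        for server in body.split("NameServer =", 1)[1].split():
            if server not in trusted_dns:
                reasons.append("DNS server not on allow-list: " + server)
    return reasons

def review_log(text, trusted_dns=frozenset()):
    """Map each log line that needs review to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        reasons = flag_entry(entry, trusted_dns) if entry else []
        if reasons:
            findings[line.strip()] = reasons
    return findings
```

Pass the ISP's or corporate resolvers as `trusted_dns` so only unexpected NameServer overrides are reported.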