Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Popups problems and recurring adware

Started by misterselfdestruct420 , Jun 29 2005 07:55 AM

  • Please log in to reply

#1
misterselfdestruct420
Posted 29 June 2005 - 07:55 AM

misterselfdestruct420

    New Member

  • Member
  • Pip
  • 3 posts
Hi. I am having some problems with popups on my PC here. Also, I have a number of programs which I have deleted through the Add/Remove app and within a day or two they are back. They are not installed curently but I imagine they may recurr again shortly. They are all part of a "consumer alert" family of programs but I can't remember their names (I think bullseye network was one).

Here is my hijack this log. I have done a number of steps to remove the adware (MS Antispyware, McAfee also caught some)

Logfile of HijackThis v1.99.1
Scan saved at 9:51:24 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\GASP eClient\eClient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\rappuu.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\E214810\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adi.adi-adonis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://adi.adi-adonis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eClient] C:\Program Files\GASP eClient\eClient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rappuu.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\DSNWSOCK.DLL
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
  • 0

Advertisements

#2
Wizard
Posted 29 June 2005 - 12:18 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi 420 Man and Welcome!

I need to see a couple of files from your System please!

You may need to be viewing Hidden Files in order to see them Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the Desktop and Select "Compressed(zipped)Folder"

Open it and Click "File">> Click "Add Password"<< Make the password "infected"

Locate these 2

C:\WINDOWS\System32\rappuu.exe
and
C:\WINDOWS\system32\DSNWSOCK.DLL

Zip them up and Email them here>> [email protected]

Let me get a look at those and while you wait I want you to do a couple of things to help us out!

Download Ewido Security Suite, install then from within the program check for updates BUT dont scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

Solo Antivirus
http://www.srnmicro....ate/TrySolo.exe

Click Update to let Solo check for new updates available,then Click Options,put a check by "Scan Archives" and "Create a Report"

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Open both Ewido and Solo but dont Run or Minimise them!

Right Click the TaskBar and Select Task Manager>> Click Processes>> Look for

rappuu.exe<< Click once and Select End Process

rundll32.exe<< Click once and Select End Process

Go back to the Task Manager>> Processes>> Locate Explorer.exe>> End Process

When you drop the Explorer process,the Desktop and TaskBar will disappear,dont panic this is Normal!

Scan with Solo and Select "Scan&Delete" (The Report will be located in Program Files Folder under SRN Micro)

Scan with Ewido>when prompted>Select to clean and place a check by the box to use this action for all infections!

Once it completes,Click the tab to Save the report and Save it to your Desktop for easy access!

Locate and Delete if found

C:\WINDOWS\System32\rappuu.exe

C:\WINDOWS\system32\DSNWSOCK.DLL

C:\WINDOWS\web\related.htm

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rappuu.exe reg_run

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\DSNWSOCK.DLL

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post a fresh HijackThis log along with the Reports from Panda>> Ewido and Solo
  • 0

#3
misterselfdestruct420
Posted 30 June 2005 - 07:35 AM

misterselfdestruct420

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks for the reply but I think I have it under control for now. This stuff was recurring every hour or so and I think that I have all but eliminated it as I have been free from any Virus/Spyware warnings since yesterday afternoon. Also the last qouple MS antispyware scans have come up clean and I haven't seen any popups yet today.

You can go ahead and close this topic, if this happens again I will post a new thread or just send it to our IT team. I was just trying to avoid this because I don't want to have to be without a PC while it ships to New York to be fixed.

Thanks again for your time.
  • 0

#4
misterselfdestruct420
Posted 30 June 2005 - 07:40 AM

misterselfdestruct420

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
One quick question before you do close this. I found a couple of the programs that were recurring in my Prefetch folder. I cleared this out in case but I'm wondering would having these programs in the prefetch, even is the .exe file has been deleted do anything to cause it to reload somehow? If so then maybe this was the cause and it could explain why they haven't returned.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP