Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Dead or Alive?[CLOSED]

Started by Carlo , Jul 23 2005 12:27 AM

  • This topic is locked This topic is locked

#1
Carlo
Posted 23 July 2005 - 12:27 AM

Carlo

    New Member

  • Member
  • Pip
  • 3 posts
I've been constantly barraged by this malwares and ads. www.the-best-promos.com and www.security-updater.com keeps on poping-up whenever I launch IE. I have followed your steps, then restarted the computer. I tried to browse the internet again, still this annoying pop-ups keeps on sprouting like mushrooms. :tazz:

This are the steps that I've made:
1. Launch CleanUp
2. Scan with Ad-Aware (nothing was found)
3. CWShredder (nothing was found)
4. Spybot then I "immunized" the system (nothing was found)
5. Microsoft Antispyware (just to be sure), it found egroup dialer from the registry, then I removed it.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BD8400524261DF1ADBD8860F22C9CE2B97471448

6. Run Ewido & scan everything, but nothing was found.
7. Symantec Antivirus Corporate Edition no viruses were found.
8. Restart the computer
9. I'm using dial-up to connect to the internet.
10. Launch IE. Then for a few moments this CrazyGirls popup appeared from www.the-best-promos.com. Sometimes it advertised softwares, etc.

BTW when I launched IE for the 2nd time, Windows Antispyware blocked this egdaccess_1060.dll, and Ewido found an infected file msclock32.dll located at C:\Windows\system32 by a Dialer.Generic, i cleaned it. It is in the quarantine, yet ewido is still saying that it found msclock32.dll is still infected.

Please I really need your help on this guys! I've posted by HijackThis log file. This was done after using your steps. (some, I've scanned with MS Antispyware to be sure)

Logfile of HijackThis v1.99.1
Scan saved at 1:49:45 PM, on 23/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\RKillSrv.exe
C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://unet.unisys.com/default.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://unet.unisys.com/default.aspx
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [DIRECT!] C:\Program Files\Courion Corporation\PasswordCourier with DIRECT! Access\direct.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IMDETECT] "C:\Program Files\Unisys IT\IMDETECT.EXE"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ppaproj.com
O17 - HKLM\Software\..\Telephony: DomainName = ppaproj.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E56E2E-E01D-4A6A-86FE-E0903FA04B85}: Domain = ph.Unisys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ppaproj.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = au.Unisys.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = au.Unisys.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\ramirezca\My Documents\Carlo\cwshredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Process Killer - Unknown owner - C:\WINDOWS\system32\RKillSrv.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Udeliver - Marimba, Inc. - C:\PROGRA~1\Udeliver\CASTAN~1\Tuner.exe

Edited by Carlo, 24 July 2005 - 07:52 PM.

  • 0

Advertisements

#2
Kristy
Posted 11 August 2005 - 12:14 AM

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Duplicate post: http://www.geekstogo...topic=44819&hl=
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP