Newbie needs help



#1 calabman
New Member, 3 posts
Help! I downloaded a "no cd" crack for a game and have paid the price!! I am now pestered with MSIE popups (I use Netscape as my browser). I have installed the latest versions of Spybot, CWShredder, Ad-Aware SE, Hijack This and Trojan Hunter (30 day trial) and, after running this and deleting recommended files, am still infected so I must be doing something wrong! Any help will be appreciated. Here is my latest Hijack log.


Logfile of HijackThis v1.99.0
Scan saved at 10:36:19 AM, on 12/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Documents and Settings\EERidenour\Application Data\miah.exe
C:\WINDOWS\System32\??chost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Gdmhwa.exe
C:\WINDOWS\system32\Tvczm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Utility Files\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Documents and Settings\EERidenour\Application Data\Mozilla\Profiles\default\wo3emx9q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\EERidenour\Application Data\Mozilla\Profiles\default\wo3emx9q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {81A892AE-244D-3A9D-1955-5DF008BA6AB3} - C:\WINDOWS\System32\ivibydqu.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [sbqwoaiuci] C:\WINDOWS\System32\txfjxvsf.exe
O4 - HKLM\..\Run: [f699e11d9a25] C:\WINDOWS\System32\APPXEC32.exe
O4 - HKLM\..\Run: [55DPDYY275JEQK] C:\WINDOWS\system32\KximoD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [ewdzE.exe] C:\documents and settings\eeridenour\local settings\temp\ewdzE.exe
O4 - HKLM\..\Run: [6ar5AYlkn.exe] C:\documents and settings\eeridenour\local settings\temp\6ar5AYlkn.exe
O4 - HKCU\..\Run: [tsddd] C:\WINDOWS\System32\tsddd.exe
O4 - HKCU\..\Run: [Tpat] C:\Documents and Settings\EERidenour\Application Data\miah.exe
O4 - HKCU\..\Run: [Disfxu] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe


#2 admin
Founder Geek, Community Leader, 24,639 posts
First, we need to remove the pepper trojan. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much--this is normal):
http://www.geekstogo...=download&id=18

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {81A892AE-244D-3A9D-1955-5DF008BA6AB3} - C:\WINDOWS\System32\ivibydqu.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINDOWS\system32\srchbar.dll
O4 - HKLM\..\Run: [sbqwoaiuci] C:\WINDOWS\System32\txfjxvsf.exe
O4 - HKLM\..\Run: [f699e11d9a25] C:\WINDOWS\System32\APPXEC32.exe
O4 - HKLM\..\Run: [55DPDYY275JEQK] C:\WINDOWS\system32\KximoD.exe
O4 - HKLM\..\Run: [ewdzE.exe] C:\documents and settings\eeridenour\local settings\temp\ewdzE.exe
O4 - HKLM\..\Run: [6ar5AYlkn.exe] C:\documents and settings\eeridenour\local settings\temp\6ar5AYlkn.exe
O4 - HKCU\..\Run: [tsddd] C:\WINDOWS\System32\tsddd.exe
O4 - HKCU\..\Run: [Tpat] C:\Documents and Settings\EERidenour\Application Data\miah.exe
O4 - HKCU\..\Run: [Disfxu] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
(Description: nVidia nForce Taskbar Utility - quick access to the nForce2 "Sound Storm" control panel and related utilities. Removing this will free up some system resources. )

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
(Description: Complete utter waste of space! Part of MS Office - searches disk drives for Office file types and creates an index to make opening them easier. Removing this entry will free up a significant amount of system resources. )

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\System32\ivibydqu.dll
C:\WINDOWS\system32\srchbar.dll
C:\WINDOWS\System32\txfjxvsf.exe
C:\WINDOWS\System32\APPXEC32.exe
C:\WINDOWS\system32\KximoD.exe
C:\documents and settings\eeridenour\local settings\temp\ewdzE.exe
C:\documents and settings\eeridenour\local settings\temp\6ar5AYlkn.exe
C:\WINDOWS\System32\tsddd.exe
C:\Documents and Settings\EERidenour\Application Data\miah.exe
C:\WINDOWS\System32\??chost.exe (NOT svchost.exe)
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\winpack.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
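The reply above walks the log by hand: reset search pages, an orphaned BHO, Run entries launched from a temp folder, and a file named to look like svchost.exe. The script below is an added example, not code from this thread or from HijackThis, that applies the same checks to HijackThis-style lines and also reports which lines disappeared between a first log and a fresh rescan (the check the reply asks for at the end). The sample lines are copied from the two logs posted in this thread; the parsing regexes, the expected-directory table, the two-character name-distance threshold and the "review" note on unnamed BHOs (Spybot's SDHelper also shows as "(no name)", so that alone is not proof of malware) are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the first log posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ewdzE.exe] C:\documents and settings\eeridenour\local settings\temp\ewdzE.exe
O4 - HKCU\..\Run: [Disfxu] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""
# Constructed sample: the same entries as they appear in the fresh log after cleanup.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
"""

@dataclass
class Entry:
    kind: str                     # line type: R1, O2, O4, ...
    name: str                     # Run value name, BHO display name, or registry value
    target: str                   # program path, DLL path, or registry data
    raw: str
    reasons: List[str] = field(default_factory=list)

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.I)

# Assumed table: where each Windows XP system binary is expected to live.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into (kind, name, target); returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == "O4":
        m4 = O4_RE.match(body)
        if m4:
            return Entry(kind, m4.group(1), m4.group(2), line.strip())
        return Entry(kind, "", body, line.strip())       # Startup-folder items
    if kind == "O2":
        m2 = O2_RE.match(body)
        if m2:
            return Entry(kind, m2.group(1), m2.group(2), line.strip())
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        return Entry(kind, key, value, line.strip())
    return Entry(kind, "", body, line.strip())

def exe_path(target: str) -> str:
    """Return the program path from a Run value, dropping quotes and trailing switches."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    return re.split(r"\s+[/-]", t, maxsplit=1)[0]

def hamming(a: str, b: str) -> Optional[int]:
    return sum(x != y for x, y in zip(a, b)) if len(a) == len(b) else None

def lookalike(basename: str) -> Optional[str]:
    """System binary this file name imitates, if it differs in at most 2 characters (assumed threshold)."""
    low = basename.lower()
    for real in EXPECTED_DIR:
        d = hamming(low, real)
        if d is not None and 0 < d <= 2:
            return real
    return None

def assess(entry: Entry) -> Entry:
    """Attach a reason for each pattern the reply above treated as a removal candidate."""
    if entry.kind in ("R0", "R1") and entry.target.strip().lower() == "about:blank":
        entry.reasons.append("IE start/search page forced to about:blank (hijack symptom)")
    if entry.kind == "O2":
        if entry.target.strip() == "(no file)":
            entry.reasons.append("BHO registered but its file is gone (orphaned entry)")
        elif entry.name == "(no name)":
            entry.reasons.append("review: unnamed BHO, identify the DLL before keeping it")
    if entry.kind == "O4" and entry.target:
        path = exe_path(entry.target)
        base = path.rsplit("\\", 1)[-1]
        folder = path[: -len(base) - 1].lower() if "\\" in path else ""
        if TEMP_RE.search(path):
            entry.reasons.append("Run entry launches from a temp directory")
        if base.lower() in EXPECTED_DIR and folder != EXPECTED_DIR[base.lower()]:
            entry.reasons.append(f"{base} outside its expected directory {EXPECTED_DIR[base.lower()]}")
        real = lookalike(base)
        if real:
            entry.reasons.append(f"file name imitates {real}")
    return entry

def triage(log: str) -> List[Entry]:
    """Parse a whole log and return only the entries that collected at least one reason."""
    return [e for e in (parse_line(l) for l in log.splitlines()) if e and assess(e).reasons]

def removed_entries(before: str, after: str) -> List[str]:
    """Lines present in the first log but absent from the fresh rescan."""
    after_set = {l.strip() for l in after.splitlines() if l.strip()}
    return [l.strip() for l in before.splitlines() if l.strip() and l.strip() not in after_set]

if __name__ == "__main__":
    for e in triage(BEFORE):
        print(e.raw)
        for r in e.reasons:
            print("   -", r)
    print("entries gone after cleanup:", len(removed_entries(BEFORE, AFTER)))
```

Run against the first log, the script flags the about:blank search page, both unnamed BHOs (one as a hard finding, Spybot's as "review"), the temp-folder Run entry, the svchost.exe sitting in C:\WINDOWS instead of System32, and ??chost.exe as an imitation of svchost.exe, while leaving the Acrobat BHO and IntelliType alone; comparing it with the fresh log confirms the six entries are gone. The name-distance check is deliberately narrow (same length, at most two differing characters) so that ordinary program names do not trip it.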

#3 calabman (Topic Starter)
New Member, 3 posts
Here is the new Hijack logfile. Also, after rebooting I did not see any MSIE popup ads and the Trojan Hunter did not find any Adware running in memory as before.

I am getting this message from Windows Firewall:

Windows Firewall has blocked this program:

Name: Support.com Scheduler and Command Dispatcher
Publisher: Support.com, Inc

It asked if I wanted to keep blocking, unblock or ask me later (I chose ask me later). This has always popped up after I upgraded to SP2 which was just yesterday. I don't think this has anything to do with the MSIE popups but I thought I would ask about it anyway.


Logfile of HijackThis v1.99.0
Scan saved at 3:37:53 PM, on 12/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utility Files\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.c...com/index2.psp"); (C:\Documents and Settings\EERidenour\Application Data\Mozilla\Profiles\default\wo3emx9q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\EERidenour\Application Data\Mozilla\Profiles\default\wo3emx9q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe

#4 calabman (Topic Starter)
New Member, 3 posts
Some more info on the Windows Firewall problem. I installed WinPatrol (neat program) and it linked TGCMD.exe to Support.com. A google on TGCMD.exe indicated that it was probably installed by my cable ISP (Charter) and is possibly used by Charter to monitor my cable usage (Support.com may be a company used by Charter to monitor my cable usage?). All of my internet functions (browser, mail, on-line gaming, etc) seem to be working OK so I may continue to let Windows Firewall block this program and not try to remove TGCMD.exe from my computer.

BTW, after multiple reboots I have not seen any MSIE popup ads so my popup problem may be solved!! Thank you very much for your help in solving this problem. Happy Holidays!

#5 admin
Founder Geek, Community Leader, 24,639 posts
Support.com is used by your Internet provider to monitor your connection quality. You can either allow or disallow it; it won't affect your connection.

If you want to disable it, just fix this entry with HJT:
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)





