Few Problems... ADS1.revenue, [RESOLVED]



#1
aldaros23

    Member

  • Member
  • 86 posts
Okay, so I was checking one of my business computers in the office and it's got a few problems:

[1] ads1.revenue pops up when opening Internet Explorer

[2] there's a toolbar at the top that looks like this:
Window-------------------------------------------------------------------------------------------------Window
Address Bar http://www.geekstogo................... [-->GO]
[ Search ______ [ --> ] THEN FOLDER LIKE TABS WITH KEY WORDS PICKED UP FROM PAGE ]
FIELD GO BUTTON


[3] another pop-up toolbar that attaches to the bottom task bar (where the Windows icon and time/date are); it attaches just above it and has certain links like "casino" or "cards" or "money". It has an [X] in the corner so it can be closed, but it's there every time Internet Explorer opens (upon reboot)
---------------------------------------------------------------------------------------------------------------------------

I have 4 spyware programs, AVG Free, Spybot SD, AdAware, Antispyware + HijackThis; none could get rid of these problems! ANY HELP WOULD BE GREATLY APPRECIATED! Thanks very much

HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 4:31:21 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.muppvevow...pnT4IaQ_N3.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BASEDARTBINTONS] C:\Documents and Settings\All Users\Application Data\Creative ref base dart\Litemp3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [flap skip] C:\DOCUME~1\genny\APPLIC~1\AxisHide\Program Second.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

------------------

THANKS ALOT !!!


#2
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Hello!!!!!!!!! :tazz: :) :)

Because you have the lop infection, we are first going to see where it hides. You do that as follows:

Download Findlop by Metallica. Unzip it to your desktop.
Double-click findlop.bat. It will open a Notepad file.
Copy the content of that file and paste it here in your reply.

Edited by skate_punk_21, 28 October 2005 - 02:01 PM.


#3
aldaros23

    Member

  • Topic Starter
  • Member
  • 86 posts
Sorry for the delay - here's the Notepad text

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8269696A90131436.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\angelica\applic~1\axishide\License Bone Heck.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Angelica'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 08/08/2005 11:00:00
NextRun: 10/28/2005 20:00:00
StartError: 0x80070534
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/27/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AA8032949187A6D8.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\genny\applic~1\axishide\License Bone Heck.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'genny'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/28/2005 19:00:00
NextRun: 10/28/2005 20:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/03/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'FRU Task #Hewlett-Packard#hp officejet 6100 series#1087251390.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe'
Parameters: '-I "#Hewlett-Packard#hp officejet 6100 series#1087251390"'
WorkingDirectory: ''
Comment: ''
Creator: 'genny'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 1
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

No triggers

#4
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Check and fix the following in HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.muppvevow...pnT4IaQ_N3.html
O4 - HKLM\..\Run: [BASEDARTBINTONS] C:\Documents and Settings\All Users\Application Data\Creative ref base dart\Litemp3.exe
O4 - HKCU\..\Run: [flap skip] C:\DOCUME~1\genny\APPLIC~1\AxisHide\Program Second.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Delete the following folders in blue:
C:\Documents and Settings\All Users\Application Data\Creative ref base dart\
C:\Documents and Settings\angelica\Application Data\axishide\
C:\Documents and Settings\Genny\Application Data\axishide\


Copy the following into notepad and save it as "kill.bat" WITH THE QUOTATIONS

rem clear the system, read-only and hidden attributes first, otherwise del cannot remove the job files
attrib -s -r -h C:\windows\tasks\8269696A90131436.job
del /q C:\windows\tasks\8269696A90131436.job
attrib -s -r -h C:\windows\tasks\AA8032949187A6D8.job
del /q C:\windows\tasks\AA8032949187A6D8.job

Once saved, double click this file to run it.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click Start Scan
  • After it's done scanning, click Scan Results
  • Make sure all items found have a check next to them, then click Clean Threats Now.
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called Antispyware.log, please double-click that log and copy the entire contents and paste them here.
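An added triage script (my own example, not a tool from this thread or part of HijackThis) that applies the reasoning behind the fix list above to the log from the first post: it flags O4 autostart entries whose executable lives under a user profile tree (long or 8.3 path form, where lop dropped both of its files), R0/R1 start or search pages whose host is outside an assumed allow-list (EXPECTED_HOSTS), and any O6 policy-restriction entry. The sample lines are copied from the thread's log; the allow-list and the heuristics are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted at the top of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.muppvevow...pnT4IaQ_N3.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BASEDARTBINTONS] C:\Documents and Settings\All Users\Application Data\Creative ref base dart\Litemp3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [flap skip] C:\DOCUME~1\genny\APPLIC~1\AxisHide\Program Second.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
""".strip()

# Assumption: hosts the start page and search bar on this machine are expected to use.
EXPECTED_HOSTS = ("msn.ca", "msn.com", "microsoft.com")

# Profile roots (long and 8.3 form) under which lop placed both of its autostart executables.
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
R_RE = re.compile(r"^R[01] - .* = (\S+)$")

def run_target(command):
    """Extract the executable path from an O4 command: strip quotes or trailing arguments."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return re.split(r" [/-]", command, maxsplit=1)[0]

def classify(line):
    """Return why a HijackThis line is suspicious, or None when it looks benign."""
    m = O4_RE.match(line)
    if m:
        if run_target(m.group(3)).lower().startswith(PROFILE_ROOTS):
            return "autostart entry runs an executable from a user-writable profile directory"
        return None
    m = R_RE.match(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        return None if host.endswith(EXPECTED_HOSTS) else "start/search page points at an unexpected host"
    if line.startswith("O6 - "):
        return "Internet Explorer options are locked by a policy key the user did not set"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every suspicious entry in a HijackThis log."""
    return [(l, classify(l)) for l in log_text.splitlines() if classify(l)]
```

Run against the sample, triage() returns exactly the four entries the expert told the poster to fix, and leaves the AVG, Microsoft AntiSpyware, ctfmon and msn.ca entries alone.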

#5
aldaros23

    Member

  • Topic Starter
  • Member
  • 86 posts
Everything done as you stated:

Started Scanning
Internet Cookies
Found 'com.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'partypoker.com' in 'Internet Explorer Cache'
Found 'landing.domainsponsor.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683}'
Found '' in 'SOFTWARE\Classes\TypeLib\{379919F2-1612-45B7-B9F4-773F6D5214F5}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{379919F2-1612-45B7-B9F4-773F6D5214F5}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{379919F2-1612-45B7-B9F4-773F6D5214F5}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{379919F2-1612-45B7-B9F4-773F6D5214F5}'
Found '' in 'SOFTWARE\Classes\SOFTWARE\MM'
Found '' in 'SOFTWARE\Classes\eD2KDownloadManager.object\CurVer'
Found '' in 'SOFTWARE\Classes\eD2KDownloadManager.object\CLSID'
Found '' in 'SOFTWARE\Classes\eD2KDownloadManager.object.1\CLSID'
Found '' in 'SOFTWARE\Classes\eD2KDownloadManager.object.1'
Found '' in 'SOFTWARE\Classes\eD2KDownloadManager.object'
Internet URL Shortcuts
Files and Directories
Found 'kwv2.dat' in 'C:\WINDOWS'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet\Dashboard'. Error=5.
Checking for 'C:\WINDOWS\kwv2.dat' in shortcut areas.
Checking for 'C:\WINDOWS\kwv2.dat' in startup areas.
Cleaning 'C:\WINDOWS\kwv2.dat'
Finished Cleaning

#6
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
OK, before I give you the all clear, let's have one last FRESH HijackThis log.

Edited by skate_punk_21, 01 November 2005 - 10:02 AM.


#7
aldaros23

    Member

  • Topic Starter
  • Member
  • 86 posts
It's good, I checked it out myself... there's nothing I cannot identify; PROBLEM SOLVED! THANKS A LOT, you're definitely a pro

#8
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Congratulations Your Log is Clean!!

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.

#9
skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.