  1. #1 - Member, Join Date Jul 2006, Posts 7

    Hijack-detective referred me to this forum - please review l

    Greetings! First time posting. Thank you for such detailed and accurate protocols for detecting and deleting bugs. I have tried all the recommendations and have downloaded, updated and cleansed my computer as well as re-run HijackThis multiple times, and am still plagued by this program that seems to have taken over my Internet Explorer. It first appeared when I went to Norton Antivirus' site for a free online computer virus scan. I downloaded ActiveX from the site and this hellish reality has been happening ever since. Sorry for the disconnect, ads for "Modern Singles" keep popping up. The main ad seems to be for a rogue spyware program. You are the experts, please review the log. I look forward to your response.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:03:13 AM, on 7/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\CAPM5RSK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Global Startup: Canon iC D800 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

  2. #2 - steamwiz, Member, Yorkshire U.K., Join Date Sep 2003, Posts 14,022

    Hi

    Which rogue spyware remover program?

    You are running an out-of-date version of Java.

    You can go here and install the latest version of Java.

    http://java.com/en/download/index.jsp

    Then go to Add/Remove Programs and uninstall any earlier versions ...

    Running an out-of-date version of Java is an infection risk.

    Your HijackThis log is clean.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  3. #3 - Member, Join Date Jul 2006, Posts 7

    WinAntiVirus Pro -- is the rogue program!

    Unfortunately, my log file is clean; however, the pop-ups keep coming up on my computer.

    Spybot Search and Destroy did remove MOST of the program (WinAntiVirus Pro); however, as the posts on download.com indicate, this is a very tricky program to get rid of. Any additional advice would be greatly appreciated!

    My research suggests that it got in through the ActiveX download I did at Norton Antivirus.

    Another's experience:
    "You will spend hours trying to remove this program. On install and first run it is useless and only prompts to buy the product; look in any spyware/malware forums for this product and you will spend hours reading of people trying to remove this program with no success. It will flood your browser with pop-ups and there is no simple way to remove it. It IS malicious code! Please remove it from this trusted site!!!"

  4. #4 - Member, Join Date Dec 2002, Posts 12,000

    suz_roberts:

    You wrote:

    "I have tried all the recommendations"

    Can I assume that you are talking about everything here?:

    Browser hijacks, spyware problems: read this BEFORE posting

    http://www.help2go.com/component/opt...wtopic/t,9709/

    You must remember that a HJT log will only show the most common places malware is known to run from. It is not a magic "pill" for all ills.
    Your log indicates that you have not done the online scans. They could possibly help with your problem. Please don't try to make us work around the programs that "you want" to do.

    Also, if the web page(s) you are visiting are the cause of the pop-ups, there is nothing really we can do to control your surfing habits. A pop-up stopper MAY help you.

    "My research suggests that it got in through the ActiveX download I did at Norton Antivirus."

    Got a reference for this/URL?

    I know, in my personal opinion, when it comes to "Norton" it is not good. But I doubt that it caused the pop-ups.

    BG

  5. #5 - steamwiz, Member, Yorkshire U.K., Join Date Sep 2003, Posts 14,022

    Hi

    Please download VundoFix.exe to your desktop.

    1. Double-click VundoFix.exe to run it.
    2. Put a check next to "Run VundoFix as a task".
    3. You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
    4. When VundoFix re-opens, click the "Scan for Vundo" button.
    5. Once it's done scanning, click the "Remove Vundo" button.
    6. You will receive a prompt asking if you want to remove the files; click "YES".
    7. Once you click yes, your desktop will go blank as it starts removing Vundo.
    8. When completed, VundoFix will prompt that it will shut down your computer; click "OK".
    9. Turn your computer back on.
    10. Please post the contents of C:\vundofix.txt and let us know if the pop-ups have stopped ...

    steam

  6. #6 - Member, Join Date Jul 2006, Posts 7

    Additional information - if it helps?

    I never get pop-ups, as I have 2 pop-up blockers, including a Google toolbar, and a firewall program (I forget the name of now), so the pop-up phenomenon is new and unusual. Additionally, it is now taking over my memory, so everything is incredibly slow.

    I have even used msconfig to reduce the programs that start up and run in the background to free memory, but that has not made a significant impact.
    The protocol I used was not from the link you referenced, but was a combination from 2 other postings I saw on the website that included downloading about 6 additional programs for spyware removal and monitoring. What I did was: 1. Downloaded and ran: AVG virus scan, Spybot Search and Destroy, Ad-Aware, Windows Defender, a Scandinavian spyware scanner, and 3 other programs (referred to in a different protocol for cleaning computers) that are spy monitors (not sure if correct word here); HijackThis - ran 2x; netdetective - followed instructions; and dumped trash, ran disk cleanups and restarted a few times in between, for a total of about 5 hours of run time.

    Regarding the online virus scans: I am remiss in going to the Panda and other one due to my ActiveX theory, which may be erroneous/paranoid, etc. I configured IE to prompt me to enable or disable ActiveX on each website that runs it, which in my thinking could control the pop-ups (if they are using ActiveX). Sometimes it works (I get these loud bleeps when I hit no), but not always. So, basically, my theory may be more superstition/gut/coincidence than fact. The creepy fact is that I downloaded ActiveX and pop-ups started slowing my system down.

    What is the recommended donation? Just curious. You are definitely providing a REALLY valuable service!

    Thanks!
    Suzanne

  7. #7 - Member, Join Date Jul 2006, Posts 7

    Thanks SteamWiz

    Will send new log upon performing your instructions.
    Thanks!

  8. #8 - Member, Join Date Jul 2006, Posts 7

    Trojans detected on system!

    Greetings,
    I ran VundoFix. It detected quite a few problem .dlls.

    Additionally, AVG detected and "cleansed" 2 trojans (Backdoor and another one).

    I will post the official log with all the dlls that are/were infected tonight.

    Thanks Steam!

  9. #9 - Member, Join Date Jul 2006, Posts 7

    VundoFix report

    This is the log file from VundoFix.

    VundoFix V5.1.4

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.4.2.3

    Scan started at 8:57:08 PM 7/19/2006

    Listing files found while scanning....

    C:\windows\system32\ddcya.dll
    C:\windows\system32\aycdd.ini
    C:\windows\system32\aycdd.bak1
    C:\windows\system32\aycdd.bak2
    C:\windows\system32\jkkhedc.dll
    C:\windows\system32\jkkjgfg.dll
    C:\windows\system32\tuvtsss.dll
    C:\windows\system32\tuvustq.dll

    Beginning removal...

    The process smss.exe was successfully stopped

    The process winlogon.exe was successfully stopped

    The process explorer.exe was successfully stopped

    The process iexplore.exe was successfully stopped

    The process rundll32.exe was successfully stopped

    Attempting to delete C:\windows\system32\ddcya.dll
    C:\windows\system32\ddcya.dll Has been deleted!

    Attempting to delete C:\windows\system32\aycdd.ini
    C:\windows\system32\aycdd.ini Has been deleted!

    Attempting to delete C:\windows\system32\aycdd.bak1
    C:\windows\system32\aycdd.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\aycdd.bak2
    C:\windows\system32\aycdd.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\jkkhedc.dll
    C:\windows\system32\jkkhedc.dll Has been deleted!

    Attempting to delete C:\windows\system32\jkkjgfg.dll
    C:\windows\system32\jkkjgfg.dll Has been deleted!

    Attempting to delete C:\windows\system32\tuvtsss.dll
    C:\windows\system32\tuvtsss.dll Has been deleted!

    Attempting to delete C:\windows\system32\tuvustq.dll
    C:\windows\system32\tuvustq.dll Has been deleted!

    Performing Repairs to the registry.
    Done!
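The file listing in this VundoFix report shows one pattern worth knowing when reading such logs: ddcya.dll sits beside aycdd.ini, aycdd.bak1 and aycdd.bak2, whose base name is the DLL's name spelled backwards. The Python script below is an added example, not part of the thread, HijackThis or VundoFix; it parses a listing of this shape and pairs each DLL with its reversed-name companions, using the eight paths reported above as constructed input (the set of companion extensions is an assumption taken from that listing).

```python
"""Pair Vundo-style dropped files by reversed base name (added example,
not part of HijackThis or VundoFix): in the listing above ddcya.dll sits
beside aycdd.ini/.bak1/.bak2, whose stem is the DLL's name reversed."""
import ntpath
from collections import defaultdict

# Constructed input: the eight paths VundoFix reported in the post above.
SAMPLE_LISTING = r"""
C:\windows\system32\ddcya.dll
C:\windows\system32\aycdd.ini
C:\windows\system32\aycdd.bak1
C:\windows\system32\aycdd.bak2
C:\windows\system32\jkkhedc.dll
C:\windows\system32\jkkjgfg.dll
C:\windows\system32\tuvtsss.dll
C:\windows\system32\tuvustq.dll
"""

# Companion extensions present in the listing; assumed to be the full set.
COMPANION_EXTS = {".ini", ".bak1", ".bak2"}


def parse_listing(text):
    """Yield (directory, stem, ext), lower-cased, for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            directory, name = ntpath.split(line)
            stem, ext = ntpath.splitext(name)
            yield directory.lower(), stem.lower(), ext.lower()


def find_reversed_companions(text):
    """Map each DLL path to the companion paths whose stem is its reversal.

    Matching is done per directory so a same-named file elsewhere on disk
    does not create a false pair. DLLs without companions map to [].
    """
    by_dir = defaultdict(list)
    for directory, stem, ext in parse_listing(text):
        by_dir[directory].append((stem, ext))
    report = {}
    for directory, files in by_dir.items():
        for stem, ext in files:
            if ext != ".dll":
                continue
            mirror = stem[::-1]
            companions = sorted(
                ntpath.join(directory, s + e)
                for s, e in files if s == mirror and e in COMPANION_EXTS)
            report[ntpath.join(directory, stem + ext)] = companions
    return report


if __name__ == "__main__":
    for dll, companions in find_reversed_companions(SAMPLE_LISTING).items():
        print(dll, "->", companions or "no companions")
```

Run against the sample, only ddcya.dll gains companions; the four other DLLs are reported alone, which matches the report above and is a reminder that the absence of a mirror-named file does not clear a random-named DLL in system32.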

  10. #10 - steamwiz, Member, Yorkshire U.K., Join Date Sep 2003, Posts 14,022

    Hi Suzanne

    You are still running an out-of-date version of Java:

    "Checking Java version...

    Java version is 1.4.2.3"

    Running an out-of-date Java is one way this infection gets on to your computer...

    See my post #2 for how to update your Java...

    Please update us on any problems you are still having...

    steam
