
Popup trouble

Discussion in 'Virus & Other Malware Removal' started by ray40049, Oct 17, 2003.

  1. ray40049

    ray40049 Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    5
    Hi, I am having trouble with popups on my daughters computer. I have removed obvious things and it has slowed down but not stopped. Now It will not let me follow a link off of yahoo. I ran shredder and spybot. When I run spybot, some things come up again. Here is my log from Hijack this. Please help. Ray

    Logfile of HijackThis v1.97.2
    Scan saved at 6:17:34 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\emsw.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\Acjz0Y6.exe
    C:\WINDOWS\System32\Acjz0Y6.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brandy\Desktop\Computer Utilities\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\IpuFme.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.6223958333
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
     
  2. MaDKiWi

    MaDKiWi

    Joined:
    Nov 28, 2001
    Messages:
    114
    No matter what, you will always get popups; it's the internet's way of making money. However, some certain programs make things worse. For example, Kazaa used to be a bad one. I've found that Ad-Aware is the best freeware for removing spybot programs. Go to Lavasoft and find the program. It's great, and rid my father's computer of approximately 70 spybot related files when he was overrun by them. Hope this helps.
     
  3. OlTramp

    OlTramp

    Joined:
    May 3, 2003
    Messages:
    151
    Hi Ray-
    Close all browsers and rerun HiJack This. Check and delete the following-
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    This one I can find no info on. If you don't recognize it, delete it too-
    O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\IpuFme.exe
    Restart your computer and delete
    C:\WINDOWS\Belt.exe
    C:\WINDOWS\emsw.exe
    If you deleted IpuFme.exe above then delete it also.
    Restart your computer and run HJT again to make sure all above are gone.
     
  4. ray40049

    ray40049 Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    5
    MaDKiWi, I did run Ad-Aware also, sorry I did not mention it.

    OlTramp, I did as you said and now have this log. Ray

    Logfile of HijackThis v1.97.2
    Scan saved at 7:28:53 PM, on 10/17/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ZmxCD746.exe
    C:\WINDOWS\System32\Acjz0Y6.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brandy\Desktop\Computer Utilities\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\QlsO0A55.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.6223958333
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Regarding Ad-Aware 6, make sure you have build 181 and have run the Webupdate Feature to get the Reference File up to date.

    Please read http://forums.techguy.org/t164245/s.html for further instructions, settings, etc.

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of sites to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  6. ray40049

    ray40049 Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    5
    Thanks winchester73, I'll give it a try. I am pretty ignorant of the settings for Ad-Aware. Ray
     
  7. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    It is imperative that you always have the current Build and Reference File in use to ensure the proper detection and removal of objects.

    If it turns out you have a build older than 181, use Add/Remove Programs to uninstall the old version ... then do a fresh download from the link I gave you.
     
  8. OlTramp

    OlTramp

    Joined:
    May 3, 2003
    Messages:
    151
  9. ray40049

    ray40049 Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    5
    Ran all three virus scans, negative. With the new settings Ad-Aware found over 300 new objects. Thanks! Ray
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    You definitely have the Peper.A trojan.

    These entries confirm it; notice the changes every time you boot:

    O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\QlsO0A55.exe
    C:\WINDOWS\System32\ZmxCD746.exe
    C:\WINDOWS\System32\Acjz0Y6.exe

    O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\IpuFme.exe
    C:\WINDOWS\System32\Acjz0Y6.exe
    C:\WINDOWS\System32\Acjz0Y6.exe

    Download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then run a full system scan.

    Temporarily disable any other running AV before updating and running TDS-3

    then re-enable your normal AV after cleaning has been done with TDS-3
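The comparison dvk01 makes by eye between Ray's two logs (same Run value name, different executable each boot) can be scripted. The Python below is an added example written for this thread, not code from HijackThis, TDS-3, or any poster. It parses the `O4 - ...\Run:` lines and the "Running processes" list from two HijackThis scans and reports Run values whose name is stable but whose target file changed, Run values that disappeared, and System32 executables seen in only one snapshot. The two log excerpts are constructed from the lines quoted in this thread; the function names are my own.

```python
"""Spot autostart entries whose executable changes between two HijackThis scans.

Added example for this thread; not code from HijackThis, TDS-3 or any poster.
The two log excerpts are constructed from the lines quoted in the thread
(first and second scans), trimmed to the process list and a few Run entries.
"""
import re
from typing import Dict, List, Set, Tuple

# Matches an O4 autostart line, e.g.  O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4_RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]+)\] (.+)$")

LOG_FIRST_SCAN = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\emsw.exe
C:\WINDOWS\System32\Acjz0Y6.exe
C:\WINDOWS\System32\Acjz0Y6.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\IpuFme.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
"""

LOG_SECOND_SCAN = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ZmxCD746.exe
C:\WINDOWS\System32\Acjz0Y6.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [354HGWC555FRB7] C:\WINDOWS\System32\QlsO0A55.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def parse_run_entries(log: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, value name) -> launched command for every O4 ...\\Run line."""
    entries: Dict[Tuple[str, str], str] = {}
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = command.strip()
    return entries


def parse_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs: List[str] = []
    in_section = False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line)
    return procs


def run_entry_diff(log_a: str, log_b: str) -> Dict[str, list]:
    """Compare the autostart entries of two scans.

    'changed' is the signal dvk01 describes: the registry value name stays
    fixed while the file it launches differs on each boot. A legitimate
    autostart keeps the same command across scans.
    """
    a, b = parse_run_entries(log_a), parse_run_entries(log_b)
    return {
        "changed": sorted((h, n, a[(h, n)], b[(h, n)]) for (h, n) in a.keys() & b.keys()
                          if a[(h, n)].lower() != b[(h, n)].lower()),
        "removed": sorted((h, n, a[(h, n)]) for (h, n) in a.keys() - b.keys()),
        "added": sorted((h, n, b[(h, n)]) for (h, n) in b.keys() - a.keys()),
    }


def system32_seen_once(log_a: str, log_b: str) -> Set[str]:
    """System32 executables running in exactly one of the two snapshots."""
    def names(log: str) -> Set[str]:
        return {p.rsplit("\\", 1)[-1].lower() for p in parse_processes(log)
                if p.lower().startswith("c:\\windows\\system32\\")}
    return names(log_a) ^ names(log_b)


if __name__ == "__main__":
    diff = run_entry_diff(LOG_FIRST_SCAN, LOG_SECOND_SCAN)
    for hive, name, before, after in diff["changed"]:
        print(f"CHANGED {hive}\\..\\Run [{name}]: {before} -> {after}")
    for hive, name, cmd in diff["removed"]:
        print(f"removed {hive}\\..\\Run [{name}]: {cmd}")
    for exe in sorted(system32_seen_once(LOG_FIRST_SCAN, LOG_SECOND_SCAN)):
        print(f"System32 process seen in only one scan: {exe}")
```

Run against the two excerpts it reports the `354HGWC555FRB7` value switching from `IpuFme.exe` to `QlsO0A55.exe`, the `Belt` and `emsw.exe` values that OlTramp had Ray remove, and `zmxcd746.exe` as a System32 process present in only the second scan. The match on the value name rather than the file name is the point: a scanner that only looks for a known bad executable name misses a dropper that picks a new one at each boot, while the registry value it reuses stays constant.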
     
  11. ray40049

    ray40049 Thread Starter

    Joined:
    Oct 17, 2003
    Messages:
    5
    dvk01, good call. TDS-3 did indeed find 2 files. Popups have stopped (except normal type). Thanks. Ray


    Scan Control Dumped @ 10:09:54 18-10-03
    Positive identification (embedded in file): TrojanDownloader.Win32.VB.s
    File: c:\windows\system32\uktbua.exe

    Positive identification: TrojanDownloader.Win32.VB.r
    File: c:\windows\system32\uktbua.exe
     
Short URL to this thread: https://techguy.org/172711