MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: Ads Galore!  (Read 3281 times)
Team48Lowes
« on: November 25, 2005, 04:07:34 AM »

Operating System Version: Win XP SP1



I have been getting tons of popups lately....here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 10:01:10 PM, on 11/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tony Hobson\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\korpoc.exe reg_run
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\System32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\System32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - Global Startup: iqgo.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9CEEB89-A609-4290-B188-B948E553ED62}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\dddskmgr.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

All help will be greatly appreciated!!!

HAPPY THANKSGIVING!!!!!!!
Pancake
« Reply #1 on: November 25, 2005, 07:12:40 AM »

Hi
Let's start by downloading Ewido Security Suite.

Install Ewido Security Suite.
When installing, under 'Additional Options' uncheck: "Install background guard" and "Install scan via context menu".

To open the main screen double click the icon on the desktop.

You will get a warning 'Database could not be found!' (only if no updates have been installed yet). Click OK.

Update to the latest definition files. On the left of the main screen click Update. Then click on Start Update. Let it complete the updates.

Now click on Scanner and click on Complete System Scan and the scan will start.

During some scans it may find cases of false positives so you will need to step through the process of cleaning files one-by-one.

If a file is detected you KNOW to be legitimate, select None as the action. Do NOT select 'Perform action on all infections'.

If you are unsure of any entry found play safe and select None as the action.
Press the button marked Save Report.

Save the report .txt file to your desktop or somewhere you can find it. Post it back with your next HJT log.

----------------------------



Download Killbox v2.0.0.473 and unzip the file to your Desktop and have it ready to use.

Right click and drag your cursor over the below files to highlight them, then use Control+C to copy them to the clipboard. Open KILLBOX and go to File and click on "Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). Then checkmark the "Delete on Reboot" box and click the red X. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.


C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com



After the reboot run HijackThis again. Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:


O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe

Reboot once more and post the resulting HijackThis log.  

« Last Edit: November 25, 2005, 07:18:23 AM by Pancake »

Team48Lowes
« Reply #2 on: November 29, 2005, 01:20:35 PM »

Logfile of HijackThis v1.99.1
Scan saved at 7:17:34 AM, on 11/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tony Hobson\My Documents\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Pancake
« Reply #3 on: November 29, 2005, 01:54:04 PM »

Run HJT and fix this item..

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
Team48Lowes
« Reply #4 on: November 29, 2005, 09:30:01 PM »

I did it and I rescanned and it was still there... I've done this several times.
Pancake
« Reply #5 on: November 29, 2005, 11:57:47 PM »

To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK


Reboot into Safe Mode by restarting the computer; then repeatedly hit F8 while rebooting until you see the Windows Advanced Options menu. Use the arrow keys to highlight safe mode from the menu and press Enter.

Now please search for and delete the following file if found:

C:\WINDOWS\lsass.exe

Do NOT remove the same named file in C:\Windows\System32\
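Why the lsass line keeps standing out, as an added example that is not code from this thread or from HijackThis: the genuine Local Security Authority process runs from C:\WINDOWS\System32, while the O23 entry in these logs names C:\WINDOWS\lsass.exe, records an unknown owner and, once the file was gone, reports "(file missing)". The Python below parses O23 lines in the format shown in this thread and applies exactly those three checks. The sample log text is constructed from the lines posted above; the system directory and the list of core process names are the example's own assumptions, not anything the thread states.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the O23 lines posted in this thread (not a real log).
SAMPLE_LOG = """\
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\\WINDOWS\\lsass.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\System32\\HPZipm12.exe
"""

# Assumption: default Windows XP install on C:, so the genuine core processes live here.
SYSTEM_DIR = r"c:\windows\system32"

# Process names that malware commonly borrows; the real ones only run from SYSTEM_DIR.
CORE_SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "services.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe"}

# "O23 - Service: <display> (<short>) - <owner> - <path> (file missing)"; short name and
# the missing marker are both optional, as the sample above shows.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(log_text: str) -> List[Dict[str, object]]:
    """Return one dict per O23 line: display/short name, owner, binary path, missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entry: Dict[str, object] = m.groupdict()
            entry["missing"] = entry["missing"] is not None
            entries.append(entry)
    return entries


def assess_service(entry: Dict[str, object]) -> List[str]:
    """Collect the reasons an O23 entry deserves a second look; empty list means nothing found."""
    reasons = []
    path = str(entry["path"]).lower()
    directory, _, filename = path.rpartition("\\")
    if filename in CORE_SYSTEM_BINARIES and directory != SYSTEM_DIR:
        reasons.append(f"{filename} registered from {directory}, genuine copy lives in {SYSTEM_DIR}")
    if entry["missing"]:
        reasons.append("service registration points at a file that no longer exists")
    if str(entry["owner"]).lower() == "unknown owner":
        reasons.append("no publisher recorded for the service")
    return reasons


def suspicious_services(log_text: str) -> Dict[str, List[str]]:
    """Map binary path -> reasons for every O23 entry that trips at least one check."""
    flagged = {}
    for entry in parse_o23(log_text):
        reasons = assess_service(entry)
        if reasons:
            flagged[str(entry["path"])] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in suspicious_services(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only the C:\WINDOWS\lsass.exe entry comes back, with all three reasons attached; the NVIDIA and HP services pass because they run from System32 under a named publisher. The "(file missing)" check is the one that explains the rest of this thread: deleting the binary does not remove the service registration, so the O23 line survives until the registry entry itself goes.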
Team48Lowes
« Reply #6 on: December 01, 2005, 01:11:09 PM »

It's not there... but it's still in the HJT log.
Pancake
« Reply #7 on: December 01, 2005, 01:25:04 PM »

Run HJT and remove it.....
Team48Lowes
« Reply #8 on: December 02, 2005, 01:13:05 PM »

As I previously stated, it is in the HJT log, and when I try to delete it from the log, it is still there when I run it again...
Pancake
« Reply #9 on: December 02, 2005, 01:35:34 PM »

Download SILENT RUNNERS to a new folder, unzip if zipped, and run the Silent Runners.vbs file.
Open the "Startup Programs.txt" file it creates, and copy/paste the contents to this post, please.
The "Startup Programs.txt" file will be in the folder you ran the "Silent Runners.vbs" file from.
Team48Lowes
« Reply #10 on: December 02, 2005, 09:35:48 PM »

This is what comes up after I run the script...

http://putfile.com/pic.php?pic=12/33515310719.jpg&s=x12
Pancake
« Reply #11 on: December 03, 2005, 12:41:17 AM »


Look in the registry and remove this key if it is there.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Winlogon="C:\WINDOWS\LSASS.EXE"

Then run HJT and fix the entry.
Team48Lowes
« Reply #12 on: December 05, 2005, 04:56:39 AM »

For some reason, when I click Start > Run, type regedit and hit Enter, a black window flashes on the screen and the Registry Editor never comes up... Is there any other way to access the registry, or to fix this problem with the Registry Editor?
Pancake
« Reply #13 on: December 05, 2005, 05:13:25 AM »

Open a notepad window by Clicking start->run->type notepad.exe
Hit Enter
Paste in the following text in bold into the notepad window:

cd C:\WINDOWS\System32\
attrib -s -h -r regedit.com
attrib -s -h -r cmd.com
del regedit.com;cmd.com
pause


Save the file to your desktop by setting the "Save as Type" to "all files", and save it as delfiles.bat

Double-click the delfiles.bat icon on your desktop (allow the script to run and disable any script blocking programs).

Next try to open regedit
Team48Lowes
« Reply #14 on: December 07, 2005, 09:38:46 PM »

Thanks, that script worked, but... the registry entry wasn't there, and I tried to delete the entry... but it's still there...

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)