HJT-log attachment

Status
Not open for further replies.

Chronus

Posts: 118   +0
Need help with a popup adware, maybe worse, I don't know. I'm playing Diablo 2 and all of a sudden an ad pops up in Internet Explorer, and I'm taken out of online play and brought to an anti-spyware or some other commercially driven site. I've used Microsoft beta1, Spybot S&D, Ad-Aware SE, Norton, and I've even followed the steps given in WebSearch-Removal. None have given any kind of slowdown to this; any advice would be welcomed. 6 popups have come up even while writing this; the sooner I can get the help the better.

Thank you kindly for your help.
Tron De Telk
 

Attachments

  • hijackthis.txt (5.1 KB)
Acceleration Software\Anti-Virus: This is total rubbish!
http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note

C:\Documents and Settings\Kevin\Desktop\hijackthis\HijackThis.exe
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/U/ UNinstall anything to do with this
/R/ unRegister the xxx.DLL in that line
Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
...................................................................................................
R3 - Default URLSearchHook is missing
/R/ O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
/P/U/ O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119652319625
Unless these IP-numbers are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{1841E1FF-BAC0-4999-B722-6BBB27478B84}: NameServer = 10.10.1.22,10.10.1.19
/R/ O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irl4l53q1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)
...................................................................................................

STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
 
It is in Program Files; I just save the txt file to my desktop for easy access. Thanks for the help, I'll try and let you know.

Seems to have fixed the problem I was having, thank you very much; however there were 2 problems I encountered.

/R/ O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irl4l53q1.dll

Couldn't unregister it. It might be a result of following the directions in WebSearch-Removal.

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)

I tried to delete this folder, however I could not locate it. I looked with Windows Explorer, and also in cmd. Using both I could get into this folder, but could not delete it because Windows could not find it. I've tried to fix it with HJT, but it always comes back.

Here is the updated HJT file. Once again I save the txt to the desktop; the rest is in Program Files.
 
Go to http://forums.spywareinfo.com/index.php?showtopic=40153

* Download FindIt9Xme.zip here: http://www.thatcomputerguy.us/downloads/findit9xme.zip
* Unzip the contents of FindIt9Xme.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy/paste the entire contents of output.txt into your next post.

PLEASE DO NOT REBOOT or power down the computer, until I reply back or the infected file names will change!!!
 
OK, first of all the popups still popped up on my brother's account, so I tried following the information you gave me earlier; it is still there.

Second, the popups are now coming up in Firefox, and replacing the page that I am working on; is this usual?

OK, here is the result of FindIt.

...........................................................................................................
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is 30B6-87CB

Directory of C:\WINDOWS\System


------- Hidden Files in System Directory -------

Volume in drive C has no label.
Volume Serial Number is 30B6-87CB

Directory of C:\WINDOWS\System


---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A2ABDCDD-C2C0-6F90-F7CE-336A915AABA0}"=""


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
..........................................................................................................................

Thank you for the time.
 
Click Start/Run, type regedit and click OK.
Go to this key and delete the highlighted part
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A2ABDCDD-C2C0-6F90-F7CE-336A915AABA0}"=""
by rightclicking it, and select Delete.
 
OK, I've done this, but my original problem seems to have come back. I've attached the most recent HJT log; anything I can do?
 
wow

Alright, for popups you do not need HijackThis; you can just download the program Ad-Aware SE and use the browser Firefox. Get rid of your adware and spyware with scanners for free, and get rid of toolbars, clear your internet cache. But change to the browser Firefox and you will never have an adware problem again.

Just keep running scans, end processes that are like toolbars, go to your C drive and Program Files, now look for folders that are adware; it's obvious which ones are, because they are called things like "save money", or "casio this or that", or "protect your PC". So get rid of files you see that aren't anything and just run scans. If you still have problems with popups, contact me.

I had many problems with my computer; I ran the program Ad-Aware SE and it fixed a lot of stuff. It works really well.
 
OK, I've completely updated Norton, Microsoft ad remover, Ad-Aware SE, and Spybot Search and Destroy. In safe mode I ran each of their scans and cleaned out a few things. The "Popup" is still here, slowed down a bit but here nonetheless. I say "Popup" for lack of a better term; all I have to do is plug in the internet and the "Popups" come. If I am in Firefox it replaces the page I am on; some of them come up as Flash media. I cannot find any changes in the running programs and I've checked the startup; I even got rid of some questionable files. One I'm not sure of is "laveting"; it had, my guess, around 500 things in a cache file. I say had because now that I look at it all the files in it are gone????? I moved it from Program Files to my desktop to see if it would have any effect, but all the files are gone from within it????? Not hidden, but gone. Later I'll reboot in safe mode to see if they can only be seen in safe mode??? Any info on this would help.

Please, anything you can think of to get rid of this "Popup" would greatly help.
 
First Read: Only use these HJT-instructions when asked!
/R/ unRegister the xxx.DLL in that line
Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
...................................................................................................
/R/ O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\hrl4053qe.dll <<== filename may have changed, remove whatever!
...................................................................................................

STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
 
Can't /R/ it; in use in safe mode. Can't end process. So now what? Fixing it won't help either.

Here are the most recent FindIt and HJT logs.
 
Been a while. I was having problems with the popups, then one day I got some type of error when logging on to my computer. After the error the computer restarted and I haven't had any problems with those popups and I don't know why.

My only guess is the KillBox I downloaded was still in effect and the file tried to load with one of its old names. KillBox might have deleted it.

Here is my most recent HJT log file.
 
Run HJT in Safe Mode and FIX these. You don't trust ANY website, OK?
O15 - Trusted Zone: .windowsupdate.microsoft.com
O15 - Trusted Zone: .windowsupdate.com
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)
 
Well I'm back and have some weird problems. First of all I tried using Microsoft AntiSpyware (Beta) and came up with some errors, so I uninstalled it and reinstalled it. With doing both I came up with errors, so I tried again. All 3-4 times I tried I kept coming up with these errors.

When uninstalling I couldn't unregister these files; when installing I couldn't register these files. Each one coming up as a different error.

C:\program files\microsoft antispyware\gcAntispywarelibrary.dll hresult -2147220472
C:\program files\microsoft antispyware\gcASPrivacyLib.dll hresult -2147220472
C:\program files\microsoft antispyware\gcASSoaplib.dll hresult -2147220472
C:\program files\microsoft antispyware\gcTCPObjlib.dll -2147220472
C:\program files\microsoft antispyware\gcASThreatAudit.dll hresult -2147220472
C:\program files\microsoft antispyware\gcSoftwareUpdatelib.dll hresult -2147220472

Finally I’m having some O15 that I can’t fix. Thanks for the Help.
 
In IE, click on Tools/Internet Options/Security tab
Make a note of any settings you have changed yourself, then for Internet and Local Intranet click on the Default button, then put the changes (you noted down) back in if you think they are needed.

I told you before, and I say it again: STOP using that crap IE, get Firefox instead!
 
RealBlackStuff said:
I told you before, and I say it again: STOP using that crap IE, get Firefox instead!

Ever since you told me about FF all computers in my house now use it.

They're already at default :confused:

Any suggestions about the MA problem?
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

sp2update00.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\windows\sp2update00.exe

Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
Someone's gotten into my brother's checking account; he's reported it to the authorities. Wondering if it's some type of keylogger. Anyway, here's an HJT file; there are a lot more things than there should be, in my opinion. Any help would be appreciated.

Thanks for the help,

Chronus

Once again the HJT is in Program Files; I just save the txt to the desktop for easy access.
 
Please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log. This is because some malware can hide from HijackThis.exe.

Regards Howard :)

This thread is for the use of Chronus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, here's the result.
I'm also attaching the log I made while in safe mode before changing the name to 1991.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

PowerReg Scheduler V3.exe
PowerReg Scheduler.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone

O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

PowerReg Scheduler V3.exe

PowerReg Scheduler.exe

Search your system for the above files and delete all instances of them.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log from normal mode and let me know how your system is running.

Regards Howard :)

This thread is for the use of Chronus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, I've done what you have asked. Just a few comments.

Note:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

These have never been affected by fixing them. They were here since at least my last HJT file and no one was able to help.

The only record I’ve found for

PowerReg Scheduler V3.exe
PowerReg Scheduler.exe

were in the backup that HJT made. However, I found some record of them in regedit. Since you said nothing about it I left these alone.

Side Note:
I can not install Microsoft antispyware. I get these errors:
C:\program files\microsoft antispyware\gcAntispywarelibrary.dll hresult -2147220472
C:\program files\microsoft antispyware\gcASPrivacyLib.dll hresult -2147220472
C:\program files\microsoft antispyware\gcASSoaplib.dll hresult -2147220472
C:\program files\microsoft antispyware\gcTCPObjlib.dll -2147220472
C:\program files\microsoft antispyware\gcASThreatAudit.dll hresult -2147220472
C:\program files\microsoft antispyware\gcSoftwareUpdatelib.dll hresult -2147220472

It has problems with these files and cannot add or remove entries in the registry when install/uninstall happens. Wondering if you had any ideas.

When trying to get onto http://www.google.com all I get is a blank page saying "Do you yahoo?"
Code:
<html><head><title>do you yahoo?</title></head>
<body>
<h1>do you yahoo?</h1>
</body></html>

Even if I disable the internet I get this page.

Thanks for your help

~Chronus
 
Try this to get rid of the O15 entries.

Copy and paste the contents of the following quote box into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

Save it to the desktop as fixme.reg

Close all browsers and programmes.

Now <double-click> the fixme.reg file on the desktop.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Post a fresh HJT log, only after doing the above and let me know how your system is running.

Regards Howard :)

This thread is for the use of Chronus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
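The fixme.reg above restores the ZoneMap\ProtocolDefaults values that HijackThis reports as O15 lines, and an earlier reply asked whether the O17 NameServer addresses really belong to the ISP. The following read-only PowerShell audit is an added example, not code from this thread or from HijackThis; it compares both hives' ProtocolDefaults against the zone numbers in the .reg file and checks each Tcpip interface's NameServer/DhcpNameServer against a list of DNS servers you supply. The $ExpectedNameServers addresses are placeholders and must be replaced with your own; the script changes nothing.

```powershell
# Added example (not from the thread): audit IE ProtocolDefaults zone mappings
# and per-interface DNS NameServer values. Read-only; run in an elevated PowerShell.

# Expected ProtocolDefaults, taken from the fixme.reg posted above.
# Zone numbers: 0 = My Computer, 1 = Local Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
$ExpectedProtocolDefaults = @{
    'http'  = 3
    'https' = 3
    'ftp'   = 3
    'file'  = 3
    '@ivt'  = 1
    'shell' = 0
}

# Assumption/placeholder: the DNS servers you actually expect (your ISP's or router's).
# Replace these documentation-range addresses with your own before trusting the report.
$ExpectedNameServers = @('192.0.2.1', '192.0.2.2')

function Test-ProtocolDefaults {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults"
    $findings = @()
    if (-not (Test-Path -Path $key)) {
        $findings += "[$Hive] ProtocolDefaults key is missing"
        return $findings
    }
    $actual = Get-ItemProperty -Path $key
    foreach ($proto in $ExpectedProtocolDefaults.Keys) {
        $want = $ExpectedProtocolDefaults[$proto]
        $have = $actual.PSObject.Properties[$proto]
        if ($null -eq $have) {
            # A missing value is what HJT reports as "is in My Computer Zone".
            $findings += "[$Hive] '$proto' has no zone mapping (treated as My Computer Zone)"
        } elseif ([int]$have.Value -ne $want) {
            $findings += "[$Hive] '$proto' is in zone $($have.Value), expected $want"
        }
    }
    return $findings
}

function Test-NameServers {
    # Same key HJT's O17 line comes from: HKLM\System\CCS\Services\Tcpip\..\{interface GUID}
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $findings = @()
    foreach ($iface in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $iface.PSPath
        # NameServer is a statically configured list; DhcpNameServer was handed out by DHCP.
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $props.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            foreach ($server in ($value -split '[ ,]+')) {
                if ($server -and ($ExpectedNameServers -notcontains $server)) {
                    $findings += "Interface $($iface.PSChildName): $name = $server is not in the expected list"
                }
            }
        }
    }
    return $findings
}

# @( ) keeps an empty function result from collapsing to $null when concatenating.
$report = @(Test-ProtocolDefaults -Hive 'HKLM') +
          @(Test-ProtocolDefaults -Hive 'HKCU') +
          @(Test-NameServers)

if ($report.Count -eq 0) {
    Write-Output 'No deviations from the expected zone mappings or DNS servers.'
} else {
    $report | ForEach-Object { Write-Output $_ }
}
```

A deviation in ProtocolDefaults means the .reg fix did not stick or was re-applied by something at logon, which is worth checking before assuming the machine is clean; an unexpected NameServer on a machine that should be using the ISP's resolvers is the same condition the O17 warning above describes, and the address should be confirmed with the ISP or router configuration before it is changed.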
 