TechSpot

HJT-log attachment

By Chronus
Nov 10, 2005
  1. Need help with a popup adware, maybe worse, I don't know. I'm playing Diablo 2 and all of a sudden an ad pops up in Internet Explorer, and I'm taken out of online play and brought to an anti-spyware or some other commercially driven site. I've used Microsoft beta1, Spybot S&D, Ad-Aware SE, Norton, and I've even followed the steps given in WebSearch-Removal. None have given any kind of slowdown to this; any advice would be welcomed. 6 popups have come up even while writing this; the sooner I can get the help the better.

    Thank you kindly for your help.
    Tron De Telk
     

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Acceleration Software\Anti-Virus: This is total rubbish!
    http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note

    C:\Documents and Settings\Kevin\Desktop\hijackthis\HijackThis.exe
    Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /U/ UNinstall anything to do with this
    /R/ unRegister the xxx.DLL in that line
    Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
    Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
    ...................................................................................................
    R3 - Default URLSearchHook is missing
    /R/ O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
    /P/U/ O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119652319625
    Unless these IP-numbers are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1841E1FF-BAC0-4999-B722-6BBB27478B84}: NameServer = 10.10.1.22,10.10.1.19
    /R/ O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irl4l53q1.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)
    ...................................................................................................

    STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
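The entries RealBlackStuff marks up above all follow HijackThis's fixed `Oxx - ...` line format, so a first triage pass can be scripted. The Python below is an added example, not code from this thread or from HijackThis: it parses HJT entry lines (tolerating the `/R/` and `/P/U/` action prefixes used in this thread) and flags the categories the thread treats as suspect: a missing R3 URLSearchHook, O4 autostarts outside Program Files or system32 and rundll32 loading a DLL from elsewhere, any O15 zone change, O16 ActiveX downloads from non-Microsoft hosts, O17 NameServer addresses that are not on an expected-resolver list, O20 Winlogon Notify entries with random-looking or non-DLL targets, and O23 services with an unknown owner or a missing file. The expected DNS address (192.0.2.53) and the name-randomness heuristic are assumptions of this example; the sample log is assembled from lines quoted in this thread.

```python
"""Triage a HijackThis (HJT) log: parse each entry line and flag the
categories that the thread above treats as suspect. Added example, not
part of the thread; the rules are this example's own heuristics, not
HijackThis's logic."""
import ipaddress
import re
from typing import List, Tuple

# One HJT entry, tolerating the "/R/" or "/P/U/" action prefixes the
# helper in this thread writes in front of lines.
ENTRY_RE = re.compile(r"^\s*(?:/[A-Z/]+/\s+)?([RO]\d+) - (.*\S)\s*$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:exe|dll|tmp))', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Resolvers this machine is expected to use (constructed for the example;
# compare against your ISP's or your own network's real DNS servers).
EXPECTED_DNS = {ipaddress.ip_address("192.0.2.53")}
# Auto-start locations treated as ordinary; anything else gets a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")
SYSTEM32 = "c:\\windows\\system32\\"

Entry = Tuple[str, str]                # (kind, body)
Finding = Tuple[str, str, List[str]]   # (kind, body, reasons)


def parse_entries(log_text: str) -> List[Entry]:
    """Return (kind, body) for every HJT entry line; other lines are skipped."""
    out: List[Entry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def _paths(body: str) -> List[str]:
    return [p.lower() for p in PATH_RE.findall(body)]


def _random_looking(path: str) -> bool:
    """Heuristic (assumption of this example): a DLL stem mixing letters and
    digits, as irl4l53q1.dll did in this thread, is rarely a vendor component."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def check_entry(kind: str, body: str) -> List[str]:
    """Apply the per-category rules; return the reasons the entry is suspect."""
    low = body.lower()
    paths = _paths(body)
    reasons: List[str] = []
    if kind == "R3" and "missing" in low:
        reasons.append("default URLSearchHook has been removed")
    elif kind == "O4":
        reasons += [f"autostart outside trusted dirs: {p}" for p in paths
                    if not p.startswith(TRUSTED_DIRS)]
        if "rundll32" in low:
            reasons += [f"rundll32 loads a non-system DLL: {p}" for p in paths
                        if p.endswith(".dll") and not p.startswith(SYSTEM32)]
    elif kind == "O15":
        reasons.append("IE zone or protocol default changed; reset it")
    elif kind == "O16":
        m = HOST_RE.search(body)
        if m and not m.group(1).lower().endswith("microsoft.com"):
            reasons.append(f"ActiveX download from non-Microsoft host: {m.group(1)}")
    elif kind == "O17":
        m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", body)
        for raw in (m.group(1).split(",") if m else []):
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue
            if ip not in EXPECTED_DNS:
                reasons.append(f"DNS server not on the expected list: {ip}")
    elif kind == "O20":
        for p in paths:
            if not p.endswith(".dll"):
                reasons.append(f"Winlogon Notify target is not a DLL: {p}")
            elif _random_looking(p):
                reasons.append(f"Winlogon Notify DLL has a random-looking name: {p}")
    elif kind == "O23" and "unknown owner" in low:
        reasons.append("service with no identifiable owner")
    if "file missing" in low and kind in ("O4", "O20", "O23"):
        reasons.append("entry points at a file that no longer exists")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that triggered at least one rule."""
    findings: List[Finding] = []
    for kind, body in parse_entries(log_text):
        reasons = check_entry(kind, body)
        if reasons:
            findings.append((kind, body, reasons))
    return findings


# Sample log assembled from lines quoted in this thread (constructed input).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
/R/ O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
/P/U/ O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119652319625
Unless these IP-numbers are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{1841E1FF-BAC0-4999-B722-6BBB27478B84}: NameServer = 10.10.1.22,10.10.1.19
/R/ O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irl4l53q1.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)
"""

if __name__ == "__main__":
    for kind, body, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {body}")
        for r in reasons:
            print(f"    -> {r}")
```

Run against the sample, 8 of the 11 entries are reported; the webscan and Synaptics O4 lines and the Microsoft O16 line pass. The script is a first filter only: a clean O4 path says nothing about what the file does, and the DNS allow-list has to be filled in with the resolvers the machine is actually supposed to use.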
     
  3. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    It is in Program Files, I just save the txt file to my desktop for easy access. Thanks for the help, I'll try and let you know.

    Seems to have fixed the problem I was having, thank you very much; however there were 2 problems I encountered.

    /R/ O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\irl4l53q1.dll

    Couldn't unregister it. It might be a result of following the directions in WebSearch-Removal.

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)

    I tried to delete this folder, however I could not locate it. I looked with Windows Explorer, and also in cmd. Using both I could get into this folder, but could not delete it because Windows could not find it. I've tried to fix it with HJT, but it always comes back.

    Here is the updated HJT file. Once again I save the txt to the desktop; the rest is in Program Files.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Go to http://forums.spywareinfo.com/index.php?showtopic=40153

    * Download FindIt9Xme.zip here: http://www.thatcomputerguy.us/downloads/findit9xme.zip
    * Unzip the contents of FindIt9Xme.zip to a convenient location.
    * Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    * A command prompt will open and it will search your computer for malicious files.
    * Once it has finished a Notepad window will pop up with output.txt.
    * Copy/paste the entire contents of output.txt into your next post.

    PLEASE DO NOT REBOOT or power down the computer, until I reply back or the infected file names will change!!!
     
  5. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, first of all the popups still popped up on my brother's account, so I tried following the information you gave me earlier; it is still there.

    Second, the popups are now coming up in Firefox, and replacing the page that I am working on. Is this usual?

    OK, here is the result of FindIt.

    ...........................................................................................................
    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 30B6-87CB

    Directory of C:\WINDOWS\System


    ------- Hidden Files in System Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 30B6-87CB

    Directory of C:\WINDOWS\System


    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{A2ABDCDD-C2C0-6F90-F7CE-336A915AABA0}"=""


    ------------------ Locate.com Results ------------------

    No matches found.

    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------


    ----------------- HKLM Run Key ------------------

    -------------- Strings.exe Umonitor Results -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    ..........................................................................................................................

    Thank you for the time.
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Click Start/Run, type regedit and click OK.
    Go to this key and delete the highlighted part
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{A2ABDCDD-C2C0-6F90-F7CE-336A915AABA0}"=""
    by rightclicking it, and select Delete.
     
  7. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, I've done this, but my original problem seems to have come back. I've attached the most recent HJT log. Anything I can do?
     
  8. toymachine2009

    toymachine2009 TS Rookie

    wow

    alright, for popups you do not need HijackThis, you can just download the program Ad-Aware SE and use the browser Firefox.. get rid of your adware and spyware with scanners for free... and get rid of toolbars, clear your internet cache. But change to the browser Firefox and you will never have an adware problem again

    Just keep running scans, end processes that are like toolbars, go to your C drive and Program Files, now look for folders that are adware; it's obvious which ones are because they are called things like Save Money, or Casio this or that.. or Protect Your PC. So get rid of files you see that aren't anything and just run scans. If you still have problems with popups contact me

    I had many problems with my computer; I ran the program Ad-Aware SE and it fixed a lot of stuff.. it works really well
     
  9. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, I've completely updated Norton, Microsoft ad remover, Ad-Aware SE, and Spybot Search and Destroy. In safe mode I ran each of their scans and cleaned out a few things. The "Popup" is still here, slowed down a bit but here nonetheless. I say "Popup" for lack of a better term; all I have to do is plug in the internet and the "Popups" come. If I am in Firefox it replaces the page I am on; some of them come up as flash media. I cannot find any changes in the running programs and I've checked the startup; I even got rid of some questionable files. One I'm not sure of is "laveting"; it had, my guess, around 500 things in a cache file. I say had because now that I look at it all the files in it are gone????? I moved it from Program Files to my desktop to see if it would have any effect, but all the files are gone from within it????? Not hidden, but gone. Later I'll reboot in safe mode to see if they can only be seen in safe mode??? Any info on this would help.

    Please, anything you can think of to get rid of this "Popup" would greatly help.
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    First Read: Only use these HJT-instructions when asked!
    /R/ unRegister the xxx.DLL in that line
    Transfer the text from between these dotted lines underneath to between the dotted lines of that post.
    Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines indicated here!
    ...................................................................................................
    /R/ O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\hrl4053qe.dll <<== filename may have changed, remove whatever!
    ...................................................................................................

    STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
     
  11. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    Can't /R/ it, in use in safe mode. Can't end process. So now what? Fixing it won't help either.

    Here are the most recent FindIt and HJT logs.
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  13. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    Been a while, I was having problems with the popups, then one day I got some type of error when logging on to my computer. After the error the computer restarted and I haven't had any problems with those popups and I don't know why.

    My only guess is the KillBox I downloaded was still in effect and the file tried to load with one of its old names. KillBox might have deleted it.

    Here is my most recent HJT log file.
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Run HJT in Safe Mode and FIX these. You don't trust ANY website, OK?
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\guard.tmp (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9tbXk\command.exe (file missing)
     
  15. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    Well I'm back and have some weird problems. First of all I tried using Microsoft AntiSpyware (Beta) and came up with some errors, so I uninstalled it and reinstalled it. With doing both I came up with errors, so I tried again. All 3-4 times I tried I kept coming up with these errors.

    When uninstalling I couldn't unregister these files; when installing I couldn't register these files. Each one came up as a different error.

    C:\program files\microsoft antispyware\gcAntispywarelibrary.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcASPrivacyLib.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcASSoaplib.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcTCPObjlib.dll -2147220472
    C:\program files\microsoft antispyware\gcASThreatAudit.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcSoftwareUpdatelib.dll hresult -2147220472

    Finally I'm having some O15s that I can't fix. Thanks for the help.
     
  16. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    In IE, click on Tools/Internet Options/Security tab
    Make a note of any settings you have changed yourself, then for Internet and Local Intranet click on the Default button, then put the changes (you noted down) back in if you think they are needed.

    I told you before, and I say it again: STOP using that crap IE, get Firefox instead!
     
  17. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    Ever since you told me about FF all computers in my house now use it.

    They're already at default :confused:

    Any suggestions about the MA problem?
     
  18. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, it's time for another checkup. Here is my most recent HJT log.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    sp2update00.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe

    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\windows\sp2update00.exe

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
     
  20. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    Someone's gotten into my brother's checking account; he's reported it to the authorities. Wondering if it's some type of keylogger. Anyways, here's a HJT file; there are a lot more things than there should be in my opinion. Any help would be appreciated.

    Thanks for the help,

    Chronus

    Once again the HJT is in Program Files, I just save the txt to the desktop for easy access.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log. This is because some malware can hide from HijackThis.exe.

    Regards Howard :)

    This thread is for the use of Chronus only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  22. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, here's the result.
    I'm also attaching the log I made while in safe mode before changing the name to 1991.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    PowerReg Scheduler V3.exe
    PowerReg Scheduler.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - Startup: PowerReg Scheduler V3.exe

    O4 - Startup: PowerReg Scheduler.exe

    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone

    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone

    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    PowerReg Scheduler V3.exe

    PowerReg Scheduler.exe

    Search your system for the above files and delete all instances of them.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log from normal mode and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Chronus only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  24. Chronus

    Chronus TS Enthusiast Topic Starter Posts: 118

    OK, I've done what you have asked. Just a few comments.

    Note:
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

    These have never been affected by fixing them. They were here since at least my last HJT file and no one was able to help.

    The only record I’ve found for

    PowerReg Scheduler V3.exe
    PowerReg Scheduler.exe

    were in the backup that HJT made. However I found some record of them in regedit. Since you said nothing about it I left these alone.

    Side Note:
    I cannot install Microsoft AntiSpyware. I get these errors:
    C:\program files\microsoft antispyware\gcAntispywarelibrary.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcASPrivacyLib.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcASSoaplib.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcTCPObjlib.dll -2147220472
    C:\program files\microsoft antispyware\gcASThreatAudit.dll hresult -2147220472
    C:\program files\microsoft antispyware\gcSoftwareUpdatelib.dll hresult -2147220472

    It has problems with these files and cannot add or remove files in the registry when install/uninstall happens. Wondering if you had any ideas.

    When trying to get onto http://www.google.com all I get is a blank page saying "Do you yahoo?"
    Code:
    <html><head><title>do you yahoo?</title></head>
    <body>
    <h1>do you yahoo?</h1>
    </body></html>

    Even if I disable the internet I get this page.

    Thanks for your help

    ~Chronus
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this to get rid of the O15 entries.

    Copy and paste the contents of the following quote box into Notepad:

    Save it to the desktop as fixme.reg

    Close all browsers and programmes.

    Now <double-click> the fixme.reg file on the desktop.

    You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

    Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

    Post a fresh HJT log, only after doing the above and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Chronus only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.


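Two of the checks in this thread are really registry checks: the FindIt "User Agent" section that RealBlackStuff has the poster clean up (the GUID-named value under Post Platform) and the O15 ProtocolDefaults entries that Howard's fixme.reg is meant to reset. Both come in the REGEDIT4 export format FindIt prints, so one parser serves both. The Python below is an added example, not code from the thread, from FindIt or from HijackThis. It parses REGEDIT4 text (undoing the `\\` and `\"` string escaping), reports GUID-shaped value names under the IE Post Platform key (this example's heuristic: legitimate tokens there are things like browser feature strings, while a GUID is a per-install tag), and compares ProtocolDefaults zones against the values the O15 lines in this thread say they should have. Assumptions of this example: the HKCU ZoneMap\ProtocolDefaults key path, the zone numbering (0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted), and the constructed sample export, which combines keys quoted in the thread with an invented benign "SV1" token and invented ProtocolDefaults values.

```python
"""Parse REGEDIT4 exports (what FindIt and regedit produce) and audit two
Internet Explorer keys discussed in this thread. Added example; the sample
export is constructed, not a real export from the poster's machine."""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
POST_PLATFORM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform")
# Key path is this example's assumption of where IE keeps ProtocolDefaults.
PROTOCOL_DEFAULTS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\ZoneMap\ProtocolDefaults")
ZONE_NAME = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Expected zones, taken from the O15 lines quoted in this thread.
EXPECTED_ZONE = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Return {key path: {value name: value}}; dword values become ints,
    quoted strings are unescaped, other types are kept as written."""
    tree: RegTree = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key is not None else None
        if not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        val = m.group(2)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            tree[key][name] = _unescape(val[1:-1])
        elif val.lower().startswith("dword:"):
            tree[key][name] = int(val[6:], 16)
        else:
            tree[key][name] = val
    return tree


def suspicious_post_platform(tree: RegTree) -> List[str]:
    """GUID-shaped value names under Post Platform (appended to IE's User-Agent)."""
    return sorted(n for n in tree.get(POST_PLATFORM, {}) if GUID_RE.match(n))


def audit_protocol_defaults(tree: RegTree) -> List[Tuple[str, str, str]]:
    """(protocol, actual zone, expected zone) for every protocol in the wrong zone."""
    values = tree.get(PROTOCOL_DEFAULTS, {})
    out = []
    for proto, want in EXPECTED_ZONE.items():
        have = values.get(proto)
        if isinstance(have, int) and have != want:
            out.append((proto, ZONE_NAME.get(have, str(have)), ZONE_NAME[want]))
    return out


# Constructed sample: keys quoted in the thread plus invented values ("SV1",
# the ProtocolDefaults block) so that both audits have something to report.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
"{A2ABDCDD-C2C0-6F90-F7CE-336A915AABA0}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000000
"file"=dword:00000000
"ftp"=dword:00000000
"http"=dword:00000000
"https"=dword:00000003
'''

if __name__ == "__main__":
    tree = parse_reg(SAMPLE_REG)
    print("Post Platform GUID tags:", suspicious_post_platform(tree))
    for proto, have, want in audit_protocol_defaults(tree):
        print(f"O15 ProtocolDefaults: '{proto}' is in {have} Zone, should be {want} Zone")
```

On the sample the first audit names only the GUID value, not "SV1", and the second reports four protocols in the My Computer Zone while https, already at 3, passes. The same functions can be pointed at a real `regedit /e` export of those two keys before and after a fix to confirm the change actually landed.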
     
Topic Status:
Not open for further replies.
