TechSpot

Need some help, can't fix this one.

By zaraspooker
Feb 22, 2006
Topic Status:
Not open for further replies.
  1. Got a lot of stuff on this computer. It's a company computer so someone was clicking "yes" to the popups. I use this computer as a register so it kinda sucks when I am trying to ring someone up and I'm getting popups. Thanks in advance guys. :)

  2. Greeno

    Greeno Newcomer, in training Posts: 394

    www.google.com

    get their Popup blocker...

    Also, I'd look at getting things like Microsoft Antispyware and Spybot etc... to make sure you're clean of spyware and stuff too...

    You didn't agree to any ActiveX controls, did you? (That you can remember)

    Look in your computer's Add/Remove programs list too and remove anything that looks a bit dodgy, or things you know you didn't install, like shopping helpers and search agents etc...
  3. kirock

    kirock Newcomer, in training Posts: 1,598

    Boot in Safe Mode: Run HiJackThis again.

    Fix these entries:
    R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp

    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

    Run Spybot (download freeware). Then run the immunize portion of Spybot. (IE only)

    Good luck.
  4. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Wow, worked like a charm, thanks a lot guys.
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with at least 2 trojans.

    Boot into safe mode. See how HERE.

    Turn off system restore. See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by pressing the ctrl/alt/delete keys together.

    Click on the processes tab, and end process for (if there):

    nvctrl.exe
    mssearchnet.exe
    wuauboot.exe
    SkateParkPOS.exe

    Close task manager.

    Click start/run, and type regsvr32 /u C:\WINDOWS\SYSTEM32\winpsa32.dll and press the enter key.

    Run HJT with no other programmes open, and have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

    O4 - HKCU\..\Run: [Zfcwnzxl] C:\WINDOWS\system32\?icrosoft\wuauboot.exe

    Fix all O16 DPF entries.

    O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll

    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

    Now click on the fix checked button.

    Close HJT.

    Locate, and delete the following bold files (if there).

    C:\WINDOWS\SYSTEM32\winpsa32.dll
    C:\WINDOWS\system32\nvctrl.exe
    C:\WINDOWS\system32\mssearchnet.exe
    C:\WINDOWS\system32\hp80A9.tmp


    Reboot into normal mode and turn system restore back on.

    Then, go HERE and follow the instructions.

    Then, post a fresh HJT log.

    Regards Howard :wave: :wave:
  6. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Ok, I did what Kirock suggested and it worked just fine until this morning. I am trying to follow howard's instructions but in the system restore window there are no buttons at the bottom so I can't click apply. I have never seen anything like this before. I swear to you I'm not a noob. :D
  7. Peddant

    Peddant Newcomer, in training Posts: 1,644

  8. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Ok, here is the new HijackThis log, for some reason it's still messed up and for some reason I could not delete C:\WINDOWS\SYSTEM32\WINPSA32.dll. I am amazed at this one.....Never seen anything like it. I thought I was good when I could get the "worm" bug off of my home computer about a year or so ago. lol.
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Go and download the pocket killbox programme from HERE.

    Download this file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

    This is the path to the file you need to kill.

    C:\WINDOWS\SYSTEM32\winpsa32.dll

    Once you've done that, please post a fresh HJT log.

    Regards Howard :)
  10. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Thank you for bearing with me howard. Killbox is not able to delete the file either. When I try to delete it, everything except the wallpaper disappears. Not only that but everything came back that was popping up in the first place. I have no idea what is going on.
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Go HERE and follow the instructions exactly.

    Regards Howard :)
     
  12. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Wow, I think the best solution would be to smash my head against the computer and see which one of us stops working first. I followed the directions exactly how they are printed and still no bueno. Here is my new HijackThis log.
  13. kirock

    kirock Newcomer, in training Posts: 1,598

    Fix this:
    O4 - Global Startup: BounceBack Launcher.lnk = ?

    The rest looks ok, but I defer to Howard on this; he's the expert. Wait for his reply.

    cheers.
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is fine apart from this entry: O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll

    I believe this is what is causing your problems. Unfortunately I can only find one example of this file winpsa32.dll on the entire net, and that's not in English.

    Run HJT, and click on the config button, then the misc tools button.

    Click on the delete file on reboot button, and type the path, or browse to this file. C:\WINDOWS\SYSTEM32\winpsa32.dll
    Click on the open button, and HJT will ask you if you want to restart your system. Click yes.

    Post a fresh HJT log.

    BTW the bounceback entry is safe. See HERE

    It usually comes with external hard drives.

    Regards Howard :)
  15. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Ok, here is the new HijackThis log. I'm still getting the balloon at the bottom that says my computer is infected and I am still getting tons of popups. I believe the winpsa32 file was deleted as intended but I'm still having problems.
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I was hoping the removal of the O20 entry would've helped.

    O4 - HKCU\..\Run: [Pcprr] C:\Program Files\?ymbols\nslookup.exe. Do you recognise this entry?

    If not have HJT fix it.

    I'd like you to try something. It's called Look2me destroyer. It's a perfectly legit programme, that might just help.

    Go HERE and follow the instructions.

    Let me know if it helps.

    Regards Howard :)
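Added example, not posted by anyone in this thread: a small Python triage pass over HijackThis entries quoted in the posts above, showing what makes entries such as the `?ymbols` Run key stand out. The flag names and heuristics are assumptions made for illustration; a flag marks an entry for a person to review and is not a verdict.

```python
import re

# Entries copied from the posts above (not a complete HijackThis log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp
O4 - HKCU\..\Run: [Zfcwnzxl] C:\WINDOWS\system32\?icrosoft\wuauboot.exe
O4 - HKCU\..\Run: [Pcprr] C:\Program Files\?ymbols\nslookup.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O4 - Global Startup: BounceBack Launcher.lnk = ?
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*")   # local path, never an http:// URL
AUTOSTART = {"O4", "O20", "O23"}            # Run keys/startup, Winlogon Notify, services

def triage(log_text):
    """Return (section, kind, flags) for each entry that earns a flag."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest, flags = m["rest"], []
        # Registry entry whose target HijackThis could not find on disk.
        if rest.endswith(("(file missing)", "(no file)")):
            flags.append("orphaned")
        path = DRIVE_PATH.search(rest)
        if path:
            target = path.group(0)
            # '?' is not a legal character in a Windows file name, so inside
            # a path it stands for a character the log could not render.
            if "?" in target:
                flags.append("unprintable-char-in-path")
            # A .tmp file registered as a loadable module.
            if target.lower().endswith(".tmp"):
                flags.append("tmp-file-as-module")
            # Starts at logon/boot and the target was not reported missing.
            if m["section"] in AUTOSTART and "orphaned" not in flags:
                flags.append("live-autostart")
        if flags:
            findings.append((m["section"], m["kind"], flags))
    return findings

if __name__ == "__main__":
    for section, kind, flags in triage(SAMPLE_LOG):
        print(f"{section:4} {kind:18} {', '.join(flags)}")
```

The O16 URL and the BounceBack `= ?` entry produce no flag because neither contains a local drive path.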
  17. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    Ok, that program tells me that mswinsck.ocx is not registered or can't be found.
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

  19. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    I found this on the web, seems to be working so far. I will let you know if something goes wrong. Thanks for all of your help. You might want to check this out and keep it in mind for future situations. http://www.ewido.net/en/
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The Ewido programme is used in the "How to remove trojans, and it's ilk!" thread, that I linked to in reply #5 lol.

    Regards Howard :)
  21. zaraspooker

    zaraspooker Newcomer, in training Topic Starter

    lol, it is, isn't it. I just searched for the text that was in the popup box that I was getting.
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Oh well at least you know now.

    Hopefully your problems are now solved.

    Good luck.

    Regards Howard :)
  23. DragonMaster

    DragonMaster Newcomer, in training Posts: 430

    Here's a link in case some other persons have similar problems :

    hijackthis.de

    You copy/paste your hijackthis log in there.
  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The problem of HijackThis.de is it'll give you an idea of what's bad, or good. But it won't tell you how to get rid of the bad entries.

    Also, some of the results really do need to be checked, and are a little unreliable.

    Simply letting HijackThis fix something doesn't necessarily get rid of it from your system. You can then be left with an infected system. Then, when you post a Hijackthis log it may look clean, because the bad entries have been fixed, without the necessary other steps being done.

    So, unless a person knows what they are doing, they can do more damage rather than good.

    I would urge anyone who is not familiar with HijackThis, and malware removal to leave well alone.

    Regards Howard :)