Popup half removed

By gt3911
Oct 6, 2008
  1. Hi guys,

    First time here, I found loads of sites but decided to join up here – I’m interested in this stuff and want to learn more to help out where I can, so took an extra bit of time to find a community I’d like to return the favour too.

    Anyway, cut to the chase. I have a friend's laptop here that is infected with what I think is a version of Worm.Win32.Netbooster, giving the popup "Attention, ! Some dangerous torjan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\Windows. Download protection software now! Click OK to download antispyware software. (Recommended)." This is not the exact message, as I'm now unable to see the message. It was almost identical to this, but I'm 99% sure that this infection gave the message "attention,
  2. BillAllen55

    BillAllen55 TS Maniac Posts: 368

  3. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19

    I removed O16 and O2, which has now solved this problem.

  4. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Thanks for the follow-up.
    You might find this website interesting when it comes to an automatic HijackThis! evaluation.

  5. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19

    Excellent, thanks a lot for that link, that's interesting…

    I'm not sure about the items it's picked up though; would anyone care to confirm the results below as being "bad"?

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    "CoolWebSearch Ctfmon32 parasite variant"

    This isn't legit? Can anyone confirm this – I know there is a legit CTFMON.EXE spawned via MS Office… Is this definitely false?

    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    "Added by the SouthBeachTel premium rate adult content dialer"

    Again… I think this is legit….
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Where are you getting the information about ctfmon and Adobe?

    For ctfmon.exe:
    The Adobe Reader needs to be updated but it isn't malware.

    Wherever you're getting your information from, what you see is not accurate.

    It's difficult to evaluate a system with just a couple of files being given. Please see this for:
    "How to attach the HijackThis log:

    I suggest you also run Malwarebytes and SuperAntispyware and include those logs also. See Step 4 and 5 here:
  7. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19


    Sorry it seems i totally missed the attachment option when making my first post, which is why I included it as a pastebin. I've now attached it again if you find it easier.

    The information is from the site given by BillAllen55 previously.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The site BillAllen left is for the process of malware cleaning. In addition to HijackThis, it includes running Malwarebytes and SuperAntispyware, AFTER which you should run HijackThis. This is the only way we can see what was on the system and what has been cleaned.
    Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:

    Go to My Computer -> Tools -> Folder Options -> View tab:
    - Under the Hidden files and folders heading:
    - Select - Show hidden files and folders.
    - Uncheck - Hide protected operating system files (recommended) option.
    - Also, make sure there is no checkmark beside Hide file extensions for known file types.
    - Click OK. (Remember to Hide files and folders once done)

    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold
    After that, Reboot, and post a new HijackThis log here in a reply

    Your version of Adobe Reader is out of date.
    Reader 9.0 <-- current version
    - Please go to this link: Adobe Acrobat Reader Download Link
    - Untick Adobe Media Player and Adobe Photoshop Album Starter Edition if you do not wish to include these in the installation. (Uncheck Google if you don't want it.)
    - Click the Continue button
    - Click Run, and click Run again
    - Next click the Install Now button and follow the on-screen prompts
    After the install, go to Add/Remove Programs in the Control Panel and uninstall Adobe v7
    (make sure Adobe isn't on the Startup menu before the uninstall)

    Go to Start > Control Panel > Internet Options
    In the General tab, Temporary Internet Files, click:Delete Files When prompted, check:Delete all offline content
    You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
    Click OK

    For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

    Then, go to Start >Run and enter: cleanmgr
    Select the drive to clean: C:\
    Check the following boxes and then press OK to remove:
    Temporary Files
    Temporary Internet Files
    Agree to the prompt to perform the action...

    Remove old System Restore points:
    Control Panel > System > System Restore tab > CHECK 'turn off System Restore' > Apply > OK > Reboot
    Then go back in and UNCHECK 'turn off System Restore' > Apply > OK.
    Create a new restore point.

    I would have preferred to see what Malwarebytes and SuperAntispyware found and removed.
  9. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19

    Hi bobbye,

    Thanks for that,

    As I said, I already cleaned up O2 gjopli.dll.

    But the site I was saying BillAllen recommended wasn't the 8-step process; I meant the other site.

    I'm not allowed to post the link so I can't just show you; he called it the HijackThis evaluation. (I think you thought I was referring to his 8-step link.) That is what flagged up what I mentioned in the previous post, which I feel is probably a false result.

    Thanks for your suggestions though, but I've already done all this.

    I was just posting out of curiosity to the results of the above...
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Am I correct in thinking you don't require any more help for this matter, then?

    By the way, you can post links now.
  11. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19


    I was just looking for confirmation that reporting

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

    as 'bad' to be false information
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ctfmon.exe vs ctfmon32:
    About those entries: I don't know that I understand the information: ctfmon.exe is an Office start frequently found on the startup menu. It is shown as 'ctfmon.exe'. But if the process shows ctfmon32.exe, THEN it's malware! Yours doesn't.

    From Techspot:
    CTFMON32 should not be running at startup. It is likely a virus, spyware, Trojan, or some other sort of malicious program. Use a virus scanner, and/or spyware removal tool to remove it.
    Additional Info: CoolWebSearch Ctfmon32 parasite variant - also detected as the CWS-E TROJAN!

    CTFMON32 is NOT what you're seeing. You're seeing CTFMON.exe in the System32 folder.
    I have ctfmon.exe in my Windows System32 folder. It is not malware; the only difference is that I don't have it on Startup.
    Frankly, I am confused by the information here:

    Now, IF you have a CLSID, then we should be able to confirm the entry as normal or malware.

    Same for the Adobe line: From Bleeping Computer:
    Command: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    Description: Installed with Adobe products to check for updates and prompt you to install them as needed.
    File Location: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    Again, if a CLSID is given and it is not the one for the process, possibly it would be suspect, but there is no indication of this.
    If I had seen either of these entries in a HijackThis log, I would not have flagged either as malware; I would have suggested an Adobe update, or better, replacing it with Foxit.

    The bottom line: I consider both of these entries to be legitimate. You can stop the autoload and autoupdate, that would be my recommendation, but the files are valid. I don't know what criteria were used to make it otherwise.
  13. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19


    Thanks a lot, that's what I hoped and thought you'd have said; I was just looking for a bit of reassurance on that. Many thanks for your time.

    Just a quick question if you don't mind: you talked about CLSIDs; can you explain to me briefly how I can check what the CLSID is and if it's valid or not? This sounds quite handy...
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Example: From your HijackThis log:
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} is the CLSID:
    Copy and paste it into this site:
    You will get the following information:
    NOTE: this is the page for CLSID and BHO. To get the full selection of databases, go here:
    Look for the proper database on the left and click. When the page comes up, type in the CLSID.

    There's no magic to this. Data is available to identify almost everything. If it can't be identified, it is suspicious. This is one of the frequently used databases- there are others.
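
    The checks Bobbye describes in posts 12 and 14 (is the name ctfmon.exe or ctfmon32.exe, is the file in the directory a legitimate copy lives in, does the BHO's CLSID appear in a known-good database) can be applied to HijackThis O2/O4 log lines mechanically. The script below is an added example, not code from the thread or from HijackThis itself. Its sample log reuses the two O4 lines quoted in the thread; the ctfmon32 line, the gjopli.dll BHO line with an all-zero CLSID, the expected-directory table and the description attached to the thread's CLSID are constructed assumptions for illustration, and the CLSID entry in particular should be confirmed against a CLSID database as the post says.

```python
import re
from dataclasses import dataclass

# Constructed sample log. Lines 1-2 follow the thread's O4 entries; lines 3-5 are
# assumptions added for illustration (a malware-named Run entry and two BHO lines).
SAMPLE_LOG = "\n".join([
    r"O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')",
    r'O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1',
    r"O4 - HKLM\..\Run: [ctfmon32] C:\WINDOWS\ctfmon32.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\gjopli.dll",
])

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# Where a known executable name is expected to live (assumed from the thread:
# ctfmon.exe in System32, Adobe's updater under Program Files\Adobe). A matching
# name in any other directory is treated as suspicious, not as legitimate.
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "adobeupdatemanager.exe": r"c:\program files\adobe",
}
# Names the thread identifies as malware (CoolWebSearch ctfmon32 variant).
KNOWN_BAD = {"ctfmon32.exe"}
# Local CLSID allowlist. The description is an assumption: the thread shows the
# CLSID but not what the database returned for it. Confirm before relying on it.
KNOWN_CLSID = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe Reader Link Helper (assumed)",
}


@dataclass
class Finding:
    kind: str      # "O2" or "O4"
    label: str     # Run value name or BHO name
    target: str    # executable path or CLSID
    verdict: str   # "legit", "suspicious" or "unknown"
    reason: str


def first_token(cmd):
    """Program part of a Run value: the quoted path if quoted, else the first
    whitespace-delimited token (unquoted paths containing spaces are not handled)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def triage_o4(hive, name, cmd):
    path = first_token(cmd)
    directory, _, base = path.lower().rpartition("\\")
    if base in KNOWN_BAD:
        return Finding("O4", name, path, "suspicious", f"{base} is a known malware name")
    if base in EXPECTED_DIR:
        if directory.startswith(EXPECTED_DIR[base]):
            return Finding("O4", name, path, "legit", "known name in its expected directory")
        return Finding("O4", name, path, "suspicious",
                       f"{base} expected under {EXPECTED_DIR[base]}, found in {directory or '(none)'}")
    return Finding("O4", name, path, "unknown", "not in allowlist; identify the file before deciding")


def triage_o2(name, clsid, path):
    key = clsid.upper()
    if key in KNOWN_CLSID:
        return Finding("O2", name, clsid, "legit", KNOWN_CLSID[key])
    return Finding("O2", name, clsid, "unknown", f"CLSID not in local list; query a CLSID database ({path})")


def triage_log(text):
    """Return one Finding per O2/O4 line; other HijackThis sections are ignored."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.append(triage_o4(m["hive"], m["name"], m["cmd"]))
            continue
        m = O2_RE.match(line)
        if m:
            findings.append(triage_o2(m["name"], m["clsid"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind} [{f.label}] {f.target}: {f.verdict} - {f.reason}")
```

    Run as a script it prints one verdict per line; the two entries from the thread come out "legit", the constructed ctfmon32 entry "suspicious", and the unknown BHO "unknown" rather than "bad", which is the distinction the evaluation site in the thread collapsed.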
  15. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    For further spyware/trojan scans

    If you need to scan further for other spyware or trojan concerns, go to this website and follow the directions.
    This is an excellent resource for performing a full scan for both trojan and rootkit infestations.
  16. gt3911

    gt3911 TS Rookie Topic Starter Posts: 19

    That's brilliant, thanks guys, interesting stuff...

    That CastleCops site is excellent, thanks!
Topic Status:
Not open for further replies.