Need some help, can't fix this one.

Status
Not open for further replies.

zaraspooker

Got a lot of stuff on this computer. It's a company computer so someone was clicking "yes" to the popups. I use this computer as a register so it kinda sucks when I am trying to ring someone up and I'm getting popups. Thanks in advance guys. :)
 

Attachments

  • hijackthis.txt
    8.3 KB · Views: 8
www.google.com

get their Popup blocker...

Also, I'd look at getting things like Microsoft Antispyware and Spybot etc... to make sure you're clean of spyware and stuff too...

You didn't agree to any ActiveX controls, did you? (That you can remember)

Look in your computer's Add/Remove programs list too and remove anything that looks a bit dodgy, or things you know you didn't install, like shopping helpers and search agents etc...
 
Boot in Safe Mode: Run HiJackThis again.

Fix these entries:
R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

Run Spybot (download freeware). Then run the immunize portion of Spybot. (IE only)

Good luck.
 
Hello and welcome to Techspot.

Your system is infected with at least 2 trojans.

Boot into safe mode. See how HERE.

Turn off system restore. See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by pressing the ctrl/alt/delete keys together.

Click on the processes tab, and end process for (if there).

nvctrl.exe
mssearchnet.exe
wuauboot.exe
SkateParkPOS.exe

Close task manager.

Click start/run, and type regsvr32 /u C:\WINDOWS\SYSTEM32\winpsa32.dll and press the enter key.

Run HJT with no other programmes open, and have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKCU\..\Run: [Zfcwnzxl] C:\WINDOWS\system32\?icrosoft\wuauboot.exe

Fix all O16 DPF entries.

O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

Now click on the fix checked button.

Close HJT.

Locate, and delete the following bold files (if there).

C:\WINDOWS\SYSTEM32\winpsa32.dll
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hp80A9.tmp


Reboot into normal mode and turn system restore back on.

Then, go HERE and follow the instructions.

Then, post a fresh HJT log.

Regards Howard :wave: :wave:
 
Ok, I did what Kirock suggested and it worked just fine until this morning. I am trying to follow Howard's instructions but in the system restore window there are no buttons at the bottom so I can't click apply. I have never seen anything like this before. I swear to you I'm not a noob. :D
 
Ok, here is the new HijackThis log, for some reason it's still messed up and for some reason I could not delete C:\WINDOWS\SYSTEM32\WINPSA32.dll. I am amazed at this one.....Never seen anything like it. I thought I was good when I could get the "worm" bug off of my home computer about a year or so ago. lol.
 
Go and download the pocket killbox programme from HERE.

Download this file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

This is the path to the file you need to kill.

C:\WINDOWS\SYSTEM32\winpsa32.dll

Once you've done that, please post a fresh HJT log.

Regards Howard :)
 
Thank you for bearing with me Howard. Killbox is not able to delete the file either. When I try to delete it, everything except the wallpaper disappears. Not only that but everything came back that was popping up in the first place. I have no idea what is going on.
 
Wow, I think the best solution would be to smash my head against the computer and see which one of us stops working first. I followed the directions exactly how they are printed and still no bueno. Here is my new HijackThis log.
 
Fix this:
O4 - Global Startup: BounceBack Launcher.lnk = ?

The rest looks ok, but I defer to Howard on this, he's the expert. Wait for his reply.

cheers.
 
Your HJT log is fine apart from this entry: O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll

I believe this is what is causing your problems. Unfortunately I can only find one example of this file winpsa32.dll on the entire net, and that's not in English.

Run HJT, and click on the config button, then the misc tools button.

Click on the delete file on reboot button, and type the path, or browse to this file: C:\WINDOWS\SYSTEM32\winpsa32.dll
Click on the open button, and HJT will ask you if you want to restart your system. Click yes.

Post a fresh HJT log.

BTW the bounceback entry is safe. See HERE

It usually comes with external hard drives.

Regards Howard :)
 
Ok, here is the new HijackThis log. I'm still getting the balloon at the bottom that says my computer is infected and I am still getting tons of popups. I believe the winpsa32 file was deleted as intended but I'm still having problems.
 
I was hoping the removal of the O20 entry would've helped.

O4 - HKCU\..\Run: [Pcprr] C:\Program Files\?ymbols\nslookup.exe. Do you recognise this entry?

If not have HJT fix it.

I'd like you to try something. It's called Look2me destroyer. It's a perfectly legit programme, that might just help.

Go HERE and follow the instructions.

Let me know if it helps.

Regards Howard :)
 
The Ewido programme is used in the "How to remove trojans, and it's ilk!" thread, that I linked to in reply #5 lol.

Regards Howard :)
 
Here's a link in case some other persons have similar problems :

hijackthis.de

You copy/paste your hijackthis log in there.
 
The problem of HijackThis.de is it'll give you an idea of what's bad, or good. But it won't tell you how to get rid of the bad entries.

Also, some of the results really do need to be checked, and are a little unreliable.

Simply letting HijackThis fix something doesn't necessarily get rid of it from your system. You can then be left with an infected system. Then, when you post a Hijackthis log it may look clean, because the bad entries have been fixed, without the necessary other steps being done.

So, unless a person knows what they are doing, they can do more damage rather than good.

I would urge anyone who is not familiar with HijackThis, and malware removal to leave well alone.

Regards Howard :)
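
The triage done by hand in this thread, as an added Python example that is not part of any post above: it parses HijackThis-style lines, flags the patterns the replies acted on, and lists the files that still have to be checked on disk after an entry is "fixed". The flag names and the heuristics are assumptions made for illustration, and the sample log is constructed from entries quoted in the thread.

```python
import re

# Constructed sample: entries quoted in this thread, not a complete log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {91DF094B-C9A0-BB26-A2AD-E2CB59EB5EB5} - C:\WINDOWS\system32\alsjtcd.dll (file missing)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp80A9.tmp
O4 - HKCU\..\Run: [Zfcwnzxl] C:\WINDOWS\system32\?icrosoft\wuauboot.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
"""

# "<code> - <kind>: <rest>", e.g. "O20 - Winlogon Notify: winpsa32 - C:\..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# First drive-letter path ending in an extension that gets loaded as code.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|tmp)", re.IGNORECASE)

def parse_entry(line):
    """Return a dict for one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("rest"))
    return {"code": m.group("code"), "kind": m.group("kind"),
            "rest": m.group("rest"), "path": p.group(0) if p else None}

def flags_for(entry):
    """Illustrative heuristics only; each flag is a reason to look closer."""
    path, rest, flags = entry["path"], entry["rest"], []
    if "(file missing)" in rest or "(no file)" in rest:
        flags.append("orphaned-entry")             # registry value left behind
    if path and "?" in path:
        flags.append("unrenderable-char-in-path")  # e.g. "?icrosoft"
    if path and path.lower().endswith(".tmp"):
        flags.append("tmp-file-loaded-as-code")    # BHO pointing at a .tmp
    if entry["code"] == "O20":
        flags.append("winlogon-notify")            # DLL loaded at logon
    return flags

def triage(log_text):
    """Return (code, path, flags) for every entry that raised a flag."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [(e["code"], e["path"], f) for e in entries if (f := flags_for(e))]

def files_to_verify(findings):
    """Files to confirm gone from disk; fixing the entry does not delete them."""
    return [p for _, p, f in findings if p and "orphaned-entry" not in f]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The BounceBack line contains a "?" but no executable path, so it raises no flag, which matches the thread's conclusion that the entry is safe.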
 