Non-stop browser pop-ups...HJT log

[lifetimegig]

Please help, below is HijackThis log, began getting these popups couple days ago;

Logfile of HijackThis v1.99.1
Scan saved at 9:04:59 PM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\SPAMfighter\SFAgent.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Maven\mavenAgent.exe
C:\Program Files\Maven\mavenUpdater.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Owner\My Documents\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [pxwma] C:\WINDOWS\System32\pxwma.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Start Maven Updater.lnk = C:\Program Files\Maven\mavenUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start Maven Client.lnk = C:\Program Files\Maven\mavenAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZ
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101322650875
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\m4460ehseh460.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

[tdeg]

Go to housecall.trendmicro.com and run the beta scan.

You need to be using Internet Explorer to go to the site though.

Then install Ad-Ware and/or your favorite spyware blasting program.

I think this may be the issue

"O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe"

 

[Spike]

Welcome to Techspot

Straight away, I've picked out this...

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe - My Web Search, an adware program.

Please could you precisely follow the instructions provided by RealBlackStuff here, and then post a fresh HJT log as a txt attachment in this thread, and then we can all look again.

I'm afraid Wtta.exe isn't the only problem here, and trendmicro.com probably won't be enough to get your machine clean again.

 

[tdeg]

I've had good luck with the beta scan on Trendmicro, it seems to pick up most of the spyware and remove it. Plus they update it fairly regularly.

That said, them spyware people are tricky buggers and you usually need to use a couple of scanners to clean them all out.

 

[lifetimegig]

Thing will still not quit...

Followed realblackstuff's instructions to a t, ran adaware and spybot in safe mode, also removed wtta.exe and anything related to mywebsearch ...thought I had it but it came back...attached is new hjt log from safe mode after running adaware and spybot again in safe mode....PLEASE HELP....

 

[Steve05]

Hello and welcome to TechSpot Forum

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

I see you have BroadJump on your system. This is the newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. I suggest that you carry out the fixes indicated below but I would approach your ISP as soon as possible and ask them how to remove it and why they installed it in the first place. Do not attempt to uninstall the program yourself.

Please download CleanUp .CleanUp! is a tool for taking care of all those uuencoded files on your system. This program will find and delete all temporary files that are taking up your disk space. I advised to configure the software for better results and better understanding ( Don’t run it yet )

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By continually tapping the F8 key, until the menu appears).

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Please remember to close all other windows, including browsers then click Fix checked.

Run CleaUp and click yes whe asked for log off.

Reboot in normal mode.

If you have broadband or fast internet speed, please run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log so that we can check if your system is clean.

 

[RealBlackStuff]

My list of objectionable items looks slightly different:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Owner\My Documents\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [pxwma] C:\WINDOWS\System32\pxwma.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\u6ru0g99e6.dll

 

[lifetimegig]

still getting loadingwebsite but better....

the amount of popups has decreased significantly but still the darn loadingwebsite.com...attached is hjt file...

 

[Spike]

VX2/Look2Me or Target Saver - O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE

Unknown - O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i6nmlg5116.dll



Download L2MFix from http://www.atribune.org/downloads/l2mfix.exe

I'm afraid I don't know this program, but is has apparently been successful for many others.

I would suggest that you read this entire thread...
http://www.short-media.com/forum/showthread.php?t=33544
... before doing anything, or else wait for further instructions here.

(note, If you use the Trojan Hunter scanner, the L2Mfix is reported as a dialler, but is in fact a false positive. see http://forum.misec.net/board/TrojanHunter/1115660474)

 

[RealBlackStuff]

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
n20050308.EXE

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i6nmlg5116.dll

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files.

Attention: the filename in the O20 may have changed. Delete whatever .dll you find there!

If it still fails, get http://www.downloads.subratam.org/VX2Finder.exe and run that.

 

[lifetimegig]

VX2,HJT logs

browser still launching by itself, attached most recent logs from hjt and vx2finder.

020 Winlogon Notify does keep changing, deleting whatever is there.

this thing has been going on way too long, sorry for draggin it out, been away. Help much appreciated....

 

[RealBlackStuff]

Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
On the main screen, click on Update in the left menu, then click the Start Update button.
After the Update finishes, the status bar at the bottom will display "Update successful".
-- If you have problems updating see here: http://www.ewido.net/en/download/updates/
Once the updates are installed do the following:
Click on Scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan and let Ewido scan the PC.
While the scan is in progress, you will be prompted to 'Clean files', click OK
When the scan is done, you'll find a Save report button at the bottom of the screen.
Click 'Save report' and save it to your desktop.
Reboot your PC and post back the Ewido Scanlog as a .txt attachment

 

[lifetimegig]

ewido scan report

attached is scan from ewido however no options for binder, crypter, archives. did remove several though, mostly cookies. still getting single pop-ups...mostly loadingwebsite.com, lately also dirtyhippo.com, etc, random.

 

[RealBlackStuff]

Can you post a new HJT log as .txt attachment?

 

[lifetimegig]

New hjt file

Thanks for staying with this...a real pain recently is 'winfixer' that keeps popping up and tells you it's downloading itself, Zonealarm appears to deny it but still getting icons.

 

[RealBlackStuff]

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
n20050308.EXE <<== or whatever .EXE name is in that O4 line

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\WinFixer 2005\wfx5.exe

Next, click Start/Run and type in:
cmd and hit Enter
regsvr32 /u dnlu0139e.dll and hit Enter <<== or whatever .DLL name is in that O20 line
Exit the command window.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122591734093
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnlu0139e.dll
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.

Your infection is of the Adware.Look2Me variant. Try this:
http://sarc.com/avcenter/venc/data/adware.look2me.html