Popup half removed

Status
Not open for further replies.

gt3911

Hi guys,

First time here. I found loads of sites but decided to join up here – I’m interested in this stuff and want to learn more to help out where I can, so I took an extra bit of time to find a community I’d like to return the favour to.

Anyway, cut to the chase. I have a friend's laptop here that is infected with what I think is a version of Worm.Win32.Netbooster, giving the popup: “Attention, [User]! Some dangerous torjan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\Windows. Download protection software now! Click OK to download antispyware software. (Recommended).” This is not the exact message, as I’m now unable to see the message. It was almost identical to this, but I’m 99% sure that this infection gave the message “attention, [user] some dangerous viruses are detected in your system…”. I also saw a Yes/No dialog rather than an OK/Cancel dialog. Clicking either Yes or No would redirect to a porn site.

Firstly I want to state that this computer is now offline; I’m not happy with dirty machines connecting to my network. I’m using the latest versions of the software mentioned, with updates / definitions downloaded via a USB stick.

His antivirus software is McAfee Security Centre, which completes the scan with no infections. (This is out of date, with the latest update on the 3rd; I haven’t found a manual update file.) (I’d rather install AVG, but two AVs at once don’t usually get along, and I don’t want to uninstall his McAfee as it’s what he’s used to and I don’t have an install disk.)

Spybot S&D with the latest includes picked up a few random infections which it removed successfully, but didn’t find or fix this mentioned issue. This runs a clean scan.

CCleaner also found various things that it cleaned up and didn’t fix the above issue. This runs a clean scan.

FixIEDef.exe ran and fixed something, but failed to fix this issue; this now runs a clean scan.

Finally Malwarebytes scanned and fixed a couple of objects – this has now kind of fixed the problem – I’m now left with a completely empty popup box (no text) that no longer forwards to the website, but it’s super annoying and I need to finish this clean-up to remove this popup box.

Thanks guys, my HJT log is below:

pastebin.com/f406b7821

It’s not allowing me to post my HJT log due to 'links or images requiring 5 post count', please excuse the above...
 
Excellent thanks a lot for that link, that’s interesting…

I’m not sure about the items it’s picked up though; would anyone care to confirm the results below as being “bad”?

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
Ctfmon.exe
"CoolWebSearch Ctfmon32 parasite variant"

This isn’t legit? Can anyone confirm this – I know there is a legit CTFMON.EXE spawned via MS Office… Is this definitely false?

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
UpdateMgr
"Added by the SouthBeachTel premium rate adult content dialer"

Again… I think this is legit….
 
Where are you getting the information about ctfmon and Adobe?

For ctfmon.exe: http://support.microsoft.com/kb/282599
The Adobe Reader needs to be updated but it isn't malware.

Wherever you're getting your information about what you see, it is not accurate.

It's difficult to evaluate a system with just a couple of files being given. Please see this for:
"How to attach the HijackThis log": https://www.techspot.com/vb/topic19133.html

I suggest you also run Malwarebytes and SuperAntispyware and include those logs also. See Step 4 and 5 here: https://www.techspot.com/vb/post645589-1.html
 
Hey,

Sorry, it seems I totally missed the attachment option when making my first post, which is why I included it as a pastebin. I've now attached it again if you find it easier.

The information is from the site given from billallen55 previously.
 
The site BillAllen left is for the process of malware cleaning. In addition to HijackThis, it includes running Malwarebytes and SuperAntispyware, AFTER which you should run HijackThis. This is the only way we can see what was on the system and what has been cleaned.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ingushi - {E152A086-FC50-436B-9FA7-873E79EBAF60} - C:\WINDOWS\system32\gjopli.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Go to My Computer->Tools->Folder Options->View tab:
Under the Hidden files and folders heading:
Select - Show hidden files and folders.
Uncheck - Hide protected operating system files (recommended) option.
Also, make sure there is no checkmark beside Hide file extensions for known file types.
Click OK. (Remember to hide files and folders once done.)

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders:
C:\WINDOWS\system32\gjopli.dll <--delete this file
After that, Reboot, and post a new HijackThis log here in a reply

Your version of Adobe Reader is out of date.
Reader 9.0 <-- current version
1. Please go to this link: Adobe Acrobat Reader Download Link
https://www.techspot.com/downloads/2083-adobe-reader-dc.html
Untick Adobe Media Player and Adobe Photoshop Album Starter Edition if you do not wish to include these in the installation. (Uncheck Google if you don't want it.)
2. Click the Continue button
3. Click Run, and click Run again
4. Next click the Install Now button and follow the on-screen prompts
After the install, go to Add/Remove Programs in the Control Panel and uninstall Adobe v7
(make sure Adobe isn't on the Startup menu before the uninstall)

Go to Start > Control Panel > Internet Options
In the General tab, under Temporary Internet Files, click Delete Files. When prompted, check Delete all offline content.
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
Agree to the prompt to perform the action...

Remove old System Restore points:
Control Panel > System > System Restore tab > CHECK 'turn off System Restore' > Apply > OK > Reboot
Then go back in and UNCHECK 'turn off System Restore' > Apply > OK.
Create a new restore point.

I would have preferred to see what Malwarebytes and SuperAntispyware found and removed.
 
Hi bobbye,

Thanks for that,

As I said, I already cleaned up O2 gjopli.dll.

But the site I was saying billallen recommended wasn't the 8-step process, I meant the other site.

I'm not allowed to post the link so I can't just show you; he called it the HijackThis evaluation. (I think you thought I was referring to his 8-step link.) That is what flagged up what I mentioned in the previous post, which I feel is probably a false result.

Thanks for your suggestions though, but I've already done all this.

I was just posting out of curiosity to the results of the above...
 
Am I correct in thinking you don't require any more help for this matter, then?

By the way, you can post links now.
 
Thanks,

I was just looking for confirmation that http://hjt.networktechs.com/ reporting

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
Ctfmon.exe


O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
UpdateMgr

as 'bad' to be false information
 
Ctfmon.exe vs ctfmon32:
About those entries: I don't know that I understand the information. ctfmon.exe is an Office start-up process frequently found on the startup menu. It is shown as 'ctfmon.exe'. But if the process shows ctfmon32.exe, THEN it's malware! Yours doesn't.

From Techspot:
CTFMON32 should not be running at startup. It is likely a virus, spyware, Trojan, or some other sort of malicious program. Use a virus scanner, and/or spyware removal tool to remove it.
Additional Info: CoolWebSearch Ctfmon32 parasite variant - also detected as the CWS-E TROJAN!

CTFMON32 is NOT what you're seeing. You're seeing CTFMON.exe in the System32 folder.
I have ctfmon.exe in my Windows System32 folder. It is not malware; the only difference is that I don't have it on Startup.
Frankly, I am confused by the information here: https://www.techspot.com/startup/1671/

Now, IF you have a CLSID, then we should be able to confirm the entry as normal or malware.

Same for the Adobe line: From Bleeping Computer:
AdobeUpdateManager.exe
Command: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
Description: Installed with Adobe products to check for updates and prompt you to install them as needed.
File Location: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Again, if a CLSID is given and it is not the one for the process, possibly it would be suspect, but there is no indication of this.
If I had seen either of these entries in a HijackThis log, I would not have flagged either as malware. I would have suggested an Adobe update, or better, replacing it with FoxIT.

The bottom line: I consider both of these entries to be legitimate. You can stop the autoload and autoupdate, that would be my recommendation, but the files are valid. I don't know what criteria were used to make it otherwise.
 
Bobbye,

Thanks a lot, that's what I hoped and thought you'd have said; I was just looking for a bit of reassurance on that. Many thanks for your time.

Just a quick question if you don't mind - you talked about CLSIDs; can you explain to me briefly how I can check what the CLSID is and if it's valid or not? This sounds quite handy...
 
can you explain to me briefly how I can check what the CLSID is and if it's valid or not
Example: From your HijackThis log:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} is the CLSID:
Copy and paste it into this site: http://www.castlecops.com/CLSID.html
You will get the following information:
Object Name: AcroIEHlprObj Class, Adobe PDF Reader Link Helper
GUID: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Status: L BHO (L means legitimate; BHO is browser helper object, i.e. an O2 entry)
File name: AcroIEhelper.ocx, AcroIEhelper.dll, ACROIE~1.OCX
Description: Adobe Acrobat reader

NOTE: this is the page for CLSID and BHO. To get the full selection of databases, go here:
http://www.castlecops.com/
Look for the proper database on the left and click. When the page comes up, type in the CLSID.

There's no magic to this. Data is available to identify almost everything. If it can't be identified, it is suspicious. This is one of the frequently used databases; there are others.
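As an added illustration, not code from this thread, from HijackThis or from any of the lookup sites mentioned, the following Python script applies the two checks discussed above to the log lines quoted in this thread: it pulls the CLSID out of each O2 (BHO) entry and looks it up in a local table standing in for the CLSID database (only the Adobe BHO record quoted above is in it, so the gjopli.dll entry comes back unidentified, which per the advice above means suspicious), and it compares each O4 (Run) entry's file name exactly against known names, so that ctfmon.exe and ctfmon32.exe are told apart rather than matched on the shared "ctfmon" prefix. The ctfmon32 line in the sample log is constructed for this example and did not appear in the poster's log; the function and variable names are my own.

```python
import re
from typing import Optional

# Constructed sample log: the four HijackThis lines quoted in this thread, plus one
# constructed ctfmon32 line (not from the thread) to exercise the file-name check.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ingushi - {E152A086-FC50-436B-9FA7-873E79EBAF60} - C:\WINDOWS\system32\gjopli.dll
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKLM\..\Run: [ctfmon32] C:\WINDOWS\system32\ctfmon32.exe
"""

# Local stand-in for the online CLSID database: only the Adobe BHO record quoted in the
# thread is present. "L" is the database's status code for a legitimate object.
KNOWN_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": ("AcroIEHlprObj Class, Adobe PDF Reader Link Helper", "L"),
}
# Startup file names the thread discusses, compared exactly (lower-cased), never by substring.
KNOWN_GOOD_NAMES = {"ctfmon.exe", "adobeupdatemanager.exe"}
KNOWN_BAD_NAMES = {"ctfmon32.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<entry>[^\]]*)\] (?P<cmd>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command string."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()      # drop HijackThis's "(User '...')" annotation
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]          # quoted path: may contain spaces
    return cmd.split()[0]                          # unquoted path: assumed to contain no spaces


def parse_hjt_line(line: str) -> Optional[dict]:
    """Parse one O2 or O4 HijackThis line into its fields; other lines return None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", "name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]}
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "key": m["key"], "entry": m["entry"], "path": command_path(m["cmd"])}
    return None


def classify(entry: dict) -> str:
    """Apply the thread's rule: identified and legitimate is fine; unidentified is suspicious."""
    if entry["kind"] == "O2":
        record = KNOWN_CLSIDS.get(entry["clsid"])
        if record and record[1] == "L":
            return "legitimate: " + record[0]
        return "unidentified CLSID - treat as suspicious"
    basename = entry["path"].rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_BAD_NAMES:
        return "known malicious name: " + basename
    if basename in KNOWN_GOOD_NAMES:
        return "legitimate: " + basename
    return "unidentified file - treat as suspicious"


def triage(log_text: str) -> list:
    """Return (kind, identifier, verdict) for every O2/O4 line in the log text."""
    results = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry:
            results.append((entry["kind"], entry.get("clsid") or entry["path"], classify(entry)))
    return results


if __name__ == "__main__":
    for kind, ident, verdict in triage(SAMPLE_LOG):
        print(f"{kind}  {ident}\n    -> {verdict}")
```

Run as-is it triages the constructed sample; to use it on a real log, pass the file contents to `triage()` and replace `KNOWN_CLSIDS` with records copied from the lookup site. The exact-name comparison is the point of the O4 branch: a substring test such as `"ctfmon" in basename` would flag the legitimate CTFMON.EXE along with ctfmon32.exe, which is precisely the confusion the thread is about.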
 