nothing work for AD-W-A-R-E.COM

Post by strategema » November 15th, 2005, 6:46 pm

Hi! I'm new here and glad I found a place like this. I speak French, so I'll try to write as well as I can.
I have POPUPSSSSS (lots of pop-up windows) that seem to be from www,ad-w-a-r-e.com. I searched this forum for help but it did not work.

1- I did a search on the forum but did not find anything about http://www.ad-w-a-r-e.com

2- I installed and used, with a reboot between each: Ad-Aware, Spybot, TrojanHunter, a-squared and Microsoft AntiSpyware. They found some, I cleaned them, but I'm still having those pop-up windows.

Please help me because my wife is on my back because of those pop-ups.
What do I have to do?
Thank you very much and have a good day.
Strategema
strategema
Active Member
 
Posts: 3
Joined: November 15th, 2005, 6:34 pm
Location: QUÉBEC

Post by Kimberly » November 16th, 2005, 6:32 pm

Hello / Bonjour strategema,

You may write in English or French when you try to explain something. I'll try to translate as many instructions as I can, but you have to be aware that many fixes will be in English. I'm sure we will manage to understand each other, though.

You can write in French; I will do my best to translate some instructions, but you must be aware that many instructions will be in English. I am nevertheless confident we will understand each other.

Download HijackThis from one of the following locations; the latest version is 1.99.1.
Download HijackThis:

http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://downloads.malwareremoval.com/hijackthis.zip

Create a folder for Hijackthis on the C: drive called C:\HJT, do NOT run it from your Desktop or Temporary files folder.
You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it HJT. Extract HijackThis.exe from the zip archive into that folder. Launch HijackThis, follow the instructions below.

Create a folder on your C drive called HJT. My Computer > C:\ > right-click and select New Folder, name it HJT. Extract HijackThis.exe from the archive into this new folder. Launch HijackThis following the instructions below.

Run HijackThis, click on Do a system scan and save a log file, Notepad will open with a log. Copy that log and post as a reply.

In Notepad > Edit > Select All
Edit > Copy
CTRL+V in the topic.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

thanks Kim

Post by strategema » November 20th, 2005, 12:25 pm

Just want to say thanks, Kim.
It's OK if everything is in English; I understand it well, it's just that when I write... I may have some errors in my spelling.
I will do what you said and I'll be right back.
Have a very nice day,
Strategema
strategema
Active Member
 
Posts: 3
Joined: November 15th, 2005, 6:34 pm
Location: QUÉBEC

here's my log from HijackThis

Post by strategema » November 20th, 2005, 12:38 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:36:20, on 2005-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
D:\Norton SystemWorks 2004\Norton AntiVirus\navapsvc.exe
D:\Norton SystemWorks 2004\Norton Ghost\Agent\PQV2iSvc.exe
D:\Norton SystemWorks 2004\Norton AntiVirus\IWP\NPFMntor.exe
D:\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
D:\LOGICIELS\Nero Express\InCD\InCD.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
D:\Norton SystemWorks 2004\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton SystemWorks 2004\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\fr-ca\msntb.dll
O3 - Toolbar: Dominic Sigouin toolbar - {f82c046c-6bee-4737-87f4-9dc27dea4e26} - C:\Program Files\Dominic Sigouin\tbDomi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\LOGICIELS\Nero Express\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Norton SystemWorks 2004\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Norton SystemWorks 2004\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\OFFICE~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... xt360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/Reflex ... Loader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\q8860ilse8q60.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\gbiokpkl.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\igmhgjdg.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\njahbnen.dll (file missing)
O21 - SSODL: 0EDIABFD - {0E50578B-34D3-4CC5-257F-69D560B36227} - C:\WINDOWS\system32\Lknijq32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - D:\Norton SystemWorks 2004\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - D:\Norton SystemWorks 2004\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Norton SystemWorks 2004\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Norton SystemWorks 2004\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe

I hope it can help.
Waiting for reply.
Have a nice day and thank you again...
Strategema
strategema
Active Member
 
Posts: 3
Joined: November 15th, 2005, 6:34 pm
Location: QUÉBEC
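The O20 and O21 lines at the bottom of the log above are the ones that matter for this thread. As an added example (it is not part of the original thread and not HijackThis code), the Python script below pulls those lines out of a saved HijackThis log and states why each one is suspect: the hook is not one Windows XP installs itself, the DLL is gone but its SSODL/COM registration is still in the registry (which is why the scanners "found some" and the entries are still listed), the value name imitates the legitimate SysTray entry, or the filename looks random. The sample input is copied from the log above plus two constructed benign lines; the allowlists of known-good hooks are assumptions for the demo, not an authoritative list.

```python
"""Triage O20 (Winlogon Notify) and O21 (SSODL) lines from a HijackThis log.

Added example for this thread; it is not HijackThis code. The allowlists
below are assumptions for the demo, not a complete list of what Windows XP
registers under these keys.
"""
import re
import sys
from typing import Dict, List

# Constructed input: the O20/O21 lines copied from the log above, plus a
# benign SSODL entry (WebCheck) and two unrelated lines the filter ignores.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\q8860ilse8q60.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\gbiokpkl.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\igmhgjdg.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\njahbnen.dll (file missing)
O21 - SSODL: 0EDIABFD - {0E50578B-34D3-4CC5-257F-69D560B36227} - C:\WINDOWS\system32\Lknijq32.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

SSODL_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
WINLOGON_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Assumed known-good entries (lower-case). Real use needs a vetted list.
KNOWN_SSODL_DLLS = {"webcheck.dll", "stobject.dll"}
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Eight random letters (as Sophos describes) or digits wedged between letters."""
    stem = filename.rsplit(".", 1)[0]
    if stem.endswith("32"):          # nvsvc32, kernel32 ... ignore the common suffix
        stem = stem[:-2]
    if re.fullmatch(r"[a-z]{8}", stem):
        return True
    return re.search(r"[a-z]\d+[a-z]", stem) is not None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per O20/O21 line that is not on the allowlists."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SSODL_RE.match(line)
        if m:
            kind, name, path, clsid = "O21", m["name"], m["path"], m["clsid"]
            known = basename(path) in KNOWN_SSODL_DLLS
        else:
            m = WINLOGON_RE.match(line)
            if m is None:
                continue
            kind, name, path, clsid = "O20", m["name"], m["path"], None
            known = name.lower() in KNOWN_WINLOGON_NOTIFY
        if known:
            continue
        reasons = ["hook is not one Windows XP installs itself"]
        if m["missing"]:
            # The scanners deleted the DLL but left the SSODL value and the
            # HKCR\CLSID\{...}\InProcServer32 registration behind.
            reasons.append("DLL deleted but registration left behind")
        if kind == "O21" and name.lower().startswith("systray") and name.lower() != "systray":
            reasons.append("value name imitates the legitimate SysTray entry")
        if looks_random(basename(path)):
            reasons.append("random-looking filename")
        findings.append({"kind": kind, "name": name, "clsid": clsid,
                         "path": path, "reasons": reasons})
    return findings


def main(argv: List[str]) -> int:
    text = open(argv[1], encoding="latin-1").read() if len(argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f['kind']} {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the saved hijackthis.log as the first argument, or with no argument to triage the sample lines. Every O20/O21 line from the log above is reported; the constructed WebCheck line is the only one the allowlist lets through.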

Post by Kimberly » November 20th, 2005, 6:10 pm

Hello strategema,

The Look2Me infection put aside (adware popups), you have several trojans on your computer (at least 4 of them). I was able to identify at least one of them... While we are often able to delete the offending files, you have to be aware that we will not always be able to reverse some registry settings and detect and remove additional spyware downloaded to your computer. Most of these trojans change your Internet security settings and general security settings. They may prevent you from updating your antivirus protection, etc.

Evidence in your log:

O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\igmhgjdg.dll (file missing)

http://www.sophos.com/virusinfo/analyse ... doorc.html
Troj/Cozdoor-C is a backdoor Trojan for the Windows platform.
Troj/Cozdoor-C includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Cozdoor-C copies itself to the Windows System folder with a random filename eight letters long, and drops a DLL file also with a random name eight letters long to the same folder. The DLL file contains the backdoor functionality of the Trojan.
The following registry entry is created to run code exported by the Trojan library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SysTray.Excn
{1722ECFF-4356-4f5b-B534-E67294FE75E9}
The DLL is registered as a COM object, creating registry entries under:
HKCR\CLSID\{1722ECFF-4356-4f5b-B534-E67294FE75E9}
Once running, the backdoor connects to a pre-specified website where it can receive further commands.
Troj/Cozdoor-C changes settings for Microsoft Internet Explorer by modifying values under:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
The Trojan also adds the following entries to the computer's HOSTS file, to deny access to the specified websites:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 download.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com

The second Trojan: Trojan-Proxy.Win32.Small variant

Evidence: O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\njahbnen.dll (file missing)

The general description of this family is below
Description

Win32.Galorion is a family of downloading trojans.

Method of Infection
The Galorion family of trojans may be distributed as either a single executable file or as a dropper.

Variants which are a single executable run from their original location and may set one of the following registry entries to execute themselves at Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "<location of execution>"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig Manager = "<location of execution>"

If the variant is distributed as a dropper, when executed, a DLL with a random filename is created in the %System% directory. The trojan modifies the registry to ensure that the DLL is loaded by explorer.exe:

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\JfwnVmklPe = "{182DCF04-B287-65AE-A189-D94855ACEA54}"
HKCR\CLSID\{182DCF04-B287-65AE-A189-D94855ACEA54}\InProcServer32\(Default) = "%System%\<random filename>.dll"
HKCR\CLSID\{182DCF04-B287-65AE-A189-D94855ACEA54}\InProcServer32\ThreadingModel = "Apartment"

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

Payload

Backdoor Functionality
Galorion variants contact predefined websites to obtain instructions. Information, such as the OS version of the affected machine, is sent to these remote hosts. Galorion can be instructed to perform the following actions by a remote controller:

Download and execute arbitrary files
Visit websites
Delete cookies
Start a proxy

Additional Information

Some variants of the Galorion family may create mutexes to avoid running multiple copies of themselves simultaneously. Some examples include:

updater
sp1upd
updater3
winproxy

The majority of Galorion variants create a random unique identifier which is stored in the registry. For example:

HKLM\Software\Microsoft\WinUpdate\UID = "<random value>"
HKLM\Software\Microsoft\MSConfigManager\UID = "<random value>"

They may also drop an executable file which reboots the machine after a certain period of time.


While it is possible to remove all the "bad files", I would still recommend a fresh install. You must be aware that if you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

If you still wish to clean up the computer, please follow the instructions below :

Please take note of the instructions that follow, print them out for reference as you won't be able to access this page while performing the fix.
Don't use the program yet.
______________________________

Please download WebRoot Spy Sweeper from the following location:
http://www.webroot.com/downloads/
  • Click the Free Trial link under Spy Sweeper to download the program.
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it's safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
  • Once the program is installed, you will be prompted to check for updated definitions, click Yes. This may take several minutes.
  • Once the definitions are installed, close the program and reboot your computer into Safe Mode
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
  • Launch Spy Sweeper
    • From the left pane, click Options then Sweep Options
      • Check Sweep all Folders on Selected drives.
      • Check Local Disc C.
      • Under What to Sweep, check every box.
    • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
    • When the scanning is done, click Remove. Click Select All and then Next. It will remove all of the items found.
    • From Results, select the Session Log tab. Click Save to File and save the log to your Desktop or to a convenient location.
  • Exit Spy Sweeper.
______________________________

Reboot your computer in Normal Mode
  • Open the l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the L2M log back here as a reply, along with the Spy Sweeper log and a new HijackThis log, please. You may need several replies to post the logs I requested; otherwise they might get cut off.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
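The HOSTS-file entries in the Sophos description above are what stop LiveUpdate and the Kaspersky/McAfee downloads from working, so they are worth checking for directly. As an added example (not from the thread, not from Sophos or any vendor), the Python script below audits a HOSTS file for names mapped to a loopback or 0.0.0.0 address, marks the ones under security-vendor domains, and rewrites the file without them while leaving the localhost line and the user's own entries alone. The sample HOSTS content is constructed from the entries Sophos lists plus a few normal lines; the vendor-domain list is an assumption. On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts.

```python
r"""Audit a Windows HOSTS file for names black-holed to loopback or 0.0.0.0.

Added example for this thread; not vendor code. On Windows XP the file is
C:\WINDOWS\system32\drivers\etc\hosts; pass its path as the first argument.
VENDOR_SUFFIXES is an assumed list, not an authoritative one.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample: the eight entries Sophos lists for Troj/Cozdoor-C, the
# normal localhost line, a legitimate LAN entry, a user's own ad-block entry,
# and one constructed 0.0.0.0-style block of a vendor site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 download.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
192.168.1.10    fileserver.example.lan   # legitimate local entry, keep
127.0.0.1 ads.example.com                # user's own ad block, keep
0.0.0.0 www.sophos.com
"""

# Assumed: domains whose update/download servers malware tends to black-hole.
VENDOR_SUFFIXES = ("kaspersky-labs.com", "kaspersky.com", "mcafee.com",
                   "symantec.com", "symantecliveupdate.com", "sophos.com",
                   "microsoft.com", "windowsupdate.com")


def parse_hosts(text: str):
    """Yield (line_no, ip, [names]) for every non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            parts = body.split()
            yield no, parts[0], parts[1:]


def is_blackhole(ip: str) -> bool:
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_vendor(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in VENDOR_SUFFIXES)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Every name other than localhost that resolves to a black-hole address."""
    findings: List[Dict[str, object]] = []
    for no, ip, names in parse_hosts(text):
        if not is_blackhole(ip):
            continue
        for name in names:
            if name.lower() == "localhost":
                continue
            findings.append({"line": no, "ip": ip, "name": name, "vendor": is_vendor(name)})
    return findings


def clean_hosts(text: str, vendors_only: bool = True) -> Tuple[str, List[str]]:
    """Return (rewritten file, original lines touched). A name that shares a
    line with something we keep (e.g. localhost) is stripped from that line
    rather than taking the whole line with it."""
    drop: Dict[int, set] = {}
    for f in audit_hosts(text):
        if f["vendor"] or not vendors_only:
            drop.setdefault(f["line"], set()).add(f["name"])
    kept, touched = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if no not in drop:
            kept.append(raw)
            continue
        touched.append(raw)
        body, _, comment = raw.partition("#")
        parts = body.split()
        names = [n for n in parts[1:] if n not in drop[no]]
        if names:
            kept.append(" ".join([parts[0]] + names) + ("  #" + comment if comment else ""))
    return "\n".join(kept) + "\n", touched


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(src):
        tag = "VENDOR" if f["vendor"] else "other "
        print(f"line {f['line']:>3} {tag} {f['ip']:<10} {f['name']}")
    cleaned, touched = clean_hosts(src)
    print(f"\n{len(touched)} line(s) would be rewritten or removed; cleaned file:\n{cleaned}")
```

By default only vendor names are removed, so a user's own ad-blocking entries survive; pass vendors_only=False to strip every non-localhost black-hole mapping. The script only prints the cleaned text; writing it back to the real file is a deliberate extra step, and on a system this compromised the rebuild Kim recommends is the safer option anyway.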

Post by NonSuch » December 6th, 2005, 6:36 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change, and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27215
Joined: February 23rd, 2005, 7:08 am
Location: California