MalwareRemoval.com - Malware Removal Instructions

help please, constant popups!

Post by chi_li4u » February 10th, 2006, 6:23 am

Hi,
I need some help with something I picked up. It is a popup screen that appears constantly and shows advertisements.
My current operating system is Windows XP Home Edition with SP2 already installed, and I use Firefox as my browser. Any help would be greatly appreciated.

Thank you,

Chi

Logfile of HijackThis v1.99.1
Scan saved at 5:14:30 AM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\TEMP\Desktop\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C77AEA7F-0414-4A92-81F8-6D73BC78BB01} - C:\WINDOWS\system32\cjhi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Filter: text/html - {5B08C8E5-DD5A-452F-A5F6-2BC4A41A1E77} - C:\WINDOWS\system32\cjhi.dll
O18 - Filter: text/plain - {5B08C8E5-DD5A-452F-A5F6-2BC4A41A1E77} - C:\WINDOWS\system32\cjhi.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
chi_li4u
Active Member
Posts: 2
Joined: February 10th, 2006, 6:12 am

Post by Linkmaster » February 10th, 2006, 3:22 pm

Hi chi_li4u, Welcome to MalWare Removal !!

You may wish to print out a copy of these instructions to follow while you complete this procedure

I need you to download some programs to aid in our fix. Do Not Run Them Yet!

Download About:Buster© by RubbeRDuckY
Open AboutBuster folder, then double click the AboutBuster.exe
Click "Extract all" in the box that pops up, then "Next"
Choose the location you would like to install AboutBuster, such as My Documents
Make sure "Show extracted files" is checked, then click "Finish"

Download CWShredder© by Trend Micro Inc.
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Download SpSeHjfix© by Seeker.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Download ATF (Atribune Temp File) Cleaner© by Atribune

Run About:Buster
Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log

Run CWShredder
Click Fix and then Next. Make sure you let it fix all CWS Remnants.

Run SpSeHjfix© by Seeker
Double-click SpSeHjfix.exe
A log will be saved in the same folder that you put the exe into.
Reboot when it asks
After reboot a yellow box will pop up, click to Start Disinfect

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please run one of these Online Virus Scans :

TrendMicro Housecall
(Note: you must use Internet Explorer, other browsers will not work)
Under "Scan your PC", please click Scan now. It's free!
Select your location and click the Go button.
Click the red magnifying glass button.
Select Complete Scan.
Please be patient while Housecall downloads.
Please allow the ActiveX Control and when prompted click install
Put a check next to My Computer
Leave the following checked:
Scan for Spyware
Check security vulnerabilities

Click the Next button.
It will download the latest scan engine and pattern files.
When the definitions have been downloaded, the scan will start.
After it's done scanning it will take you to the summary page.
Click the Next button.
Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
Click the Next button to move onto the recovery (final) portion of the scan.
After everything has been removed, please click the show button on everything.
Highlight all of the text and press Ctrl + C to copy the text.

OR

Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Reboot, run HijackThis and post a fresh HijackThis log, the SpSeHjfix log and the Virus Scan results here
Linkmaster
MRU Honors Grad Emeritus
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Post by chi_li4u » February 11th, 2006, 6:15 am

thanks for helping

here are the requested logs

Logfile of HijackThis v1.99.1
Scan saved at 3:25:27 AM, on 2/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6F349123-2817-47E8-8E6C-0E97030DB3A5} - C:\WINDOWS\system32\cjhi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Filter: text/html - {435047D6-EB8F-45AE-AEB3-F7947C257FFA} - C:\WINDOWS\system32\cjhi.dll
O18 - Filter: text/plain - {435047D6-EB8F-45AE-AEB3-F7947C257FFA} - C:\WINDOWS\system32\cjhi.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




SPSehJfix logfile

(2/11/06 3:19:17 AM) SPSeHjFix started v1.1.2
(2/11/06 3:19:17 AM) OS: WinXP Service Pack 2 (5.1.2600)
(2/11/06 3:19:17 AM) Language: english
(2/11/06 3:19:17 AM) Win-Path: C:\WINDOWS
(2/11/06 3:19:17 AM) System-Path: C:\WINDOWS\system32
(2/11/06 3:19:17 AM) Temp-Path: C:\DOCUME~1\TEMP\LOCALS~1\Temp\
(2/11/06 3:19:27 AM) Disinfection started
(2/11/06 3:19:27 AM) Bad-Dll(IEP): c:\docume~1\temp\locals~1\temp\se.dll
(2/11/06 3:19:27 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\cjhi.dll
(2/11/06 3:19:27 AM) Searchassistant Uninstaller - Keys Deleted
(2/11/06 3:19:27 AM) UBF: 9 - UBB: 4 - UBR: 9
(2/11/06 3:19:27 AM) FilterKey: HKCR\text/html (deleted)
(2/11/06 3:19:27 AM) FilterKey: HKCR\CLSID\{B9A55547-9BA8-4481-90E0-CB32B2DD2BE8} (deleted)
(2/11/06 3:19:27 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(2/11/06 3:19:27 AM) FilterKey: HKCR\text/plain (deleted)
(2/11/06 3:19:27 AM) FilterKey: HKCR\CLSID\{B9A55547-9BA8-4481-90E0-CB32B2DD2BE8} (error while deleting)
(2/11/06 3:19:27 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(2/11/06 3:19:27 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A8CFF80-2D6B-4F44-8F05-628CF110A3EA} (deleted)
(2/11/06 3:19:27 AM) BHO-Key: HKCR\CLSID\{2A8CFF80-2D6B-4F44-8F05-628CF110A3EA} (deleted)
(2/11/06 3:19:27 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(2/11/06 3:19:27 AM) UBF: 7 - UBB: 3 - UBR: 8
(2/11/06 3:19:27 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\temp\locals~1\temp\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\temp\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(2/11/06 3:19:28 AM) Stealth-String found: c:\windows\system32\sqljo.dll
(2/11/06 3:19:28 AM) File added to delete: c:\windows\system32\sqljo.dll
(2/11/06 3:19:28 AM) File added to delete: c:\windows\system32\cjhi.dll
(2/11/06 3:19:28 AM) File added to delete: c:\docume~1\temp\locals~1\temp\se.dll
(2/11/06 3:19:28 AM) Reboot
(2/11/06 3:21:12 AM) SPSeHjFix 2nd Step
(2/11/06 3:21:12 AM) Stealth-DLL: c:\windows\system32\sqljo.dll (deleted)
(2/11/06 3:21:12 AM) AppInit_DLLs-key: (edited)
(2/11/06 3:21:12 AM) Stealth-String not present. Disinfection succesfully
(2/11/06 3:22:12 AM) Cleaned


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, February 11, 2006 05:05:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/02/2006
Kaspersky Anti-Virus database records: 176172
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57677
Number of viruses found: 9
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 4842 sec

Infected Object Name - Virus Name
C:\Documents and Settings\TEMP\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5c372228.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\TEMP\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5c372228.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Internet Explorer\ppnolmpg.exe Infected: Trojan-Downloader.Win32.Agent.dk
C:\Program Files\Microsoft AntiSpyware\Quarantine\1BF9A814-469D-47A5-B853-AA34BC\31DCC308-AE8F-43DC-9806-3DA1D8 Infected: Trojan.Win32.StartPage.vr
C:\Program Files\Microsoft AntiSpyware\Quarantine\3B76E041-2C8A-415A-8FDA-640EB5\08B267F4-F714-4B96-BE55-A95EA5 Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Microsoft AntiSpyware\Quarantine\457B6D6F-350D-48AD-98D7-7A54AC\F5B7E841-FE00-443C-92F6-674E17 Infected: Trojan.Win32.StartPage.vr
C:\Program Files\Microsoft AntiSpyware\Quarantine\6698AE51-617A-4E4C-81E9-FA82AE\57BDEFA2-4071-48B9-BDE6-2242FA Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Microsoft AntiSpyware\Quarantine\7F8D023F-AD41-4B9C-8D7B-E8648E\6F949BAF-775A-4C87-92ED-522214 Infected: Trojan.Win32.StartPage.vr
C:\Program Files\Microsoft AntiSpyware\Quarantine\9B879562-3C8E-4346-8AEA-739763\CA5B4E60-3523-4771-BE75-807E8B Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Microsoft AntiSpyware\Quarantine\AA7639EF-FC19-47ED-A178-FCB5B1\C3C5E92B-BD2F-4B76-AB6A-AB224D Infected: Trojan.Win32.StartPage.vr
C:\Program Files\Microsoft AntiSpyware\Quarantine\BDBBE338-EA8C-40EA-A565-0DEF55\1A44B6B7-217A-4DEF-B25A-34F045 Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Microsoft AntiSpyware\Quarantine\E555BB64-1E20-4848-9A1F-5589A5\2C1805CB-1D82-4187-89A3-A405CB Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Microsoft AntiSpyware\Quarantine\EB73CE1D-6B48-48E3-92AA-7AE7F3\E1A296B0-7CEB-4D2A-B1D6-A6DD2C Infected: Trojan.Win32.StartPage.uz
C:\Program Files\Outlook Express\outl32c.exe Infected: Backdoor.Win32.Jeemp.c
C:\Program Files\pl.exe Infected: Trojan-Downloader.Win32.Small.fo
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP119\A0116708.dll Infected: Trojan.Win32.StartPage.vr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP119\A0116709.dll Infected: Trojan-Downloader.Win32.Agent.j
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0112325.dll Infected: Trojan.Win32.StartPage.vr
C:\WINDOWS\svchost2.exe Infected: Backdoor.Win32.Delf.lm
C:\WINDOWS\SYSTEM\mcireg.dll Infected: Backdoor.Win32.Delf.kz
C:\WINDOWS\SYSTEM32\Delete Me Infected: Trojan.Win32.StartPage.vr

Scan process completed.
chi_li4u
Active Member
Posts: 2
Joined: February 10th, 2006, 6:12 am

Post by Linkmaster » February 11th, 2006, 11:44 am

Your log didn't clean up much, so let's try again!!
I may repeat myself, but bear with me!

Be sure to do these in this order

Download and Install Ewido Anti-Malware© by Ewido Networks
When installing, under "Additional Options" uncheck :

"Install background guard"
"Install scan via menu"


Launch Ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido Manual Updates
Close Ewido when updates finish

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Please disable Microsoft Antispyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click on the Microsoft AntiSpyware icon (looks like a target) and click on :
Security Agents Status (Enabled)
Disable Real-time Protection

To re enable it, you follow the same steps but click on Enable Real-time Protection

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {6F349123-2817-47E8-8E6C-0E97030DB3A5} - C:\WINDOWS\system32\cjhi.dll (file missing)

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll,DllInstall

O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll

O18 - Filter: text/html - {435047D6-EB8F-45AE-AEB3-F7947C257FFA} - C:\WINDOWS\system32\cjhi.dll
O18 - Filter: text/plain - {435047D6-EB8F-45AE-AEB3-F7947C257FFA} - C:\WINDOWS\system32\cjhi.dll


Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked

Run About:Buster
Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log

Run CWShredder
Click Fix and then Next. Make sure you let it fix all CWS Remnants.

Run SpSeHjfix© by Seeker
Double-click SpSeHjfix.exe
A log will be saved in the same folder that you put the exe into.
Reboot when it asks
After reboot a yellow box will pop up, click to Start Disinfect

Open Windows Explorer, locate and Delete the following folders or files in BOLD : (if present)

C:\Program Files\Internet Explorer\ppnolmpg.exe
C:\Program Files\Outlook Express\outl32c.exe
C:\Program Files\pl.exe
C:\WINDOWS\svchost2.exe
(make sure of the spelling!! Not SVCHOST.EXE)
C:\WINDOWS\SYSTEM\mcireg.dll
C:\WINDOWS\SYSTEM32\Delete Me
C:\Documents and Settings\temp\Local Settings\temp\se.dll


Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program

Go to Start, Control Panel
Double-click the Java applet (coffee cup)
Click on the General tab
Under the Temporary Internet Files section, click the Delete Files button.
There are three options on this window to clear the cache - check ALL 3 :

Downloaded Applets
Downloaded Applications
Other Files


Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
Click OK to leave the Java Control Panel

Delete the contents of the Microsoft AntiSpyware\Quarantine folder

Run Ewido Anti-Malware
Click on scanner
Click on Complete System Scan and the scan will begin.
When it finds the first infected item put a check next to "Perform action on all infections", then choose "remove"
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.

Close Ewido Anti-Malware

Reboot to Normal Mode

Run the Kaspersky WebScanner again

Reboot and post a fresh HijackThis log, the Ewido log, the SpSeHjfix log, and the Kaspersky Scan log here
Linkmaster
MRU Honors Grad Emeritus
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA
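The items Linkmaster ticks in the HijackThis fix above (the res:// search bar pointing into the Temp folder, the search keys reset to about:blank, the unnamed cjhi.dll BHO, the [sp] rundll32 se.dll Run key and the text/html and text/plain O18 filters) are exactly the markers that About:Buster and CWShredder are aimed at, and the Kaspersky report mixes files still on disk with copies that are already sitting in the Microsoft AntiSpyware quarantine and in System Restore points. The Python script below is an added example, not anything posted in the thread or shipped with those tools: it encodes those markers as heuristics over HijackThis items and sorts scanner hits into live, quarantined, restore-point and Java-cache buckets, so the same triage can be repeated on another log. The sample lines are copied from the logs posted above; the severity tiers, the Temp-path markers and the svchost.exe path check (the genuine binary lives only in %SystemRoot%\system32, while the [SSL] Run entry in the log points at C:\WINDOWS\svchost.exe) are this example's own assumptions.

```python
"""Triage helpers for the two logs posted in this thread: a heuristic pass over
HijackThis items and a bucketing of Kaspersky on-line scanner hits.
Added example; the rules below are this example's assumptions, not tool output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Genuine temp locations only: the account in these logs is literally named
# TEMP, so a bare "\temp\" match would flag the whole user profile.
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")
_ITEM = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
_KAV_HIT = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "high": tick it in HijackThis; "review": verify the publisher first
    reason: str


def _in_temp(text: str) -> bool:
    return any(marker in text for marker in TEMP_MARKERS)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the about:blank/se.dll hijack markers to one HijackThis item."""
    m = _ITEM.match(line.strip())
    if not m:
        return None
    kind, low = m.group("kind"), m.group("body").lower()
    if kind in ("R0", "R1"):
        if "res://" in low and _in_temp(low):
            return Finding(line, "high", "IE search page served from a DLL in a Temp directory")
        # Start Page = about:blank can be a user choice; search keys reset to it are not.
        if low.endswith("= about:blank") and ("search" in low or "homeoldsp" in low):
            return Finding(line, "high", "IE search setting reset to about:blank")
    elif kind == "O2":
        if "(no name)" in low and "\\system32\\" in low:
            return Finding(line, "high", "unnamed BHO loaded from a DLL in system32")
        if "(file missing)" in low:
            return Finding(line, "review", "orphan BHO CLSID; its DLL is already gone")
    elif kind == "O4":
        if _in_temp(low):
            return Finding(line, "high", "Run key starts code from a Temp directory")
        # The only legitimate svchost.exe lives in %SystemRoot%\system32.
        if "\\svchost.exe" in low and "\\system32\\svchost.exe" not in low:
            return Finding(line, "high", "svchost.exe lookalike outside system32")
    elif kind == "O18" and low.startswith("filter: text/"):
        return Finding(line, "high", "MIME filter on text/html or text/plain; hooks every page IE renders")
    elif kind == "O20":
        return Finding(line, "review", "Winlogon Notify DLL runs at every logon; confirm the publisher")
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def classify_scan_hit(line: str) -> Optional[Tuple[str, str, str]]:
    """Bucket one 'Infected Object Name - Virus Name' line. Quarantine folders and
    System Restore points hold inert copies; only 'live' files still need deleting."""
    m = _KAV_HIT.match(line.strip())
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    low = path.lower()
    if "\\quarantine\\" in low:
        bucket = "quarantined"
    elif "\\system volume information\\_restore" in low:
        bucket = "restore-point"
    elif "\\java\\deployment\\cache\\" in low:
        bucket = "java-cache"  # cleared through the Java Control Panel, not by hand
    else:
        bucket = "live"
    return bucket, path, name


def live_paths(report: str) -> List[str]:
    """Files from a scanner report that still need manual removal."""
    return [hit[1] for l in report.splitlines()
            if (hit := classify_scan_hit(l)) is not None and hit[0] == "live"]


# Sample lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C77AEA7F-0414-4A92-81F8-6D73BC78BB01} - C:\WINDOWS\system32\cjhi.dll
O4 - HKLM\..\Run: [SSL] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\TEMP\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {5B08C8E5-DD5A-452F-A5F6-2BC4A41A1E77} - C:\WINDOWS\system32\cjhi.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll"""
KAV_SAMPLE = r"""C:\Program Files\Internet Explorer\ppnolmpg.exe Infected: Trojan-Downloader.Win32.Agent.dk
C:\Program Files\Microsoft AntiSpyware\Quarantine\1BF9A814-469D-47A5-B853-AA34BC\31DCC308-AE8F-43DC-9806-3DA1D8 Infected: Trojan.Win32.StartPage.vr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP119\A0116708.dll Infected: Trojan.Win32.StartPage.vr
C:\Documents and Settings\TEMP\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5c372228.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\WINDOWS\svchost2.exe Infected: Backdoor.Win32.Delf.lm"""

if __name__ == "__main__":
    for f in triage_log(HJT_SAMPLE):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("delete by hand:", *live_paths(KAV_SAMPLE), sep="\n  ")
```

Run as a script it prints six "high" findings and one "review" item for the sample, and lists ppnolmpg.exe and svchost2.exe as the only scanner hits that still need deleting by hand. "review" items are deliberately not auto-ticked: a Winlogon Notify entry or an orphaned CLSID can belong to legitimate software, so the publisher is checked before it goes into a Fix Checked pass.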

Post by NonSuch » February 22nd, 2006, 4:54 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California