Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please, please help me?!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

please, please help me?!

Unread postby fpalsson » July 20th, 2005, 1:35 am

Hi. I have something (maybe several things) wrong with my system, and I'm out of ideas.
It started with pop-ups and then there were some icons that appeared.
I have run spybot and ad aware. First they came up with some stuff and I removed it. But then after reboots it came up again. So then I ran each one in safe mode.
It seemed like it cleared up the problem.
However, I wanted to use Firefox instead of IE and noticed that I couldn't get it to run. So I worried. Then suddenly a few more pop-ups and icons.
Ran Spybot and Ad-aware again in safe mode. They didn't find anything!
So I panicked. Tried to follow microsoft's instructions for reinstalling IE. changed the registry per their instructions. it didn't help, b/c i couldn't install IE. so then i changed it back.
NOW I notice that in addition to all of this, Outlook Express is missing!
I'm in real trouble. I need my email to come back.
This makes me want to cry.
Also, I need to be able to be online safely....
I am an online student and my ability to get my master's degree on time could be in jeopardy.
Here's my Hijack log, if anyone can help me I will be forever in your debt....!!!!!!!!!
Logfile of HijackThis v1.99.1
Scan saved at 10:23:10 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\pqoppa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\atledir.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thedent.com/tourlist05.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Z3x6RXJmO] atledir.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am
Advertisement
Register to Remove

Unread postby askey127 » July 20th, 2005, 6:11 am

Hi fpalsson,

Welcome to the forum!
I'm checking your log and will be back with you shortly.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby askey127 » July 20th, 2005, 6:55 am

fpalsson,

I would suggest printing this out, or copying it into a notepad file, as you will not have internet access during some of this fix.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [Z3x6RXJmO] atledir.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Extra instructions are here if you need them.
-----------------------------------------------------------
File and Folder Deletion.
In Windows Explorer (My Computer), navigate to these files. Use find (F3) or Start, Search if the folder is not shown; then Delete the files, if present:
C:\WINDOWS\SYSTEM\blank.htm
C:\WINDOWS\system32\richedtr.dll
C:\WINDOWS\system32\pqoppa.exe
atledir.exe
<== most likely location is either C:\WINDOWS\ or C:\WINDOWS\SYSTEM32\
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Cas\Client\casmf.dll


If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.

Find and Delete these folders, if present:
C:\Program Files\Cas\Client\
C:\Program Files\Cas\

Note any folder you cannot delete.
You may have to delete all the underlying files and folders before a target folder can be deleted.

If there were any files you found but could not delete, then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop. You will probably have to reboot to download.
Run killbox, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste the full path of each file to delete, one at a time, into the box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say "No" each time until the last one has been pasted in, whereupon you should answer "Yes".
Let the system reboot.
-----------------------------------------------------------
Run Windows Cleanmgr.
Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Right click the Recycle Bin icon and Empty the Recycle Bin

Now in Windows Explorer, delete all the files in the following folders. Please do NOT delete the folders themselves, just all the files that they contain
C:\Windows\Prefetch\
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

------------------------------------------------------------
Run Hijackthis and click Misc tools, then Open Uninstall manager.
Click save list. Copy and paste the saved list into your next reply, along with your new log.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer into Normal mode. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

okay, here's what happened

Unread postby fpalsson » July 20th, 2005, 2:04 pm

first of all, thanks for helping me!
so i followed all your instructions and here's what happened. i had no trouble deleting most of the files. except 'qoppa.exe' which it stated was currently in use. so i tried running killbox. i followed all the instructions. when it was time to reboot i got the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!"

i rebooted anyway and went on with the rest of the instructions.
Outlook Express is still missing, by the way.
Here are the logs - the first one is from the Hijack this Uninstall Manager and the last one is the new Hijack this scan logfile.

Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS
Adobe Reader 7.0
Adobe SVG Viewer 3.0
Ahead InCD
Altova XMLSpy 2005 Professional Edition
CC_ccStart
ccCommon
Eudora
Eudora 5.2 Setup Files
HijackThis 1.99.1
HTML-Kit
Intel(R) 537 Modem
J2SE Runtime Environment 5.0 Update 3
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
MA111 Configuration Utility
MA111 Configuration Utility
Macromedia Shockwave Player
Microsoft Data Access Components KB870669
Microsoft Office Standard Edition 2003
MSRedist
Nero - Burning Rom
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Office Animation Runtime
QuickTime
RealPlayer
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SiS 900 PCI Fast Ethernet Adapter Driver
Sound Blaster PCI
Spybot - Search & Destroy 1.3
Symantec Script Blocking Installer
SymNet
TightVNC 1.2.9
TopStyle Lite (Version 3.0)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
VX2 Cleaner plug-in for Ad-Aware SE
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windows XP Uninstall
WoLoSoft SuperEdi 3.4

[end of uninstall_list.txt]

[begin hijack this new scan log file]
Logfile of HijackThis v1.99.1
Scan saved at 10:58:51 AM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\pqoppa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thedent.com/tourlist05.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[end]
how does it look now??? i can't make sense of this at all....
thanks again, for all the help
Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » July 20th, 2005, 3:38 pm

fpalsson,

Your log is already much better. Good job so far.

Using Windows Explorer, got to C:\ drive and make a new folder called Submit if you don't already have one.
You should then see C:\Submit\ in Windows Explorer.
-----------------------------------------------------------
Stop Process Prior to Deletion
Close ALL open windows. Use Ctrl-Alt-Delete together to bring up the task manager.
Under the processes tab, if it is visible, check the box 'Show processes from all users'.
One at a time, highlight this and "End Process":
C:\WINDOWS\system32\pqoppa.exe
Then check task manager and make sure it's gone. If not, End it again.
-----------------------------------------------------------
Since I can't find anything about this file, I am quite sure it's malware. In order not to burn our bridges, however,
go into C:\Windows\System32\ and copy the file pqoppa.exe into C:\Submit\
Then delete the file from C:\windows\system32\
-----------------------------------------------------------
Download and install CCleaner from here.
Run CCleaner. Choose the Windows tab. Check everything EXCEPT cookies and the Advanced part of the menu. Choose Run Cleaner. This process could take a while. When cleaning is finished, click Exit.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

let me know how it goes.
By the way, if we wanted to use MS system file checker to attempt a repair of Outlook Express, do you have an original system CD? If so, is it SP2?

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

pqoppa, big problem

Unread postby fpalsson » July 20th, 2005, 4:28 pm

ok, well, when i went to delete pqoppa from the processes in task mgr, it wasn't there. i searched for it (start/search) and couldn't find it.
but i went ahead and ran ccleaner anyway.
and here's my new hijack this log file. it looks like it's still there
Logfile of HijackThis v1.99.1
Scan saved at 1:24:03 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\pqoppa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thedent.com/tourlist05.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[end of file]
so what now?? this thing is a real **##NZ!!??, isn't it?

btw, yes, i have an xp home edition cd but it's not sp2.
i have sp2 only thru auto. update....
also, i ran sfc/ scannow and it didn't fix outlook express.
unfortunately for me my primary email was all in outlook express.
but i guess that's secondary in terms of problems......

my continued ongoing thanks and appreciation.....
what to do now???
Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » July 20th, 2005, 5:20 pm

fpalsson,

Copy these instructions into a new text document and leave it open.
-----------------------------------------------------------
Remove log item with HighjackThis. Start HijackThis.
Click Scan. When the Scan is complete, Check the following entries:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
In Hijackthis, Open the Misc Tools Section, then Open Process Manager; find and click C:\WINDOWS\system32\pqoppa.exe
HJT IS seeing the file and process, since it's in the log. Click kill process.
Then, click Refresh, check again, and repeat this step if it remains.
-----------------------------------------------------------
Delete Stubborn File with Pocket Killbox
Close all unnecessary program's including the Internet connection and all browsers.
Start Killbox, choose Standard File Kill. Lower down near the yellow triangle use the drop-down to end each rundll32.exe process.
There can be several; end each of them. Use the drop-down again to end the Explorer.exe process(es).
Your desktop will disappear, thats OK.
In the file box, type C:\WINDOWS\system32\pqoppa.exe <== be careful to double-check the spelling
Click the red highlighted X button and say yes to the prompt., wait until a success message appears.
Now go tools, "start explorer shell".
When finished exit Killbox.
-----------------------------------------------------------
Run CCleaner.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

If this doesn't work, we've got other options.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

would you believe this?

Unread postby fpalsson » July 20th, 2005, 6:26 pm

still here... (but see my comments below, i had problems with the instructions in the last post)

Logfile of HijackThis v1.99.1
Scan saved at 3:18:55 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rutr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Felicia Palsson\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thedent.com/tourlist05.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqoppa.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


unfortunately i am leaving in about 2 hours and going out of town for a week and a half. can you believe this situation? i'm going to be so behind in schoolwork. i was really hoping to get this problem fixed before i leave. but it's really stubborn and not going away even though i am following all your instructions. of course,

i should mention i had the following problems with the last instructions:
1. there were no "rundll32" in the list of processes to end
2. explorer.exe would NOT end no matter how many times i told it to (i tried at least a dozen times)
i followed everything else anyway, but,
maybe that's why this last one didn't work.
i'm soooo depressed and scared. and i wish i wasn't leaving town right now, but that's the way it is.

if you don't mind continuing to help me when i get back...??? i will check back here immediately when i return..... this is the coolest site and you're the most helpful person i've "met" (online).

thanks again,
Felicia
fpalsson@slis.sjsu.edu
fpalsson
Active Member
 
Posts: 10
Joined: July 20th, 2005, 1:29 am

Unread postby askey127 » July 20th, 2005, 8:51 pm

Actually, I think you have been successful. The file is no longer showing as an active process at startup.
One more pass at the O4 line with HJT, or CodeStuff Starter and we should be rid of the registry entry as well. Then we can fix up some more security for your machine and you'll be set..

Have a good vacation

You will need to post a new log when you get back, and we will hopefully be able to finish up.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Nick-YF19 » August 14th, 2005, 4:02 am

While we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 297 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware