Adware/Malware Hacked! Expertise Needed.

Hello, I have to make this as brief as possible, before more popups come and close out my post. I was halfway done with another post before popups ruined it.

PROBLEM: Popups come every 1-6 minutes while browsing the net, usually advertisements like "Scan Computer Now" or "Blackberry". But one is not an advertisement; it's just some annoying "Blank Page" sequence. It will open up IE on its own and load about 10-25 different tabs with the same link of some IP address coming up "Blank Page", which forces me to end the non-responding program, closing my other webpage out.

NOTICES: I captured the IP of the links: "85.17.166.181" and "85.149.15.148". Sometimes my Spy Sweeper says "Blocked Access to 85.149.15.148".

WHAT I'M DOING: I've been sending my error reports and spy sweeping my computer. That does nothing. I've been clearing browser history and cookies as well. IT DOES NOTHING AT ALL. I tried restoring to an earlier point, but my comp created a restore point for the 25th of November (yesterday) and nothing was changed.

MY SYSTEM: Windows XP, SP2.

I also noticed that someone has had the exact same problem as me before. Please help me, experts.

Re: Adware/Malware Hacked! Expertise Needed.

Start with this:

==Please download Malwarebytes' Anti-Malware from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes, examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under the Logs tab in MBAM].

Then:
==download HijackThis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows, including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button.
Post the log here.

Re: Adware/Malware Hacked! Expertise Needed.

gerbil's method should solve it, but to stop the popups wiping you out, type into Notepad first (Start menu - All Programs - Accessories - Notepad), then when complete, select all (Ctrl-A) and copy (Ctrl-C). Open your web browser, open a dialog, click in the box and hit paste (Ctrl-P). Hope this helps. If so, will you add to my reputation, please? Gerbil gets the credit for solving this one though. ;_o

Re: Adware/Malware Hacked! Expertise Needed.

Moved to the malware subboard.

Re: Adware/Malware Hacked! Expertise Needed.

Man oh man, I did a full scan the first time; it was ongoing for 7 hours!! It found like 23 objects in the first few minutes. It froze up, and I had to restart my computer!!! So I did a quick scan and got the 23 infected objects, and then aborted after about 3 minutes.

HERE'S the MBAM LOG:

Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 2

11/27/2008 5:35:29 PM
mbam-log-2008-12-27 (17-35-29).txt

Scan type: Quick Scan
Objects scanned: 19058
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jqeceyns.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMdEUkj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\enryfm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nggmsy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lwoaxz.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2bbc4235-05b0-44ad-8eb0-3dab3848d57d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2bbc4235-05b0-44ad-8eb0-3dab3848d57d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e73a1984-c4aa-4b54-8f2b-b6d7a2fe0652} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{742c5cda-f106-43e4-921a-9a13195de065} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{57bccb1d-e6ac-4899-aefc-c051b5e95b34} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2bbc4235-05b0-44ad-8eb0-3dab3848d57d} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomdeukj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdeukj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMdEUkj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkUEdMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkUEdMoq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cirvnwye.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eywnvric.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jqeceyns.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\snyeceqj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enryfm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nggmsy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lwoaxz.dll (Trojan.Vundo) -> Delete on reboot.

Re: Adware/Malware Hacked! Expertise Needed.

HERE'S MY HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:33 PM, on 11/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [b89e6646] "rundll32.exe" "C:\WINDOWS\system32\jqeceyns.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Search Protection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: enryfm.dll idoape.dll nggmsy.dll lwoaxz.dll pfpfyb.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10973 bytes
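An added cross-check, written for this thread and not code from either tool or from any poster: the MBAM log marks several Vundo DLLs "Delete on reboot", and the HijackThis log still shows the same names in an O4 Run entry (rundll32 loading jqeceyns.dll) and in AppInit_DLLs (O20), which is why gerbil says to restart before continuing. The script parses a few lines copied from both logs (embedded as constructed samples; the helper names are my own) and reports detections that are still wired into a load point.

```python
import re

# Constructed samples: lines copied from the MBAM and HijackThis logs in this thread.
MBAM_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\jqeceyns.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\enryfm.dll (Trojan.Vundo) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\jkUEdMoq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nggmsy.dll (Trojan.Vundo) -> Delete on reboot.
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [b89e6646] "rundll32.exe" "C:\WINDOWS\system32\jqeceyns.dll",b
O20 - AppInit_DLLs: enryfm.dll idoape.dll nggmsy.dll lwoaxz.dll pfpfyb.dll
"""

# "<path> (<detection>) -> <action>." is how MBAM writes its file and module entries.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")
# Any DLL basename mentioned on a HijackThis load-point line.
DLL_RE = re.compile(r"[\w-]+\.dll", re.IGNORECASE)


def parse_mbam(log):
    """Map each detected file path (lower-cased) to (detection name, action taken)."""
    hits = {}
    for line in log.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits[m["path"].lower()] = (m["name"], m["action"])
    return hits


def pending_reboot(hits):
    """Paths MBAM could not remove while Windows was running: a restart is required."""
    return sorted(p for p, (_, action) in hits.items() if action == "Delete on reboot")


def hjt_dll_refs(log):
    """Map each DLL basename seen on an O4 (Run key) or O20 (AppInit_DLLs) line to those lines."""
    refs = {}
    for line in log.splitlines():
        if line.startswith(("O4 ", "O20 ")):
            for dll in DLL_RE.findall(line):
                refs.setdefault(dll.lower(), []).append(line)
    return refs


def still_loaded(hits, hjt_log):
    """Detections that are both 'Delete on reboot' and still referenced from a load point."""
    refs = hjt_dll_refs(hjt_log)
    return [(p.rsplit("\\", 1)[-1], hits[p][0]) for p in pending_reboot(hits)
            if p.rsplit("\\", 1)[-1] in refs]


if __name__ == "__main__":
    for dll, name in still_loaded(parse_mbam(MBAM_LOG), HJT_LOG):
        print(f"{dll}: {name}, removal pending reboot, still in a Run/AppInit load point")
```

Point it at the full logs and it will also list the AppInit_DLLs names (idoape.dll, pfpfyb.dll) that MBAM did not detect at all, which is what a helper reading the O20 line would want to know.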

Re: Adware/Malware Hacked! Expertise Needed.

Great. Has that solved it?

Re: Adware/Malware Hacked! Expertise Needed.

Believe it or not, it did. Spy Sweeper doesn't pick up the malware like this freeware software... But for now I have had no pop-ups! So that's good, but I'm waiting for gerbil's reply so I can finish up.

Re: Adware/Malware Hacked! Expertise Needed.

It's easier to do anti-malware stuff in safe mode (press F8 at the splash screen), which turns off everything but essential services.

Re: Adware/Malware Hacked! Expertise Needed.

Alright, well please don't abort the scan... Leave it to run overnight or something... or when you go to work, and let it run a full scan! Follow the instructions given by gerbil, or follow the instructions in the quote below. Quote:

Thank you :) Cohen

Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC