how to stop popupz and spyware - Kumaguy's log



kumaraguy
17-05-2005, 09:05 PM
Hi
I am also having a problem with the gremlins on a computer.
Just scanned with HijackThis.
After removing several hundred greeblies with Ad-Aware, Spybot and MS AntiSpyware I get an internet connection for approx. 2 mins, then page not found errors.
Used the WinsockXP fix to no avail.


Logfile of HijackThis v1.99.1
Scan saved at 7:44:02 p.m., on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\GSP\GSPMENU.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtr.co.nz
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetlogin.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetlogin.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: GSP Menu.lnk = C:\Program Files\GSP\GSPMENU.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 3.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw003
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Dang these things are big.

I can see some obvious errors in there but would appreciate your input and advice.
Thank you

Jen
17-05-2005, 09:18 PM
kumaraguy - I have split this post out from the other thread as you really should have started a new thread. It would only have detracted from the help lmv4 was getting in that thread and could have gotten confusing as to which advice was being given to which person. :)

PS* sorry for spelling your name wrong in the subject heading.

kumaraguy
17-05-2005, 09:22 PM
Humble Apologies
Thanks

Overdrive_5000
17-05-2005, 09:26 PM
Well it looks like you still have some spyware in there I could see mywebsearch listed

tweak'e
17-05-2005, 10:15 PM
looks like you have a worm.

http://www.sophos.com/virusinfo/analyses/w32rbotyc.html

C:\WINDOWS\system32\xpjava.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

Prescott
17-05-2005, 10:19 PM
ok, these are some things you will need to do:
update your virus scanner
update windows
get a firewall (zonealarm)
update spybot (there is a new version out too)
update adaware
then run them and these should clean them all out.
install firefox.

by the looks of things you have a few viruses (DONK.B or DONK.C or DONK.L or DONK.M or DONK.O and also OBSORB VIRUS)... so update NAV too

running process (id53.exe) is a virus/trojan

[edit]
this (http://www.hijackthis.de/logfiles/49d5949bc1254b77fc301c65c30096d1.html) is your log explained better (valid for 3 days)
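A small triage pass over the log posted above, added here as an illustration and not code from anyone in this thread: it parses the F2, O4 and O8 lines and flags the entries tweak'e, Prescott and Overdrive_5000 point at (the extra UserInit executable, bare or oddly located Run entries, the mywebsearch context-menu item). The log excerpt is constructed from the lines above; the trusted-directory list and the rules themselves are my own assumptions, and a flag means "verify", not "delete".

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the log posted above: the lines later posts single out,
# plus two benign entries (htpatch, ccApp) to show the rules stay quiet on them.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\\..\\Run: [HTpatch] C:\\WINDOWS\\htpatch.exe
O4 - HKLM\\..\\Run: [Microsoft System Checkup] wnetlogin.exe
O4 - HKLM\\..\\Run: [stcinstaller] c:\\installer\\id53.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunServices: [Microsoft System Checkup] wnetlogin.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRzfw003
"""

O4_RE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
ADWARE_DOMAINS = {"mywebsearch.com"}  # the domain Overdrive_5000 points at
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # assumption

def exe_path(cmd):
    # Executable part of an O4 command: drop surrounding quotes and arguments.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def triage(log_text):
    # Return (section, item, reason) tuples for entries that deserve a second look.
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if m:  # only userinit.exe belongs in UserInit; anything appended runs at every logon
            for exe in m["val"].split(","):
                if exe.strip().lower() != "userinit.exe":
                    findings.append(("F2", exe.strip(), "extra UserInit executable"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m["cmd"])
            if "\\" not in exe:  # bare name resolves via PATH: confirm which file runs
                findings.append(("O4", exe, "bare executable name, location unknown"))
            elif not exe.lower().startswith(TRUSTED_DIRS):
                findings.append(("O4", exe, "runs from unusual directory"))
            continue
        for url in re.findall(r"https?://\S+", line):
            host = urlparse(url).hostname or ""
            if any(host == d or host.endswith("." + d) for d in ADWARE_DOMAINS):
                findings.append((line[:2], url, "known adware domain"))
    return findings
```

Run against the full log, the bare-name rule will also list legitimate entries such as nwiz.exe and CTHELPER.EXE; that is deliberate, since the point is to check where each bare name actually resolves.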

kumaraguy
17-05-2005, 10:32 PM
Thanks guys
Updating is a little hard to do as it won't stay connected long enough.
However, we're getting there slowly.

tweak'e
17-05-2005, 10:45 PM
do yourself and everyone else a favour and disconnect your pc from the net. you will only be infecting someone else and highly likely you will get reinfected.

download the tools/updates from another (clean) pc.

kumaraguy
17-05-2005, 10:48 PM
Ok, been deleting things one at a time.
Got to id53.exe and now seem to have a stable internet connection.
Doing all the updates I can now.
Good work guys, you have been a big help.
I hopefully can cut back on the Panadol consumption.

Quote "download the tools/updates from another (clean) pc."

That's what I did to get to this stage.

Thanks again

kumaraguy
18-05-2005, 12:47 AM
Hi
Now we seem to have a couple of stubborn gremlins picked up by Spybot that Spybot can't remove (tried it in safe mode as well).

DyFuCa.InternetOptimiser
ISearchTech.SideFind
n-Case

Googled and it seems they can only be removed manually from the registry, not a place I want to go right now.

Anybody got an idea?

Ravage
18-05-2005, 01:21 AM
Howdy.

My dad's laptop had that DyFuCa on it and numerous scans with different adware removers did nothing to remove it.

I finally had to delve into the registry myself to remove it.

It is not too daunting to remove, just remember to back up the registry just in case (or create a restore point in system restore if you have it).

I then went to Edit --> Find... and typed DyFuCa in the "Find what" box (keys, strings and values ticked), then clicked Find Next.

I deleted any folders containing DyFuCa, closed the registry and rescanned with Spybot; it was completely removed.

Hope you sort out your problem.

Ravage :thumbs:

Renmoo
18-05-2005, 07:43 AM
Googled and it seems they can only be removed manually from the registry, not a place I want to go right now.

Back up your registry or create a system restore point, then mess around with your registry. If anything goes wrong, undo.

Cheers :)

kumaraguy
18-05-2005, 07:45 AM
Thanks Ravage and Jameskan :)

Those problems seem to be taken care of.

Spybot, Ad-Aware, MS AntiSpyware, and virus scanner all updated and reporting no problems.

It's all good, 'til I return the computer to its owner I guess.

Thanks to all

Renmoo
18-05-2005, 07:51 AM
Thanks Ravage and Jameskan :)

Those problems seem to be taken care of.

Spybot, Ad-Aware, MS AntiSpyware, and virus scanner all updated and reporting no problems.

It's all good, 'til I return the computer to its owner I guess.

Thanks to all
You might want to give your computer a defragment as well to finish up the job. Try defragging your HDD in safe mode.

Cheers :)