pls help me check this log file...PC infected with ads and spyware

iHatePopUps Singapore
edited October 2005 in Spyware & Virus Removal
Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:02 PM, on 9/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\ORiNOCO\ComboCard 11b USB\Utility\wlanutil.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\yuuki\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ProPort StartUp] C:\Documents and Settings\yuuki\Desktop\ProPort.exe /StartUp
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [Lan11bWireless] C:\Program Files\ORiNOCO\ComboCard 11b USB\Utility\wlanutil.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
O4 - Global Startup: Iomega Icons.lnk = ?
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\REFRESH.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-pc-asia.com
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

Comments

  • lemonlime Canada Member
    edited September 2005
    Hello,

    There are definitely some items of concern in your log. Before we address any advertising or other issues, I'd recommend a full anti-virus scan of your machine. This running process is likely a Trojan:

    C:\WINDOWS\System32\intmonp.exe

    From a Google search on intmonp.exe:

    Description:
    Intmonp.exe is a process which is registered as the Puper-D Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

    There are also some other items of interest, including the following:
    C:\WINDOWS\popuper.exe

    Try to end both of these processes from the Task Manager (hit CTRL+ALT+DEL, select Task Manager, select the 'Processes' tab, select each of the mentioned processes, and hit the 'End Process' button).

    If you do not have an anti-virus application installed, you can check out the following 'online' scanning tools:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://housecall.trendmicro.com/housecall/start_corp.asp

    Good luck, and let us know how that goes :thumbsup:
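The triage step lemonlime applied by hand (compare the "Running processes" list against the O4/O23 autostart entries and look for binaries under the Windows folder that nothing accounts for) can be mechanised. The script below is an added example for this thread, not part of HijackThis or of any tool the posters used; the core-binary allow-list and the "unreferenced binary under C:\WINDOWS" heuristic are my assumptions, and the embedded log is an abridged copy of the one posted above.

```python
"""Triage helper for HijackThis v1.99 logs.

Flags running processes that live under the Windows folder but are neither
core OS binaries nor referenced by any O4 (Run key / Startup folder) or O23
(service) entry. Added example for this thread; the heuristics are assumptions,
not HijackThis behaviour.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path reason")

# Assumed allow-list: Windows XP binaries that legitimately run with no O4/O23 entry.
CORE_WINDOWS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

_ENTRY_RE = re.compile(r"^(O4|O23) - ", re.I)
# Basename of any executable-looking token inside an autostart line.
_EXE_RE = re.compile(r'([^\\/:"\s]+\.(?:exe|scr|com|bat))', re.I)

# Abridged copy of the log posted in the thread (same paths, fewer lines).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\yuuki\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O23 - Service: ewido security suite control - ewido networks - C:\ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
"""


def parse_log(text):
    """Return (running_process_paths, autostart_lines) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process section
                in_procs = False
            else:
                processes.append(line)
            continue
        if _ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def referenced_binaries(entries):
    """Lower-cased basenames of every executable an O4/O23 entry points at."""
    names = set()
    for entry in entries:
        names.update(m.lower() for m in _EXE_RE.findall(entry))
    return names


def flag_processes(processes, entries, windir="C:\\WINDOWS\\"):
    """Processes under windir that no autostart entry or core allow-list explains."""
    known = referenced_binaries(entries)
    findings = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_WINDOWS or name in known:
            continue
        if not path.lower().startswith(windir.lower()):
            continue  # user applications elsewhere: not this heuristic's concern
        parent = path[:-len(name) - 1].lower()
        if parent.rstrip("\\") == windir.rstrip("\\").lower():
            reason = "executable placed directly in the Windows folder, no autostart entry"
        else:
            reason = "under the Windows folder but no O4/O23 entry references it"
        findings.append(Finding(path, reason))
    return findings


if __name__ == "__main__":
    procs, autostarts = parse_log(SAMPLE_LOG)
    for f in flag_processes(procs, autostarts):
        print(f"{f.path}: {f.reason}")
```

Run against the abridged log it reports exactly the two binaries lemonlime singled out, popuper.exe and intmonp.exe, while ezSP_Px.exe (covered by an O4 entry) and the Program Files applications are left alone. An unreferenced binary is only a lead, not a verdict: the allow-list is short and a service entry can point at a missing file, so the finding still needs the anti-virus scan the post recommends.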
  • mmonnin Centreville, VA
    edited October 2005
    Other than what lemonlime mentioned, I don't really see much either.

    Also, before you do any fixing with HJT, put the exe in its own folder, as it will create some backup files and I don't think you will want those all over your desktop.
  • iHatePopUps Singapore
    edited October 2005
    Okay... Thanks for helping me out. Really appreciate it. I've done what you said, and some stuff couldn't be deleted when I ran PandaScan. It gave me the message "Unable to clean up the program as it is in use". The following files are the ones:

    C:\WINDOWS\system32\intmomp.exe --> TROJ PUPER.E --> CanNotAccess
    C:\WINDOWS\system32\__delete_on_<something> --> TROJ PUPER.E --> Non Cleanable
    C:\WINDOWS\base64.tmp --> WORM.NetSky.Dam --> Non Cleanable
    C:\WINDOWS\popuper.exe --> TROJ PUPER.E --> CanNotAccess
  • iHatePopUps Singapore
    edited October 2005
    Erm... I think you guys missed this thread? Kinda waiting for a reply... thanks...
  • SpywareShooter 127.0.0.1
    edited October 2005
    Boot into Safe Mode (press F8 at the BIOS screen when booting) and delete these files:
    C:\WINDOWS\system32\intmomp.exe
    C:\WINDOWS\base64.tmp
    C:\WINDOWS\popuper.exe

    Then reboot your computer, do another scan, and post a new log.