Options
Pop-Up Horror
Hi, there must be some kind of trojan or something on my PC, I have run Hijackthis, spybot and ad-aware, yet I am still getting pop-ups like
http://popunder.paypopup.com/links.php?data=rSe_2%2F%FE%2B-%293%7D00%2A%24S%5C77sX%5CfZUKj_%FEq_ZcY%3B%7B%2B1-0%F3lcY%3B%FE%29-%282%7E%2C2%2B3&serverfile=popdirect&id=BundleWare&subid=23782&tid=1133454865&clater=&m=3&o=1&c=1&a=32767&q=3&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl=&defurl=
www.ad-w-a-r-e.com
http://adserver.softwareonline.com/AdServer/RegClean/NewLanding/newdownload.asp?download=http://adserver.sharewareonline.com/adserver/regclean_ell.exe&Scroll=No
in IE and Opera
HJT-Log:
Logfile of HijackThis v1.99.1
Scan saved at 17:37:05, on 01.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
D:\Spy Sweeper\WRSSSDK.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe
D:\Java\bin\jusched.exe
D:\a-squared\a2guard.exe
D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
D:\Profi-Dialer\ProfiDialer.exe
D:\Miranda IM\miranda32.exe
D:\Netscape\Netscp.exe
F:\DL programme\HijackThis.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Java\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [a-squared] "D:\a-squared\a2guard.exe"
O4 - Startup: Stardock ObjectDock.lnk = D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{710B2728-80E0-420B-AD9F-8E08D7AD33E6}: NameServer = 217.237.151.161 217.237.151.33
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\hr0605dse.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\tuneup\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programme\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
ideas, someone?
kad
http://popunder.paypopup.com/links.php?data=rSe_2%2F%FE%2B-%293%7D00%2A%24S%5C77sX%5CfZUKj_%FEq_ZcY%3B%7B%2B1-0%F3lcY%3B%FE%29-%282%7E%2C2%2B3&serverfile=popdirect&id=BundleWare&subid=23782&tid=1133454865&clater=&m=3&o=1&c=1&a=32767&q=3&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl=&defurl=
www.ad-w-a-r-e.com
http://adserver.softwareonline.com/AdServer/RegClean/NewLanding/newdownload.asp?download=http://adserver.sharewareonline.com/adserver/regclean_ell.exe&Scroll=No
in IE and Opera
HJT-Log:
Logfile of HijackThis v1.99.1
Scan saved at 17:37:05, on 01.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
D:\Spy Sweeper\WRSSSDK.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe
D:\Java\bin\jusched.exe
D:\a-squared\a2guard.exe
D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
D:\Profi-Dialer\ProfiDialer.exe
D:\Miranda IM\miranda32.exe
D:\Netscape\Netscp.exe
F:\DL programme\HijackThis.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Java\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [a-squared] "D:\a-squared\a2guard.exe"
O4 - Startup: Stardock ObjectDock.lnk = D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{710B2728-80E0-420B-AD9F-8E08D7AD33E6}: NameServer = 217.237.151.161 217.237.151.33
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\hr0605dse.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\tuneup\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programme\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
ideas, someone?
kad
0
Comments
===============
Run HiJackThis, click "Scan", then check(tick) the following, if present:
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
files...
C:\WINDOWS\System32\dfrgfat32.exe
C:\WINDOWS\System32\Netlib.exe
C:\WINDOWS\system32\wincntrl.exe
C:\WINDOWS\csrss.exe
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Thx for help
Logfile of HijackThis v1.99.1
Scan saved at 13:04:58, on 02.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
D:\Spy Sweeper\WRSSSDK.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe
D:\Java\bin\jusched.exe
D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
F:\DL programme\HijackThis.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~2\bdswitch.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Java\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - Startup: Stardock ObjectDock.lnk = D:\Longhorn Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = D:\Longhorn Inspirat\YzToolBar\YzToolBar.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\tuneup\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Programme\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
===============
Run HiJackThis, click "Scan", then check(tick) the following, if present:
O23 - Service: Defragmentation Management Handler (FAT Defragmentation) - Unknown owner - C:\WINDOWS\System32\dfrgfat32.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe (file missing)
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
After rebooting, rescan with hijackthis and see if those entries are still there. If they are, do the following;
Go to;
Start>>Run and type regedit
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Defragmentation Management Handler (FAT Defragmentation)
If Defragmentation Management Handler (FAT Defragmentation) exists , right click on it and choose delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Defragmentation Management Handler (FAT Defragmentation)
If LEGACY_Defragmentation Management Handler (FAT Defragmentation) exists then right click on it and choose delete from the menu.
Repeat for these;
Net Functions Library (Netlib)
MS Dns Service (WinNet)
Windows Time Sync (wservtime)
==
Reboot and post another log please.