scientistsahai Posted December 19, 2005
Hi, While my PC was online, which it generally is (due to Google Folding!), my computer just got a new problem. There are popup windows/webpages that link to advertising websites and adware. They also removed the installed Google Toolbar. Now whenever I open a new page I am redirected to another page, and this happens even while a site is open. I have tried the 'scanspyware', 'Spybot S&D', 'Hijackthis' and 'Ad-Aware' tools but it doesn't help!! Can anyone help me with this asap?
insane_alien Posted December 19, 2005
mm I had this happen a few years ago. I ended up resetting my comp to factory settings. Apparently it is a virus that causes it.
Dak Posted December 19, 2005
If you post the HijackThis log up, it should be possible to figure out what virus you have.
scientistsahai (Author) Posted December 21, 2005
Please check the log file of HJT. Tell me what should be done!!
_________________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 12:40:48 PM, on 12/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\Explorer.EXE
E:\WINNT\system32\rundll32.exe
E:\Program Files\GoogleDCC\GoogleDCC.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Sify Broadband\BBImpSec.exe
E:\Program Files\WordWeb\wweb32.exe
E:\Program Files\Folding@Home\winfah.exe
E:\Program Files\GoogleDCC\GoogleFah\GoogleFah.exe
E:\Program Files\Sify Broadband\BBClient.exe
E:\Program Files\GoogleDCC\GoogleFah\GoogleFahCore_65.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Folding@Home\FahCore_65.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=scientist
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=scientist
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [] E:\WINNT\system32\myproxy.exe
O4 - HKCU\..\Run: [GoogleDCClient] E:\Program Files\GoogleDCC\GoogleDCC.exe -startup
O4 - HKCU\..\Run: [spySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [sifyBB] E:\Program Files\Sify Broadband\BBImpSec.exe
O4 - Startup: WordWeb.lnk = E:\Program Files\WordWeb\wweb32.exe
O4 - Startup: Folding@Home 5.03.lnk = E:\Program Files\Folding@Home\winfah.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://E:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://E:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Flash (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
Dak Posted December 21, 2005
I have a feeling that you might have look2me, but I can't tell from the old HijackThis log... Download the latest version of HJT from here (scroll down and click the button with a flashing green light next to it), extract it, and whack up a new log from HJT v1.99.1 please. Also, do any of your anti-spyware programs detect anything? If so, what do they say you're infected with?
Daecon Posted December 21, 2005
Every so often this computer has pop-ups (in an Internet Explorer window) about casinos and such titled "Cassava". I know this is adware because I use Firefox on this computer, not IE. Is there a way of knowing which tasks you can safely 'end process' in the Task Manager control dialogue box when pressing CTRL+ALT+DEL?
scientistsahai (Author) Posted December 21, 2005
Thanks Dak! Here are the log files of Hijackthis and Scanspyware. One more thing that I noticed is that even when I am offline the new ad pages keep on popping up!! Can you please help?

Logfile of HijackThis v1.99.1
Scan saved at 9:14:54 PM, on 12/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\Explorer.EXE
E:\WINNT\system32\rundll32.exe
E:\Program Files\GoogleDCC\GoogleDCC.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Sify Broadband\BBImpSec.exe
E:\Program Files\WordWeb\wweb32.exe
E:\Program Files\Folding@Home\winfah.exe
E:\Program Files\GoogleDCC\GoogleFah\GoogleFah.exe
E:\Program Files\GoogleDCC\GoogleFah\GoogleFahCore_65.exe
E:\Program Files\Folding@Home\FahCore_65.exe
E:\Program Files\Sify Broadband\BBClient.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\abhinav1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=scientist
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=scientist
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [] E:\WINNT\system32\myproxy.exe
O4 - HKCU\..\Run: [GoogleDCClient] E:\Program Files\GoogleDCC\GoogleDCC.exe -startup
O4 - HKCU\..\Run: [spySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [sifyBB] E:\Program Files\Sify Broadband\BBImpSec.exe
O4 - Startup: WordWeb.lnk = E:\Program Files\WordWeb\wweb32.exe
O4 - Startup: Folding@Home 5.03.lnk = E:\Program Files\Folding@Home\winfah.exe
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://E:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://E:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://E:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://E:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - E:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - E:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Network Associates, Inc. - E:\WINNT\myCIO\VScan\McShield.exe
O23 - Service: McAfee Agent (myAgtSvc) - Network Associates, Inc. - E:\WINNT\myCIO\Agent\myAgtSvc.Exe
O23 - Service: Workstation NetLogon Service (O?’ŽrtñåȲ$Ó) - Unknown owner - E:\WINNT\devnez.dat.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - E:\WINNT\SYSTEM32\slserv.exe

Application Information
=======================
Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests07-27-05.db
Updated Database: ssdb120205.db
Current Date: Wednesday, December 21, 2005 09:21:04 PM
__________________________________________________
Directories recognized:
=======================
[WindUpdates] E:\Program Files\DeskAd Service
__________________________________________________
Files recognized:
=================
[7AdPower] E:\WINNT\system32\objsafe.tlb
[Alexa] E:\WINNT\web\related.htm
[bargain Buddy] E:\WINNT\system32\basexinfo.txt
[MediaMotor] E:\WINNT\system32\objsafe.tlb
[YourSitebar] E:\WINNT\downloaded program files\YSBactivex.inf
__________________________________________________
Registry keys recognized:
=========================
[instant Access] HKEY_CURRENT_USER\Software\livesvc
__________________________________________________
Registry values recognized:
===========================
__________________________________________________
Cookies recognized:
===================
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@20050428[2].txt
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@adrevolver[2].txt
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@adrevolver[2].txt
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@adrevolver[3].txt
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@adrevolver[3].txt
[Tracking Cookies] e:\documents and settings\abhinav1\cookies\abhinav@ad01.adonspot[2].txt
__________________________________________________
Dak Posted December 21, 2005
O23 - Service: Workstation NetLogon Service (O?’ŽrtñåȲ$Ó) - Unknown owner - E:\WINNT\devnez.dat.exe (file missing)
That looks like a variant of CWS.A:B, but I don't see any of the other entries that should be associated with it... Before I look through your log properly, could you tell me whether the HJT scan was made in safe mode or normal mode? Also, is your account an administrator account or a limited user account? Hmm... also, when IE loads up, is the phrase 'about:blank' present anywhere, like in the address bar or the blue bar right up the top of the IE window? By the way, if this is CWS.A:B, then poking at it will cause it to reinstall and sometimes delete system files, so I'd suggest leaving the service alone for now.
scientistsahai (Author) Posted December 21, 2005
The scan was run in normal mode. I have a power user account. No, 'about blank' is never there. I have also tried the MS Malicious Tools remover, and it didn't detect any trojan/virus.
Dak Posted December 21, 2005
Could you go to http://virusscan.jotti.org/ and upload the file E:\WINNT\system32\myproxy.exe and copy/paste the results of the Jotti scan into this thread please. Can you also confirm that you recognise either 'Sify Broadband' and/or 'Value Added Network service provider in India' as your internet service provider?
scientistsahai (Author) Posted December 22, 2005
Could you go to http://virusscan.jotti.org/ and upload the file E:\WINNT\system32\myproxy.exe and copy/paste the results of the jottiscan into this thread please.
I cannot find any file as above in my system.
Can you also confirm that you recognise either 'Sify Broadband' and/or 'Value Added Network service provider in India' as your internet service provider?
Yes, Sify Broadband is my ISP. What do I do next? Any other file that I may upload to virusscan....??
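Reading an HJT log by hand, as Dak does in this thread, comes down to a few checks per section: an O4 autorun entry with no name, any host in the O15 Trusted Zone, O17 name servers that are not the ISP's, and an O23 service with a garbled name, no vendor or a missing binary. The Python below is an added example (not a tool anyone in this thread used) that applies those checks to entries copied from the log above; the home-page allowlist is constructed, and the ISP resolver set is assumed from the O17 lines and would have to be confirmed with Sify.

```python
import re

# Entries copied from the HijackThis log posted above (process list and scan
# headers omitted); the garbled O23 service name is reproduced as-is.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=scientist
O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [] E:\WINNT\system32\myproxy.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{14CA75C9-36F6-4917-A442-6E2AA9493554}: NameServer = 202.144.50.4,202.144.13.50
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - E:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Workstation NetLogon Service (O?’ŽrtñåȲ$Ó) - Unknown owner - E:\WINNT\devnez.dat.exe (file missing)
"""

KNOWN_HOMEPAGES = {"www.google.com", "about:blank"}     # constructed: pages the user chose
ISP_NAMESERVERS = {"202.144.50.4", "202.144.13.50"}      # assumed: the ISP's published resolvers
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
SERVICE_RE = re.compile(r"Service: (.*?) \((.*?)\) - (.*?) - (.*)$")


def parse_entries(log):
    # Keep only "Rx - ..." / "Oxx - ..." lines as (section code, body) pairs.
    return [m.groups() for m in map(ENTRY_RE.match, map(str.strip, log.splitlines())) if m]


def triage(log, isp_nameservers=ISP_NAMESERVERS):
    # The checks a log reader applies by hand, as (severity, section, reason) tuples.
    findings = []
    for code, body in parse_entries(log):
        if code == "R0" and "Start Page" in body:
            host = re.sub(r"^https?://", "", body.split("=", 1)[1].strip()).split("/")[0]
            if host not in KNOWN_HOMEPAGES:
                findings.append(("review", code, "start page points at " + host))
        elif code == "O4":
            m = re.search(r"\[(.*?)\] (.*)$", body)
            if m and not m.group(1):  # nameless autorun: a common hijacker hiding spot
                findings.append(("high", code, "unnamed autorun: " + m.group(2)))
        elif code == "O15":  # Trusted-zone sites run with IE's prompts relaxed
            findings.append(("high", code, "trusted zone: " + body.split(":", 1)[1].strip()))
        elif code == "O17":
            bad = sorted(set(body.split("=", 1)[1].replace(" ", "").split(",")) - isp_nameservers)
            if bad:
                findings.append(("high", code, "DNS not from ISP: " + ",".join(bad)))
        elif code == "O23" and (m := SERVICE_RE.search(body)):
            short, owner, path = m.group(2), m.group(3), m.group(4)
            reasons = []
            if not re.fullmatch(r"[A-Za-z0-9_ .-]+", short):
                reasons.append("garbled service name")
            if owner.strip() in ("", "Unknown owner"):
                reasons.append("no vendor")
            if "(file missing)" in path:
                reasons.append("binary missing")
            if reasons:
                findings.append(("high", code, short + ": " + ", ".join(reasons)))
    return findings
```

Run against the sample it flags the logogle start page, the nameless myproxy.exe autorun, the crazywinnings Trusted Zone entry and the devnez.dat.exe service, while the AntiVir service and the ISP's own name servers pass.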
Dak Posted December 23, 2005
'Cos CWS.A:B is a bitch to remove when it's properly dug in, I'd suggest doing the following to ensure that it's completely removed from your computer (Don't worry, there's not nearly as much here as there looks like there is):

Could you extract HJT from its zipped file and into a permanent folder please. Also, show hidden files/folders by doing this:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Step#1: Download CWShredder. Do Not Use Yet
1. Please Download the most recent version of CWShredder, from CWSInstall.exe
2. Check for Updates but please Do NOT use it yet

Step#2: Download About Buster. Do Not Use Yet
1. Please download About:Buster from here: http://www.malwarebytes.biz/AboutBuster5.zip.
2. Once it is downloaded extract it to c:\aboutbuster.
3. Check to make sure it is up-to-date. Please Do NOT use it yet

Step#3: Download Ewido Security Suite. Do Not Use Yet
Download and install Ewido security suite. Right Click on the “E” icon in your taskbar and open Ewido Security Suite, then click “update” to get the most recent definitions for it to use. When it prompts you to update, click the OK button. Download the updates and when they are finished installing, close the window. Please Do Not Use It Yet

Step#4: Download A Registry File to Remove Registry Entries. Do Not Use Yet
Please download the following zip file to your desktop: HSfix
Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix. Do Not Use It Yet

Step#5: Remove bad service
Run HijackThis, and click on the 'open misc tools section' button. Click 'delete an NT service'. Copy/paste the following into the box:
Workstation NetLogon Service
And then click OK.

Step#6: Reboot into safe mode
Reboot your computer. As it is loading up, continually poke the F8 button. This should bring up a menu; use the keyboard arrows to select 'safe mode', and press enter.

Step#6.5: The bit that I nearly forgot.
Delete the following file, if it is present: E:\WINNT\devnez.dat.exe
Then run HijackThis and put a check-mark next to the following entry:
O23 - Service: Workstation NetLogon Service (O?’ŽrtñåȲ$Ó) - Unknown owner - E:\WINNT\devnez.dat.exe (file missing)
Then, with all other windows shut, click on 'fix checked'.

Step#7: Use the HSfix.reg file
Navigate to the HSfix folder on your Desktop. Then double-click on the HSfix.reg file, and when it prompts to merge say yes; this will clear some registry entries left behind by the process. If you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it.

Step#8: Fixing With CWShredder
CLOSE ALL WINDOWS except CWShredder. Run the program by clicking 'fix' and letting it fix all CWS remnants.

Step#9: Fixing With About Buster
This is the step where we will use About:Buster that you had downloaded previously. Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool opens press the OK button, then the Start button, then the OK button, then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Step#10: Scan With Ewido Security Suite
Launch Ewido again. Click on Scanner > Complete System Scan. Let the program scan your PC. When the scan asks to clean files click OK. When the scan is completed, click Save report to your desktop. Post the report in your next reply.

Step#11: Reboot your computer back to normal mode

Step#12: Scan and Post a New HJT log with other logs
Scan again with HijackThis. Post your logs from HijackThis, About Buster, and Ewido Security Suite here in this thread with any questions or problems that you have run into.

In addition, could you try doing this again: go to http://virusscan.jotti.org/ and upload the file E:\WINNT\system32\myproxy.exe and copy/paste the results of the Jotti scan into this thread please. It should work now that 'show hidden files' is switched on.