
Pop-up Problems


#1 sims2j (New Member)

Posted 16 April 2004 - 07:03 AM

Logfile of HijackThis v1.97.7
Scan saved at 7:49:48 AM, on 4/16/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
C:\WINNT\shrayobo.exe
C:\WINNT\Wast.exe
C:\RIMS6.0\Apps\Rims.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\SysAI\SysAI.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.mod....com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab


#2 Daemon (Retired Staff-Malware Expert)

Posted 16 April 2004 - 10:41 AM

Could you go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.

#3 sims2j (New Member)

Posted 19 April 2004 - 09:27 AM

Daemon,

I have followed your directions to the letter regarding the Ad-Aware program. Here are the results of the new HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 10:23:41 AM, on 4/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\MsiExec.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
C:\WINNT\shrayobo.exe
C:\WINNT\Wast.exe
C:\Program Files\SysAI\SysAI.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.mod....com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

#4 Daemon (Retired Staff-Malware Expert)

Posted 19 April 2004 - 11:09 AM

OK, well we've got some manual stuff to do still. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {8AEC07E9-7DD9-40C5-9EAA-DA08F090292E} - C:\WINNT\ruljeop.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [SNPZVCNXF] C:\WINNT\SNPZVCNXF.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Wast] C:\WINNT\Wast
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINNT\ARUpdate.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

C:\WINNT\SNPZVCNXF.exe
C:\WINNT\shrayobo.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\Wast
C:\WINNT\ARUpdate.exe

Reboot back into normal mode, rescan with HJT and post a new log here for a final check over.
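Added example, not part of the thread or of HijackThis itself: a small Python check in the spirit of the "rescan and post a new log for a final check" step. It parses the Rn/On entry lines of a HijackThis log, reports which fix-list entries survived into the new log (even when HJT has tagged them "(file missing)" because only the file, not the registry entry, was removed) and which entries are new since the previous log. The sample logs are constructed and abbreviated from the ones above; the "[xqzrtw]" Run entry is a made-up name standing in for a freshly dropped random-name loader.

```python
import re

# Rn/On entry lines, e.g. "O4 - HKLM\..\Run: [name] command"; everything else is header/process list.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Constructed "before" log, abbreviated from the thread's HijackThis v1.97.7 output.
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\shrayobo.exe
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
"""
FIX_LIST = r"""O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O4 - HKLM\..\Run: [qybuuu] C:\WINNT\shrayobo.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
"""
# Constructed "after" log: AdRoar.dll was deleted but its BHO registration was never
# fixed in HJT, and a made-up randomly named Run entry ([xqzrtw]) has appeared.
NEW_LOG = r"""Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - c:\winnt\adroar.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [xqzrtw] C:\WINNT\xqzrtw.exe
"""

def parse_hjt(log_text):
    """(section, body) for every Rn/On entry; headers and the process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def normalize(body):
    # Windows paths and registry names are case-insensitive, and HJT appends
    # "(file missing)" once the target file is gone; neither should hide a match.
    return re.sub(r"\s*\(file missing\)$", "", body.strip()).lower()

def still_present(fix_list, new_log):
    """Fix-list entries that survived into the new log (the fix did not take)."""
    wanted = {normalize(b) for _, b in parse_hjt(fix_list)}
    return [f"{s} - {b}" for s, b in parse_hjt(new_log) if normalize(b) in wanted]

def newly_added(old_log, new_log):
    """Entries in the new log that were absent from the old one (possible reinfection)."""
    before = {normalize(b) for _, b in parse_hjt(old_log)}
    return [f"{s} - {b}" for s, b in parse_hjt(new_log) if normalize(b) not in before]
```

Running the two checks on a real pair of logs gives the reviewer the same answer Daemon gives by eye: nothing in still_present and nothing suspicious in newly_added means a clean log.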

#5 sims2j (New Member)

Posted 20 April 2004 - 07:23 AM

Daemon,

Followed your directions with some exceptions. I scanned again w/HijackThis, then selected & deleted all the files you mentioned. However, I could not log on in the safe mode so I brought my computer up in normal mode, scanned again using HijackThis and saw that all of the files I deleted after the previous scan did not return. I then went to my C: drive and found/deleted 3/5 files you mentioned. Could not find the SNPZVCNXF.exe file and the AutoUpdate.exe files. Below is my latest scan after deleting the files on the C: drive.

Logfile of HijackThis v1.97.7
Scan saved at 8:17:47 AM, on 4/20/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\starter.exe
X:\My Stuff\Tech Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://terminus.mod....com/tc4/dhtml/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 192.207.163.171 intranet
O1 - Hosts: 192.207.163.171 intranet.scott.disa.mil
O1 - Hosts: 192.207.163.171 intranet.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.scott.disa.mil
O1 - Hosts: 192.207.163.172 www.ditco.disa.mil
O1 - Hosts: 192.207.163.172 www.acquireit.disa.mil
O1 - Hosts: 209.22.65.2 ims-ditco-nch-server
O1 - Hosts: 209.22.65.19 idmrm-test-nch-server
O1 - Hosts: 209.22.91.104 panback
O1 - Hosts: 209.22.91.102 panavue5
O1 - Hosts: 209.22.91.116 spx1
O1 - Hosts: 209.22.91.112 spx2
O1 - Hosts: 209.22.91.116 vcx2
O1 - Hosts: 209.22.91.112 vcx1
O1 - Hosts: 209.22.91.82 conbtms.jdcs.scott.disa.mil
O1 - Hosts: 164.117.145.51 tmsiso.ncr.disa.mil
O1 - Hosts: 209.22.91.100 panmain
O1 - Hosts: 214.4.143.117 tmscol.csd.disa.mil tmscol
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - u:\adobe\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\local\tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll

#6 Daemon (Retired Staff-Malware Expert)

Posted 20 April 2004 - 01:36 PM

Well you nailed them anyway, that's a clean log - well done :D How is it running now?

#7 sims2j (New Member)

Posted 21 April 2004 - 08:04 AM

Daemon, Thank you, thank you, thank you for your help. No more pop-ups. Computer is running great.

#8 Daemon (Retired Staff-Malware Expert)

Posted 21 April 2004 - 01:13 PM

You're welcome - glad to help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)

The subject of the email must be "Reopen". Include your post username and details about why you need it reopened, with a valid link to your post.
