Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Charity Needs Help To Clear 680180 Popups

Started by helpcharity , Aug 14 2004 02:44 AM

  • This topic is locked This topic is locked
5 replies to this topic

#1 helpcharity

helpcharity

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 14 August 2004 - 02:44 AM

:o please can anyone help, one of the PC's of the charity I work for has got the 680180.net pop-up problem.

I don't know much about IT but from looking at other people's postings you need this log below.


Logfile of HijackThis v1.98.2
Scan saved at 19:14:29, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com...DT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {7DAE2C2C-29E1-47E0-AE8F-93234AC907B1} - C:\WINDOWS\System32\opgwx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NastySex] C:\WINDOWS\NastySex.exe -n
O4 - HKLM\..\Run: [opgwxc] C:\WINDOWS\System32\opgwxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Continuity Client Startup.exe
O4 - Global Startup: E2EAgent.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    Advertisements

Register to Remove

#2 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 14 August 2004 - 07:27 AM

Greetings and welcome to TomCoyote.com!

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Fix these items with Hijack This!:

O2 - BHO: SDWin32 Class - {7DAE2C2C-29E1-47E0-AE8F-93234AC907B1} - C:\WINDOWS\System32\opgwx.dll

O4 - HKLM\..\Run: [NastySex] C:\WINDOWS\NastySex.exe -n

O4 - HKLM\..\Run: [opgwxc] C:\WINDOWS\System32\opgwxc.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Reboot in "safe" mode. Use the link in my signature to tell you how if necessary.

Find and delete:

C:\WINDOWS\NastySex.exe <--- file

C:\WINDOWS\System32\opgwx.dll <--- file

C:\WINDOWS\System32\opgwxc.exe <--- file

Some malware files may be "hidden". Use the link in my signature to explain how to show "hidden" files if necessary.

Reboot in normal mode and post a new log file. :)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 helpcharity

helpcharity

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 16 August 2004 - 04:32 AM

Thanks for helping us so far. This is the new log.


Logfile of HijackThis v1.98.2
Scan saved at 11:24:17, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\End2End\E2EAgent\E2EService.exe
C:\Program Files\End2End\E2EAgent\E2EAgent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Janet\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Continuity Client Startup.exe
O4 - Global Startup: E2EAgent.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

#4 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 16 August 2004 - 08:21 AM

There are 3 entries in the log I cannot find any info on:

c:\program files\end2end\e2eagent\e2eagent.exe
c:\program files\end2end\e2eagent\e2eservice.exe
continuity client startup.exe

If you know and trust those programs, then you're good to go.

I'll leave you with my list of things to consider to help prevent future infections.

If if you do not recognize those programs, let me know and we'll figure out how best to dispose of them.

M68 :)

P.S. Please let me know if those programs are "OK" so we can close this thread.

Items you may wish to consider to harden your defenses against future infections:

Read "How did I get infected in the first place?" here:

http://boards.cexx.o...topic.php?t=957

Download IE-Spyad here:

https://netfiles.uiu...ww/resource.htm

IE-Spyad puts over 4000 known malicious web sites into IE's "restricted zone" to help prevent you from getting infected.

Check your browser settings here:

http://browsercheck....s.com/index.php

A series of "tests" (and suggested fixes) to help tweak IE's settings to help prevent infections when surfing the web.

Follow safe Internet practices:

1. Keep your virus definitions up to date, and scan your system regularly.

2. Don't open email, or download attachments from unrecognized email addresses.

3. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW! Many virii, worms, and trojans infect a persons system then immeadiately spread themselves to the people in the infected persons addressbook via email attachments.

4. Be careful downloading files from the Internet. Scan all downloaded files with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE unzipping, and scan all unzipped files BEFORE USING THEM.

5. Keep your Windows and IE current with all the latest patches and updates.


Edited by Micah_6:8, 16 August 2004 - 08:27 AM.

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#5 helpcharity

helpcharity

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 17 August 2004 - 07:16 AM

Thanks for all that help... the three programmes you noticed are work related programmes so they're OK. I've started going throught the steps you highlighted to minimise future risk.... so touch wood, we'll be a bit more secure. Once again, your help has been very much appreciated. Take Care helpcharity www.haltoncab.org.uk

#6 nellie2

nellie2

    Slyware Huntress

  • Authentic Member
  • PipPipPipPipPip
  • 1,311 posts

Posted 28 August 2004 - 03:02 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
The problem with troubleshooting is that trouble shoots back.

Malware Complaints - Stand Up and Be Counted! ¦ Microsoft MVP - Windows Security ¦ ASAP member since 2004[/color]
Nellie2's Blog

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·