Uncontrollable Popups And Ad-ware Cannot Be Installed


This topic is locked
5 replies to this topic

#1 Qoo (New Member, 2 posts)

Posted 23 June 2007 - 11:05 AM

Hi, thanks for your help in advance.

I've been having problems with uncontrollable popups like "55 problems detect, visit www.regfix.com" windows popping up every 2-5 minutes. Also, I notice Ad-ware was removed (disabled) on my computer and when I downloaded the new version and tried installing it, an error comes up. I've downloaded from several different sites and the same problem comes up. I think something is blocking the install processes.

Please take a look at the following HJT log and provide advice...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\Rar$EX71.297\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.dotphoto....ageUploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows InstallService (Removable Storage) - Unknown owner - C:\WINDOWS\System32\serveter.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

Thanks,

Qoo
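The two lines a reviewer would single out in the log above are the BHO loaded from C:\WINDOWS\fonts\ and the "Unknown owner" service with a Windows-sounding name. As an added example (not code from the thread or from HijackThis), here is a small parser for HijackThis O2 and O23 lines with those two heuristics encoded; the sample lines are constructed from the format of the log above, and the thresholds are my own assumptions.

```python
import re

# Constructed sample in HijackThis line format, modelled on the log in post #1 (not a
# live capture): two BHOs, a vendor-signed service, and two "Unknown owner" services.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Windows InstallService (Removable Storage) - Unknown owner - C:\WINDOWS\System32\serveter.exe
"""

# Directories that legitimately hold no loadable code; a DLL here is a red flag (assumption).
CODE_FREE_DIRS = ("\\fonts\\", "\\temp\\", "\\tmp\\")

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

def parse_hjt_line(line):
    """Parse one O2 (BHO) or O23 (service) line into a dict; None for other lines."""
    line = line.strip()
    m = RE_O2.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]}
    m = RE_O23.match(line)
    if m:
        return {"type": "O23", "name": m["name"], "owner": m["owner"], "path": m["path"]}
    return None

def review_entry(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    path = entry["path"].lower()
    if entry["type"] == "O2" and any(d in path for d in CODE_FREE_DIRS):
        reasons.append("browser helper DLL loaded from a directory that should hold no code")
    if entry["type"] == "O23":
        no_vendor = entry["owner"].lower() == "unknown owner"
        windows_like = entry["name"].lower().startswith(("windows ", "microsoft "))
        if no_vendor and windows_like:  # "Unknown owner" alone is too weak (see Adobe LM Service)
            reasons.append("service has no vendor string but a Windows-like display name")
    return reasons

def suspicious_entries(log_text):
    """All parsed entries that produced at least one reason, with the reasons attached."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and (reasons := review_entry(entry)):
            findings.append({**entry, "reasons": reasons})
    return findings
```

Run over the sample it reports exactly font.dll and serveter.exe; the Adobe service, which also has no vendor string, is left alone because its name does not imitate a Windows component.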



#2 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 23 June 2007 - 04:34 PM

Hello and welcome to the forums

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom

 


#3 Qoo (New Member, 2 posts)

Posted 26 June 2007 - 12:11 PM

Thanks for the reply. I had problems running the ComboFix program and after 4 tries, I finally got the log.

((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-24 17:05 1,089,529 --a------ C:\Temp\ComboFix.exe
2007-06-24 03:03 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 17:17 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.57
2007-06-21 00:03 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-21 00:00 <DIR> d-------- C:\DOCUME~1\Ron\APPLIC~1\HouseCall 6.6
2007-06-20 23:48 <DIR> d-------- C:\DOCUME~1\Ron\.housecall6.6
2007-06-20 19:39 18,149,584 --a------ C:\Temp\aaw2007.exe
2007-06-09 11:30 18,944 --a------ C:\WINDOWS\system32\WMIApiSrv.dll
2007-06-09 11:28 25,981 ---hs---- C:\WINDOWS\system32\serveter.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 17:14:15 -------- d-----w C:\DOCUME~1\Ron\APPLIC~1\AdobeUM
2007-06-21 14:38:41 -------- d-----w C:\Program Files\Key
2007-06-21 05:07:41 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-06 09:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{C97EAD04-D1D3-4580-BDAC-EB13B6CB176E}=C:\WINDOWS\fonts\font.dll [2004-10-01 10:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 22:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-25 20:50]
"nwiz"="nwiz.exe" [2004-10-29 14:50 C:\WINDOWS\system32\nwiz.exe]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-10-31 00:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 05:00]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2005-11-12 20:23]

*Newly Created Service* - CELINDRV

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 18:46:10
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\huadio1]
"ImagePath"="\??\c:\huadio.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mapmem1]
"ImagePath"="\??\c:\mapmem.tmp"

Completion time: 2007-06-25 18:47:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-25 18:47

--- E O F ---


Thanks for your help and please let me know what I need to do next.

#4 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 26 June 2007 - 12:35 PM

The reason combofix didn't run correctly is it looks like you downloaded it to a Temp directory instead of your desktop:

2007-06-24 17:05 1,089,529 --a------ C:\Temp\ComboFix.exe

Delete these Files if listed:
C:\Temp\aaw2007.exe
C:\WINDOWS\system32\serveter.exe

Delete this Folder if listed:
C:\Temp <--Unless you created this folder.


Next:

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: * files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\huadio1]

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mapmem1]




Save this as fix.reg. Choose to save as *all files and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
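Post #3's ComboFix report and the fix in this post go together: the file marked `---hs----` (hidden + system) in system32 and the two service keys whose ImagePath points at a `.tmp` file in the root of C: are what the REGEDIT4 file above deletes. As an added example (not the thread's or ComboFix's own code), here is a parser that pulls both kinds of entry out of a ComboFix-style report and builds the same form of REGEDIT4 deletion file; the sample report is constructed from the lines quoted in post #3, and the "system32 + hidden + system" and ".tmp ImagePath" rules are my own assumptions, not ComboFix's.

```python
import re

# Constructed excerpt in ComboFix's report format, modelled on the log in post #3
# (not a live capture): one normal DLL, one hidden+system executable, two service keys.
SAMPLE_COMBOFIX = r"""
2007-06-09 11:30 18,944 --a------ C:\WINDOWS\system32\WMIApiSrv.dll
2007-06-09 11:28 25,981 ---hs---- C:\WINDOWS\system32\serveter.exe

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\huadio1]
"ImagePath"="\??\c:\huadio.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mapmem1]
"ImagePath"="\??\c:\mapmem.tmp"
"""

# file line: date time size-or-<DIR> nine-character attribute string path
RE_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
RE_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\[^\]]+)\]$", re.I)
RE_IMAGE = re.compile(r'^"ImagePath"="(.+)"$', re.I)

def hidden_system_executables(log_text):
    """Paths under system32 whose attribute string carries both h (hidden) and s (system)."""
    hits = []
    for line in log_text.splitlines():
        m = RE_FILE.match(line.strip())
        if m and "h" in m.group(1) and "s" in m.group(1) and "\\system32\\" in m.group(2).lower():
            hits.append(m.group(2))
    return hits

def tmp_image_services(log_text):
    """Service keys whose ImagePath, once the \\??\\ NT prefix is stripped, is a .tmp file."""
    keys, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if k := RE_KEY.match(line):
            current = k.group(1)          # remember the key until its ImagePath value arrives
        elif (v := RE_IMAGE.match(line)) and current:
            image = re.sub(r"^\\\?\?\\", "", v.group(1))   # drop the \??\ prefix
            if image.lower().endswith(".tmp"):
                keys.append(current)
            current = None
    return keys

def reg_delete_script(keys):
    """REGEDIT4 text that deletes each key: a leading '-' inside the brackets, CRLF line ends."""
    lines = ["REGEDIT4", ""]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return "\r\n".join(lines) + "\r\n"
```

REGEDIT4 files are expected to have CRLF line endings and a trailing blank line, which is why the script builder emits them explicitly rather than using plain "\n".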



#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 29 June 2007 - 06:36 AM

You still needing help?



#6 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 30 June 2007 - 05:23 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
