
Hard To Remove Winfixer: Kindly Help


29 replies to this topic

#16 ankur

Posted 03 August 2007 - 11:15 AM

Hi Rigacci..

Unfortunately I have already uninstalled that ISM thing.

If it shows up again, can I have a copy of it before you delete it again? Hope it doesn't :wavey: come back.

As for now there is no popup or anything, but I think if I visit that site (that I mentioned earlier) the things will again show up after browsing a few minutes (that doesn't happen on my other computer though). Other than that, the long booting (about 4 min) and the slightly long time taken while loading programs, these two problems are still there.



#17 ankur

Posted 03 August 2007 - 11:52 AM

As earlier, there are no pop-ups or anything, but I think if I go to that site I mentioned earlier, that thing will again show up after browsing a few minutes. Other than that, the booting is slow (about 4 min) and the programs load slower, and the system gets a little slow even if two everyday-used programs are running (like Yahoo Messenger and a music player).

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:00 PM, on 08/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [LVCOMS] "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://unmcnotes02.unmc.edu/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DD1C44-DA41-49CD-A4C3-7E0C9C2E5A8F}: NameServer = 68.13.16.30,68.13.16.25
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - C:\Program Files\Invitrogen\Vector NTI Advance 9\Ncbi.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Many thanks for your help!!!
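
As an added example (not from the thread and not part of HijackThis itself), a small Python triage script for the log format posted above: it splits out the Rx/Oxx entries, flags "(file missing)" orphans that are safe to fix, pulls the O17 NameServer addresses so the owner can check them against the ISP, and lists the hosts that O16 ActiveX controls were downloaded from. The sample lines are copied from the log above; the function names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed excerpt in HijackThis v1.99.1 format: one or two representative
# lines per section, copied from the log posted in the thread.
HJT_SAMPLE = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DD1C44-DA41-49CD-A4C3-7E0C9C2E5A8F}: NameServer = 68.13.16.30,68.13.16.25
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# "R1 - ...", "O4 - ..." etc. The header and the "Running processes" block
# use a different layout and are skipped on purpose.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Return one {'section', 'body'} dict per Rx/Oxx line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def file_missing(entries):
    """Entries whose target no longer exists on disk: orphaned registry
    references (typically leftovers of an uninstall) that are safe to fix."""
    return [e for e in entries if e["body"].endswith("(file missing)")]


def dns_servers(entries):
    """NameServer addresses from O17 lines. A DNS hijack shows up here, so
    every address should be one the ISP or the home router actually uses."""
    ips = []
    for e in entries:
        if e["section"] == "O17" and "NameServer =" in e["body"]:
            ips.extend(IPV4_RE.findall(e["body"].split("NameServer =", 1)[1]))
    return ips


def dpf_hosts(entries):
    """Hosts that ActiveX controls (O16 DPF) were installed from; each one
    should be recognisable, e.g. an online scanner the user deliberately ran."""
    hosts = []
    for e in entries:
        if e["section"] == "O16":
            url = e["body"].rsplit(" - ", 1)[-1]
            hosts.append(urlparse(url).hostname)
    return hosts


def section_counts(entries):
    """How many entries each section contributes, for a quick overview."""
    return Counter(e["section"] for e in entries)


if __name__ == "__main__":
    ents = parse_hjt(HJT_SAMPLE)
    print(dict(section_counts(ents)))
    print("orphans:", [e["body"][:48] for e in file_missing(ents)])
    print("DNS servers:", dns_servers(ents))
    print("ActiveX download hosts:", dpf_hosts(ents))
```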

#18 rigacci

Posted 05 August 2007 - 04:55 AM

It looks like you might have managed to clean everything but I'd like to search a bit deeper. <_<

Next, please download F-Secure Blacklight from HERE.
  • Click I ACCEPT and download the graphical user interface version to your Desktop.
  • Double click the file to run it, choose I accept the agreement then press Scan.
  • It will create the fsbl-xxxxxxx.log on your desktop.
  • The log will have a list of all items found.
Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.

Exit Blacklight and post the contents of the log in your next reply.

Thanks.

B)

#19 ankur

Posted 05 August 2007 - 06:55 PM

Hi Rigacci, I will send the F-Secure log in the next post. This post is to inform you that while surfing that site I got that ISM thing auto-installed in my system today again (this time on the other PC), and this time I have sent the entire ISM folder as a zip file to the e-mail ID you gave earlier.

#20 rigacci

Posted 06 August 2007 - 05:33 AM

That's good and bad news. :scratch:

For the time being, you should download HostsXpert 4.0

http://www.funkytoad...ent/view/13/31/

run it and add this line

127.0.0.1 zredirector.com

This should stop the redirections and then we can continue to analyze the ISM module.

I'll let them know you sent the file up. :thumbup:

B)


PS: what was the site again please, that this happens with?

Edited by rigacci, 06 August 2007 - 05:37 AM.
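
An added example, not from the thread and not part of HostsXpert: a hosts-file line validator that shows why an entry written with a URL ("127.0.0.1 http://zredirector.com") would not take effect, since hosts entries take a bare hostname, and what the working form looks like. The function names are my own; the domain is the one named above.

```python
import ipaddress
import re

# Constructed comparison: the URL form versus the form the resolver understands.
AS_POSTED = "127.0.0.1 http://zredirector.com"
CORRECTED = "127.0.0.1 zredirector.com"

# RFC 952/1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for one hosts-file line, None for a blank or
    comment line, or raise ValueError if the line would not work."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    parts = text.split()
    if len(parts) < 2:
        raise ValueError(f"expected '<address> <hostname>...': {line!r}")
    try:
        ip = str(ipaddress.ip_address(parts[0]))
    except ValueError as exc:
        raise ValueError(f"bad address {parts[0]!r}") from exc
    names = []
    for name in parts[1:]:
        # A URL is the classic mistake: the hosts file maps bare names, so a
        # scheme, path or port makes the entry useless and nothing is blocked.
        if "://" in name or "/" in name or ":" in name:
            raise ValueError(f"{name!r} is a URL, not a hostname")
        labels = name.rstrip(".").split(".")
        if not all(LABEL_RE.match(label) for label in labels):
            raise ValueError(f"{name!r} is not a valid hostname")
        names.append(name.lower())
    return ip, names


def hosts_line_error(line):
    """None if the line is valid (or blank/comment), else why it fails."""
    try:
        parse_hosts_line(line)
    except ValueError as exc:
        return str(exc)
    return None


def is_sinkholed(hosts_text, hostname):
    """True if hosts_text maps hostname to a loopback or unspecified address,
    i.e. the redirector can no longer be resolved to its real server."""
    hostname = hostname.lower().rstrip(".")
    for line in hosts_text.splitlines():
        try:
            parsed = parse_hosts_line(line)
        except ValueError:
            continue  # a malformed line blocks nothing
        if parsed is None:
            continue
        ip, names = parsed
        addr = ipaddress.ip_address(ip)
        if hostname in names and (addr.is_loopback or addr.is_unspecified):
            return True
    return False


if __name__ == "__main__":
    for line in (AS_POSTED, CORRECTED):
        err = hosts_line_error(line)
        print(f"{line!r}: {'OK' if err is None else 'REJECTED: ' + err}")
        print("  blocks zredirector.com:", is_sinkholed(line, "zredirector.com"))
```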


#21 ankur

Posted 06 August 2007 - 08:08 AM

The site is: www.xboard.us/bbb. I talked in their forum and they say there is no bug in their webpages. What do you say?

#22 rigacci

Posted 06 August 2007 - 11:31 AM

No reflection on yourself, but I don't think anything good can come from that site. I realize there is a lot of neat stuff there but the risks are too great. In the less than 10 minutes I was looking around, I was approached to download Drivecleaner more than once. I now feel like I need to run a system cleaner. :rant2:

People who put links into their signature or post, especially on a site like that, can NEVER be trusted. Everything you click on is suspicious. What you need to do is to run a Virtual PC program that will allow you to take a snapshot of your OS before you go onto a site like that; then you can revert back to that snapshot after leaving, thereby staying safe. Otherwise you will most certainly be infected again.

As for them not thinking they have a problem: it may be true that they don't know anything about an infection, but it can also be true that they just don't know, period! Many boards are put up by persons with minimal talents and they may be unwittingly infected.

Don't forget the F-Secure Blacklight log. B)

Edited by rigacci, 06 August 2007 - 11:33 AM.


#23 ankur

Posted 06 August 2007 - 12:50 PM

Here is the F-Secure log:

08/06/07 13:03:08 [Info]: BlackLight Engine 1.0.64 initialized
08/06/07 13:03:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/07 13:03:11 [Note]: 7019 4
08/06/07 13:03:11 [Note]: 7005 0
08/06/07 13:03:31 [Note]: 7006 0
08/06/07 13:03:32 [Note]: 7011 436
08/06/07 13:03:32 [Note]: 7026 0
08/06/07 13:03:32 [Note]: 7026 0
08/06/07 13:03:40 [Note]: FSRAW library version 1.7.1022
08/06/07 13:46:29 [Note]: 7007 0

#24 rigacci

Posted 07 August 2007 - 04:28 AM

Great. Thanks very much.

They are analyzing the files you sent but in the meantime, it would be a good idea to scan again, at Panda.


Please go HERE for an online AV scan (requires IE to run).

If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity.

Scan "Local Disks" and when finished save the scan log and then post the log here.

To save the log first select the See Report button, then select the Save report button, and post that log back here, along with a new HijackThis log please.

Thanks for your perseverance.

B)

#25 ankur

Posted 11 August 2007 - 05:10 PM

I did the Panda ActiveScan and it says it got 2 viruses and 25 spyware items, but I can't save any log. The scan window that pops up is partially viewable and you can't maximize it. After the scan there is no button that says "See report" or "Save report". Something called "Disinfect now" is the only thing there, and after you click it you get a page to pay money. :(



#26 ankur

Posted 11 August 2007 - 09:08 PM

OK, I did the Panda scan again and this time could save the result:

Incident Status Location
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Simanta Pathak\Application Data\Mozilla\Firefox\Profiles\ub36el5j.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@atdmt[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@casalemedia[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@ehg.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@realmedia[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Simanta Pathak\Cookies\simanta pathak@zedo[2].txt
Virus:Trj/Downloader.MDW Not disinfected C:\RECYCLER\S-1-5-21-1191022879-1295308138-1990782366-1006\Dc70.tmp[BndDrive.dll]
Virus:Trj/Downloader.MDW Not disinfected C:\RECYCLER\S-1-5-21-1191022879-1295308138-1990782366-1006\Dc72.zip[5A.tmp][BndDrive.dll]

#27 rigacci

Posted 12 August 2007 - 10:27 AM

Great. :thumbup:

Everything looks good. Those last items that Panda found will be deleted when you perform the next step.

Please download ATF Cleaner by Atribune.
ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.


(If you use FireFox or Opera, in order to keep saved passwords, click No at the prompt.)


It's normal after running ATF cleaner that the PC will be slower to boot the first time.


Then you will want to create a new restore point.
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn OFF System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.


And finally, to help you avoid problems.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

B)

PS: I don't know how much memory you have but if it's less than 1GB, you can use more. That should make things run faster.

You can also go to PCPitstop and take the Full Test Suite. It will give you suggestions on making your machine run better.

#28 ankur

Posted 21 August 2007 - 08:48 AM

Hi Rigacci, thanks a lot for all the time you gave. I really appreciate it. By the way, did your tech guys analyze the files I had sent? Just curious.

#29 rigacci

Posted 23 August 2007 - 06:58 AM

Thanks for the compliments. I will ask them again what they found in those files. I'll send you an email about what they say as the post will be closed. Take care and stay clean. B)

#30 ankur

Posted 24 August 2007 - 02:10 PM

Thanks for the compliments.

I will ask them again what they found in those files. I'll send you an email about what they say as the post will be closed.

Take care and stay clean.

B)

OK thanks, I will wait for the mail. My guess is this is a relatively new spyware and none of the antispyware programs detect it yet.
