Jump to content


Photo

Something making popups after spyware removed


  • Please log in to reply
4 replies to this topic

#1 jashh

jashh

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 30 June 2004 - 10:11 AM

I am trying to fix a computer that I don't have in front of me. Original problem was a Searchwww page as home page. I had the person who I am trying to help run AdAware and S.bot Search and Destroy. It removed this and a slew of other spy programs, but now all of a sudden popups are coming up randomly.

Looking at their HijackThis log, I see a "Clock Open" that I am sure is maleware...and something called "byte bore"? Just curious if these 2 items and/or anything else is bad. Thanks.

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:32:48 AM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\System32\hpstatus.exe
C:\WINNT\System32\hpnra.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\phone eggs delete\vc bows.exe
C:\WINNT\System32\WScript.exe
C:\WINNT\System32\HPBSPSVR.EXE
C:\WINNT\System32\HPBJDSNT.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Craig\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Clock Open - {A8987A59-AD6E-4FE5-0D4D-D365717890AE} - C:\PROGRA~1\1camp\byte bore.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [trust free] C:\PROGRA~1\phone eggs delete\vc bows.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3ECF916F-A5DE-4DD4-A142-B35A29DC2EDB} - http://www.dinerotic...,1,0/cabdll.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8099.3696759259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{368D8E04-3716-455D-AA87-3BC86E67B0C2}: NameServer = 192.168.3.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{C396622D-B1E4-4A71-AE7A-26141646C3F5}: NameServer = 192.168.3.199
O17 - HKLM\System\CS1\Services\Tcpip\..\{368D8E04-3716-455D-AA87-3BC86E67B0C2}: NameServer = 192.168.3.199
O17 - HKLM\System\CS2\Services\Tcpip\..\{368D8E04-3716-455D-AA87-3BC86E67B0C2}: NameServer = 192.168.3.199

#2 jashh

jashh

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 30 June 2004 - 02:20 PM

*bumpers* :)

#3 jashh

jashh

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 01 July 2004 - 08:35 AM

*bump*

#4 Rootkit

Rootkit

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 01 July 2004 - 09:19 AM

Hi,jashh

There is a new Ver, of HJT you should download it & run new scan

http://www.spywarein.../hijackthis.zip

Gday :bounce:

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 01 July 2004 - 09:28 AM

Hi,
Posted Image Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O3 - Toolbar: Clock Open - {A8987A59-AD6E-4FE5-0D4D-D365717890AE} - C:\PROGRA~1\1camp\byte bore.dll
O4 - HKLM\..\Run: [trust free] C:\PROGRA~1\phone eggs delete\vc bows.exe
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O16 - DPF: {3ECF916F-A5DE-4DD4-A142-B35A29DC2EDB} - http://www.dinerotic...,1,0/cabdll.cab


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\PROGRAM FILES\phone eggs delete <--this folder
C:\PROGRAM FILES\1camp <--this folder

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button. Under "Log-file detail", select all options.

Click the "Tweaks" button. Under "Scanning Engine", select the following:
1) "Include additional Ad-aware settings in logfile"
2) "Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on Proceed to save these Preferences.
Note: make sure that you activate IN-DEPTH scanning before you proceed.

After the above ... update HijackThis

Download Posted Image HijackThis! 1.98

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button