Popups, and Dialler installers popups..



#1 Exo (New Member, 2 posts)

Posted 11 July 2004 - 11:08 AM

Recently, a relative asked me to sort out her computer, as she had been getting lots and lots of popups. She got 7 when she just turned it on!


I used Spybot Search and Destroy to remove some of it; one couldn't be deleted ("VX2", I think). Spybot asked if it could run on startup; I said yes and restarted, but it didn't come up...

Then I tried Ad-Aware. Same thing: I think VX2 again couldn't be deleted, so Ad-Aware asked if it could run on startup. I said yes and restarted; same problem, it didn't run.

Then I tried loading Windows (XP) in safe mode and ran Spybot and Ad-Aware there; it got rid of everything, it said. So I thought it would be fine, but nope: popups still happen, and there are IE security warnings asking me if I want to install dialers now...

Help please?



Also there is a "GreatEggs" toolbar in IE, with search buttons, etc. It looks ominous.


HJT Log:

Logfile of HijackThis v1.98.0
Scan saved at 21:42:37, on 09/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fiona\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Greateggs - {DF43D254-162C-4058-6C6D-4DB65036D3BD} - C:\PROGRA~1\SETUPS~1\help about.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab



Spybot Log:

--- Search result list ---
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2731309904-2106517767-3757435101-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-06-16 Includes\Cookies.sbi
2004-06-16 Includes\Dialer.sbi
2004-06-17 Includes\Hijackers.sbi
2004-06-16 Includes\Keyloggers.sbi
2004-06-16 Includes\Malware.sbi
2004-06-16 Includes\Revision.sbi
2004-06-16 Includes\Security.sbi
2004-06-16 Includes\Spybots.sbi
2004-06-16 Includes\Trojans.sbi
2004-05-12 Includes\LSP.sbi
2004-06-16 Includes\Tracks.uti


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows XP / SP1: Windows XP Service Pack 1a
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB837001
/ Windows XP / SP2: Windows XP Hotfix - KB839643
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q819696


--- Startup entries list ---
Located: HK_LM:Run, Apoint
command: C:\Program Files\Apoint\Apoint.exe
file: C:\Program Files\Apoint\Apoint.exe
size: 114688
MD5: bdf718b5d64210a9fb54b4fb58931124

Located: HK_LM:Run, AtiPTA
command: Atiptaxx.exe
file: C:\WINDOWS\system32\Atiptaxx.exe
size: 217088
MD5: 97e4aac2061f0f03e8e850a004be211f

Located: HK_LM:Run, Lexmark X74-X75
command: "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
file: C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
size: 57344
MD5: a77b760979886af0be13d2ef5dc404bf

Located: HK_LM:Run, NAV Agent
command: C:\PROGRA~1\NORTON~1\navapw32.exe
file: C:\PROGRA~1\NORTON~1\navapw32.exe
size: 75384
MD5: 89edb06c1ea1a7f4a513ff1dbecbf73b

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1511453
MD5: c7c3bb611f4c7db5d732edd6aaf684bd

Located: HK_CU:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe
file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
size: 95344
MD5: 4d8b98507c15c217d749c8405ba39bd4

Located: Startup (common), CorrectConnect.lnk
command: C:\Program Files\CConnect\CConnect.exe
file: C:\Program Files\CConnect\CConnect.exe
size: 114814
MD5: 85e890498e0e5167861066ae3f5d84df



--- Browser helper object list ---


--- ActiveX list ---
Yahoo! Chat (Yahoo! Chat)
DPF name: Yahoo! Chat
CLSID name:

{31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player)
DPF name:
CLSID name: Cult3D ActiveX Player
Path: C:\WINDOWS\System32\Cult3D\
Long name: IECult.dll
Short name: IECULT.DLL
Date (created): 07/01/2004 16:00:06
Date (last access): 09/07/2004
Date (last write): 07/01/2004 16:00:06
Filesize: 1888256
Attributes: archive
MD5: 422FE2685963C2A83A8FF2139124FF9B
CRC32: 25DD48C0
Version: 0.5.0.3



--- Process list ---
Spybot - Search && Destroy process list report, 09/07/2004 21:51:18

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 476 (1480) C:\Program Files\Apoint\Apoint.exe
PID: 484 (1480) C:\WINDOWS\System32\Atiptaxx.exe
PID: 492 (1480) C:\PROGRA~1\NORTON~1\navapw32.exe
PID: 500 (1480) C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
PID: 528 (1480) C:\Program Files\Messenger\msmsgs.exe
PID: 536 ( 500) C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
PID: 560 (1480) C:\Program Files\CConnect\CConnect.exe
PID: 584 ( 4) \SystemRoot\System32\smss.exe
PID: 648 ( 584) CSRSS.EXE
PID: 672 ( 584) \??\C:\WINDOWS\system32\winlogon.exe
PID: 716 ( 672) C:\WINDOWS\system32\services.exe
PID: 728 ( 672) C:\WINDOWS\system32\lsass.exe
PID: 888 ( 716) C:\WINDOWS\system32\svchost.exe
PID: 932 ( 716) C:\WINDOWS\System32\svchost.exe
PID: 1016 ( 716) C:\Program Files\Norton AntiVirus\navapsvc.exe
PID: 1048 ( 716) SVCHOST.EXE
PID: 1072 ( 716) SVCHOST.EXE
PID: 1348 ( 716) C:\WINDOWS\system32\LEXBCES.EXE
PID: 1480 (1372) C:\WINDOWS\Explorer.EXE
PID: 1500 ( 716) C:\WINDOWS\System32\svchost.exe
PID: 1536 ( 716) C:\WINDOWS\system32\spoolsv.exe
PID: 1540 (1348) C:\WINDOWS\system32\LEXPPS.EXE
PID: 1672 ( 716) C:\WINDOWS\System32\ati2evxx.exe
PID: 1688 (1356) C:\Program Files\Apoint\Apntex.exe
PID: 1952 ( 672) C:\WINDOWS\system32\rundll32.exe
PID: 2660 (1480) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3284 (1480) C:\Program Files\Internet Explorer\iexplore.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 09/07/2004 21:51:18

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.club-vaio.sony-europe.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---


Any help would be appreciated, thanks.

#2 Exo (New Member, 2 posts)

Posted 11 July 2004 - 05:04 PM

I know all of the volunteers here are probably very busy, but please! Please could someone take a look at this? On all the forums I've posted on, no one has responded at all :( Please help!




Member of ASAP and UNITE
Support SpywareInfo Forum - click the button