Jump to content


Photo

Irritating problem


  • Please log in to reply
9 replies to this topic

#1 Stephan0zki

Stephan0zki

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 26 July 2004 - 05:24 PM

Hey, i've got some little irritating pop ups that keep coming back (hijacks like 2nd thought and tv media). When i remove them with ad-aware with the latest installed patch they just keep coming back on the computer. Maybe you guys could help me..
Tnx alot

My HijackThis log look like this..

Logfile of HijackThis v1.98.0
Scan saved at 0:25:24, on 27-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Games\SIERRA\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.defaultse...ie/searchmn.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: SNHELPER - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab

Edited by Stephan0zki, 26 July 2004 - 05:25 PM.


#2 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 26 July 2004 - 10:20 PM

It would be a good idea to print out these instructions.

Now download and run LSP Fix
Check 'I know what I'm doing'.
Select all instances of 'lspak.dll'.
Click the right-pointing arrow.
Click 'Finished'.
Restart your computer.
Delete the following file:
c:\windows\system32\lspak.dll
Restart.

The file 'lspak.dll' is sometimes associated with Look2Me (vx2).
Download vx2finder from here http://download.broa...Finder(126).exe and run it. Hit 'click to find vx2betterinternet'. When its finished click 'make log'. Copy and paste the results in this thread. Please note that the results may come back as nothing found.

Run HijackThis and check all of the following – BUT DO NOT FIX YET:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: SNHELPER - {4E7BD74F-2B8D-469E-C0FB-EF60B19DB42E} - C:\PROGRA~1\Srng\SNHelper.dll (file missing)
O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe


All of the following are optional fixes:
The following entry aids in speeding up the starting of Microsoft Office programs, however it uses memory and may slow your system down. ‘Fixing’ this entry will cause no ill effects to Microsoft Office programs or files.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

The following two entries are not malware. They are extra ‘buttons’ and ‘tools’ items in Internet Explorer. I have them listed under optional fixes because they are broken links. (file is missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)


After you have checked everything that needs to be fixed (items in red) and any optional fixes (items in blue), close all open windows including Internet Explorer and Windows Explorer and click the “Fix Checked” button.

Reboot into safemode.


Delete the following files. Let me know if you can’t find or can’t delete any of these files or folders. You might have to set your computer to show hidden files and you may have to use the search function on the start menu.:
C:\PROGRA~1\COMMON~1\tsa\tsm.exe <<This might be in the 'C:\PROGRAM FILES\Common Files\tsa' folder
C:\Program Files\TV Media\Tvm.exe
C:\Program Files\TV Media\Tvm.exe


Delete the following folders (do not delete the C:\PROGRAM FILES or C:\PROGRAM FILES\Common Files folders):
C:\PROGRA~1\COMMON~1\tsa <<This might be the 'C:\PROGRAM FILES\Common Files\tsa' folder
C:\Program Files\TV Media
C:\Program Files\TV Media


Reboot

Post a new log to see if we missed anything.

Regular scans with Ad-Aware and Spybot are a good start. However these tools will not prevent malware from being installed on your computer. For information on preventing or reducing your risk of future malware infections, click here

#3 Stephan0zki

Stephan0zki

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 27 July 2004 - 08:53 AM

Ok, tnx for the helping i'll post the VX2Finder log here below as you said:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{586BFCED-55D1-4F91-8554-5185C9BF1672}


My HijackThis log look now like this: (note i didn't have any problems deleting the files in safe mode)

Logfile of HijackThis v1.98.0
Scan saved at 15:52:55, on 27-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.defaultse...ie/searchmn.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab

#4 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 27 July 2004 - 02:59 PM

You’re right, TV media doesn’t want to disappear.

Fix the following with Hijackthis:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)

SWI Helper pomp86 also suggests the following:
In the folder where the vx2 finder program should be. There should be a useragent$ file. Run (doubleclick) the useragent$ file to merge it into the registry.

Reboot

Run internet explorer and copy and paste this line into the address bar and hit ‘enter’ or click on ‘go’:
javascript:navigator.userAgent

Copy and paste what is displayed on the screen to this thread and post a new Hijackthis log.

Edited by Trilobite, 27 July 2004 - 03:21 PM.


#5 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 27 July 2004 - 11:12 PM

You should be able to see it Stephan, the user agent$ is a button you press on the actually vx2finder(126) program. Just wanted to tell you in case you get confused.

Also click "restore policy" after you do the user agent$ part.

Edited by pomp86, 27 July 2004 - 11:18 PM.





PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#6 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 28 July 2004 - 12:08 AM

Thanks pomp86

#7 Stephan0zki

Stephan0zki

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 03 August 2004 - 11:24 AM

K, sorry for the late reply. (It was caused by a holiday trip in Belgium)

I fixed the R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing) like you said Trilobite.

I've got a problem with the user agent$ file. I didnt see a file in the folder where vx2finder(126) is. So I pressed the button on the actually vx2finder(126) program what pomp86 advised. After I've done a reboot there wasn't a useragent$ file in the specific folder.

I hope you guys can help me out with it.

#8 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 07 August 2004 - 10:06 AM

I apologize for the delay too. It’s easy for a thread to get buried quickly on this forum.

Don’t worry about the useragent$ file, clicking on the useragent$ button should have the same affect.

To finish the instructions from the previous post:
Run internet explorer and copy and paste this line into the address bar and hit ‘enter’ or click on ‘go’:
javascript:navigator.userAgent

Copy and paste what is displayed on the screen to this thread, and post a new Hijackthis log to see if we missed anything or if there is anything new.

#9 Stephan0zki

Stephan0zki

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 09 August 2004 - 02:27 AM

I copied your line and i get the following:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

My Hijackthis log looks like this:

Logfile of HijackThis v1.98.0
Scan saved at 9:27:58, on 9-8-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.defaultse...ie/searchmn.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-proxy.wanadoo.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.wanadoo.nl;signup.wanadoo.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.nl/
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28177.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28177.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab28578.cab

Edited by Stephan0zki, 09 August 2004 - 02:28 AM.


#10 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 09 August 2004 - 09:30 AM

Your log looks fairly good, I only see one bad entry.

Close all open windows (including Internet Explorer) and fix the following with Hijackthis:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http ://www.defaultsearch.com/search/B90D4C...ie/searchmn.htm

www.defaultsearch.com is a known CoolWebSearch domain. I apologize that I didn’t spot it earlier as I just updated my CWS domain blacklist. The good news is that this is the only entry related to CWS that I see in your log and after fixing this entry, you should be good to go and your computer should be clean. :thumbsup:

If you should notice any new problems or symptoms, then please post a new log or start a new topic.

If you haven’t already done so, you should take a look at ’how did I get infected’. It contains a wealth of information on protecting your computer from future malware infections.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button