
Help !!!


7 replies to this topic

#1 Stem


Posted 17 June 2004 - 05:49 AM

Basically, the automove.exe file appeared on a system at work a couple of days ago and won't go away.

Now, frustratingly, Ad Aware comes up clean, AntiVirus comes up clean, I've removed the file from MSConfig, the registry and physically removed it from the System32 folder. I've also cleared System Restore and yet the file keeps coming back after a few minutes.

It's not harming anything, just putting an annoying popup on the screen every few minutes.

Help me please.

Edited by Stem, 17 June 2004 - 05:50 AM.


#2 WinHelp2002


Posted 17 June 2004 - 06:39 AM

Hi,
Download "Hijack This!"
http://www.spywarein.../hijackthis.zip

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 Stem


Posted 17 June 2004 - 07:18 AM

Logfile of HijackThis v1.97.7
Scan saved at 13:16:02, on 17/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\workshop\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsour...onn_5.2.0.8.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Hmm, Spy Sweeper seemed to get rid of it but it just came back again.

Ah well.

#4 Stem


Posted 17 June 2004 - 07:27 AM

And by the way, not sure if it matters or not, the popups are coming from 680180.net and are for ringtones.

Edited by Stem, 17 June 2004 - 07:28 AM.


#5 WinHelp2002


Posted 17 June 2004 - 08:36 AM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis. Place a check in each of the following:
Then click "Fix checked".

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:


C:\WINDOWS\System32\SWin32.dll <--this file
C:\WINDOWS\System32\automove.exe <--this file
C:\WINDOWS\System32\ADStartUP.exe <--this file
C:\WINDOWS\System32\AdUpdater.exe <--this file
C:\WINDOWS\System32\adupdmanager.xml <--this file
C:\WINDOWS\System32\data.xml <--this file
C:\WINDOWS\System32\IEEnhancer.dll <--this file

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
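
Reply #5 asks for a fresh HijackThis log after the removal steps. One way to check such a log against that reply's file list, as an added example that is not part of the original thread: the function names are hypothetical and the sample is a constructed excerpt of the log from reply #3.

```python
import ntpath
import re

# Constructed sample: six entry lines copied from the HijackThis log in reply #3.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

# File names from the removal list in reply #5, lower-cased for comparison.
REMOVAL_LIST = {"swin32.dll", "automove.exe", "adstartup.exe", "adupdater.exe",
                "adupdmanager.xml", "data.xml", "ieenhancer.dll"}

# An entry line starts with a section code such as R3, O2, O4 or O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# A Windows path ending in a 2-4 character extension; spaces in folders allowed.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.[A-Za-z0-9]{2,4}(?=["\s]|$)')


def parse_entries(log_text):
    """Return (section, detail, path_or_None) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # header, "Running processes" list, blank lines
        section, detail = match.groups()
        path = WIN_PATH.search(detail)
        entries.append((section, detail, path.group(0) if path else None))
    return entries


def flag_entries(log_text, removal_list=REMOVAL_LIST):
    """Return (section, file name) for entries that load a file on the list."""
    return [(section, ntpath.basename(path))
            for section, _, path in parse_entries(log_text)
            if path and ntpath.basename(path).lower() in removal_list]


if __name__ == "__main__":
    for section, name in flag_entries(SAMPLE_LOG):
        print(f"{section}: still references {name}")
```

An empty result on the fresh log means no logged entry names those files any more; the script reads only the log text and does not examine the disk.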

#6 blasherke


Posted 21 June 2004 - 01:04 PM

Hi,

I've had the same problem, I posted my log about a week ago. The solutions provided by WinHelp are useful, yet temporary: the pop-ups keep coming back. To me, the 680180.net pop-up caused IE5.5 to crash, so I HAD to find a definitive solution. I think I found one: try downloading SpywareGuard and SpywareBlaster.
http://www.javacools...ywareguard.html
I've been running these programs for four days now, and my computer still seems clean and the pop-ups gone, whereas with the manual removal the automove.exe file (and the other stuff) always came back. Another useful spyware removal tool is BPS Spyware Remover, which provides an in-depth scan of your computer (it takes a bit longer than other programs, but it always detects more than programs like Ad-Aware and Spybot).

The origin of all these problems lies in Curacao, check this link:
http://antivirus.abo...y/aa071403a.htm
If anyone succeeds in hacking their server I would gladly buy him a beer :p

Hope this helps you!

Greetz,

Blasherke

#7 WinHelp2002


Posted 21 June 2004 - 03:25 PM

blasherke,
If you go back to the post I was helping you with ... you never finished up or followed the posted instructions.

"Another useful spyware removal tool is BPS"

That product is banned here, matter of fact SpyBot targets that for removal!
Mike

#8 blasherke


Posted 21 June 2004 - 03:36 PM

As a matter of fact, I think I did! I posted my last log June 15 8.48 am. I updated my system, as far as possible because for a particular reason I'm unable to update to IE6, the installation always fails.

Concerning BPS, I didn't understand completely: do you mean BPS is spyware itself???

greetz,

Blasherke



