|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
Adware Insanity!!
Hi,
My first post Just today, IE starts up by itself and displays some ad page at random. This happens even if I'm in another application (IE closed). I've tried : - Scan for viruses (McAfee v 7 - updated) - Currently running the ActiveScan from PandaWare (found 8 infected and fixed) - Ran Spybot and removed all that it found - Ran NoAdware and cleared it's findings. - Cleared a few items using the HijackThis progam. - Ran LSPFIX. Any help appreciated - this is VERY annoying. Current HijackThis log is shown below: "Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\etlisrv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\CTHELPER.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe C:\Program Files\Saitek\Software\Profiler.exe C:\Program Files\Saitek\Software\SaiSmart.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe C:\Program Files\Logitech\ImageStudio\LogiTray.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe C:\Program Files\Creative\TaskBar\CTLTray.exe C:\Program Files\Creative\TaskBar\CTLTask.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\DvzCommon\DvzMsgr.exe C:\WINDOWS\system32\etlitr50.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe C:\Program Files\Palm\HOTSYNC.EXE C:\WINDOWS\System32\cidaemon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Michael\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=gateway.bns:8000;https=gateway.bns:443 R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - c:\windows\system32\ConfuSearch.dll F2 - REG:system.ini: Shell=Explorer.exe O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe" O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe" O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe" O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe" O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\TaskBar\CTLTask.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background O4 - HKCU\..\Run: [RHSI Update Manager] "C:\Program Files\Rogers Hi-Speed Internet\RHSI Update Manager\RHSIUpdateManager.exe" /background O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downl...19/CTSUEng.cab O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/s...are/awswax.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/sw.cab O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1093302042381 O16 - DPF: {237F3A38-E718-4FE3-AB18-BCF0AF75B34A} (DownloadScanEngine.ctlDSE300663) - http://downloads.rogershelp.com/updates.cab O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...649.5334837963 O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/ang...Downloader.cab O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//Maxis...y4PatcherX.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...58/mcfscan.cab O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downl...2119/CTPID.cab " |
#2
|
||||
|
||||
Welcome to CTH jureidinim.
Before we start, please create a dedicated folder for Hijack This on on your drive and copy it across. If you do not, you will end up with backups scattered all over your Desktop. You have a startup that I am not familiar with. What can you tell me about the below entry? O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe If you dont know what it is and there is no identifying information in Properties, could you make sure that you can view hidden files and folders and run a search for etlitr50.exe. When you find it, copy it to a new folder, zip it up (this is important) and email it to me (include a link to this thread). My address is annmarie@cybertechhelp.com. I will post back when I have checked it out. In the meantime, close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked. R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - c:\windows\system32\ConfuSearch.dll F2 - REG:system.ini: Shell=Explorer.exe Reboot and post a new log. |
#3
|
|||
|
|||
Adware Insanity - Fixed!
Sorry - I'm just getting back to this site..
I had downloaded AdAware and found this same problem mentioned on their forums. Apparently it was caused by a malware program called VX1 (I think that's the name). Anyway, the host site for AdAware had a VX1 plugin which was made specifically for this. I downloaded it, installed and ran the AdAware program. It WORKED!! No more hijack!! Thanks for your response though. I have another problem (DirectX and sound/voice problems) which i may be posting on soon. Thanks again!! |
#4
|
||||
|
||||
You are welcome jureidinim, I'm glad its all sorted.
|
Bookmarks |
«
Previous Topic
|
Next Topic
»
Topic Tools | |
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
Pop-up Insanity.. Help | helpplease34 | Malware Removal | 1 | May 16th, 2007 07:15 AM |
Pop-up Insanity.. Help | helpplease34 | Windows XP | 1 | May 15th, 2007 07:41 PM |
DV capture driving me to insanity | magic_steve | Hardware | 9 | March 6th, 2006 12:37 PM |
The Warning Signs of Insanity... | IamOne | Jokes Forum | 5 | January 6th, 2006 02:49 PM |
adobe reader or xp insanity | max221 | Windows XP | 4 | April 13th, 2005 04:36 PM |
All times are GMT +1. The time now is 02:00 PM.