Please help a newbie remove evil ad/spyware!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DJ Whiley, Jun 14, 2004.

  1. DJ Whiley

    DJ Whiley Private E-2

    So every time I close my last IE window, 2 more automatically pop up with the addresses www.beba-al-agua.com and www.belgiandip.com. They appear for a split second before turning into ads (usually trying to get me to download anti-spyware software) that I can trace back to various ad producers including fastclick.com. The worst part is, when I close the ads, another one replaces it. I have to close about 6 ads before my desktop is clear again.

    I've tried Ad-Aware, Spybot, I use Pop-Up Stopper and nothing so far has gotten rid of it.
    I'm using XP and my homepage is www.hotmail.com. Please help!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are your versions of Ad-aware and SpyBot up to date? If so, download HijackThis, then shut down all applications and run it. Post the HijackThis log back here. Get HijackThis here: http://www.majorgeeks.com/download3155.html
     
  3. DJ Whiley

    DJ Whiley Private E-2

    Thanks for the response. Yeah, my Ad-Aware and Spybot software is up to date so I tried Hijackthis and here's what I got:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:54 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\gearsec.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\tpjhcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\POP-UP~1\PSFree.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
    C:\WINDOWS\System32\cctresa.exe
    C:\WINDOWS\System32\SCTFPM.exe
    C:\WINDOWS\System32\ountryc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us9.hpwis.com/
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hgjgalhlaksd] C:\WINDOWS\System32\tpjhcc.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [cctresa] C:\WINDOWS\System32\cctresa.exe
    O4 - HKLM\..\Run: [ountryc] C:\WINDOWS\System32\ountryc.exe
    O4 - HKLM\..\Run: [SCTFPM] C:\WINDOWS\System32\SCTFPM.exe
    O4 - HKLM\..\Run: [phlpapii] C:\WINDOWS\System32\phlpapii.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: PD (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    I'm not real sure what any of it means though. What should I delete?
    Thanks for the help!
     
  4. DJ Whiley

    DJ Whiley Private E-2

    Ooh, one more question. I have P2P Networking installed and am pretty sure that I don't need it or want it. I tried to remove it using the control panel add/remove but it said that it runs with IE and could affect it. Is it safe to remove it anyway? Thanks for all the help. I love this site!! :D
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would just uninstall it. I don't think it will break IE. It will just cause programs that came with it not to function. See the links below:

    http://www.kephyr.com/spywarescanner/library/p2pnetworking/index.phtml
    http://www.pestpatrol.com/pestinfo/p/p2p_networking.asp

    I'll start looking at the HijackThis log. See if you can get rid of the P2P stuff.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One additional note on using HijackThis. Move HijackThis.exe to its own non-temporary folder. The program will make backups and put them into the folder that it is run from. In your case, they will now end up in a temporary folder that is prone to cleanups.
     
  7. DJ Whiley

    DJ Whiley Private E-2

    Thanks for the info. I've successfully removed P2P. Yay!

    Any luck with the log? Thanks for doing that btw, it must take a while to figure it out. Muchly appreciated :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good, DJ. Yes, I have started to look at it. But I have been spending a bunch of time trying to look into this belgiandip stuff. It can spawn all kinds of executable file names. Can you start looking at this link and following some of the steps there:

    http://www.pestpatrol.com/PestInfo/w/winpup32.asp

    I see a bunch of other questionable filenames in your log, like:

    C:\WINDOWS\System32\tpjhcc.exe
    C:\WINDOWS\System32\cctresa.exe <=== mentioned at PestPatrol for Winpup32
    C:\WINDOWS\System32\SCTFPM.exe
    C:\WINDOWS\System32\ountryc.exe
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DJ,

    Please tell me the reference file version you are using for Ad-aware.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DJ, We are going to work on this belgiandip problem.

    You need to open Windows Explorer and first make sure you have set it to allow viewing of hidden files and folders. Also make sure you do not have "Hide extensions for known file types" checked. This is found in Windows Explorer under Tools, Folder Options, View, then look in the Advanced settings.

    Now go to your C:\windows directory. Click View, Details. Now again click View but this time click Choose Details. In the window that comes up enable the Company selection.
    Now in the right side of your explorer Window sort by Company. Now look for totempole. Move all files matching that company name to a temporary folder (make one for this like c:\backup\windows)

    Do the same in your c:\windows\system and c:\windows\system32 folders (also move them to the same temp directory, in a system and system32 folder respectively).

    If you have problems moving any of these files, boot in safe mode and move them.
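    The manual Explorer procedure above, scripted as an added example (this is not code from the thread or from MajorGeeks): it assumes a modern Windows with PowerShell, takes the company string "totempole" and the C:\backup folder from the post, and moves matching files into windows, system and system32 subfolders so they can be restored if one turns out to be legitimate.

```powershell
# Added example (not from the thread): automate the "sort by Company" step
# described in the post. Files in the Windows folders whose version-info
# CompanyName contains the given string are moved into a backup tree with one
# subfolder per source folder. Run from an elevated prompt; -WhatIf previews.
param(
    [string]$Company    = 'totempole',   # company name named in the post
    [string]$BackupRoot = 'C:\backup',   # backup root suggested in the post
    [switch]$WhatIf
)

$windir = $env:windir
# Source folder -> backup subfolder, mirroring the post's three locations.
$targets = [ordered]@{
    $windir                        = 'windows'
    (Join-Path $windir 'system')   = 'system'
    (Join-Path $windir 'system32') = 'system32'
}

$moved = @()
foreach ($src in $targets.Keys) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $dest = Join-Path $BackupRoot $targets[$src]
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # -Force includes hidden and system files, which is what "show hidden
    # files and folders" achieves in Explorer. Only the top level of each
    # folder is checked, the same scope the post's Explorer view covers.
    Get-ChildItem -LiteralPath $src -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $c = $_.VersionInfo.CompanyName
            $c -and $c -like "*$Company*"
        } |
        ForEach-Object {
            # Record each file so the list can be posted back for review.
            $moved += [pscustomobject]@{
                File    = $_.FullName
                Company = $_.VersionInfo.CompanyName
                Size    = $_.Length
                Backup  = (Join-Path $dest $_.Name)
            }
            Move-Item -LiteralPath $_.FullName -Destination $dest -WhatIf:$WhatIf
        }
}

# A locked file will show an error above; the post's advice then applies:
# repeat the move from Safe Mode.
$moved | Format-Table -AutoSize
```

Files without any version resource have an empty CompanyName and are skipped, exactly as they would sort to the bottom of Explorer's Company column.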
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
