Pop-up ads after scans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sparlanc, Dec 11, 2005.

  1. Sparlanc

    Sparlanc Private E-2

    I followed the steps outlined by major geek. After I rebooted in normal mode and launched Internet Explorer, virtual bouncer and BHO.nameshifter both started an installation before I knew it. I am using Win XP SP2 with most upgrades added. I am posting my hijack this log below. Thanks for your help and let me know if there is anything else you need.



    Edit by chaslang: Inline log attached
     


    Last edited by a moderator: Dec 11, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions given in step 7 of the READ & RUN ME sticky thread. Basically they refer you to install HJT properly (you have not) and to not post inline logs like you did.

    Make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would recommend getting a better antivirus program installed because yours appears to be doing absolutely nothing to protect you. You have a ton of problems. You also need a real firewall.

    Uninstall SurfSideKick 3 using Add/Remove programs if you find it in there. Let me know what is found.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\LinkMaker.exe
    C:\WINDOWS\SYS98.exe
    C:\WINDOWS\jnshfmv.exe
    C:\PROGRA~1\4674041\4674041.exe
    C:\WINDOWS\SYS98.exe
    C:\WINDOWS\ms056603520914.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsi39.dll
    O2 - BHO: (no name) - {F289E968-6201-B63F-5C25-37B6736845F7} - C:\WINDOWS\Boatfjdo.dll
    O4 - HKLM\..\Run: [LinkMaker.exe] C:\WINDOWS\system32\LinkMaker.exe
    O4 - HKLM\..\Run: [Linker] C:\WINDOWS\system32\LinkMaker.exe
    O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
    O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
    O4 - HKLM\..\Run: [jnshfmv] C:\WINDOWS\jnshfmv.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [ms056603520914] C:\WINDOWS\ms056603520914.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [redx.exe] C:\Documents and Settings\Sparkes Family\Application Data\System Restore\redx.exe
    O4 - HKCU\..\Run: [zqactx1.exe] C:\Documents and Settings\Sparkes Family\Application Data\System Restore\zqactx1.exe
    O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\Documents and Settings\Sparkes Family\Application Data\System Restore\mc-110-12-0000122.exe
    O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
    O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
    O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
    O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
    O4 - HKCU\..\Run: [elts4.exe] C:\Documents and Settings\Sparkes Family\Application Data\System Restore\elts4.exe
    O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
    O4 - HKCU\..\Run: [o3mrk.Stub.exe] C:\WINDOWS\system32\o3mrk.Stub.exe
    O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
    O4 - HKCU\..\Run: [4674041] C:\PROGRA~1\4674041\4674041.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O15 - Trusted Zone: http://*.update.microsoft.com
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0036.exe
    O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\4674041 <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Documents and Settings\Sparkes Family\Application Data\System Restore <--- the whole folder
    C:\WINDOWS\system32\LinkMaker.exe
    C:\WINDOWS\system32\nsi39.dll
    C:\WINDOWS\system32\mmxp2passion.exe
    C:\WINDOWS\system32\fran-super.exe
    C:\WINDOWS\system32\ventbb.exe
    C:\WINDOWS\system32\VB1.exe
    C:\WINDOWS\system32\Setup75.exe
    C:\WINDOWS\system32\SSK35.exe
    C:\WINDOWS\system32\o3mrk.Stub.exe
    C:\WINDOWS\system32\irasyncd.exe
    C:\WINDOWS\SYS98.exe
    C:\WINDOWS\jnshfmv.exe
    C:\WINDOWS\ms056603520914.exe
    C:\WINDOWS\bxxs5.dll
    C:\WINDOWS\Boatfjdo.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
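As an added illustration (not from the thread, and not HijackThis code), the Python below parses HJT lines of the kind listed in this message, derives the files behind the O2 (BHO) and O4 (Run key) entries, and cross-checks them against a kill list, which is how the three lists above relate to each other. The regexes, helper names and the sample input (copied from this message's own lines) are my own construction.

```python
"""Parse HijackThis-style log lines and derive a cleanup plan. Regexes,
helpers and the sample input are constructed for this example, not HJT code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, copied from the HJT lines quoted in message 5.
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O4 - HKLM\..\Run: [LinkMaker.exe] C:\WINDOWS\system32\LinkMaker.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

@dataclass
class HjtEntry:
    kind: str            # HJT section: O2 (BHO), O4 (Run key), O16 (ActiveX download)
    name: str            # display name, or the Run value name for O4
    path: str            # file the entry loads, or the URL for O16
    hive: Optional[str]  # HKLM / HKCU for O4 entries, else None

def target_of(cmd: str) -> str:
    """Return the file an O4 command really loads: a rundll32 host is only the
    loader, so the DLL it is handed (before ',EntryPoint') is the payload."""
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        return rest.split(",", 1)[0].strip()
    return cmd.strip()

def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; sections this plan does not use return None."""
    line = line.strip()
    if m := _O2.match(line):
        return HjtEntry("O2", m["name"], m["path"], None)
    if m := _O4.match(line):
        return HjtEntry("O4", m["name"], target_of(m["cmd"]), m["hive"])
    if m := _O16.match(line):
        return HjtEntry("O16", m["name"] or "(no name)", m["url"], None)
    return None

def cleanup_plan(log: str, kill_list: List[str]) -> Dict[str, list]:
    """Derive the file list from the BHO/Run entries and flag kill-list processes
    no autorun references (e.g. a path with a different extension)."""
    entries = [e for e in map(parse_line, log.splitlines()) if e]
    files = sorted({e.path for e in entries if e.kind in ("O2", "O4")}, key=str.lower)
    referenced = {p.lower() for p in files}
    orphans = [p for p in kill_list if p.lower() not in referenced]
    return {"entries": entries, "files_to_delete": files, "kill_not_in_autoruns": orphans}
```

With the sample, the Run value `[YourMonitor] C:\WINDOWS\SYS98` has no extension, so a kill-list entry `C:\WINDOWS\SYS98.exe` is reported as not referenced by any autorun, which is exactly the kind of mismatch worth resolving by hand before deleting anything.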
     
  6. Sparlanc

    Sparlanc Private E-2

    Sorry about the hijack this goof (no soup for me!).
    I have attached the log,
    Thanks again for your help (and patience).
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like you followed the steps in my other messages. And now some of the bad processes have renamed themselves. Please read and follow all steps in the previous messages and add the below to the processes to kill, HJT lines to fix, and files to delete:

    C:\WINDOWS\win32095209146603.exe

    O4 - HKLM\..\Run: [win32095209146603] C:\WINDOWS\win32095209146603.exe
     
  8. Sparlanc

    Sparlanc Private E-2

    Would you suggest several antivirus programs? I could see surfsidekick in add/remove programs and delete it, but it keeps coming back. Also, I was using the zonealarm firewall program, but it was causing problems with some Windows updates I made, so I started using the Microsoft firewall.
    I do appreciate your help, I want to tackle this problem. Will I be any better off re-formatting the computer and starting over?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must use only one antivirus program as indicated in the READ ME. The Microsoft Firewall is not a true full firewall. As such, it does not provide adequate protection.

    Please re-run ALL the steps I gave you and include those new filenames. This means re-run all of message # 5 with those filenames and HJT lines added. Then post a new log. Run these steps while you are physically disconnected (unplug your cable) from the internet and do not have any browsers opened. Print the instructions or save them locally in a text file so you can refer to them while offline.
     
  10. Sparlanc

    Sparlanc Private E-2

    I did as you said, here are some things that I found or didn't find.
    I did not find the following to fix or delete:

    C:\WINDOWS\jnshfmv.exe
    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsi39.dll
    O4 - HKLM\..\Run: [jnshfmv] C:\WINDOWS\jnshfmv.exe
    C:\Program Files\SurfSideKick 3 <--- the whole folder (could not delete, it said that the program was in use)
    C:\Documents and Settings\Sparkes Family\Application Data\System Restore <--- the whole folder (I could not find this folder)
    C:\WINDOWS\system32\o3mrk.Stub.exe
    C:\WINDOWS\jnshfmv.exe
    C:\WINDOWS\bxxs5.dll

    When I re-connected to the modem and re-booted in normal mode, Virtual Bouncer tried to access the internet. Zone Alarm asked me if I wanted to prevent this (I did). I have had a few pop-up ads, not as many however. I am attaching my latest log, let me know what is next.
    Thanks again for the help
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a bunch of the same problems. Let's do this more slowly, as the everything fix is not getting us a complete solution.

    Goto Add/Remove programs and uninstall the below if found (let me know what you find):
    Virtual Bounce or Vbouncer
    SafeSurfing

    Did you look in Add/Remove programs for SurfSideKick or SurfSideKick3 or SSK as indicated in step 0 of the READ & RUN ME? Please look and uninstall if found. Let me know what you find. If not found or it will not uninstall, try the below:

    SurfSideKick Removal
     
    Last edited: Dec 15, 2005
  12. Sparlanc

    Sparlanc Private E-2

    I followed your latest inputs. It appears that I was able to remove surfsidekick. I am attaching my new log.
    I keep getting a request by ZoneAlarm to allow access to msxp- can you tell me what msxp is?
    Also, I assume that if you do not say it, that I should be disconnected from the internet when doing all of these scans and fixes.
    Thanks again for the help
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is always a good idea to be disconnected when doing fixes. Sometimes (but rarely) a connection may be required if a tool being run needs internet access to run something.

    One of the malware items you have running (irasyncd.exe) is very bad. Read about it here:

    http://www.liutilities.com/products/wintaskspro/processlibrary/IRASYNCD/

    You should consider changing passwords and checking the status of all your online accounts (especially financial related ones).

    Please download: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\WINDOWS\sys010914660352.exe
    C:\WINDOWS\ms044660352091.exe
    C:\WINDOWS\win32066035209146.exe
    C:\WINDOWS\win32083520914660.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasktar.dll
    O4 - HKLM\..\Run: [sys010914660352] C:\WINDOWS\sys010914660352.exe
    O4 - HKLM\..\Run: [ms044660352091] C:\WINDOWS\ms044660352091.exe
    O4 - HKLM\..\Run: [win32066035209146] C:\WINDOWS\win32066035209146.exe
    O4 - HKLM\..\Run: [win32083520914660] C:\WINDOWS\win32083520914660.exe
    O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINDOWS\sys010914660352.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\ms044660352091.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\win32066035209146.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\win32083520914660.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINDOWS\sys010914660352.exe
    C:\WINDOWS\ms044660352091.exe
    C:\WINDOWS\win32066035209146.exe
    C:\WINDOWS\win32083520914660.exe

    Now reboot (whether you find them or not) into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working. See if you can boot in normal mode.
     
  14. Sparlanc

    Sparlanc Private E-2

    I did all of the steps that you listed, except I could not find the following when I did the scan:
    O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasktar.dll

    All other items were fixed or deleted per your instructions. I have noticed that I am not getting the pop-up ads so far tonight- it looks like you are making progress. Let me know about the new log I posted and thanks again for your help.
    I hope you will answer the following questions:
    1) Is Zone Alarm (the free version) a good enough firewall?
    2) I am using eTrust antivirus, is this also good enough?

    If you have several suggestions if the above programs are not robust enough, I would appreciate it. Also, I have tried to keep up with the Microsoft updates. A few months ago, my pc started going very slowly after I did a MS update. I uninstalled ZoneAlarm, and the pc started working much better again. I am not sure if you are aware of any potential conflicts with zonealarm and win xp.

    Thanks again
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean!

    Yes ZoneAlarmFree is good enough for most people but if you like it, you would be better off buying the Pro version as it offers more features. The only potential problem with Windows is if you installed ZA but did not disable the WinXP SP2 firewall.

    Choosing an antivirus application that fits all of your needs can be a tough thing for me to decide. While eTrust is pretty good it is not necessarily high on my list of antivirus applications to choose from. But these programs (like antispyware) change constantly. You will also find great discrepancies when looking at reviews of antivirus applications.

    You must consider which features you may or may not need, effectiveness (ability to detect and also clean), ease of use, and impact on system performance.

    It is a tough choice! We like to suggest people try some of the free versions of AVs listed in the below link (you need to work thru this link too since you're clean now):

    How to Protect yourself from malware!

    Then after trying the antivirus applications for free, you can decide whether you like them or not and then buy the full version.

    One common item we do recommend is avoiding Norton and McAfee (especially the new everything security suite packages) as they are massive resource hogs. eTrust is not as bad as them.

    Right now the best I can say is if you like eTrust and pay for it and get constant updates, keep it.
     
