Spyware : Chinese pop up keeps appearing - to www.u8u.com
Newbie
5. July 2007 @ 06:08
I keep getting a Chinese pop-up in Internet Explorer.
I use Win XP Pro SP2 with IE6 SP2.
I can close the page and carry on using my machine, but I cannot find this bug anywhere to remove it. I have used Spybot, Ad-Aware and Trend AV OfficeScan.
I have looked in Windows startup and the registry startup.

Can someone please help?
Member
5. July 2007 @ 07:48
Usually that's called adware - a program which generates ads.

Download HijackThis using the link provided - but do not download v2.0, please click to download the last stable version, which is 1.99.1. Once you have downloaded it, save it and run it. Click on "Do a system scan and save a logfile". Post ALL of that logfile in a reply for me to look at.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Newbie
6. July 2007 @ 01:23
Here's the logfile:

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:04

Member
6. July 2007 @ 08:01
Hello,

Glad you told me about that - I might have identified it as malware!

Do you know what the following are:

* ManageSoft
* OfficeScan NT
* Ecutel
* ProfileFix
* CFGDownload

There are quite a few things in your log that I need your input on. First of all - do you know these websites?

Originally posted by HijackThis log:
removed by admin
Next, please pay a visit to http://www.virustotal.com to upload a file. In the textbox at the top, next to the "Browse" button, copy and paste the following text:

C:\WINNT\wuauclt.exe

Hit "Send". You may have to wait for quite a while due to the queue. When scanning of the file begins, don't interrupt it! It may take up to ten minutes to scan a large file. When the scan is done, the "status box" at the top should say "STATUS: FINISHED". Your file will be scanned with more than 30 antivirus engines for a comprehensive result. When the scan is done, there will be two tables - one with your results and one with information like the MD5 Checksum. Ignore the smaller table - just copy all the text in the larger one and paste it into your reply.

This message has been edited since posting. Last time this message was edited on 3. July 2008 @ 07:49

Newbie
7. July 2007 @ 12:19
hi,

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:15

Newbie
7. July 2007 @ 12:26
oh yeah, one more thing

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:06

Member
12. July 2007 @ 09:15
Since it's been a couple of days (sorry), could you post a fresh HijackThis log to refresh my memory? Thanks :)

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Newbie
17. July 2007 @ 06:51
hello again,

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:09

Member
17. July 2007 @ 06:55
Let's get a close look at your system. Please download Deckard's System Scanner (formerly ComboScan) from the link provided. Save it to your Desktop.

Note: This program will clear your temporary files.

Please do a scan with dss.exe. It will only take about five minutes. If it cannot find HijackThis on your computer, it will prompt you to look for it. Please press "yes" and tell the scanner where it is located. If the scanner asks you to download HijackThis, please answer "yes" to that as well. During the scan, your firewall may warn you about a .exe file attempting to connect to the Internet; please allow it. Your antivirus may also detect Deckard's System Scanner as a Possible Threat or RiskTool; it may be better for you to temporarily disable your antivirus.

Once the scan is done, it will produce two logfiles for you: a "main.txt" (which you see) and an "extra.txt" (which is minimized). Please copy the contents of both these logfiles into your next reply.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Newbie
18. July 2007 @ 00:31
Here are the log files you asked for:
main.txt

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:10

Newbie
18. July 2007 @ 00:40
Deckard's

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:10

Member
18. July 2007 @ 06:14
Whew! That was a lot of information, but hopefully now we have the information we need to kill these pop-ups.

There is no user on this computer by the name of "david.bowen old", correct?

I will get back to you in a few moments - need to run a couple of errands first :)

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Newbie
18. July 2007 @ 07:02
hi again,

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:11

Member
18. July 2007 @ 07:30
No, I didn't think it would. The nasty bugger is in most of your user profiles x_x

Give me a second to look over your log again and I will be back with a fix.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Newbie
18. July 2007 @ 07:41
bbyb.exe, bbybs.exe and sxs.exe are looking suspicious, aren't they...
Member
18. July 2007 @ 07:47
Originally posted by Deckard's System Scanner:
-- Files created between 2007-06-18 and 2007-07-18 -----------------------------

2007-07-18 09:20:08 0 d------c- H:\Deckard
2007-07-18 09:17:27 0 d-------- C:\Program Files\Trend Micro
2007-07-17 14:37:05 0 d-------- C:\Documents and Settings\david.bowen old\Application Data\ICAClient
2007-07-17 14:32:26 19571 ---hs---- C:\Documents and Settings\david.bowen old\sxs.exe
2007-07-17 14:29:53 0 d-------- C:\Documents and Settings\david.bowen old\Application Data\Real
2007-07-17 14:29:53 0 d-------- C:\Documents and Settings\david.bowen old\Application Data\Adobe
2007-07-17 14:29:42 0 d-------- C:\Documents and Settings\david.bowen old\Application Data\Sun
2007-07-17 14:29:23 2 --ahs---- C:\Documents and Settings\david.bowen old\RECYCLER
2007-07-17 14:29:11 0 d--h----- C:\Documents and Settings\david.bowen old\Local Settings
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\Templates
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\Start Menu
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\SendTo
2007-07-17 14:29:09 0 dr------- C:\Documents and Settings\david.bowen old\Recent
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\PrintHood
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\NetHood
2007-07-17 14:29:09 0 dr------- C:\Documents and Settings\david.bowen old\My Documents
2007-07-17 14:29:09 0 dr------- C:\Documents and Settings\david.bowen old\Favorites
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\Desktop
2007-07-17 14:29:09 0 d---s---- C:\Documents and Settings\david.bowen old\Cookies
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\Application Data
2007-07-17 14:29:09 0 d-------- C:\Documents and Settings\david.bowen old\Application Data\Microsoft
2007-07-17 14:29:08 1048576 --ah----- C:\Documents and Settings\david.bowen old\ntuser.dat
2007-07-17 14:14:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-07-17 14:14:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-07-17 14:07:47 0 d-------- C:\Documents and Settings\instxp_sbs\Application Data\Real
2007-07-06 09:52:16 19571 ---hs---- C:\Documents and Settings\instxp_sbs\sxs.exe
2007-07-06 07:58:48 458 --a------ C:\WINNT\bbybs.exe
2007-07-06 07:58:47 458 --a------ C:\WINNT\bbyb.exe

2007-07-05 10:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-04 16:00:47 75776 --a------ C:\WINNT\system32\DWRCShell64.dll
2007-07-04 16:00:45 69632 --a------ C:\WINNT\system32\DWRCShell.dll
2007-07-04 16:00:42 225280 --a------ C:\WINNT\system32\DWRCSET.DLL
2007-07-04 16:00:37 71680 --a------ C:\WINNT\system32\DWRCST.EXE
2007-07-04 16:00:36 53248 --a------ C:\WINNT\system32\DWRCK.DLL
2007-07-04 16:00:31 208384 --a------ C:\WINNT\system32\DWRCS.EXE

2007-07-03 11:56:54 0 d-------- C:\Documents and Settings\david.bowen\Application Data\Lavasoft
2007-07-03 11:56:35 0 d-------- C:\Program Files\Lavasoft
2007-06-28 09:39:46 19571 ---hs---- C:\Documents and Settings\david.bowen\sxs.exe
2007-06-28 09:39:42 19571 ---hs---- C:\WINNT\wuauclt.exe
Hey, you replied before I replied :D The lines I've "redded" are bad. There is a chunk of bolded stuff near the end, too, which I will explain. Since this is a corporate computer, I'm going to ask if you know of a program called "DameWare Utilities". This program is for the remote access of your computer, but is usually installed in C:\Program Files\DameWare Development\DameWare NT Utilities\. Since it is a remote access tool, and is not installed where it is supposed to be, there is likely something suspicious going on. The entries in bold are the DameWare files.

sxs.exe and friends are the files that are causing your troubles.

Please copy the contents of this portion of the fix into a word processing document as we will be in Safe Mode and therefore unable to access the Internet.

Reboot your computer into Safe Mode:

1. Reboot your computer.
2. As soon as it starts booting, press the F8 key. You may get an error if this is done too soon, just reboot and try again.
3. You may get a message about boot drivers, just press ESC and keep tapping F8.
4. At the Advanced Options menu, use the arrow keys and navigate to Safe Mode. Press Enter and log in as you usually would.

Right-click on your Start Menu and select "Explore". Then, explore to these files and delete them (press Shift-Delete, will cause your files to skip the recycle bin and be deleted permanently):

C:\Documents and Settings\david.bowen old\sxs.exe
C:\Documents and Settings\instxp_sbs\sxs.exe
C:\WINNT\bbybs.exe
C:\WINNT\bbyb.exe
C:\Documents and Settings\david.bowen\sxs.exe

Also delete C:\Documents and Settings\david.bowen old using the Control Panel > User Accounts if it is not needed anymore.

Reboot back to normal.

Do another Deckard's System Scanner scan and post back (there will only be three sections to it this time).

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
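The helper's reading of the Deckard's listing above relies on a few file-level tells: executables carrying both the hidden and system attributes, executables dropped directly into a user profile root, and the same name and byte size repeated across several profiles (a file copying itself). The script below, an added example that is not part of the thread and not Deckard's own code, parses the "Files created" line format quoted above and applies those three checks to a constructed sample modelled on the listing; the attribute-position mapping (d, r, a, h, s) is inferred from the entries in the log.

```python
import re
from collections import defaultdict

# Format of the "Files created" section of a Deckard's System Scanner log:
#   <date> <time> <size> <attributes> <path>
# The 9-character attribute field uses fixed positions; inferred from the
# listing in this thread: 'd' = directory, 'r' = read-only, 'a' = archive,
# 'h' = hidden, 's' = system (e.g. "---hs----" is a hidden system file).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".pif")

# Constructed sample, modelled on the listing quoted above (not the full log).
SAMPLE_LOG = """\
2007-07-18 09:17:27 0 d-------- C:\\Program Files\\Trend Micro
2007-07-17 14:32:26 19571 ---hs---- C:\\Documents and Settings\\david.bowen old\\sxs.exe
2007-07-17 14:29:08 1048576 --ah----- C:\\Documents and Settings\\david.bowen old\\ntuser.dat
2007-07-06 09:52:16 19571 ---hs---- C:\\Documents and Settings\\instxp_sbs\\sxs.exe
2007-07-06 07:58:48 458 --a------ C:\\WINNT\\bbybs.exe
2007-07-06 07:58:47 458 --a------ C:\\WINNT\\bbyb.exe
2007-07-04 16:00:31 208384 --a------ C:\\WINNT\\system32\\DWRCS.EXE
2007-06-28 09:39:46 19571 ---hs---- C:\\Documents and Settings\\david.bowen\\sxs.exe
2007-06-28 09:39:42 19571 ---hs---- C:\\WINNT\\wuauclt.exe
"""


def parse_listing(text):
    """Yield (size, attrs, path) for every file entry; directories are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs")[0] == "d":
            continue
        yield int(m.group("size")), m.group("attrs"), m.group("path")


def profile_root(path):
    """Return the profile directory if the file sits directly in a user profile root."""
    m = re.match(r"^(C:\\Documents and Settings\\[^\\]+)\\[^\\]+$", path, re.IGNORECASE)
    return m.group(1) if m else None


def find_suspicious(text):
    """Map each flagged path to the list of reasons it was flagged."""
    findings = defaultdict(list)
    by_name_size = defaultdict(list)
    for size, attrs, path in parse_listing(text):
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(EXEC_EXT):
            continue
        hidden, system = attrs[3] == "h", attrs[4] == "s"
        if hidden and system:
            findings[path].append("hidden+system executable")
        if profile_root(path):
            findings[path].append("executable directly in a user profile root")
        by_name_size[(name, size)].append(path)
    # Same name and byte size in several locations: the file is copying itself.
    for (name, size), paths in by_name_size.items():
        if len(paths) > 1:
            for p in paths:
                findings[p].append(f"{name} ({size} bytes) also at {len(paths) - 1} other location(s)")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the sample this flags the three sxs.exe copies and the hidden system copy of wuauclt.exe in C:\WINNT, and leaves the DameWare file in system32 alone; bbyb.exe and bbybs.exe are not caught by these rules, which is why the helper also cross-checks against the HijackThis autostart entries.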
Newbie
31. July 2007 @ 09:04
Deckard's

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:11

Newbie
31. July 2007 @ 09:08
And one more thing: we use DameWare remote control as our corp support tool. I also noticed a sxs.dll in the c:\winnt\system32 directory, which I renamed as well, and also an sxs****.pf file in the same dir.
Member
31. July 2007 @ 09:48
I would format your HDD and reinstall Windows to make sure you get rid of all the spy/adware. You may have more spyware than what just antispyware programs are telling you; also, spyware has gotten so bad lately that it can attach itself to system files, and if they are deleted sometimes it can cause your computer to not function right. So the best thing to do is format your HDD, reinstall Windows, apply all the latest updates, download IE7/Firefox, and download some antispyware software. I recommend Windows Defender, which you can get at microsoft.com/spyware, Ad-Aware Free Edition, which you can get at lavasoft.com, and Spybot Search and Destroy; also I would recommend getting the free AVG antivirus, which you can get at free.grisoft.com. Some other things I should point out: the best defense to keep these nasty things off your system is not all this software but your behavior, like not opening attachments in emails, not downloading music/etc. from p2p sites, using Firefox with the NoScript add-on instead of IE, and applying all the Windows updates. Oh, and if you want a recommendation for a good firewall: if you have a router you already have a great firewall; if you don't, I would suggest going out to Circuit City/Best Buy and buying one. Also, if you do download music from p2p sites, I would suggest downloading the files to a second HDD so that if there is spyware/viruses it will be trapped on that other drive and will not affect your computer.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Member
31. July 2007 @ 15:08
Don't listen to him... formatting is not the best way to go, and your files are not safe if you keep the infected ones on another drive.

Hehehe... C:\New Folder\dss.exe

Nasty little devils, those viruses are :) Since one of your worms (sxs.exe) spreads through removable devices and networks, please disconnect this computer from the others whenever possible, and please check all removable storage devices (USBs, floppies, etc). I also take it that, since this is a company laptop, you have many restrictions present, such as Control Panel and Active Desktop?

Please select (highlight) everything in the box below. Right-click it and select "Copy".

Quote:
C:\WINNT\Temp\BJ1C2A.EXE
C:\WINNT\wuauclt.exe
C:\Documents and Settings\david.bowen\sxs.exe
C:\Documents and Settings\david.bowen old\sxs.exe
C:\Documents and Settings\instxp_sbs\sxs.exe
C:\WINNT\bbybs.exe
C:\WINNT\bbyb.exe
E:\sxs.exe
%SystemDrive%%HOMEPATH%\Desktop\FixReg.reg

Then, download The Killbox.

In the event that you already have the Killbox, this is a new version that I need you to download.

Once you have saved it to your desktop, double-click the Killbox to open it. Go to the "File" menu and click "Paste from Clipboard". Note: Do not paste manually, because that way only one file will be registered. At the bottom, select "Delete on Reboot", and select the button on the right saying "All files" (it will flash green to let you know you've done it right). If you can, place a checkbox beside the "Unregister .dll" box. Press the button that looks like the Killbox logo - a red circle with white cross. When asked if you would like to reboot now, please select "No".

Next, copy and paste all the text in the box below into a blank Notepad document:

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{08866435-dab0-11db-b050-000cf12fca1a}]

[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{146e2aca-3112-11dc-b0c5-000b5d302146}]

[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46f87061-dc4b-11db-b052-000b5d302146}]

[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b45901-f2ff-11db-b06b-000b5d302146}]
Go to File > Save As. In the menu that says "Save as type" select "All files". Save it to your Desktop as "FixReg.reg". Double-click on "FixReg.reg" and when asked whether you want to merge the information into the registry press Yes.

Now, reboot your computer. Killbox will have made a log after you log in successfully - copy and paste that log into your reply, as well as a new HijackThis log.

Geeks to Go - Trusted Helper

Please do not PM for help - please post on the forums.
Member
31. July 2007 @ 15:39
What fredil is saying might work, but you never know how compromised your system is, so you might be able to get rid of this piece of spyware, but the only way to be 100% sure you are clean is by backing up your data, formatting your HDD and reinstalling Windows. And fredil, if you download "suspicious stuff" like music, etc. from p2p to an external drive, the files on your main drive are safe because the virus/spyware, whatever, can't jump over to your main drive. Do some research before you start giving advice; start listening to Leo Laporte's podcasts on twit.tv and you will learn a lot. The ones I listen to mainly are Security Now, The Tech Guy, and TWiT a.k.a. This Week in Tech. I am not saying your method won't work, but as I said, you might get rid of this problem but you don't know what else he might have on his system; there are spyware/viruses out there that some AVs and anti-spyware programs won't even pick up, even if you do keep them updated regularly.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Member
31. July 2007 @ 15:42
marcuk03, it is up to you, though I really wouldn't want to format a work laptop, especially with a lot of important documents etc., but if you have system recovery disks and a way to back up your data, I would suggest doing so.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Member
31. July 2007 @ 15:50
Oh, marcuk03, don't use IE6; upgrade to IE7. IE6 is very dangerous because it runs active scripts. Get Mozilla Firefox (http://www.getfirefox.com), then once you get Firefox, google the NoScript add-on and install that; it will block out scripts which can cause spyware and viruses, plus it takes off those Google spam ads.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Member
31. July 2007 @ 15:53
Oh, and if possible make another account for yourself as a limited user to do your browsing on. This will also help keep some spyware off your system, because spyware only has the power that the user has, so if you were on a limited user and accidentally downloaded it, it can't install itself because limited users can't install programs. Only use your admin account to install stuff.

Kindle Fire 1st Gen running Jelly Bean
Nexus S 4G running 4.1.1 Jelly Bean
PS3 Slim 3000 Model 4.3.1
PS3 ID: killbarney1123
Newbie
31. August 2007 @ 04:44
ALL FIXED AT LAST !!!

Fredil,

Just wanted to finally say a big thank you for your help and patience on this matter, as I have finally resolved it with your help. I just needed to wait for a pattern file update.

Thanks again

This message has been edited since posting. Last time this message was edited on 25. June 2008 @ 10:13
