problem pop-ups

Hi

Ok...I'll have a look at the log you uploaded.
I highly doubt you or anyone has been to a pile of skin sites. This is part of what this "trustIn" junk is.--displays popups and re-directs searches.
You must have had a bunch of p0rn popups as well.
Some of those strings is likely a "log" of sorts of what pages/popups that were displayed when you were actively infected.

Anyway when I see the log I'll attach here the reg fix to use. I don't want to post it in the forums because the forum software & bad word filters (if applicable) will mangle the script and render it useless.

See you in a bit

We are in the same time zone it seems
Likely be tomorrow before I come up with fix. That is one huge log!

Norton 2003...
Might want to consider upgrading to newer version. The newer versions have a more advanced scan engine & better heuristics than the older versions.
Newer versions of Norton does take more resorces to run though.
Another alternative is to uninstall Norton & install a newer AV program.
There are a few free ones out there that work quite well. (AVG, Avast, AntiVir)

Tammy

 

ok!
thanks!

 

Hey,

Sooner than we both thought

As you can see I'm new at this forum so hopefully the whole attaching thing goes alright.

Attached should be a file called "fix.zip "
Save this file to your desktop.
Right click fix.zip> choose "extract all ", follow the wizzard to extract it.
You will now have a folder called fix. Inside should be a file called fix.reg. (looks like stacked blue blocks)
Don't run this yet please.

Boot to SAFE mode & log into your normal account.

Open the "fix" folder and right click "fix.reg" then choose merge
When asked if yoiu want to add the contents of fix.reg to your registry answer yes.
You should get success message.
OK the messege and reboot.

Post a fresh hijackthis log please.
Let me know if problems with that reg file.

Thanks

 

OK! the merge was a success!!!
so here is the latest hjt log you asked for.. so are all those **** sites off my reg! is that what the fix was?
anyway here it is and everything seemes to be working good. and as soon is i get the ok from you i am ghosting my drive cause i don't want to do this again


Logfile of HijackThis v1.99.1
Scan saved at 11:11:48 PM, on 28/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Keith & Carrie\My Documents\HijackThis\Keith & Carrie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe "
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170519494906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170524756093
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

 

Hi

Good to hear.
Yes that is what that reg fix did was remove the remanents of "TrustIn" including those **** links.

If you run regsearch again & import the options.txt I had you create on desktop there should only be 4 items that turn up.
Those are all legit. The "ActiveX comaptibility" is what is supposed to block ActiveX installs for these threats. (SpywareBlaster put those there)
Not sure how your TrustIn got installed.

If there are more please post log or upload it where you did the last one.

You can delete Options.txt I had you create
You can delete that fix.zip and fix folder that holds fix.reg.

You have an older version of Java that should be removed.
Please go to add/remove programs and uninstall:

J2SE Runtime Environment 5.0 Update 10

You can leave Update_11

See with older versions of Java installed malware exploits can call up old versions of java that are exploitable to install nasties.
Whenever updating your Java always uninstall the older version. (I have no clue why sun java does not do this)

Reboot to finish uninstall.

One empty item in your log you can have Hijackthis fix:

Open Hijackthis, run system scan and check:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Close all open windows and hit "fix checked ", then OK.
Shouldn't need to reboot.
Rescan with Hijackthis and if that line is gone...no need to post new log.

REcycle bin with Norton stuffs in it: I don't think there is anything there to worry about. It should contain stuff Norton backed up from the D drive.

Few items you may want to stop from running at boot to speed things up a little:

BigFix:
Should be able to disable it from starting at boot from within the program. I would just run this once in a while to check on things.

Limewire:
Can disable this from running at boot up. Run as desired from desktop shortcuts or start menu.
And please be careful what you download from p2p sites. Using p2p programs without being careful can lead to spyware/virus infections.
Lots of people think its funny uploading infected shares and some don't even realise its happening because they are infected themselves.

Office:
Quite the resorce hog to run at boot.
You can start office components manually from desktop shortcuts or the start menu.
To disable:
Click start> run> type: msconfig and hit enter.
Click Startup tab
Uncheck "Microsoft Office "
Hit "apply" and "close ".

Go ahead & reboot.

When you get the msconfig nag warning at boot just check the box that says "don't tell me this again" and click OK.

The rest of your starts should be alright.

Before you ghost your drive...

Make sure your security software is up to date.
Make sure you are Imunized/protected against the new threats via the "immunize" in Spybot and "Enable all protection" in SpywareBlaster.

After a few reboots and checking to see that all is well; it is highly recommended to reset your system restore to remove any possible backed up infected files there.

Right click "my computer "
Click "properties "
Click "system restore" tab
Checkmark "turn off system restore "
Hit apply> ok> ok.

Reboot

Go back and turn system restore back on by removing the check, hit apply, and OK.

A new restore point is created at this time.
You will not be able to restore computer to any earlier than today.

Some reading to do as there are several good tips/programs you can use to help keep your computer safe.

http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
http://boards.cexx.org/index.php?topic=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Keep well & surf safe!

Tammy

 

hi tammy
thanks again! i'm just working on your last post and the regsearch looks good
i will do a final thankyou post when i'm done

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 01/03/2007 10:08:01 AM for strings:
; '0edc6c20-a31c-11db-8ab9-0800200c9a66'
; 'cdfviewb.dll'
; '3aac4c68-afc8-11db-80ef-8af955d89593'
; '631f7200-642e-11db-bd13-0800200c9a66'
; 'f67eeb12-ab09-11db-a6f1-260856d89593'
; 'mscoriezb.dll'
; 'cliconfgs.dll'
; 'cewmdma.dll'
; 'trustin'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}]
"$Function "= "CertTrustInit "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F67EEB12-AB09-11DB-A6F1-260856D89593}]

; End Of The Log...

 

hi tammy
well everything is fine except 1 thing!
i went to my e-mail client which is "incredimail" and my address book was gone, i was devistated did we delete something wrong, oh well i'm sure i'll survive but please take a look at what we did
thanks again keith

 

Hi Kieth,

I can't see what we did would cause your address book to not work. Unless the incredimail address book is partly dependant on Office.

Did you disable Office via msconfig as suggested?

Try going back to msconfig, re-enabling office & rebooting.

See if the address book comes back.

Let me know please.

Tammy

 

hi tammy
well i don't know what happened but it came back, all addresses are back, and everything is working fine
was the last hjt report i sent all clean, cause if it was then i think this session is CLOSED
and i thank you with all my heart again and again
thanks very much
keith

 

Hi Kieth,

Glad to hear all is working well.

Keep well & surf safe!

Tammy

 

Due to resolution this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.