pop up cartomanzia

Discussion in 'Malware and Virus Removal Archive' started by pex3, 2005/04/16.

Thread Status:
Not open for further replies.
  1. 2005/04/16
    pex3

    pex3 Inactive Thread Starter

    Joined:
    2005/04/09
    Messages:
    20
    Likes Received:
    0
    On my Win98 PC I have this problem: when I go online, an annoying pop-up appears that says "cartomanzia e astrologia". What do I have to do to delete it??

    (pop up url: http://www.cartomanzia-tarocchi.biz/?1727)
     
    Last edited: 2005/04/16
    pex3,
    #1
  2. 2005/04/16
    pex3

    pex3 Inactive Thread Starter

    Joined:
    2005/04/09
    Messages:
    20
    Likes Received:
    0
    HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11.33.23, on 16/04/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAMMI\RVS\WCOM\SYSTEM\RVSINST.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAMMI\IOMEGA\AUTODISK\ADSERVICE.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\PSIMSVC.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAMMI\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\PROGRAMMI\IOMEGA\AUTODISK\ADUSERMON.EXE
    C:\PROGRAMMI\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\WINDOWS\SYSTEM\LINKSTS.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\APVXDWIN.EXE
    C:\WINDOWS\APPLICATION DATA\SGRUNT\IE4321.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\WPSPSW.EXE
    C:\PROGRAMMI\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\WEBPROXY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    F1 - win.ini: load=WPSLOAD.EXE
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: SponsorAdulto Class - {511F9316-771B-4953-A268-1C36DA667FE9} - C:\WINDOWS\DOWNLO~1\SPONSO~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [Linksts] Linksts.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [Olympic] C:\WINDOWS\Application Data\sgrunt\IE4321.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [RVS Installer] C:\PROGRA~1\RVS\WCOM\SYSTEM\RVSINST.EXE
    O4 - HKLM\..\RunServices: [ADService] C:\Programmi\Iomega\AutoDisk\ADService.exe
    O4 - HKLM\..\RunServices: [PavProc] C:\Programmi\File comuni\Panda Software\PavShld\PavPrS9x.exe
    O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe "
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: www.yeak.net
    O15 - Trusted Zone: www.skymasters.biz
    O15 - Trusted Zone: www.archiviosex.net
    O15 - Trusted Zone: www.sgrunt.biz
    O15 - Trusted Zone: www.linkautomatici.com
    O15 - Trusted Zone: www.master69.biz
    O16 - DPF: {99BDE9B5-0D50-43E8-9981-773C48CF25EF} (Pro_Web899.ProWeb899) - http://67.15.5.151/ProWeb899.CAB
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/307193.exe
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
    O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programmi\AutoCAD 2002 Ita\InstBanr.ocx
    O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Programmi\AutoCAD 2002 Ita\InstFred.ocx
    O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://67.15.5.151/ProWeb016.CAB
    O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} (SponsorAdulto Class) - http://ip.spacash.com/cab/2/en/SysWebTelecomInt.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/univ/scd/x/scdsex1x.exe
    O16 - DPF: {869518C3-FBA5-4D75-8A14-7047437E9498} (Jacques Class) - http://htmldialer.parisvoyeur.com/CABSPOLY/cd/1,0,3,8/it/Bernadette.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.99.125.2,151.99.125.3,151.99.125.1
     
    pex3,
    #2

  4. 2005/04/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry for the delay. :(

    Right-click the desktop and choose New > Folder. Name it HJT. Move HijackThis.exe to that folder.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click Fix.

    O2 - BHO: SponsorAdulto Class - {511F9316-771B-4953-A268-1C36DA667FE9} - C:\WINDOWS\DOWNLO~1\SPONSO~1.DLL
    O4 - HKLM\..\Run: [Olympic] C:\WINDOWS\Application Data\sgrunt\IE4321.exe
    O15 - Trusted Zone: www.yeak.net
    O15 - Trusted Zone: www.skymasters.biz
    O15 - Trusted Zone: www.archiviosex.net
    O15 - Trusted Zone: www.sgrunt.biz
    O15 - Trusted Zone: www.linkautomatici.com
    O15 - Trusted Zone: www.master69.biz
    O16 - DPF: {99BDE9B5-0D50-43E8-9981-773C48CF25EF} (Pro_Web899.ProWeb899) - http://67.15.5.151/ProWeb899.CAB
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/307193.exe
    O16 - DPF: {31F11DFA-3A23-4BC0-89B4-2FB3FB43525B} (Pro_Web016.ProWeb016) - http://67.15.5.151/ProWeb016.CAB
    O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} (SponsorAdulto Class) - http://ip.spacash.com/cab/2/en/SysWebTelecomInt.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/univ/scd/x/scdsex1x.exe
    O16 - DPF: {869518C3-FBA5-4D75-8A14-7047437E9498} (Jacques Class) - http://htmldialer.parisvoyeur.com/C.../Bernadette.cab


    Either reboot and repeatedly tap F8 to enable the start menu and select Safe Mode, or go to Start > Run, type msconfig and hit Enter. On the General tab click the Advanced button. Check the box to 'enable start menu' and OK out. Restart and choose Safe Mode. Log on to your user account.


    You will need to show hidden files and folders.

    Search the drive for the files scdsex1x.exe and 307193.exe and delete if present.
    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Applog, select all and delete.
    Open C:\WINDOWS\Application Data and delete the folder sgrunt.
    Open the Control Panel, then Internet Options, and delete the temporary internet files, checking the box for offline content.
    Open My Computer and right-click Local Disk C:, then choose Disk Cleanup. Check all boxes and click OK.

    If you used msconfig, uncheck the box to 'enable start menu' and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
     
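As an added example, not from this thread or from HijackThis itself: a small Python triage pass over HijackThis log lines that encodes the selection criteria visible in the fix list above (O15 Trusted Zone additions, O16 DPF entries pulling executables or packages from remote hosts, O4 autostarts running from Application Data, and BHOs living in Downloaded Program Files). The sample lines are constructed from the log posted in this thread; the `trusted_dpf_hosts` allowlist is a hypothetical parameter, not anything HijackThis provides.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SponsorAdulto Class - {511F9316-771B-4953-A268-1C36DA667FE9} - C:\WINDOWS\DOWNLO~1\SPONSO~1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Olympic] C:\WINDOWS\Application Data\sgrunt\IE4321.exe
O15 - Trusted Zone: www.sgrunt.biz
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/307193.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx"""

# Every HijackThis entry starts with a section id such as R0, F1, O2, O16.
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def parse_entry(line):
    """Split one log line into (section id, body); non-entry lines give None."""
    m = HJT_LINE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage(line, trusted_dpf_hosts=frozenset()):
    """Return a reason string if the entry matches a suspicious pattern, else None."""
    parsed = parse_entry(line)
    if not parsed:
        return None
    kind, body = parsed
    low = body.lower()
    if kind == "O15":  # Trusted Zone additions relax IE security for that host
        return "site added to IE Trusted Zone (lowers security for that host)"
    if kind == "O16":  # DPF = Downloaded Program Files (ActiveX installs)
        u = urlparse(body.rsplit(" - ", 1)[-1].strip())
        # trusted_dpf_hosts is an assumed allowlist supplied by the analyst
        if u.scheme in ("http", "https") and u.hostname not in trusted_dpf_hosts:
            what = "executable" if u.path.lower().endswith(".exe") else "ActiveX package"
            return f"remote {what} registered via Downloaded Program Files: {u.hostname}"
    if kind == "O4" and ("\\application data\\" in low or "\\temp\\" in low):
        return "autostart entry running from a user-data or temp directory"
    if kind == "O2" and ("downlo~1" in low or "downloaded program files" in low):
        return "browser helper object installed from Downloaded Program Files"
    return None


def triage_log(text, trusted_dpf_hosts=frozenset()):
    """(line, reason) for every entry the rules flag; benign lines are skipped."""
    hits = ((ln, triage(ln, trusted_dpf_hosts)) for ln in text.splitlines())
    return [(ln, why) for ln, why in hits if why]
```

Local file:// DPF entries (such as the AutoCAD controls in the log) and standard Run entries under C:\WINDOWS pass through unflagged, so the output is only the entries a helper would normally ask to fix.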