Hey there Afterdawn team! I've been having problems with a "CiD: *popup ad name here*" while I browse the internet, and I know it's from something my brother downloaded (I'm guessing an EXE program he ran), because I found and deleted the virus, and then I ran 3 different spyware scans, and while they found some stuff, they could not get to the source of the problem; any other clean-ups that are possible would be nice too =D Thanks for your great help, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:34 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148090561171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148093679578
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi,

You have a problem called Lop. A common way to get that used to be from installing Messenger Plus with the sponsors. (Not sure if that carries through into current versions.)

Look in your Documents and Settings folders for all users on the computer for odd made-up names like these (the names in the last one are abbreviated):

C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD
C:\DOCUME~1\Owner\APPLIC~1\STUPID~1

Delete those two. If you have concerns about deleting others, rename the files; that gives you a recovery option if something shouldn't have been changed.

Allow HijackThis to fix these two lines:

O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe

Then check this one section of the startup log (HijackThis > Misc Tools > Generate StartupList log). This section of that log:

Enumerating Task Scheduler jobs:

should be reviewed for Lop tasks. If you see some task names that are long with odd assortments of letters and numbers, post that section of the log and I'll try to find the instructions for removing them for you.

Regards.
bc

I was doing a little reading after I posted; here is a program I am not familiar with. It apparently deletes the task jobs, and gives file/folder lists to help in finding the Lop ones. Here are instructions I copied from a post elsewhere:

Please download NoLop to your Desktop.
http://www.spywareedge.net/nolop/NoLop.exe
1. First close any other programs you have running; this will need you to reboot.
2. Double click NoLop.exe to run it.
3. Now click the button labelled Search and Destroy.
<<Your computer will now be scanned for infected files>>
4. When scanning is finished you will be prompted to reboot only if infected; click OK.
5. Now click the REBOOT button.
6. A message should pop up from NoLop. If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log in your next reply.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your System32 folder then re-run the program.
Thanks for your hasty response! Can I fix these without turning off System Restore/Safe Mode? Here's what I found under what you told me to look for; I put them all just in case:

AED8CB1591E37B45.job
Uniblue SpyEraser Nag.job
Uniblue SpyEraser.job
The top job is a Lop job. Go ahead and try the NoLop program; from the other post I looked at, it looks like NoLop will remove that. You can reset the restore points after you do the fixes; that still gives you a restart point in case of trouble. Post the NoLop log, and we'll see if we can see the Lop folder locations.

EDIT Are you familiar with this one:
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
It does not give me a lot of hits on Google; I don't know if it is good or bad. ENDEDIT
OK great! Unfortunately I have to go now, but I'll be back later tonight with my results. Thank you for your help!
OK, I ran the NoLop program, and everything went as you said it would, but I am still getting those popups (I'm not sure if it was supposed to fix it, I was just letting you know). Here is the log:

NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Owner\Desktop
[6/12/2007] [6:33:04 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AED8CB1591E37B45.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Ableton
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Propellerhead Software
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yamaha
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\.bittorrent
C:\Documents and Settings\Owner\Application Data\Ableton
C:\Documents and Settings\Owner\Application Data\Acccore
C:\Documents and Settings\Owner\Application Data\Adobe
C:\Documents and Settings\Owner\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Ahead
C:\Documents and Settings\Owner\Application Data\Aim -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Azureus
C:\Documents and Settings\Owner\Application Data\Bitdownload
C:\Documents and Settings\Owner\Application Data\Divx
C:\Documents and Settings\Owner\Application Data\Geniesoft
C:\Documents and Settings\Owner\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Identities
C:\Documents and Settings\Owner\Application Data\Lavasoft
C:\Documents and Settings\Owner\Application Data\Macromedia
C:\Documents and Settings\Owner\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\Propellerhead Software
C:\Documents and Settings\Owner\Application Data\Simple Star
C:\Documents and Settings\Owner\Application Data\Snapfish -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Steinberg
C:\Documents and Settings\Owner\Application Data\Stupid Rule Second
C:\Documents and Settings\Owner\Application Data\Sun
C:\Documents and Settings\Owner\Application Data\Teamspeak2
C:\Documents and Settings\Owner\Application Data\Uniblue -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Ventrilo
C:\Documents and Settings\Owner\Application Data\Viewpoint

There you go.

OK, and as far as:
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
I imagine you did have a hard time finding info on it; it's something required for my ISP, so it's OK. It doesn't let me use their service otherwise.

Alrighty, so what do I need to do next?
Here is my Hijack again just in case you needed it updated:

Logfile of HijackThis v1.99.1
Scan saved at 6:50:01 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148090561171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148093679578
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Well, I hope they are coming from this, because if they aren't, we are going to be getting beyond what I know to look for.

EDIT Googling, CiD popups seem to be Lop related, so getting the Lop fixed should fix your problem. ENDEDIT

Look for these two folders and delete them. (Make a note of the date before you delete them.)

C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload
C:\Documents and Settings\Owner\Application Data\Stupid Rule Second

Then, I don't know if you will see anything there or not, but take a look in C:\Program Files for oddly named folders like that too. If you set view to Details and then sort by date, if there is anything there it should be pretty close to the top (and the dates of the other folders).

EDIT After some more reading, I am expecting you to find a C:\Program Files\Stupid Rule Second\ folder. Please delete that if it exists. ENDEDIT

Then have HijackThis fix these lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe
O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe

Reboot the system and see where you are with the popups.

EDIT If problems continue, run this tool and post the report. It has some file creation information that may be helpful.

Download Combofix.exe.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe & follow the prompts.
A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Combofix will automatically save the log file to C:\combofix.txt ENDEDIT

bc
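The checks bc walks through in the replies above (an autostart entry that launches from a made-up folder under Application Data, an 8.3 short path such as STUPID~1 that hides the real folder name, and a Task Scheduler job with a random hex name) can be scripted against a HijackThis log. The script below is an added example; it is not a tool from this thread and is not part of HijackThis, NoLop or ComboFix. The sample O4 lines and job names are copied from the logs posted above. The detection thresholds (a folder name made of plain words, 12 or more hex characters in a job name, the small table of 8.3 short names) are assumptions drawn from those samples, not a vendor signature.

```python
"""Triage HijackThis O4 autostart lines and Task Scheduler job names for Lop-style entries.

Added example, not from the thread. Rules are assumptions based on the
entries posted above: the dropper autostarts from an Application Data
subfolder with a made-up multi-word name and registers a scheduled task
whose file name is a random hex string.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [cdrom upload bat manager] C:\Documents and Settings\All Users\Application Data\FUNK PLUS CDROM UPLOAD\each dupe.exe",
    r"O4 - HKCU\..\Run: [Onebore] C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe",
]
# Constructed sample: the job names the poster found under C:\WINDOWS\Tasks.
SAMPLE_JOBS = ["AED8CB1591E37B45.job", "Uniblue SpyEraser Nag.job", "Uniblue SpyEraser.job"]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First quoted or unquoted token ending in an executable extension. The match is
# non-greedy up to the extension, not up to the first space, so a path with a
# space in the file name ("each dupe.exe") is captured whole.
PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|bat|cmd|scr))(?:"|\s|$)', re.IGNORECASE)
# Assumption: 8.3 short names that commonly appear in HKCU Run entries.
SHORT_NAMES = {"docume~1": "documents and settings", "applic~1": "application data",
               "alluse~1": "all users", "progra~1": "program files"}
MULTI_WORD_RE = re.compile(r"^[a-z]+(?: [a-z]+)+$")
# Assumption: the one Lop job in the thread is 16 hex characters; accept 12 or more.
HEX_JOB_RE = re.compile(r"^[0-9a-f]{12,}\.job$", re.IGNORECASE)


@dataclass
class Autostart:
    hive: str
    name: str
    command: str
    path: str
    findings: List[str]


def normalise(path: str) -> List[str]:
    """Split on path separators, lower-case, and expand known 8.3 short names."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    return [SHORT_NAMES.get(p.lower(), p.lower()) for p in parts]


def autostart_findings(path: str) -> List[str]:
    """Reasons an autostart target deserves review; empty list means nothing odd."""
    comps = normalise(path)
    findings: List[str] = []
    if "application data" in comps:
        i = comps.index("application data")
        folder = comps[i + 1] if i + 1 < len(comps) - 1 else ""
        findings.append(f"autostarts from Application Data subfolder {folder!r}")
        if MULTI_WORD_RE.match(folder):
            findings.append("folder name is a string of plain words (Lop-style made-up name)")
        if "~" in folder:
            findings.append("8.3 short name; expand it to see the real folder name")
    return findings


def parse_o4(line: str) -> Optional[Autostart]:
    """Parse one O4 Run line from a HijackThis log; None for any other section."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    pm = PATH_RE.match(cmd)
    path = pm.group("path") if pm else cmd.split()[0]  # e.g. dumprep has no extension
    return Autostart(m.group("hive"), m.group("name"), cmd, path, autostart_findings(path))


def is_random_hex_job(job_name: str) -> bool:
    """True for a Task Scheduler job file named with a long hex string."""
    return bool(HEX_JOB_RE.match(job_name.strip()))


def triage(hjt_lines: List[str], job_names: List[str]) -> dict:
    """Return the O4 entries to fix, the jobs to remove, and the folders they live in."""
    entries = [e for e in map(parse_o4, hjt_lines) if e is not None]
    flagged = [e for e in entries if e.findings]
    jobs = [j for j in job_names if is_random_hex_job(j)]
    folders = sorted({e.path.rsplit("\\", 1)[0] for e in flagged})
    return {"autostarts": flagged, "jobs": jobs, "folders": folders}


if __name__ == "__main__":
    report = triage(SAMPLE_HJT_LINES, SAMPLE_JOBS)
    for e in report["autostarts"]:
        print(f"FIX  {e.hive} Run [{e.name}] -> {e.path}")
        for f in e.findings:
            print(f"       {f}")
    for j in report["jobs"]:
        print(f"JOB  C:\\WINDOWS\\Tasks\\{j}")
    for d in report["folders"]:
        print(f"DEL  {d}")
```

Run it against the full log by reading the file into a list instead of SAMPLE_HJT_LINES; the job names come from the "Enumerating Task Scheduler jobs:" section of the StartupList log. The output is a review list, not a verdict: the Application Data rule will also flag legitimate per-user autostarts, which is why the folder name and the task name are reported alongside it.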
I can only get as far as my startup screen before a message box with vsmon.exe pops up and stops Windows loading. It says "unknown application has caused an exceptional error at unknown address". Help please.
Hey there Bluecoal, real sorry for the slow response; it's been real busy around here lately :-/ Anyway, first I tried to delete those folders you told me to delete, but C:\Documents and Settings\All Users\Application Data\Funk Plus Cdrom Upload wouldn't let me delete it because it was "in use". I then used the application "Advanced WindowsCare Personal 2" to look at my startup programs, and found "onebore", which was obviously not supposed to be there. I made it not turn on at startup, and I followed its directory, C:\DOCUME~1\Owner\APPLIC~1\STUPID~1\ManagerBookIdle.exe, which led me to C:\Documents and Settings\Owner\Application Data\Stupid Rule Second, and then proceeded to delete that. I then ran Hijack and fixed all the directories you told me to fix. I restarted the computer, and I was able to delete the other problem folder as well. I now don't have any popup problems (yay!!!), and all the related folders should be deleted (unless it's something you and I haven't already found). I just want it permanently removed from my system if it's not already, and I'm not sure how to check that; I'm afraid to see if it's gone by allowing it to start up, because I'm not sure if it will reinstall the files when I allow it at startup if it's still there. What should I do from here? Thanks so much for all your help; you guys don't get enough credit around here.
Hi,

A) You have given me some useful information; I appreciate that.
B) You have done what I see folks being asked to do in other threads about this.

Based on some experiences some time ago, I would like for you to check a little further. What I would most like to see is a log from this program, at least the files section.
http://www.geekstogo.com/forum/index.php?automodule=downloads&showfile=19
I have not learned how to use this program yet, nor reviewed a log from it, so you can probably do as good a job reviewing it as I can. If you decide to try running it, but prefer not to post it, you need to review the file sections carefully, looking for those made-up type file names to see if there are any left. Because you got on this so quickly, I am not expecting you to find anything other than the thing I mention next.

I would particularly like to know, either yes or no, if there is a C:\Program Files\Stupid Rule Second. (If you prefer not to run the program, you can just check for this folder manually.) Because of the presence of the Task Scheduler job, I am expecting you to find one. Also, check the Program Files folder for a c2media program or folder. If you find one, let's talk about that.

After that, there might possibly be a registry entry or two, but they can no longer call anything, so I think you will be OK there.

(I appreciate your compliment; there are a lot of new infections I could not help you with, this happens to be one I had a run-in with.)

Regards.
bc