[bizzt]

When logging onto a computer about 8 popups come up saying "Yay" both as the Body and Title of the Pop-up. Subsequently it also opens up an IExplore Process but no Window. This also happens when you open an IE window. I do not have the Hijackthis log at this time but It did not appear to show too much when I checked it out. It happens on everyones profile so it is not an individual User problem. Adaware, Spybot, Mcaffee (Enterprise Version with Spyware Detection) have not picked the problem up. I checked to see if it was caused by someone mucking around in Group Policies or maybe a Script running in the Background but nothing. I will try to get a Hijackthis log soon and post it. Any help would be appreciated
Thanks

 

[sjpritch25]

Welcome to TSG

Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.

 

[bizzt]

Here is that Hijackthis Log

Logfile of HijackThis v1.99.1
Scan saved at 5:15:43 PM, on 10/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\LDClient\LOCALSCH.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\LDClient\wuser32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\internat.exe
C:\WINNT\webshots.scr
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Network Associates\Remote Desktop 32\remag.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\KHirsch\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124129654248
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CAN.BJS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CAN.BJS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = can.bjs,usa.bjs,ear.bjs,apr.bjs,lar.bjs
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CAN.BJS
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = can.bjs,usa.bjs,ear.bjs,apr.bjs,lar.bjs
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = can.bjs,usa.bjs,ear.bjs,apr.bjs,lar.bjs
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINNT\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RemoteDesktop Connection Manager (RemoteDesktopConnectionManager) - Magic Solutions, A Network Associates Company - C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
O23 - Service: Intel Remote Control Service (Wuser32) - LANDesk Software, Ltd. - C:\LDClient\wuser32.exe

 

[bizzt]

Welcome to TSG

Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.

Hey I have been here longer then you have LOL

 

[bizzt]

Oh and don't worry about those TCPIP parameters they are supposed to be there

 

[sjpritch25]

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[bizzt]

Thanks... I put that into my list of Programs

Good Info too but nothing I can see in the Log

"byergens" - Thu 11/01/2007 9:17:05 Service Pack 4
ComboFix 07-01-10 - Running from: "C:\Documents and Settings\byergens\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\command.com

((((((((((((((((((((((((((((((( Files Created from 2006-12-11 to 2007-01-11 ))))))))))))))))))))))))))))))))))

2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Sun
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Sonic
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Real
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Leadertech
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\InterVideo
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Help
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Google
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\AdobeUM
2007-01-10 16:47 d-------- C:\DOCUME~1\KHirsch\Application Data\Adobe
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Sun
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Sonic
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Real
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Leadertech
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\InterVideo
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Help
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\AdobeUM
2007-01-10 13:38 d-------- C:\DOCUME~1\TBISSO~1\Application Data\Adobe
2007-01-10 13:25 d-------- C:\DOCUME~1\byergens\Application Data\Lavasoft
2007-01-10 13:24 d-------- C:\Program Files\Lavasoft
2007-01-09 21:36 d-------- C:\WINNT\system32\bak
2006-12-24 13:02 d-------- C:\DOCUME~1\BKREZE~1\Application Data\CyberLink
2006-12-15 06:24 d-------- C:\Program Files\McAfee
2006-12-15 06:24 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-09 21:36 37388 --a------ C:\WINNT\system32\igfxtray.exe
2007-01-09 21:36 37388 --a------ C:\WINNT\system32\igfxpers.exe
2007-01-09 21:36 37388 --a------ C:\WINNT\system32\hkcmd.exe
2006-12-26 19:41 -------- d-------- C:\Program Files\network associates
2006-12-07 21:03 -------- d-------- C:\DOCUME~1\byergens\Application Data\google
2006-12-06 16:33 -------- d--h----- C:\Program Files\installshield installation information
2006-12-06 16:33 -------- d-------- C:\Program Files\google
2006-12-01 13:58 -------- d-------- C:\Program Files\theweathernetwork
2006-11-15 20:09 -------- d---s---- C:\DOCUME~1\byergens\Application Data\microsoft

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"Persistence"="C:\\WINNT\\system32\\igfxpers.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"dla"="C:\\WINNT\\system32\\dla\\tfswctrl.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
WmdmPmSN

Completion time: Thu 2007-01-11 9:17:58

 

[sjpritch25]

That one deletion is normally from a worm infection. Lets make sure your clean

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm

1. Once you are on the Panda site click the Scan your PC button
2. A new window will open...click the Check Now button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
10. When download is complete, click on Local Disks to start the scan
11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

 

[bizzt]

Oooppsss good one I missed that Command.com (right at the top.) The eyes Deceived me

I will do the Scan ASAP

 

[bizzt]

here you go

Incident Status Location

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\BKrezeminski\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\byergens\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\byergens\Cookies\[email protected][2].txt

 

[bizzt]

Ok so I did some more investigating and decided to logon to the Computer as myself. They Yay popups started etc... I checked the Temp Directory and found a file abc123.pid. So I decided to do some research on this particular Culprit.
http://forum.sysinternals.com/forum_posts.asp?TID=7906&PN=1&TPN=2

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=2

Nonetheless I am on the way of solving this thing. I will keep you posted to what I did.

 

[sjpritch25]

Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.

 

[kalypso]

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZONEBAC.F

so it's a trojan that you picked up.

here's the clean that they provide for it.
It'd have to be done manually.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZONEBAC.F&VSect=Sn