
73 Posts

March 31st, 2005 17:00

Ads popping up and adware problems

My friend is having a lot of problems with his computer. Can you please check it out? I have a Compaq Presario 2100 with Windows XP SP2. I already ran AVG, Adware, Norton, Trend Micro and Spybot, and all show that I have ILookup.Begin2Search popping up as HIGH security, but I am unable to get rid of it. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:47 PM, on 3/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\mdrpdev.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSProxy Support Dll - {830DE650-EBE7-434F-99AA-8DCBCDACBD7B} - C:\WINDOWS\system32\msprxcore.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

4 Apprentice

8.8K Posts

March 31st, 2005 18:00

Hi and welcome
I'm looking over your log now and will get back to you soon.

Steve

4 Apprentice

8.8K Posts

March 31st, 2005 19:00

Hi
Before we get into the log, I would like you to upload this file, mdrpdev.exe, to a file scanner. Here is the site of the scanner I would like you to upload it to: Online Scanner

After you have uploaded this file please post back the results.

Also I would like you to right click on that file and tell me what it says in properties.

Thanks,
Steve

Message Edited by zbestwun2001 on 03-31-2005 02:00 PM

73 Posts

March 31st, 2005 20:00

Thank you for responding. Here is what it said:

Service load: 0% 100%
File: mdrpdev.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
-
AntiVir: No viruses found
Avast: No viruses found
AVG Antivirus: No viruses found
BitDefender: No viruses found
ClamAV: No viruses found
Dr.Web: No viruses found
F-Prot Antivirus: No viruses found
Fortinet: No viruses found
Kaspersky Anti-Virus: No viruses found
mks_vir: No viruses found
NOD32: No viruses found
Norman Virus Control: No viruses found
VBA32: No viruses found

Statistics
Last piece of malware found was Win32.P2P.SpyBot.A7210432 in ass2.exe, detected by:

Scanner / Malware name
AntiVir: X
Avast: X
AVG Antivirus: X
BitDefender: Win32.P2P.SpyBot.A7210432
ClamAV: X
Dr.Web: BackDoor.IRC.Sdbot
F-Prot Antivirus: X
Fortinet: X
Kaspersky Anti-Virus: Backdoor.Win32.SdBot.gen
mks_vir: X
NOD32: probably unknown NewHeur_PE
Norman Virus Control: Sandbox: W32/Backdoor
VBA32: X

Service statistics:

333 files (308 of those unique) have been uploaded & scanned since 31/03/2005, the day of the last database purge.
109 of those 308 files contained a virus or any other form of malware.
This page has been visited 1006 times in this time period.
This service managed to spot 6 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 159 suspicious files without any help from scanner results.
However, 0 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 100.00% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.

No I am not sitting still! A new, better version of this service is being developed.
If you have suggestions and/or comments, please send me them!

Most popular malware:
And the properties on that file are:

File version: 6.01.2600
Location: C:\WINDOWS\system32
Size: 28.0 KB (28,672 bytes)
Created: Today, March 31, 2005, 4:34:49 PM

If you need more, I will be online. Thanks again.

73 Posts

March 31st, 2005 22:00

Hey Steve, just wondering if what I did helped you, or if I did it wrong, or if you need me to do anything.

4 Apprentice

8.8K Posts

March 31st, 2005 22:00

What you did was perfect.
I am waiting for someone to get back to me on it.
As soon as I have that information we will proceed.

Your log isn't bad, it's just that one file we wanted to double check.

Steve

4 Apprentice

8.8K Posts

April 1st, 2005 19:00

We need to inspect this one file:

Please go to this address: here, and read on how to submit a file for inspection.

Thanks,
Steve

4 Apprentice

8.8K Posts

April 1st, 2005 19:00


EDIT: FORGET THE BELOW AND WAIT FOR ME TO GET BACK TO YOU.

Steve


That website is run by an excellent malware specialist.

Don't post a new log, he just would like you to send him a copy of that one file, mdrpdev.exe.

We will take it from there after he has analyzed that file. Because I am very tempted, as is he, to delete it, but he just wants to make sure. There is little information on it that we can find out.

So if you can upload the file to that site, that would be great.

Sorry for the hassle.

Steve

Message Edited by zbestwun2001 on 04-01-2005 01:29 PM

Message Edited by zbestwun2001 on 04-01-2005 01:34 PM

73 Posts

April 1st, 2005 19:00

I am not sure I understand. I went to the web site and it is another forum. Should I do another HijackThis there? I looked all over to see how I can submit the file. If you could point me in the right direction... Thanks again for reading it.

4 Apprentice

8.8K Posts

April 1st, 2005 19:00

OK, here are the instructions for sending the file; in your case we only need one file.


You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, go to . Locate the first file you want to zip.

c:\windows\system\xxxxxx.exe

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on


c:\windows\system\xxxxxx.exe

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

6. Repeat steps 3. to 5. for the following files

c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe
c:\windows\system\xxxxxx.exe

Note that the folder should have NN files in it if you found them all.

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. add address of topic you are using

Paste it in the text field.

and send please.

If you have any question please ask.

Thanks
Steve

4 Apprentice

8.8K Posts

April 1st, 2005 20:00

Great!

We will be able to proceed shortly and get you all fixed up.

Steve

73 Posts

April 1st, 2005 20:00

Hey Steve, thank you so much. I think I got it right; I did what you asked. Umm, I sent only that mdrpdev.exe file. I sent it to that email you wanted. If you need me to do anything else... Thank you again.

4 Apprentice

8.8K Posts

April 2nd, 2005 13:00

Hi
To begin with, let's rename that file.
Let's call it mdrpdevold.exe

Open HJT and tick these entries if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)

With all applications closed except the HJT program, hit the FIX button.


Reboot, rescan and repost a new log.
Steve

Message Edited by zbestwun2001 on 04-02-2005 07:48 AM

73 Posts

April 2nd, 2005 15:00

Hey Steve, I did what you asked and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:02 AM, on 4/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSProxy Support Dll - {830DE650-EBE7-434F-99AA-8DCBCDACBD7B} - C:\WINDOWS\system32\msprxcore.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
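As an added example, not code from this thread or from HijackThis itself, the script below parses the "Rn - " / "On - " entry lines of the two logs posted above and reports what the FIX pass removed; the only checks it applies are the ones the helper acted on (blank R0 pages, a missing URLSearchHook, entries marked "(file missing)"), and the sample logs are a constructed subset of the lines above.

```python
# Added example: diff two HijackThis logs and flag the entry types the helper ticked.
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "R0" or "O2"
    body: str  # everything after the "Rn - " prefix

def parse_log(text: str) -> List[Entry]:
    """Keep only Rn/On entries; header and 'Running processes' lines are skipped."""
    found = [ENTRY_RE.match(ln.strip()) for ln in text.splitlines()]
    return [Entry(m["code"], m["body"]) for m in found if m]

def suspicious(e: Entry) -> Optional[str]:
    """Why an entry deserves a look, or None if none of the thread's checks apply."""
    if e.code == "R0" and e.body.rstrip().endswith("="):
        return "blank IE start/local page"
    if e.code == "R3" and "missing" in e.body:
        return "default URLSearchHook missing"
    if "(file missing)" in e.body:
        return "points at a file that is not on disk"
    return None

def fix_report(before: str, after: str) -> dict:
    """What the FIX removed, what appeared afterwards, and what still looks off."""
    b, a = parse_log(before), parse_log(after)
    return {
        "removed": [e for e in b if e not in a],
        "added": [e for e in a if e not in b],
        "still_flagged": [(e, suspicious(e)) for e in a if suspicious(e)],
    }

# Constructed sample logs: a subset of the entries from the two logs posted in this thread.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\system32\mdrpdev.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""
```

The leftover "(file missing)" O9 entry in the second log is the BitDefender online-scanner uninstall button, which is why it is reported but was not on the fix list.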

4 Apprentice

8.8K Posts

April 2nd, 2005 16:00

That's very good!
Very good!!!

Do a disk CleanUp .

You are all clean and you did excellent.

I'm here if you have any problems

Steve
SpyBoT AVG7-AntiVirus SygateFirewall AdAwareSE SpywareBlaster CleanUp HiJackThis About Buster MWAV CWShredder.exe SpyGuard

73 Posts

April 2nd, 2005 16:00

Thank you so much Steve, I really appreciate it. Before I go, why did you have me rename that file, and should it still be in that system32 folder? When you get time... Thanks again.