I get a random pop-up screen that covers the whole page and is using the IE browser. The URL says "Dialeradmin.com" and then a long string of stuff I can't begin to understand. In the middle of the screen it says "Sorry but you can not continue, etc., etc." or something like that. The only way I can get the page off my desktop is to X out of it. It closes the browser. Then I am back at my desktop. It's bad when I am on the Internet because it closes Internet Explorer when I have to X out of this pop-up screen. Can anyone tell me how to deal with this problem? I have tried Ad-Aware, Spybot, CWShredder, and I have run a HijackThis scan and have a log file but I can't understand it. I have run the logfile analyzer but no help... Any help would be appreciated. Thanks.

Try pasting the log into this one first. It gives you a start because it lists all the baddies known to that website at the top under "malicious" and has less about the general stuff (suspicious - below):
HJT DETECTIVE
If you fix the malicious stuff then repaste your log on these websites; there will be a lot less to wade through and hopefully the main nasties will have gone - much easier. Google will help and don't forget Google "Groups".
Derek.W

Thanks Derek. Here is the final log file.
The computer still has a problem though.
I will fix the temporary file problem.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:15 PM, on 3/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTserv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ehim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\spywareguard\sgmain.exe
C:\Program Files\spywareguard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ken Wind\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.houstonchronicle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\ehim.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\ehim.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\spywareguard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTserv.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I can't find info on this file ehim.exe.
Upload and scan it here
http://virusscan.jotti.dhs.org/
if found bad, delete in safe mode.

O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\ehim.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\ehim.exe

Run a couple of online scans;
http://windowsxp.mvps.org/Scanners.htm

Gee, that looks a lot better. The only things that looked a bit weird to me were the two entries for ehim.exe.
I assume this means nothing to you? There is a perfectly valid file svchost.exe (often appears more than once, don't delete any) which this apparently can be linked with if you have the worm W32.Welchia.
See if someone else comes along who knows this one (sounds like some worm that keeps changing the file name). In the meantime try this freebie, it might unearth it:
As an aside, because of these logs the web is littered with them. If you are not already aware, it sometimes helps in Google to type -hijackthis after the search entry (you then lose all the log entries).
Derek.W

Firstly, don't forget to get the updates to A2FREE once it is installed.
Found this link, which gives removal instructions for the worm I mentioned (treat this possibility as just a suspicion):
W32.Welchia.Worm
One more thing. I have to admit to being a W98SE person (they are still about LOL). I therefore forgot to say that when removing viruses and the like from XP you should turn off System Restore. Otherwise there is a danger that something will be lurking in the backup.
See how you get on. That's probably about as far as I can go, but post back by all means if necessary because someone else should be able to help you fix any loose ends.
Derek.W

... why do I always think of something else...
When (and only when) you are satisfied that your machine is clean, run HJT, tick the lot and tell it to ignore them all. From then on it will only bring up "new additions", which are much easier to recognise or investigate.
For some reason I feel I might be one of only a few who does that - it helps.
Derek.W

Thank you so much for the response and suggestions. I will follow up on each of these. I'll get back as soon as possible and give a report on this. Thanks again.

Well, I waited a day to make sure the problem didn't resurface. It didn't. I think the pest is gone. Thanks for the help. Hey Derek and Abnormal, you guys were right. The ehim.exe file was bad. I deleted it in Safe Mode as you suggested. It would not even delete in regular Windows. I also found references to it in the registry (Run). It was loading at startup. Anyway, it was the bad guy. Thanks so much. That's all for now.

Very sensible to wait a while before reporting back to say you had fixed it, so often these things pop back.
Download, Update, and Run SpywareBlaster. This prevents some of this stuff from taking hold in the first place rather than fixing it afterwards, and uses no resources (puts kill bits in registry).
Thx for popping back, it's always nice to know how things turned out.
Abnormal
Hope you appreciated that my #4 overlapped your #3 and was not intended to undermine it in any way. I've seen your posts long enough to learn to respect them.
Derek.W

The computer that was infected (a work computer) has SpywareBlaster installed now. Thanks. I have had it on my home computer for some time now. OK Derek and Abnormal, you guys were right about ehim.exe, but my question now is how did you figure it out? Are you two guys programmers? Seriously!! Who can know the file system well enough to look at a log file and know what it's all about? I don't know of any hardware guy who can do that. Especially a beginner tech. Thanks for giving me your time and help. The computer at work that had the problem was the very computer that the owner of the company I work for uses. Well, he uses them all and owns them all, but this one is at his desk. I'm not a tech guy but it sure made me look good. Thanks to you guys.

For my part there was nothing clever about it whatsoever. I must admit that I have got rather used to recognising "valid" files (just been at it rather a long time, that's all).
I did also check to make sure that file didn't exist on my own system. So after that I bunged it in Google - no hits. I then tried Google Groups, still no hits. You then start wondering why.
With a complete and utter lack of information existing anywhere about this file it was very easy to assume it was likely to be something nasty (but nothing is absolutely certain). After all, you could have had some obscure program on your system that used ehim.exe.
So, in summary, experience plus a bit of intuition. Abnormal may have used some more clever method, but all I can say is that having read many of his posts, whatever it is he is darned good at it.
Derek.W

... should have said that even if that file had turned out to have been of some value it was very clear (from the process given) that it was by no means essential to running Windows, so could be tackled without any significant risk. If it had been of value then you would have just had to reload that obscure program.
Derek.W
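The check Derek describes in the two posts above (an O4 Run entry whose executable is unknown, appears in both HKLM and HKCU, and is absent from a clean machine) written as a small script. This is an added example, not code from the thread; the sample lines are copied from the log posted above, and the clean-machine baseline set is a constructed assumption.

```python
import re

# Constructed sample: O4 lines in the shape HijackThis prints them.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.exe C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [Windows Service] C:\\WINDOWS\\System32\\ehim.exe
O4 - HKCU\\..\\Run: [Windows Service] C:\\WINDOWS\\System32\\ehim.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

# Assumed baseline: executable names seen in the Run keys of a known-clean
# machine of the same build (Derek's "check it exists on my own system" step).
CLEAN_BASELINE = {"rundll32.exe", "msmsgs.exe", "ccapp.exe", "qttask.exe"}

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_o4(log_text):
    """Return (hive, value_name, executable_basename) for each O4 Run entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # The program is the first token; honour quotes around long paths.
        prog = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        exe = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        entries.append((m.group(1), m.group("name"), exe))
    return entries


def suspicious_entries(log_text, baseline):
    """Map each executable missing from the baseline to the reasons it was flagged."""
    entries = parse_o4(log_text)
    hives = {}
    for hive, _name, exe in entries:
        hives.setdefault(exe, set()).add(hive)
    flagged = {}
    for hive, name, exe in entries:
        if exe in baseline:
            continue
        reasons = ["not in clean-machine baseline"]
        if len(hives[exe]) > 1:
            # The same unknown file wired into both per-machine and per-user Run.
            reasons.append("set in both HKLM and HKCU Run")
        flagged[exe] = reasons
    return flagged
```

A hit in this script is only a lead: the next steps are the ones the thread already gives (search for the name, scan the file, then remove it in Safe Mode with System Restore off).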

No problem Derek, spotting something that does not belong in XP caught my eye. Had to jump in.
Note: I do not have XP.
BSides, when you search for a file and find no results on the internet, chances are it's up to no good. That's why I gave the link to test; they submit it to anti-virus vendors. Some links to help analyze, like Derek gave, help in the fight. (nice site)
For myself, reading a log is something I will not do 24/7. Everything I learned has been posted somewhere. We need others to want to learn, not get a free ride. I only had to ask one question in 3 1/2 years.
Logs do tell a lot, but most are not as clean and easy to read as yours.
Take care and stay clean.
Edit: Derek, I saw posts 11 & 12 before I hit submit.

Thanks Derek and Abnormal for the quick reply. "When you search for a file and find no results on the internet, chances are it's up to no good." That's a good rule to go by. I found no results when I tried it on Google search. "I did also check to make sure that file didn't exist on my own system." I'll do that on a clean machine next time. Very good advice. I've learned some things the past few days. I've never used HijackThis or a log file before now. I had to this time. Thanks so much. I have to let you in on this. My boss picked up that garbage from a sleazy website. Yep, porn. I looked at his history and cookies record to see where he had been. I didn't say anything to him about my doing that though. I did tell him that junk like that usually comes from going to certain websites, etc. I think he got the idea... Anyway, best of luck in the future. BSides
