• Announcements

    • LS.Andy

      Support for other products than adaware, ad block, web protection and Web Companion   05/05/2017

      Support for the following products is handled by the Lavasoft support team: Lavasoft Tuneup Kit Lavasoft PC Optimizer Lavasoft Driver Updater Lavasoft Registry Tuner Lavasoft Privacy Toolbox Lavasoft File Shredder Lavasoft Digital Lock

      For help with these products, contact the support team here: http://www.lavasoft.com/support/supportcenter/
       
Sign in to follow this  
Followers 0
huilill

Win32.AdWare.Cinmus

6 posts in this topic

I'm having trouble to remove Win32.AdWare.Cinmus from my pc. I'm using Ad-Aware 2007 free version and it can detect the adware, but failed to remove it. Any solution for this?

Share this post


Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:38:46 AM, on 10/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\inf\MsnSvc64.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\3eff1.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\RoamMgr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Intel\Switching\User\RoamSvc.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\Svchost.exe

C:\WINDOWS\TEMP\1001m_setup.exe

C:\WINDOWS\TEMP\is-PM72P.tmp\is-4OFPD.tmp

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\svchostb.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

C:\Program Files\Internet Explorer\PLUGINS\SysWin6k.Jmp

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F429BA5-3EF4-40BD-AE4B-5561C8AF3E72} - C:\WINDOWS\system32\bshsecrpavjoh.dll

O2 - BHO: Invoke Class - {3AA0903B-1E13-4865-B114-15792D413C41} - C:\WINDOWS\system32\63e1.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {8F776B2A-72DF-40C1-BD69-EDB642A706D7} - C:\WINDOWS\system32\4LfGsn\BHO.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

O4 - HKLM\..\Policies\Explorer\Run: [agl8] rundll32 "C:\WINDOWS\Downlo~1\agl8.dll",Run

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193358826420

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193358810017

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DNS Service (DNService) - Unknown owner - C:\WINDOWS\inf\MsnSvc64.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\system32\RoamMgr.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Yahoo Service (YahooSvr) - Unknown owner - C:\WINDOWS\system32\svchostb.exe

 

--

End of file - 10810 bytes

Share this post


Link to post
Share on other sites

Hi,

 

Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

 

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Also keep in mind that all your passwords are currently known, so only use this computer to follow my instructions. Don't do anything else on it. Leave it disconnected from the internet as much as possible.

To be honest, if that was my system - and so severly infected as in your case, I would backup my important data and then format and reinstall, because in your case, even if you clean the malware manually, you will never be able to trust this system anymore, because it's so badly compromised.

So it's up to you to decide how to proceed with this.

If you want to deal with this manually (but as I already said, we won't be able to solve all your problems), then perform next steps:

 

I see you have Ad-Watch running. Please disable it since it may interfere with the fixes.

 

Please perform next instructions in the right order..

 

Go to this page.

Enter the url of this thread in the first field.

Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

 

C:\WINDOWS\system32\4LfGsn\BHO.dll

 

Select it and click ok.

Then click the Send File button below.

 

Then, Please download LSPfix and save it to the Desktop and unzip it.

* Run LSPfix and place a check against the I know what I am doing checkbox.

 

Highlight every instance of the following name: c:\windows\system32\sqmapi32.dll and move it from the Keep to the Remove panel.

Be sure to move nothing else or you will loose your internet connection!!!

 

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

 

Then, * Download ComboFix from here.

**Save it to your desktop**

 

In case you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

 

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

 

* Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

 

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

Post the contents of this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Share this post


Link to post
Share on other sites

Thanks a lot for your helping, But when I went to C:\WINDOWS\system32\4LfGsn, I found nothing there, I can't find BHO.dll file. anyway, I will think about your suggestion to format my system and reinstall. thanks again.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0