
Can not get rid of AVSystemCare popup



Good evening to all of you,

I have the following problem on my personal PC: I keep getting the AVSystemCare popup.

I have attached a screen shot of the popup.

AVSystemCare is not installed, but the popup keeps appearing. I read a few of your forum threads and tried a couple of things, but it is still here.

I probably got infected because I was not keeping Windows up to date.

So far I have brought Windows up to date and run AVG Antivirus, AVG Anti-Spyware and Ad-Aware 2007, which did not find anything.

I also have ZoneAlarm and SpywareBlaster installed.

I have not yet updated the Java 1.4 version, which you mentioned as a security hole, but I will.

I have run HJT and here is the log:

Thanks for your time

Logfile of HijackThis v1.99.1

Scan saved at 9:46:40 PM, on 8/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\winhlp32.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O20 - Winlogon Notify: winphc32 - C:\WINDOWS\SYSTEM32\winphc32.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

AVSystemCare.doc



Hello Again,

I have just run ComboFix and here is the log; since then it looks like the popup is gone.

Do you think I need to check more things?

Thanks

ComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\settings.dat

C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak

C:\Program Files\myglobalsearch\bar\Settings\settings.htm

C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak

C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe

C:\WINDOWS\system32\nvs2.inf

C:\WINDOWS\system32\repewb.dat

C:\WINDOWS\system32\repewb.exe

C:\WINDOWS\system32\repewb_nav.dat

C:\WINDOWS\system32\repewb_navps.dat

C:\WINDOWS\system32\winphc32.dll


Good Evening Jean,

Here is the full ComboFix log and a new HJT log.

Thank you

ComboFix log:

ComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\settings.dat

C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak

C:\Program Files\myglobalsearch\bar\Settings\settings.htm

C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak

C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe

C:\WINDOWS\system32\nvs2.inf

C:\WINDOWS\system32\repewb.dat

C:\WINDOWS\system32\repewb.exe

C:\WINDOWS\system32\repewb_nav.dat

C:\WINDOWS\system32\repewb_navps.dat

C:\WINDOWS\system32\winphc32.dll

((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))

2007-08-08 20:38 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-15 10:43 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks

2007-07-09 23:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-07-09 23:17 <DIR> d-------- C:\HJT

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 20:53 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Skype

2007-08-07 18:44 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\AdobeUM

2007-08-01 23:20 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Juniper Networks

2007-07-10 00:11 --------- d-------- C:\Program Files\Enigma Software Group

2007-07-06 19:10 --------- d-------- C:\Program Files\SpywareBlaster

2007-07-06 18:46 1156 --a------ C:\WINDOWS\mozver.dat

2007-07-06 18:34 0 --a------ C:\WINDOWS\nsreg.dat

2007-07-02 22:33 --------- d-------- C:\Program Files\Messenger

2007-06-29 20:22 --------- d-------- C:\Program Files\Juniper Networks

2007-06-29 17:07 --------- d-------- C:\Program Files\Lavasoft

2007-06-29 17:06 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Lavasoft

2007-06-29 17:05 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-29 16:45 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll

2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll

2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll

2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll

2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TrackPointSrv"="tp4mon.exe" [2004-08-03 20:56 C:\WINDOWS\system32\tp4mon.exe]

"PRISMSVR.EXE"="C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.exe" [2004-04-26 15:26]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-02-09 23:52]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 08:42]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-28 22:56]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-11-24 18:16]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-04-01 08:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS

R3 3C154G;3Com OfficeConnect 802.11g PC Card Driver;C:\WINDOWS\system32\DRIVERS\3C154G72.sys

R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys

S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-08 20:49:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-08-08 20:57:02 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-08-08 20:56

C:\ComboFix2.txt ... 2007-07-06 18:25

--- E O F ---

===========================================================================

HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 8:14:05 PM, on 8/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE

C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Hi there, please get these programs, update them and run a complete scan, removing all items found. You already have AVG, but I would like to see the log please.

Spybot Search & Destroy

AVG AntiSpyware

Then go here and run a scan: Panda ActiveScan

Post the logs from the Panda and AVG scans please, along with a log from this program: HijackThis

I will analyze the logs and give you further instructions. Please do not take action other than instructed.

You must update Java and Adobe; these are major security risks right now, and you can be reinfected at any time because of them.

Did you choose this homepage? R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ It gets mixed reviews; remove it with HJT if you didn't choose it, and choose a new homepage.


Hello Jean,

Here are the AVG, Panda and HJT logs

Thanks

AVG:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 10:25:10 PM 8/13/2007

+ Scan result:

C:\Documents and Settings\admin\Cookies\admin@estat[1].txt -> TrackingCookie.Estat : No action taken.

:mozilla.66:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken.

:mozilla.67:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken.

C:\Documents and Settings\admin\Cookies\admin@seznam[1].txt -> TrackingCookie.Seznam : No action taken.

C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt -> TrackingCookie.Weborama : No action taken.

::Report end

Panda:

Incident Status Location

Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt[.metriweb.be/]

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\admin\Cookies\admin@toplist[1].txt

Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\admin\Cookies\admin@xiti[1].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe]

Adware:Adware/SpyVampire Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe.vir

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

Potentially unwanted tool:Application/MyWebSearch Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[mgsSetp.ClipRex.exe]

Adware:Adware/SaveNow Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Cliprex_WhenUSave_InstallerInst.exe]

Virus:Trj/Banker.SW Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Capthumb.dll]

And HJT:

Logfile of HijackThis v1.99.1

Scan saved at 8:17:52 AM, on 8/14/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE

C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Link to post
Share on other sites

Hi there,

I have removed everything that Spybot found.

AVG has found cookies.

Panda has found things, right, but does not offer the possibility to remove them. I will do it manually for some of them, because not everything is dangerous; some of the software I still use.

I'm using the same HJT version as at the beginning of this topic. I didn't know this version was wrong.


Re-read my first reply. There is a link to the correct HJT program there. Panda will remove without buying. It won't remove cookies, but it shows a trojan that it should remove. I would like to see another log from Panda at this point, because ComboFix may have removed it. So we need a log from the Trend Micro HJT and Panda please. How is it running? Feedback is also important.


Since I ran ComboFix at the beginning, I don't have any popups anymore. So it's better now.

I have no more unwanted ads. Everything looks okay now.

What's strange is that Panda wants to remove ComboFix.

Anyway, I will get the latest HJT and post the new Panda and HJT logs.


Hello Jean,

I have run Panda again and manually deleted the files from the previous report, as Panda was not able to delete them.

Here is the last scan report. The only thing it flags now is ComboFix, which I have now deleted.

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe]

And here is the last HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:56:05 PM, on 8/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5528 bytes

==========================================================================

I have also updated the Java runtime and Acrobat.

Is ComboFix a safe tool to use? When I used it, it quarantined the following files and the popup disappeared:

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\History\search

C:\Program Files\myglobalsearch\bar\Settings\settings.dat

C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak

C:\Program Files\myglobalsearch\bar\Settings\settings.htm

C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak

C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe

C:\WINDOWS\system32\nvs2.inf

C:\WINDOWS\system32\repewb.dat

C:\WINDOWS\system32\repewb.exe

C:\WINDOWS\system32\repewb_nav.dat

C:\WINDOWS\system32\repewb_navps.dat

C:\WINDOWS\system32\winphc32.dll

The strange thing is that, for example, the file repewb.exe was not visible on the C drive.

I used IceSword before, which found it in its report, but it was impossible to find it on the drive to delete it.

How can this malware hide on the file system?

Thank you


Did you update Java after you posted the HJT log? Because what shows in the log is not the current version. You should not use tools like ComboFix without the supervision of someone that knows how to read the logs. The reason we use these tools is to show the malware that hides on the system. You may not have your system set to show hidden files and folders either. But it is common for malware to hide on the system.

You were supposed to post the Panda log.

Your log looks clean. We now need to set a clean System Restore point. If you don't, and you need to use System Restore, you will reinfect yourself. Go to Start > Control Panel > System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start > Help and Support > Undo Changes to Your System or System Restore, depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good, and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.

Since this issue appears to be resolved I will close this thread. Should you need further assistance please start a new topic.

The instructions in this thread are specifically for this system. Applying them to your system can be utter ruination. Start your own topic and receive help specific to your system.

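Editor's note, added after the thread closed (this is an added example, not code from the forum, from HijackThis, or from any tool named above). Reading an HJT log by eye is error-prone, and this thread shows why: ComboFix removed the winphc32 Winlogon Notify DLL (the O20 line that vanishes between the first and second logs), and the global Tcpip\Parameters NameServer key later changed to 208.67.220.220/208.67.222.222, yet the two per-interface O17 keys still list 85.255.115.61 and 85.255.112.97 in the final log. A resolver you did not choose is exactly the kind of entry a "looks clean" verdict should not skip. The script below parses the O17 and O20 lines, flags resolvers and Winlogon Notify packages outside an allowlist, and diffs two logs to show what a cleanup actually changed. The two log excerpts are copied from the first and final HJT logs in this thread; the resolver allowlist (OpenDNS, per the final log) and the Winlogon Notify allowlist are assumptions you would replace with what your ISP or build actually uses.

```python
"""HijackThis log triage (added example; not part of the thread or of HJT itself).

Flags O17 NameServer entries outside an expected resolver set, O20 Winlogon Notify
packages outside an allowlist, and diffs two logs to show what a cleanup changed.
"""
import ipaddress
import re
from typing import Dict, List

# Excerpt of the first (pre-ComboFix) HJT log in the thread, constructed for this example.
LOG_BEFORE = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.115.61 85.255.112.97
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
O20 - Winlogon Notify: winphc32 - C:\\WINDOWS\\SYSTEM32\\winphc32.dll
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"""

# Excerpt of the final HJT log in the thread, constructed for this example.
LOG_AFTER = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 208.67.220.220,208.67.222.222
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"""

# Assumption: the resolvers the owner actually chose (OpenDNS, as seen in the final log).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("208.67.220.220"),
    ipaddress.ip_address("208.67.222.222"),
}
# Assumption: Winlogon Notify packages expected on this XP SP2 box (WGA only).
KNOWN_NOTIFY = {"wgalogon"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_nameservers(field: str) -> List[ipaddress.IPv4Address]:
    # HJT prints per-interface lists comma-separated and the global key space-separated.
    return [ipaddress.ip_address(s) for s in re.split(r"[,\s]+", field.strip()) if s]


def suspicious_o17(log: str) -> Dict[str, List[str]]:
    """Map each O17 registry key to the resolvers it lists that are not expected."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = O17_RE.match(line)
        if not m:
            continue
        bad = [str(ip) for ip in parse_nameservers(m["servers"]) if ip not in EXPECTED_RESOLVERS]
        if bad:
            hits[m["key"]] = bad
    return hits


def suspicious_o20(log: str) -> List[str]:
    """Winlogon Notify packages not on the allowlist; these DLLs load into winlogon.exe."""
    matches = (O20_RE.match(line) for line in log.splitlines())
    return [m["name"] for m in matches if m and m["name"].lower() not in KNOWN_NOTIFY]


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Lines present only before (removed by cleanup) and only after (new since)."""
    b, a = set(before.splitlines()), set(after.splitlines())
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"[{label}] O17 resolvers outside allowlist:", suspicious_o17(log))
        print(f"[{label}] O20 notify packages outside allowlist:", suspicious_o20(log))
    print("diff:", diff_logs(LOG_BEFORE, LOG_AFTER))
```

Run against the final log, the check still reports the per-interface 85.255.x.x resolvers even though the global key is clean; that is the point of comparing every NameServer value against an allowlist instead of eyeballing one line. The O20 check is the same idea applied to code that winlogon.exe loads at logon, which is why an unknown entry there (winphc32 in the first log) deserves attention before anything in the Run keys.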
