isoasa Posted August 8, 2007 ID:7329 Share Posted August 8, 2007 Good evening to all of you,I have the following problem on my personal PC: I keep having the AVSystemCare popup.I have attached a screen shot of the popup.The AVsystemcare is not installed but the popup keeps appearing. I read few of your forum and try couple of things but still here.I got probably infected as I was not keeping Windows up to date.So Far now I have Windows up to date, ran Avg Antivirus, AVg AntiSpyware and AdAware2007, which did not find anything.I have also ZoneAlarm and SpyWareblaster installed.I did not update yet the Java 1.4 version which you mentionned as hole of secutity, but will do.I have run a HJT and here the log:Thanks for your timeLogfile of HijackThis v1.99.1Scan saved at 9:46:40 PM, on 8/7/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\tp4mon.exeC:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Java\j2re1.4.2_13\bin\jusched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\winhlp32.exeC:\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLYO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\O20 - Winlogon Notify: winphc32 - C:\WINDOWS\SYSTEM32\winphc32.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeAVSystemCare.docAVSystemCare.docAVSystemCare.docAVSystemCare.doc Link to post Share on other sites More sharing options...
isoasa Posted August 8, 2007 Author ID:7340 Share Posted August 8, 2007 Hello Again,I have just run a combofix and here is the log, since then look like I have the popup goneDo you think I need to check more things?ThanksComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))C:\Program Files\myglobalsearchC:\Program Files\myglobalsearch\bar\History\searchC:\Program Files\myglobalsearch\bar\Settings\settings.datC:\Program Files\myglobalsearch\bar\Settings\settings.dat.bakC:\Program Files\myglobalsearch\bar\Settings\settings.htmC:\Program Files\myglobalsearch\bar\Settings\settings.htm.bakC:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exeC:\WINDOWS\system32\nvs2.infC:\WINDOWS\system32\repewb.datC:\WINDOWS\system32\repewb.exeC:\WINDOWS\system32\repewb_nav.datC:\WINDOWS\system32\repewb_navps.datC:\WINDOWS\system32\winphc32.dll Link to post Share on other sites More sharing options...
JeanInMontana Posted August 8, 2007 ID:7348 Share Posted August 8, 2007 Hi and welcome to Malwarebytes. Please post the entire ComboFix log and a new HJT log also. Link to post Share on other sites More sharing options...
isoasa Posted August 9, 2007 Author ID:7394 Share Posted August 9, 2007 Good Evening Jean,Here I have the full combofix log and new HJT.Thank youCombofix log:ComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))C:\Program Files\myglobalsearchC:\Program Files\myglobalsearch\bar\History\searchC:\Program Files\myglobalsearch\bar\Settings\settings.datC:\Program Files\myglobalsearch\bar\Settings\settings.dat.bakC:\Program Files\myglobalsearch\bar\Settings\settings.htmC:\Program Files\myglobalsearch\bar\Settings\settings.htm.bakC:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exeC:\WINDOWS\system32\nvs2.infC:\WINDOWS\system32\repewb.datC:\WINDOWS\system32\repewb.exeC:\WINDOWS\system32\repewb_nav.datC:\WINDOWS\system32\repewb_navps.datC:\WINDOWS\system32\winphc32.dll((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))2007-08-08 20:38 51,200 --a------ C:\WINDOWS\nircmd.exe2007-07-15 10:43 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks2007-07-09 23:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys2007-07-09 23:17 <DIR> d-------- C:\HJT(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))2007-08-08 20:53 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Skype2007-08-07 18:44 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\AdobeUM2007-08-01 23:20 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Juniper Networks2007-07-10 00:11 --------- d-------- C:\Program Files\Enigma Software Group2007-07-06 19:10 --------- d-------- C:\Program Files\SpywareBlaster2007-07-06 18:46 1156 --a------ C:\WINDOWS\mozver.dat2007-07-06 18:34 0 --a------ C:\WINDOWS\nsreg.dat2007-07-02 22:33 --------- d-------- C:\Program Files\Messenger2007-06-29 20:22 --------- d-------- C:\Program Files\Juniper Networks2007-06-29 17:07 --------- d-------- C:\Program Files\Lavasoft2007-06-29 17:06 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Lavasoft2007-06-29 17:05 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard2007-06-29 16:45 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))*Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TrackPointSrv"="tp4mon.exe" [2004-08-03 20:56 C:\WINDOWS\system32\tp4mon.exe]"PRISMSVR.EXE"="C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.exe" [2004-04-26 15:26]"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-02-09 23:52]"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 08:42]"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42]"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-28 22:56]"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-11-24 18:16]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-04-01 08:00][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"DisableRegistryTools"=0 (0x0)R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYSR3 3C154G;3Com OfficeConnect 802.11g PC Card Driver;C:\WINDOWS\system32\DRIVERS\3C154G72.sysR3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sysS3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys**************************************************************************catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2007-08-08 20:49:09Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden registry entries ...scanning hidden files ...scan completed successfullyhidden files: 0**************************************************************************Completion time: 2007-08-08 20:57:02 - machine was rebootedC:\ComboFix-quarantined-files.txt ... 2007-08-08 20:56C:\ComboFix2.txt ... 2007-07-06 18:25 --- E O F ---===========================================================================HJT log:Logfile of HijackThis v1.99.1Scan saved at 8:14:05 PM, on 8/9/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXEC:\Program Files\Java\j2re1.4.2_13\bin\jusched.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLYO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites More sharing options...
JeanInMontana Posted August 9, 2007 ID:7397 Share Posted August 9, 2007 Hi there, please get these programs, update and run a complete scan removing all items found. You already have AVG but I would like to see the log please.Spybot Search & DestroyAVG AntiSpywareThen go here and run a scan PandaActive ScanPost the logs from the Panda and AVG scans please, along with a log from this program HiJack This!I will analyze the logs and give you further instructions. Please do not take action other than instructed.You must update the Java and Adobe, these are major security risks right now and you can be reinfected at anytime because of them.Did you choose this homepage? R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ it gets mixed reviews remove with HJT if you didn't choose it and choose a new homepage. Link to post Share on other sites More sharing options...
isoasa Posted August 10, 2007 Author ID:7434 Share Posted August 10, 2007 Hello,Thanks will follow your WI. The seznam.cz is a Czech search engine that I choose at home page.Will post the logs later, on Monday as I'm off town for the week-end.Regards Link to post Share on other sites More sharing options...
isoasa Posted August 14, 2007 Author ID:7630 Share Posted August 14, 2007 Hello Jean,Here are the AVG, Panda and HJT logsThanksAVG:---------------------------------------------------------AVG Anti-Spyware - Scan Report--------------------------------------------------------- + Created at: 10:25:10 PM 8/13/2007 + Scan result: C:\Documents and Settings\admin\Cookies\admin@estat[1].txt -> TrackingCookie.Estat : No action taken.:mozilla.66:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken.:mozilla.67:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken.C:\Documents and Settings\admin\Cookies\admin@seznam[1].txt -> TrackingCookie.Seznam : No action taken.C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt -> TrackingCookie.Weborama : No action taken.::Report endPanda:Incident Status Location Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt[.metriweb.be/] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\admin\Cookies\admin@toplist[1].txt Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\admin\Cookies\admin@xiti[1].txt Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe] Adware:Adware/SpyVampire Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe.vir Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe Potentially unwanted tool:Application/MyWebSearch Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[mgsSetp.ClipRex.exe] Adware:Adware/SaveNow Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Cliprex_WhenUSave_InstallerInst.exe] Virus:Trj/Banker.SW Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Capthumb.dll] And HJT:Logfile of HijackThis v1.99.1Scan saved at 8:17:52 AM, on 8/14/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXEC:\Program Files\Java\j2re1.4.2_13\bin\jusched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\internet explorer\iexplore.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\WINDOWS\system32\NOTEPAD.EXEC:\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLYO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dllO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites More sharing options...
JeanInMontana Posted August 14, 2007 ID:7636 Share Posted August 14, 2007 You did not follow my instructions. Nothing was removed and you are using the wrong HiJack This. Link to post Share on other sites More sharing options...
isoasa Posted August 14, 2007 Author ID:7643 Share Posted August 14, 2007 Hi there,I have removed everything that spybot found.Avg has found cookies.Panda has found things, right, but do not offer the posiblity to remove, will do manually for some of them because not everything is dangerous. Someof the software I still use them.I'm using the same HJT version from the begining of this topic. I didn't this version was wrong. Link to post Share on other sites More sharing options...
JeanInMontana Posted August 14, 2007 ID:7645 Share Posted August 14, 2007 Re-read my first reply. There is a link to the correct HJT program there. Panda will remove without buying. It won't remove cookies, but it shows a trojan that it should remove. I would like to see another log from Panda at this point, because ComboFix may have removed it. So we need a log from the TrendMicro HJT and Panda please. How is it running? Feed back is also important. Link to post Share on other sites More sharing options...
isoasa Posted August 14, 2007 Author ID:7649 Share Posted August 14, 2007 Since I run combofix at the begining, I don't have any popup anymore. So it's better now.I have no more unwanted adds. Everthing looks okay now.What's strange is that Panda wants to remove combofix.Anyway I will get the last HJT and post the new panda and hjt log. Link to post Share on other sites More sharing options...
JeanInMontana Posted August 14, 2007 ID:7650 Share Posted August 14, 2007 Panda can't tell that the "good" things in CF are not from malware. Since the technology can be used either way, Panda is just doing it's job. You can delete the Combo Fix file, most programs are going to flag it as bad. Link to post Share on other sites More sharing options...
isoasa Posted August 18, 2007 Author ID:7757 Share Posted August 18, 2007 Hello Jean,I have run panda again and delete manually file from previous report as panda was not able to delete them:Here the last scan report. This only flag now id combofix which I deleted now. combofixIncident Status Location Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe] And here is last HJT logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 12:56:05 PM, on 8/18/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\tp4mon.exeC:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXEC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\internet explorer\iexplore.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\HJT\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dllO4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exeO4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLYO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--End of file - 5528 bytes==========================================================================I have also updated Java runtime and Acrobat.Is combofix a save tool to use? When I used it he quarantined the following files and the popup disapearedC:\Program Files\myglobalsearchC:\Program Files\myglobalsearch\bar\History\searchC:\Program Files\myglobalsearch\bar\Settings\settings.datC:\Program Files\myglobalsearch\bar\Settings\settings.dat.bakC:\Program Files\myglobalsearch\bar\Settings\settings.htmC:\Program Files\myglobalsearch\bar\Settings\settings.htm.bakC:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exeC:\WINDOWS\system32\nvs2.infC:\WINDOWS\system32\repewb.datC:\WINDOWS\system32\repewb.exeC:\WINDOWS\system32\repewb_nav.datC:\WINDOWS\system32\repewb_navps.datC:\WINDOWS\system32\winphc32.dllThe strange things is that for example the file repewb.exe was not visible on c drive.I used before icesword which found it in the report, but impossible to find it on the drive to delete it.How these malwares can hide on file system?Thank you Link to post Share on other sites More sharing options...
JeanInMontana Posted August 18, 2007 ID:7758 Share Posted August 18, 2007 Did you update Java after you posted the HJT log? Because what shows in the log is not the current version. You should not use tools like ComboFix without the supervision of someone that knows how to read the logs. The reason we use these tools is to show the malware that hides on the system. You may not have your system set to show hidden files and folders either. But it is common for malware to hide on the system.You were supposed to post the Panda log.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All reccommended programs are free and easy on system resources. You should install them as part of your protection arsenol. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsFor an excellent list of reliable free firewalls and antivirus programs see here .Since this issue appears to be resolved I will close this thread. Should you need further assistance please start a new topic.The instructions in this thread are specifically for this system. Applying them to your system can be utter ruination. Start your own topic and receive help specific to your system. Link to post Share on other sites More sharing options...
Recommended Posts