
winantivirus popups.... logs included

  • 15-10-2006 3:09pm
    #1
    Registered Users, Registered Users 2 Posts: 132 ✭✭


    OK, so I started having problems about a month ago. They have been tolerable, but just downright annoying. Initially the popups were confined to just IE, but then they found their way into Firefox. At one stage, they were popping up and bringing up messages and lots of annoying things, akin to this page: http://en.wikipedia.org/wiki/WinFixer

    In the past few days I've been looking round online for a way to get rid of these. I ran scans in Windows Defender, Spybot S&D, Ad-Aware SE and Norton AntiVirus. Some of them found the problems, but none could fix them. My BitDefender log is here, but bear in mind some of this may be inaccurate due to the work I've done as outlined below: http://www.redbrick.dcu.ie/~pubsoc/2005/other/bdscan.html

    I then went and got a cracked version of Spy Sweeper, and it managed to find the culprits as evidenced by the log here:
    11:05: Removal process completed. Elapsed time 00:00:34
    11:05: Quarantining All Traces: maxifiles
    11:05: Quarantining All Traces: trojan agent winlogonhook
    11:05: Quarantining All Traces: adperform
    11:05: Quarantining All Traces: virtumonde
    11:05: Removal process initiated
    11:04: Traces Found: 47
    11:04: Full Sweep has completed. Elapsed time 00:14:53
    11:04: File Sweep Complete, Elapsed Time: 00:13:34
    11:04: Warning: Failed to access drive E:
    11:04: Warning: Failed to access drive D:
    11:03: printhook030.dll (ID = 356091)
    11:03: pvmodule.exe (ID = 356093)
    10:58: services.dll (ID = 320790)
    10:58: Found Adware: maxifiles
    10:51: printview (6 subtraces) (ID = 2147531721)
    10:51: Starting File Sweep
    10:51: Cookie Sweep Complete, Elapsed Time: 00:00:00
    10:51: Starting Cookie Sweep
    10:51: Registry Sweep Complete, Elapsed Time:00:00:15
    10:51: HKU\S-1-5-21-1078081533-152049171-1060284298-1004\software\printview\ (ID = 1701420)
    10:51: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
    10:51: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
    10:51: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701537)
    10:51: HKLM\software\classes\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701527)
    10:51: HKLM\software\classes\printviewbho class\ (ID = 1701524)
    10:51: HKLM\software\classes\printviewbar.printviewbho.1\ (ID = 1701520)
    10:51: HKLM\software\classes\printviewbar.printviewbho\ (ID = 1701519)
    10:51: HKLM\software\classes\printview.printviewbarh.1\ (ID = 1701515)
    10:51: HKLM\software\classes\printview.printviewbarh\ (ID = 1701509)
    10:51: HKLM\software\classes\printview.printviewbar.1\ (ID = 1701505)
    10:51: HKLM\software\classes\printview.printviewbar\ (ID = 1701499)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv.1\ (ID = 1701495)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv\ (ID = 1701489)
    10:51: HKLM\software\classes\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701477)
    10:51: HKLM\software\classes\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701461)
    10:51: HKLM\software\classes\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701440)
    10:51: HKLM\software\classes\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701424)
    10:51: HKCR\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701410)
    10:51: HKCR\printviewbho class\ (ID = 1701407)
    10:51: HKCR\printviewbar.printviewbho.1\ (ID = 1701403)
    10:51: HKCR\printviewbar.printviewbho\ (ID = 1701402)
    10:51: HKCR\printview.printviewbarh.1\ (ID = 1701398)
    10:51: HKCR\printview.printviewbarh\ (ID = 1701392)
    10:51: HKCR\printview.printviewbar.1\ (ID = 1701388)
    10:51: HKCR\printview.printviewbar\ (ID = 1701382)
    10:51: HKCR\printview.csinstallinformation_pv.1\ (ID = 1701378)
    10:51: HKCR\printview.csinstallinformation_pv\ (ID = 1701372)
    10:51: HKCR\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701360)
    10:51: HKCR\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701344)
    10:51: HKCR\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701323)
    10:51: HKCR\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701307)
    10:51: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
    10:51: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
    10:51: HKLM\software\microsoft\mssmgr\ (ID = 937101)
    10:51: Found Trojan Horse: trojan agent winlogonhook
    10:51: Starting Registry Sweep
    10:51: Memory Sweep Complete, Elapsed Time: 00:00:57
    10:50: Detected running threat: PRINTH~1.DLL (ID = 356091)
    10:50: Found Adware: adperform
    10:50: Starting Memory Sweep
    10:50: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
    10:50: Found Adware: virtumonde
    10:50: Sweep initiated using definitions version 782
    10:50: Spy Sweeper 5.0.7.1608 started
    10:50: | Start of Session, 15 October 2006 |
    ********
    10:50: | End of Session, 15 October 2006 |
    10:49: Program Version 5.0.7.1608 Using Spyware Definitions 782
    10:49: Spy Sweeper 5.0.7.1608 started
    10:49: | Start of Session, 15 October 2006 |
    ********

    I thought this would have solved the problem, but a pretty harmless popup window (no javascript messages pop up now, just the window which can be closed) is still annoying me. It also used to prevent me from typing into fields in webpages once it had popped up, but this problem no longer exists.

    So the basic fact is that something is still remaining, and while it's not that malicious or annoying at present, I'm just concerned that it could turn very messy again.

    Here's my current HijackThis log (and yes, I did rename it to something other than hijackthis.exe).
    Logfile of HijackThis v1.99.1
    Scan saved at 15:11:59, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox 2 beta\Mozilla Firefox 2 Beta 2\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\SPYWARE REMOVAL\hijackthis\jackme.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {A10A7C5C-D5D3-4F6F-B5C9-96951D41F321} - C:\WINDOWS\Config\svsnifo.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: svsnifo - C:\WINDOWS\Config\svsnifo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


    Any ideas or tips on what I could get rid of here would be great. Cheers, :)
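    A defender-side way to triage the entry types being asked about (nameless O2 BHOs loading from the Windows directory, O20 Winlogon Notify handlers, O15 Trusted Zone additions), added here as an example and not part of the original thread or of HijackThis itself. The sample lines are copied from the log above; the heuristics and function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {A10A7C5C-D5D3-4F6F-B5C9-96951D41F321} - C:\WINDOWS\Config\svsnifo.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: svsnifo - C:\WINDOWS\Config\svsnifo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>.*)$")


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    bho_dlls: Dict[str, str] = {}     # lower-case DLL name -> O2 line
    notify_dlls: Dict[str, str] = {}  # lower-case DLL name -> O20 line
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if m := BHO_RE.match(line):
            path = m["path"]
            bho_dlls[path.rsplit("\\", 1)[-1].lower()] = line
            # Legitimate BHOs register a class name and live under Program Files;
            # a nameless BHO loading from the Windows directory is the opposite of both.
            if m["name"] == "(no name)" and path.lower().startswith(r"c:\windows"):
                findings.append((line, "nameless BHO loading from the Windows directory"))
        elif m := NOTIFY_RE.match(line):
            path = m["path"]
            if path.endswith("(file missing)"):
                findings.append((line, "orphaned Winlogon Notify entry (DLL already removed)"))
                continue
            notify_dlls[path.rsplit("\\", 1)[-1].lower()] = line
            if not path.lower().startswith(r"c:\windows\system32"):
                findings.append((line, "Winlogon Notify DLL outside system32"))
        elif TRUSTED_RE.match(line):
            findings.append((line, "site added to the Trusted Zone (default list is empty)"))
    # The same module registered both as an IE helper and as a winlogon notification
    # package is the pattern that lets the popups come back after a partial cleanup.
    for dll in bho_dlls.keys() & notify_dlls.keys():
        findings.append((notify_dlls[dll], f"{dll} is also loaded into IE as a BHO"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(HJT_SAMPLE):
        print(f"{reason}:\n    {entry}")
```

    The known-good entries (Acrobat, Spybot's SDHelper, WgaLogon, WRLogonNTF) pass untouched; the heuristics only rank candidates for a human to confirm against a reference such as the majorgeeks volunteers mentioned below.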


Comments

  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Try one of the better, free anti-virus packages (AVG, avast! or AntiVir) and scanning in Safe Mode. A quick look at the HijackThis log doesn't show anything for me yet.


  • Closed Accounts Posts: 620 ✭✭✭spanner


    If you try majorgeeks.com they will help with the HijackThis logs. You really do not want to turn anything off on that unless you get advice from somebody who knows what they mean.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do the following (also, if you can post the logs normally it makes them a lot easier to read).


    We must disable the Real-Time Protection feature of Windows Defender, as it may interfere with the changes we need to make.

    To disable Real-Time Protection:
    • Go to "Tools" | "General Settings"
    • Scroll down to "Real-time protection options"
    • Uncheck "Turn on real-time protection (recommended)"
    • Remember to reactivate this feature when we have finished all our work.



    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Now click the Run Scan button on the toolbar.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

