schans00

Fake alerts like [email protected]


Hello,

 

On my computer I now have a virus that is giving fake "virus found" messages:

- at the bottom right, with a small triangle and a balloon

- a popup message which looks like a virus message from MS

- internet pages of fake anti-virus programs

 

Because I don't use the antivirus from Windows XP, it is clear that those messages are fake.

 

My Symantec Norton 360 doesn't find the virus. At the end of a full scan I did get the warning message that there is an internal problem and that I'm not protected against viruses. The message is red. After I click repair, Norton 360 is green again. And at the bottom right the yellow circle has a green check-mark circle as if everything is all right.

 

At the same time as the full scan by Norton 360, I ran a scan with the Ad-Aware 2007 Free version.

Ad-Aware did find a virus. The files found seem to be quarantined. However, it shows that some registry keys are not removable.

 

The files Quarantined by Ad-Aware 2007:

 

File:C:\System Volume Information\_restore{DED4DAAA-E26A-4F44-BCA4-B56C182760B}\RP481\A0284328.exe

File:C:\System Volume Information\_restore{DED4DAAA-E26A-4F44-BCA4-B56C182760B}\RP481\A0284330.exe

File:C:\System Volume Information\_restore{DED4DAAA-E26A-4F44-BCA4-B56C182760B}\RP481\A0284628.exe

 

The registry keys which keep coming back in the Ad-Aware 2007 scan:

Infections Found

===========================

Family Id: 1006 Name: Win32.TrojanDownloader.Agent Category: Virus TAI:10

Item Id: 300021307 Value: Root: HKLM Path: system\controlset001\services\ccevtmgr

Item Id: 300021311 Value: Root: HKLM Path: system\controlset001\services\symevent

Item Id: 300021312 Value: Root: HKLM Path: system\controlset001\services\symtdi

Item Id: 300021314 Value: Root: HKLM Path: system\currentcontrolset\services\ccevtmgr

Item Id: 300021318 Value: Root: HKLM Path: system\currentcontrolset\services\symevent

Item Id: 300021319 Value: Root: HKLM Path: system\currentcontrolset\services\symtdi

 

It looks the same as

http://www.lavasoftsupport.com/index.php?showtopic=13323

 

 

As long as I keep the cable out of my modem and don't start Internet Explorer, the virus does not seem to be active. I don't get any fake messages then.

 

When I start Internet Explorer without my cable in the modem, I also don't get any fake messages.

 

After I insert the cable to the modem I receive the message:

 

System Alert: [email protected] (bold; yellow triangle with ! in front)

Type: Spyware/Trojan

Vulnerable: Windows 95/98/ME/NT/2003/Windows XP/Windows Vista

Description: Spyware program that sends confidential information to a remote attacker

Protection: Click this baloon to download official security software

 

==================

 

After some minutes I receive a popup which seems to be from MS:

A blue square at the top

The 4-color shield (red-green-blue-yellow)

With the message

Antispyware Protection. Your need to download and install new security software

In the grey area:

Antispyware Protection warns you when your Internet security level is low.

 

green shield with radiobutton

Enable antispyware protection (recommended).

Download and install antisppyware application. Your system will be immune to spyware and malware threats.

 

red shield with white cross with radio button

Rud disk cleaning tool

Download and run disk cleaning tool. It will find and remove threads from your disk, but your system will be still vulnerable to online viruses.

 

left

Continue button

 

===========================

 

Can someone help me on this?

 

Henricus


The Ad-Aware log of the scan in which the virus was found:

 

 

Ad-Aware 2007 Build

Log File Created on: 2008-03-18 05:54:06

Using Definitions File: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef

Computer name: ZWARTE_PC

Name of user performing scan: SYSTEM

 

System information

===========================

Number of processors: 2

Processor type: Intel® Pentium® 4 CPU 3.00GHz

Memory Available: 46%

Total Physical Memory: 1072934912 Bytes

Available Physical Memory: 483819520 Bytes

Total Page File Size: 2580123648 Bytes

Available On Page File: 2028818432 Bytes

Total Virtual Memory: 2147352576 Bytes

Available Virtual Memory: 1899900928 Bytes

OS: Microsoft Windows XP Service Pack 2 (Build 2600)

 

Ad-Aware 2007 Settings

===========================

Skipping files larger than 1048576 kB

Ignoring infections with lower TAI than: 3

 

 

Extended Ad-Aware 2007 Settings

===========================

Unloading known modules during scan

Ignoring spanned files when scanning cab archives

Reanalyzing results after scanning before displaying results

Trying to unload modules prior to removal

Let Windows remove files currently in use at next reboot

Removing quarantined objects after restore

Deactivating Ad-Watch during scans

Writeprotecting system files after repairs

Include info about ignored objects in log file

Including basic settings in log file

Including advanced settings in log file

Including user and computer name in log file

Create and save WebUpdate log file

 

Databaseinfo

===========================

Version number: 62

Build Number: 0

Build Date and Time: 2008/03/17 14:28:45

 

Scan Statistics

===========================

Method: Smart

Scan tracking cookies.............................: On

Scan ADS filestreams..............................: Off

 

Item Scanned: 205064

Infections Detected: 6

Infections Ignored: 0

 

Scan detailed statistics

===========================

Type Critical Total

Process Scan....: 0 0

Registry Scan...: 6 6

Registry PE Scan: 0 0

Hosts File Scan.: 0 0

File Scan.......: 0 0

Folder Scan.....: 0 0

LSP Scan........: 0 0

ADS Scan........: 0 0

Cookie Scan.....: 0 0

File Hash Scan..: 0 0

 

Infections Found

===========================

Family Id: 1006 Name: Win32.TrojanDownloader.Agent Category: Virus TAI:10

Item Id: 300021307 Value: Root: HKLM Path: system\controlset001\services\ccevtmgr

Item Id: 300021311 Value: Root: HKLM Path: system\controlset001\services\symevent

Item Id: 300021312 Value: Root: HKLM Path: system\controlset001\services\symtdi

Item Id: 300021314 Value: Root: HKLM Path: system\currentcontrolset\services\ccevtmgr

Item Id: 300021318 Value: Root: HKLM Path: system\currentcontrolset\services\symevent

Item Id: 300021319 Value: Root: HKLM Path: system\currentcontrolset\services\symtdi

 

Items Ignored During Scan

===========================

Edit by CalamityJane: snipped list of running processes to shorten length of log

 

 

 

End of Scan Section

===========================

 

Cleaned Infections

===========================

 

End of Cleaned Infections

===========================

Edited by LS CalamityJane
snipped content to shorten log


Hello,

 

Here a screenshot of a fake message I received today.

 

keywords:

Critical System Warning - Spyware CyberLog-X

 

post-65-1206034872.gif

Edited by LS CalamityJane
Replaced .bmp attachment with .gif to reduce file size


I'm adding a screenshot of the popup I described below.

 

 

==================

 

After some minutes I receive a popup which seems to be from MS:

A blue square at the top

The 4-color shield (red-green-blue-yellow)

With the message

Antispyware Protection. Your need to download and install new security software

In the grey area:

Antispyware Protection warns you when your Internet security level is low.

 

green shield with radiobutton

Enable antispyware protection (recommended).

Download and install antisppyware application. Your system will be immune to spyware and malware threats.

 

red shield with white cross with radio button

Rud disk cleaning tool

Download and run disk cleaning tool. It will find and remove threads from your disk, but your system will be still vulnerable to online viruses.

 

left

Continue button

 

post-65-1206035083.gif


When I try to close the popup I receive the message:

 

NOTICE: You have not completed the spyware scan! If your computer is infected, you could suffer data loss, erratic PC behavior, PC freezed and crashes.

 

Do you want to install AntiSpy Gold software to scan yor PC now? (Recommended)

 

OK button

===========

I enclose a screenshot

 

post-65-1206035275.gif

Edited by LS CalamityJane
Replaced .bmp attachment with .gif to reduce file size


Screenshot of popup

 

System Security Caution - Trojan TJ/BZ infection attempt was detected!

 

post-65-1206035437.gif

Edited by LS CalamityJane
Replaced .bmp attachment with .gif to reduce file size


When I try to close the popup "System Security Caution - Trojan TJ/BZ infection attempt was detected!" I receive the message:

 

NOTICE: You have not completed the spyware scan! If your computer is infected, you could suffer data loss, erratic PC behavior, PC freezed and crashes.

 

Do you want to install WinSpy Control software to scan yor PC now? (Recommended)

 

OK button

===========

I enclose a screenshot

 

 

It is the same message as before, only with AntiSpy Gold replaced by WinSpy Control.

 

This has to come from the same source.

 

post-65-1206035622.gif

Edited by LS CalamityJane
Replaced .bmp attachment with .gif to reduce file size


Hi Henricus :(

Seems your system is infected.

Please download and install HijackThis from Trend Micro, run a scan and post the logfile in your next reply.

Please be patient.

Raziel B)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:37, on 20-3-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NetProject\scit.exe

C:\Program Files\NetProject\scm.exe

C:\Program Files\NetProject\sbmntr.exe

C:\Program Files\NetProject\sbsm.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Infotriever\Agent\infoclient.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Office\Office\EXCEL.EXE

C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\WINDOWS\system32\mspaint.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Visa Norton-verktygsfältet - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe

O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Snelstart.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.safeiegate.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.safeiegate.com/redirect.php (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.nl/static/download/pixacodndupload.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www3.snapfish.nl/SnapfishActivia.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...5/Installer.exe

O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 14310 bytes


Hello Raziel,

 

Thank you for your reply.

I posted the HijackThis log.

I hope you can find the infection.

 

This is a lot of programs and settings!

Besides the infection, I would like to remove some of those programs (or at least prevent them from running unless I or my family start them ourselves).

 

Thanks in advance!

 

Henricus


Other popups I received:

 

Security Center - Virus Protection - NOT FOUND

WinSecure Antivirus message after closing popup Security Center - Virus Protection - NOT FOUND

Privacy Waarschuwing Uw privacy is in gevaar (Dutch: "Privacy Warning: Your privacy is in danger") AdvancedCleaner

Install new security software - Virus Ranger - recommended

Unwanted Popups Detected - attention - Adware popus detected

Security Help Center - Tired of annoying toolbars in Internet Explorer

Attention Virus Detected - TrojanSPM LX

System Defender - Keeps your PC protected - Remote PC is trying to access private information - Spyware - SpyWorm Win32

 

This last one seems to have personal info about my PC, like IP address and "time of investigation".


Hello again

The problem is caused by NetProject.

I'm not savvy with cleaning.

I just asked for help, so please be patient (most of us are volunteers).

Cheerio

Raziel


hello Raziel,

 

NetProject ???

 

I don't know that program. However, maybe my children are using it.

Do you know what kind of program it is?

 

Best Regards,

 

Henricus


Hi

It's a BHO (Browser Helper Object).

This is the specification by CastleCops >> (BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} ) Adware downloader causing false spyware warnings and connecting to rogue "security sites", a member of the Trojan-Downloader.Zlob.Media-Codec aka NewMediaCodec malware family.

 

Be careful with all kinds of BHOs and toolbars!

Cheerio

Raziel

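As an added example that is not part of the original thread (and not HijackThis or Lavasoft code), here is a small Python triage script for HijackThis v2 logs. It runs over a constructed sample made of lines copied from the log posted above and flags the entry types Raziel's diagnosis rests on: a BHO with no display name but a DLL on disk, autostarts under Policies\Explorer\Run, an IE Tools item pointing at a remote URL, and orphaned "(no file)" registrations. It then counts which program directory the flagged entries point into, which is how C:\Program Files\NetProject stands out from three different sections of the log without any signature. The severity labels and rule wording are this example's own assumptions; an unnamed BHO is only a review item, and the sample deliberately includes Symantec's unnamed NppBho.dll to show that the heuristic produces things to check, not verdicts.

```python
"""Rule-based triage of HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# with benign Yahoo/Symantec/Java entries included for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.safeiegate.com/redirect.php (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]+?\.(?:exe|dll|cmd|bat|scr)", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_entries(log):
    """Yield (section code, body, raw line) for every HijackThis entry line."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def classify(code, body):
    """Return (severity, reason) for one entry, or None if no rule applies.

    Severity labels are this example's own convention (assumption), not HijackThis's.
    """
    if code in ("O2", "O3"):
        if "(no file)" in body:
            return "low", "orphaned BHO/toolbar registration; the DLL is gone"
        if "(no name)" in body:
            return "review", "BHO/toolbar without a display name but with a DLL on disk"
    if code == "O4" and r"Policies\Explorer\Run" in body:
        return "high", r"autostart via Policies\Explorer\Run, rarely used by legitimate software"
    if code == "O9" and URL_RE.search(body):
        return "high", "IE button/menu item whose target is a remote URL"
    return None


def triage(log):
    """Apply classify() to every entry and return the list of findings."""
    findings = []
    for code, body, raw in parse_entries(log):
        hit = classify(code, body)
        if hit is not None:
            findings.append({"severity": hit[0], "reason": hit[1], "line": raw})
    return findings


def correlate_dirs(findings):
    """Count how many flagged entries point into each directory.

    A directory hit from several sections (a BHO plus Policies autostarts)
    is far more telling than any single line on its own.
    """
    dirs = Counter()
    for f in findings:
        m = WINPATH_RE.search(f["line"])
        if m:
            dirs[str(PureWindowsPath(m.group(0)).parent)] += 1
    return dirs


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print("\nDirectories referenced by flagged entries:")
    for d, n in correlate_dirs(found).most_common():
        print(f"  {n}x {d}")
```

Run against a real log, the directory count is the first thing to read: a folder you do not recognise that is referenced by a BHO and by two Policies\Explorer\Run autostarts is the SmitfraudFix/NetProject situation in this thread, while a single unnamed BHO in a vendor directory is just something to look up.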

Hello Raziel,

 

My startpage for Internet Explorer is now hijacked by secureinvites.com.

 

When I search for information, I find

 

http://www.windowsvistaplace.com/secureinv...are-removal/nl/

This is in Dutch. However, the level of Dutch is so bad that it was probably made by someone with a translation tool.

On that page they recommend SpyHunter. From other entries on this site I know that this is not against spam, but probably to promote spam.

 

http://removal-tool.com/secureinvitescom/

This is in English, but the same nonsense, just to make you download their product. The site is full of contradictions.

 

SecureInvites.com is a very aggressive technology contrived by Zlob.Trojan developers.

.....

Here you may download reliable really working tool to check whether you are infected with SecureInvites.com and other malware and remove SecureInvites.com and other dirt from your PC in a safe mode.

....

Finally you get a download button


Hello Henricus,

 

Raziel asked me to come in and lend a hand. You have some new variant of the pest described here:

Defeating the Ever-Present Zlob

http://www.lavasoft.com/company/newsletter...1/article3.html

 

Beware: Fake Codecs

http://www.lavasoft.com/company/blog/?p=251

 

I'm here to help you with this malware removal.

 

First, please open Notepad and check *Format* at the top. Make sure that the option for Word Wrap is unchecked.

 

That will fix the formatting of your logs posted so I can read them.

 

Next, 1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log

 

Warning : running option #2 on a non infected computer will remove your Desktop background.


SmitFraudFix v2.305

Scan done at 22:28:32,21, do 20-03-2008
Run from C:\Documents and Settings\Henricus\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Helper\ Deleted
C:\Program Files\NetProject\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BE1DB1EB-4470-4282-94C9-7D0595B7ADD8}: DhcpNameServer=195.121.1.34 195.121.1.66
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BE1DB1EB-4470-4282-94C9-7D0595B7ADD8}: DhcpNameServer=195.121.1.34 195.121.1.66
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

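The rapport.txt above is the part of a SmitFraudFix run that a helper actually reads: the hosts file, the deleted paths, the DNS servers the adapter got from DHCP, and the Winlogon "System" value (which is empty here, as it should be). The following Python checker is an added example written for this thread; it is not part of SmitFraudFix or HijackThis. It splits a report into its »-delimited sections and reports anything that deviates from the clean state shown in this post. The sample report is constructed from the log posted here, and the "suspect" variant uses placeholder values (a hosts entry for placeholder.example and a made-up Winlogon value) invented purely to exercise the findings path, not indicators from any real infection.

```python
import re

SECTION_PREFIX = "»"   # SmitFraudFix prints a run of these before each section name

# Constructed sample in rapport.txt layout, taken from the log posted in this
# thread and trimmed to the sections the checker reads.
CLEAN_REPORT = """\
SmitFraudFix v2.305

Scan done at 22:28:32,21, do 20-03-2008
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\\Program Files\\Helper\\ Deleted
C:\\Program Files\\NetProject\\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=195.121.1.34 195.121.1.66

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed "before cleaning" variant. Both values are placeholders invented
# for this example so the findings path runs; they are not real indicators.
SUSPECT_REPORT = CLEAN_REPORT.replace(
    "127.0.0.1 localhost", "127.0.0.1 localhost\n127.0.0.1 placeholder.example"
).replace('"System"=""', '"System"="placeholder_value.exe"')


def split_sections(text):
    """Map each section name (text after the » run) to its lines; pre-section lines go under 'header'."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        if line.startswith(SECTION_PREFIX):
            current = line.lstrip(SECTION_PREFIX).strip()
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def hosts_findings(sections):
    """Every hosts entry other than the plain '127.0.0.1 localhost' mapping is reported for review."""
    extra = []
    for line in sections.get("hosts", []):
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "127.0.0.1" and parts[1:] == ["localhost"]:
            continue
        extra.append(line)
    return extra


def winlogon_system_value(sections):
    """Return the data of the Winlogon 'System' value as printed by the tool (None if absent)."""
    for line in sections.get("Winlogon.System", []):
        m = re.match(r'^"System"="(.*)"$', line)
        if m:
            return m.group(1)
    return None


def dns_servers(sections):
    """Collect the distinct DhcpNameServer addresses across all Tcpip keys listed."""
    servers = set()
    for line in sections.get("DNS", []):
        m = re.search(r"DhcpNameServer=(.+)$", line)
        if m:
            servers.update(m.group(1).split())
    return sorted(servers)


def deleted_paths(sections):
    """Paths the tool reported as deleted (lines ending in ' Deleted')."""
    suffix = " Deleted"
    return [l[:-len(suffix)] for l in sections.get("Deleting infected files", [])
            if l.endswith(suffix)]


def analyze(text):
    """Summarise a rapport.txt: findings needing review, DNS servers seen, and what was deleted."""
    s = split_sections(text)
    findings = [f"hosts: {h}" for h in hosts_findings(s)]
    sysval = winlogon_system_value(s)
    if sysval:
        # A non-empty value here means an extra program runs at logon; the tool
        # itself warns the key is "not inevitably infected", so it is a review item.
        findings.append(f"Winlogon System value is set: {sysval}")
    return {"findings": findings, "dns_servers": dns_servers(s), "deleted": deleted_paths(s)}


if __name__ == "__main__":
    for name, report in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        print(name, analyze(report))
```

Run against the report in this post the checker returns no findings, lists the two DHCP-assigned name servers (which a helper would compare with the ISP's published resolvers), and the two directories SmitFraudFix removed; the constructed variant shows what a non-empty Winlogon value or an extra hosts line looks like in the output.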

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:52:43, on 20-3-2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Infotriever\Agent\infoclient.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Visa Norton-verktygsfältet - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Snelstart.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.nl/static/download/pixacodndupload.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www3.snapfish.nl/SnapfishActivia.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...5/Installer.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--

End of file - 12647 bytes

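The HijackThis log above is read by section prefix: O2 (browser helper objects), O3 (toolbars), O4 (Run keys and Startup folders), O9/O16 (extra buttons and downloaded ActiveX controls), O23 (services). Two patterns stand out even before looking at any individual path: entries HijackThis marks "(no file)" or "(file missing)" are orphaned registrations left behind by an uninstall or a cleanup, and Run entries whose command is a bare file name (SOUNDMAN.EXE, ALCWZRD.EXE) are resolved through the Windows search order rather than a fixed path, so they deserve a second look. The following Python triage is an added example for this thread, not a HijackThis feature; the sample lines are copied from the log posted here and trimmed to the entry types it handles.

```python
import re
from collections import Counter

# Constructed sample: a few lines in HijackThis v2.0.2 format, copied from the
# log posted in this thread and trimmed to the entry types the triage handles.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\\..\\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [userFaultCheck] %systemroot%\\system32\\dumprep 0 -u
O23 - Service: iPodService - Unknown owner - C:\\Program Files\\iPod\\bin\\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# An entry line starts with its section code (R0, R1, F2, N1, O2, O23, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O4 Run entries look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r".*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Return (kind, body) for each entry line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def find_orphans(entries):
    """Entries whose target no longer exists on disk, as flagged by HijackThis itself."""
    return [(k, b) for k, b in entries if any(mark in b for mark in ORPHAN_MARKERS)]


def find_unqualified_run_entries(entries):
    """O4 Run entries whose executable has no directory component, returned as (value name, exe)."""
    out = []
    for kind, body in entries:
        if kind != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue  # Startup-folder entries use 'name.lnk = path' and are not Run values
        cmd = m.group("cmd").strip()
        # Take the executable token, honouring a quoted path that contains spaces.
        if cmd.startswith('"'):
            exe = cmd[1:].split('"', 1)[0]
        else:
            exe = cmd.split(None, 1)[0] if cmd else ""
        if exe and "\\" not in exe:
            out.append((m.group("name"), exe))
    return out


def summarize(text):
    """Per-section entry counts plus the two review lists."""
    entries = parse_entries(text)
    return {
        "counts": dict(Counter(k for k, _ in entries)),
        "orphans": find_orphans(entries),
        "unqualified_run": find_unqualified_run_entries(entries),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("entries per section:", result["counts"])
    for kind, body in result["orphans"]:
        print("orphaned:", kind, body)
    for name, exe in result["unqualified_run"]:
        print("bare executable in Run value:", name, "->", exe)
```

On the sample this reports three orphaned entries (the NCO 2.0 BHO, the unnamed toolbar and the iPodService service) and one Run value with a bare executable name; against the full log posted above the same logic also picks up the Alcmtr and AlcWzrd values. Neither list is a verdict, only the set of lines a helper reads first.
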
Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

3. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed

Fresh HijackThis log

Warning: running option #2 on a non-infected computer will remove your Desktop background.

 

Hello Jane,

After SmitFraudFix the photo on my Desktop background was removed (totally blue background now).

I've been some 20 minutes online since SmitFraudFix cleaned my PC. Until now I haven't had any more fake warnings. So it seems that SmitFraudFix killed the virus. Can you agree with that from those last 2 logs?

After SmitFraudFix the photo on my Desktop background was removed (totally blue background now).

But that is of course no problem. Just find the picture again. Or maybe time for a new one?


Hello Jane,

I still have more printscreens of the fake messages. Would you like to have them to complete this thread?

The combination gives a clue to others who get the same messages.

I see that you prefer GIF format. I can "save as" them to GIF.

Some of the messages are with adult content. I'll leave them out.

Thanks for your help!

And Raziel too!

Best Regards,

Henricus


Hello Henricus,

Thanks, but no, we don't need any more screen shots. This pest changes quite frequently - those will be out of date soon.

As for your desktop background, yes, go ahead and change that to anything you prefer. The program erases the background to clear the hijacker's setting left in your computer. It has no way of knowing what your background was before the infection, so now that it is cleared you can go ahead and set it to whatever you like.

I haven't reviewed your last log yet. I'll go do that and report back if I think we need to do more steps.

Are you now still seeing everything clear and OK on your end, or do you mean you are still getting popups? (That is possible; I'll have to review your logs too.)


I have now reviewed your logs and they look clear. :D

I just need to know now how your machine is acting at this point. Seeing any remaining symptoms?


Hello Jane,

This is the first time on my PC since the clean-up.

However, my children and wife have used it. They didn't get symptoms of the virus again. And me neither in these first minutes.

Thank you for your help!

Best Regards,

Henricus


Hello Jane,

Is there a way to help find the sites / organisation behind this virus / worm?

I have the feeling that they leave enough traces to be found.

Could I help by searching for sites which ask to download their program?

Best Regards,

Henricus
