
Virus or Bug I can't seem to shake

I have recently been getting a changed error page when a website doesn't load, and it features advertisements. Then pop-ups come up all the time when I browse; my pop-up stopper does stop some, but the rest just keep coming up. I recently scanned my computer using several virus detection tools and found a W32.Trojan in my system32 folder. I removed it, but the problem seems to happen whenever I open up Internet Explorer, and a registry entry is put in the Windows registry. Here is my HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 6:58:38 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServAlert.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Michael P. Chiffolo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.etxvvnlrmwedqxfk.co...CVX8AhMrSaztyjDyT.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [once dead] C:\DOCUME~1\MICHAE~1.CHI\APPLIC~1\Program2\nurb bike.exe
O4 - Global Startup: Anti-Virus&Trojan.lnk = C:\Program Files\Anti-Virus&Trojan\Anti-Virus&Trojan.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Flash files - C:\Program Files\Flash 2 Screensaver\FlashHound.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdl...cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1093270797049
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

^Everything seems normal except for the messed-up Internet Explorer Search Bar entry up top. I delete it with Ad-Aware SE and Spybot, and it just keeps popping up again, sometimes bringing the search bar itself visible in the browser.

This is seriously getting annoying, and if anyone could help it would be most appreciated.
 
Ad-Aware Entry:

Vendor:Win32.TrojanDownloader.Swizzor.br
Category:Malware
Object Type: Process
Size:-
Location:c:\docume~1\michae~1.chi\locals~1\temp\glaullko.exe
Last Activity:
Risk Level:High
TAC index:8
Comment: (CSI MATCH)
Description: Distributed through unsolicited installations. Runs in stealth. Downloads and installs various third party malware objects.
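The log above is read by hand in this thread. As an added example (not part of the original posts and not code from HijackThis or any tool named here), the following Python script applies two of the checks the replies rely on: an IE Start Page or Search Bar entry (R0/R1) that points at a random-looking hostname, and an autostart entry (O4) whose executable lives under a user profile or temp folder instead of Program Files or System32. The sample lines are constructed after the thread's log; the hijacked host is a made-up `.example` name because the page shows the real one only truncated, and the consonant-run test for "random-looking" is a rough heuristic of my own, not a published rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the entries in the thread.
# The Search Bar host is invented (".example") since the page only shows it truncated.
SAMPLE_LOG = r'''
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.etxvvnlrmwedqxfk.example/CVX8AhMrSaztyjDyT.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [once dead] C:\DOCUME~1\MICHAE~1.CHI\APPLIC~1\Program2\nurb bike.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
'''

# HJT line shapes handled here: R0/R1 (IE start/search URLs), O4 Run keys, O4 startup folder.
R_URL = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>.+?) = (?P<url>\S+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>[^:\[]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Path fragments that mean "running out of a user profile or temp folder". Installed
# software lives in Program Files or System32; droppers like the Swizzor sample in the
# thread favour %APPDATA% and %TEMP%. Both the 8.3 and long forms are listed.
PROFILE_MARKERS = (
    "documents and settings", "docume~1",
    "application data", "applic~1",
    "local settings", "locals~1",
    "\\temp\\",
)

VOWELS = set("aeiouy")


def max_consonant_run(label: str) -> int:
    """Longest run of consecutive consonants in a hostname label."""
    run = best = 0
    for c in label.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(host: str) -> bool:
    """Heuristic (assumption): machine-generated labels like etxvvnlrmwedqxfk are long
    and pile up consonants; pronounceable brand names rarely run 4+ consonants."""
    parts = host.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # crude: label left of the TLD
    return len(label) >= 8 and max_consonant_run(label) >= 4


def image_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log_text: str) -> list:
    """Return a list of findings, each a dict with section, reason and the raw line."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = R_URL.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if looks_random(host):
                setting = m["key"].split(",")[-1]          # e.g. "Search Bar"
                findings.append({"section": m["sec"], "line": line,
                                 "reason": f"IE {setting} points at random-looking host {host}"})
            continue
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            path = image_path(m["cmd"])
            if any(marker in path.lower() for marker in PROFILE_MARKERS):
                findings.append({"section": "O4", "line": line,
                                 "reason": f"autostart '{m['name']}' runs from a user-profile/temp path: {path}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}")
```

Run against the constructed sample it flags exactly the two entries the thread ends up pointing at: the R1 Search Bar hijack and the `[once dead]` Run entry under `APPLIC~1`. Everything else in the sample (ZoneAlarm, the HP startup link, the comcast.net start page) passes, which is the point of keying on location and hostname shape rather than on a signature.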
 
How about adding this info:
  1. What version of Windows and what service pack do you have
  2. Do you have a hardware firewall or not (a router)
  3. Do you have a software firewall or not
  4. Do you have an antivirus software, if so what brand and version is it
  5. Is that Giant Antispyware something you installed yourself? or did it get dragged in somehow without your approval? Maybe it's one of those "antispyware" programs that really is spyware itself.
 
1. Windows XP SP2

2. A router with ZoneAlarm

3. ZoneAlarm

4. McAfee and a2.

5. Yes, I did install Giant, it's actually decent.

The router is a NetGear, don't know what model number, and I have also had a problem with getting past the firewall/port blockage that makes it not possible to make a game online. I've tried opening the correct ports too, a while ago, but it didn't seem to work. And I haven't bothered in a while, so I forgot how to do it again.
 
What version of McAfee? What is its engine and definition numbers? The current McAfee engines are 4.3.20 and 4.4.00 (may be called 4320 or 4400) and the current DATs are 4413. If your version of McAfee supports detection of adware, spyware, dialers, Trojans, etc, make sure those are enabled, as well as full heuristics and scanning within compressed files.

The next thing that might help is to go to Control Panel > (Performance & Maintenance) > Administrative Tools > Services. In the Services window, click the Status header to get all the Started services on top, slide open their names and descriptions so they're mostly visible (like this picture), and put up a pic of those so I can check out whether you have the type of malware that installs itself as a Windows Service.

Also, understand that if your computer has Administrator-level accounts with default weak/blank passwords, those Admin powers are easily exploited. To change them to strong passwords, go to this page and down a ways you'll see Strong passwords with a quick rundown of how to set strong passwords, including on the system's normally-hidden Administrator account.
 
Internet Explorer is also always running; even when I shut it down, it says two copies of it are running.

I have the latest McAfee version and the latest DAT files. It hasn't detected anything when running, really, and it's on autoscan all the time.

Here's a pic of the services; there were too many for one pic:

Services Page 1

Services Page 2

Services Page 3

Actually, I just checked the McAfee version and this is what it says:

Product Name: VirusScan Home Edition
Product Version: 7.03.6000
Company Name: Network Associates, Inc.
Legal Copyright: Copyright © 1995-2003 Networks Associates Technology, Inc. All rights reserved
----------------------------------------------------------------------------------------------------
License Name: 'McAfee VirusScan Home Edition' (VSC)
License Type: Retail/OEM
License Started On: Friday, June 11, 2004
Update Days: 184 remaining
----------------------------------------------------------------------------------------------------
Files: Version:

Actilog.dll 7.03.6000
Alogserv.exe 7.03.6000
Avconsol.exe 7.03.6000
Avsynch.dll 7.03.6000
Avsynmgr.exe 7.03.6000
Browsevs.exe 7.00.5000.0
Cfgcom32.dll 7.03.6000
Chrset32.dll 6
Config32.exe 7.03.6000
Edisk.exe 7.03.6000
Hawkalert.dll 7.03.6000
Hawkex.dll 7.03.6000
Hawkscript.dll 7.03.6000
Mcpie.dll 2.00.2002.0
Mcrtl32.dll 1, 0, 0, 10
Mczip32.dll 4.0.3
Medb632.dll 198
Mew800.dll 8022
Mew801.dll 8009
Mfldr32.dll 7.00.5000.0
Newschdll.dll 7.03.6000
Ntclient.dll 6.0.0
S95ext.dll 7.00.5000.0
Scancomp.dll 7.03.6000
Scanemal.dll 7.03.6000
Scanutil.dll 7.03.6000
Sendvir.exe 7.00.5000.0
Syncutil.dll 7.03.6000
Vim32.dll 6.02.00.15
Vmefnw32.dll 6.02.00.15
Vscfgdll.dll 7.03.6000
Vscoffice.dll 7.03.6000
Vscpop.dll 7.03.6000
Vscshellextension.dll 7.03.6000
Vscui.dll 7.03.6000
Vshctrl.dll 7.03.6000
Vshwin32.exe 7.03.6000
Vsmain.exe 7.03.6000

So is this the latest version? Because the virus defs and everything else were up to date friday because I got the autoupdate.
 
So it's VirusScan 9.0, then? Have you had it do a comprehensive scan of all the drives in the system using the latest definitions? If not, that couldn't hurt. And get those passwords fixed up, then run an MBSA scan to make sure you're not missing some of the less-obvious stuff.

Looking at your HJT logfile, one thing I see is that your HJT is not the latest version. download link (a Zip file). Might want to run it again with the latest version just in case something's new & improved. I'd like to see a screenshot of your Services if possible too... http://pics.bbzzdd.com will host for free if you need. edit: ok, I see you got that posted, cool 🙂
 
New HijackThis Log:

Logfile of HijackThis v1.98.2
Scan saved at 7:38:53 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServAlert.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\Documents and Settings\Michael P. Chiffolo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sujuindfofgdnurvydv...uRf4CqsrSaztyjDyT.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [once dead] C:\DOCUME~1\MICHAE~1.CHI\APPLIC~1\Program2\nurb bike.exe
O4 - Global Startup: Anti-Virus&Trojan.lnk = C:\Program Files\Anti-Virus&Trojan\Anti-Virus&Trojan.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Flash files - C:\Program Files\Flash 2 Screensaver\FlashHound.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdl...cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1093270797049
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

I once did get the nurb bike registry entry and from experience know that it is spyware. I've deleted it before, though, and it disappears from the list, but the effects it has still remain, so it can come back. Plus, every time I delete the invalid Internet Explorer search entry, it comes back as something new, like above.
 
Ok, and did you get your Admin accounts secured with strong passwords? Of course, what else would help is if you use a Limited account for daily usage instead of an Administrator account, huge security improvement since the Limited account can't modify the system directory or important parts of the Registry. It isn't easy to sell people on this concept, but it works.
 
What about the hidden Admin account, the one that doesn't show up on the log-on screen?
 
Once you have all the security holes battened down, you are ready to post your HJT logfile in Schadenfroh's thread for surgery 😀 Follow his instructions precisely when he replies to your HJT log post, step-by-step, and don't skip any steps, and you should be good to go 🙂

 
What do you mean? And here's a screen of the Manage window from the My Computer icon:

Manage Window

I don't have the users and groups folder which is unusual.

Lol, we're posting every second. 🙂

EDIT: Ok thanks, I'll re-check some things and go post in the thread. 😀
 
Originally posted by: Wariogiant
What do you mean? And here's a screen of the Manage window from the My Computer icon:

Manage Window

I don't have the users and groups folder which is unusual.
Darn! My pic is from Win2000. I guess I'll have to revise that once I've come up with some new pics (my WinXP box lives down at work) 😱

Plan B:

  1. smack mechBgon for assuming stuff 😀
  2. Reboot in Safe Mode. Dude! Now there's Administrator on the Welcome screen! :Q But log on using your regular user account, "Michael" or whatever it's named.
  3. While running in Safe Mode, go to Control Panel > User Accounts and now you see the normally-hidden Administrator account listed. You can set it a password now 😎
  4. Afterwards, you can log on normally again
Be aware that many Trojans these days are packing their own list of likely passwords to try, in order to crack your Admin account beneath the surface and misuse the Admin powers. You don't want it to be easy... not any variant of "password" or "passw0rd" or consecutive letters or symbols on the keyboard, etc. If you want the protection of a really strong password on your own Admin-class account, but don't want to type it all the time, you can set up Auto-logon. Or just use a Limited account.
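The password rules mechBgon lays out above (no blank Administrator password, no variant of "password" or "passw0rd", no runs of consecutive letters or symbols on the keyboard, and the remark that Trojans carry their own guess lists) as an added Python checker. This is not code from the thread or from any tool it mentions; the 12-character minimum, the substitution table used to undo leetspeak, and the tiny built-in wordlist are my assumptions, the wordlist standing in for the thousands of entries a real password-trying Trojan would carry.

```python
import string

# Constructed mini-wordlist standing in for a trojan's guess list (assumption:
# a real list is thousands of entries long). Sorted so matches are deterministic.
COMMON_WORDS = sorted({"password", "admin", "administrator", "letmein",
                       "welcome", "login", "secret", "michael"})

# Undo the usual digit/symbol-for-letter substitutions so "P@$$w0rd" is seen as
# "password" before the wordlist check; guess lists apply the same tricks.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# US keyboard rows plus the alphabet. A run of 4+ characters from any of these,
# forwards or backwards, is "consecutive letters or symbols on the keyboard".
KEYBOARD_ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
                 string.ascii_lowercase)


def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if the password contains n consecutive keys from one row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                return True
    return False


def weak_reasons(pw: str, min_len: int = 12) -> list:
    """Return every reason the password fails; an empty list means it passes."""
    if not pw:
        return ["blank password"]          # the default XP Administrator state
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    normalized = pw.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in normalized:
            reasons.append(f"contains dictionary word '{word}' (after undoing substitutions)")
            break
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard sequence")
    classes = sum(any(c in group for c in pw) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


def is_strong(pw: str) -> bool:
    return not weak_reasons(pw)


if __name__ == "__main__":
    for candidate in ("", "P@$$w0rd!", "Qwerty123456", "Correct-Horse-Battery-Staple-42"):
        print(repr(candidate), "->", weak_reasons(candidate) or "OK")
```

The normalize-then-match step is the part worth copying: a guess list that knows "passw0rd" also knows "P@$$w0rd", so a checker that only compares the literal string gives a false sense of safety. The passphrase in the last sample line passes every rule while still being typeable, which is what mechBgon is after for an Admin-class account.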

 
Well well well, I just restarted after configuring my account password and removed everything left over from the previous incident, and it's not popping up again. Internet Explorer is not always running, and HijackThis and Ad-Aware have found nothing. To think that a problem like that could have such a simple solution, lol, thanks! 😀 I'll still be scanning and re-checking, but it seems to be gone.
 