isoasa

Members
  • Content count

    8
  • Joined

  • Last visited

About isoasa

  • Rank
    New Member

Contact Methods

  • ICQ
    0
  1. Hello Jean, I have run panda again and delete manually file from previous report as panda was not able to delete them: Here the last scan report. This only flag now id combofix which I deleted now. combofix Incident Status Location Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe] And here is last HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:56:05 PM, on 8/18/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\tp4mon.exe C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5528 bytes ========================================================================== I have also updated Java runtime and Acrobat. Is combofix a save tool to use? When I used it he quarantined the following files and the popup disapeared C:\Program Files\myglobalsearch C:\Program Files\myglobalsearch\bar\History\search C:\Program Files\myglobalsearch\bar\Settings\settings.dat C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak C:\Program Files\myglobalsearch\bar\Settings\settings.htm C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe C:\WINDOWS\system32\nvs2.inf C:\WINDOWS\system32\repewb.dat C:\WINDOWS\system32\repewb.exe C:\WINDOWS\system32\repewb_nav.dat C:\WINDOWS\system32\repewb_navps.dat C:\WINDOWS\system32\winphc32.dll The strange things is that for example the file repewb.exe was not visible on c drive. I used before icesword which found it in the report, but impossible to find it on the drive to delete it. How these malwares can hide on file system? Thank you
  2. Since I run combofix at the begining, I don't have any popup anymore. So it's better now. I have no more unwanted adds. Everthing looks okay now. What's strange is that Panda wants to remove combofix. Anyway I will get the last HJT and post the new panda and hjt log.
  3. Hi there, I have removed everything that spybot found. Avg has found cookies. Panda has found things, right, but do not offer the posiblity to remove, will do manually for some of them because not everything is dangerous. Someof the software I still use them. I'm using the same HJT version from the begining of this topic. I didn't this version was wrong.
  4. Hello Jean, Here are the AVG, Panda and HJT logs Thanks AVG: --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 10:25:10 PM 8/13/2007 + Scan result: C:\Documents and Settings\admin\Cookies\admin@estat[1].txt -> TrackingCookie.Estat : No action taken. :mozilla.66:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken. :mozilla.67:C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt -> TrackingCookie.Seznam : No action taken. C:\Documents and Settings\admin\Cookies\admin@seznam[1].txt -> TrackingCookie.Seznam : No action taken. C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt -> TrackingCookie.Weborama : No action taken. ::Report end Panda: Incident Status Location Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\srgxoby0.default\cookies.txt[.metriweb.be/] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\admin\Cookies\admin@toplist[1].txt Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\admin\Cookies\admin@weborama[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\admin\Cookies\admin@xiti[1].txt Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\admin\Desktop\ComboFix.exe[nircmd.exe] Adware:Adware/SpyVampire Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe.vir Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe Potentially unwanted tool:Application/MyWebSearch Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[mgsSetp.ClipRex.exe] Adware:Adware/SaveNow Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Cliprex_WhenUSave_InstallerInst.exe] Virus:Trj/Banker.SW Not disinfected D:\Logiciels\To install\Multimedia\Cdvd.exe[Capthumb.dll] And HJT: Logfile of HijackThis v1.99.1 Scan saved at 8:17:52 AM, on 8/14/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\tp4mon.exe C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  5. Hello, Thanks will follow your WI. The seznam.cz is a Czech search engine that I choose at home page. Will post the logs later, on Monday as I'm off town for the week-end. Regards
  6. Good Evening Jean, Here I have the full combofix log and new HJT. Thank you Combofix log: ComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\myglobalsearch C:\Program Files\myglobalsearch\bar\History\search C:\Program Files\myglobalsearch\bar\Settings\settings.dat C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak C:\Program Files\myglobalsearch\bar\Settings\settings.htm C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe C:\WINDOWS\system32\nvs2.inf C:\WINDOWS\system32\repewb.dat C:\WINDOWS\system32\repewb.exe C:\WINDOWS\system32\repewb_nav.dat C:\WINDOWS\system32\repewb_navps.dat C:\WINDOWS\system32\winphc32.dll ((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 ))))))))))))))))))))))))))))))) 2007-08-08 20:38 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-07-15 10:43 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks 2007-07-09 23:23 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-07-09 23:17 <DIR> d-------- C:\HJT (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-08 20:53 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Skype 2007-08-07 18:44 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\AdobeUM 2007-08-01 23:20 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Juniper Networks 2007-07-10 00:11 --------- d-------- C:\Program Files\Enigma Software Group 2007-07-06 19:10 --------- d-------- C:\Program Files\SpywareBlaster 2007-07-06 18:46 1156 --a------ C:\WINDOWS\mozver.dat 2007-07-06 18:34 0 --a------ C:\WINDOWS\nsreg.dat 2007-07-02 22:33 --------- d-------- C:\Program Files\Messenger 2007-06-29 20:22 --------- d-------- C:\Program Files\Juniper Networks 2007-06-29 17:07 --------- d-------- C:\Program Files\Lavasoft 2007-06-29 17:06 --------- d-------- C:\DOCUME~1\admin\APPLIC~1\Lavasoft 2007-06-29 17:05 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-06-29 16:45 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll 2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll 2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll 2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrackPointSrv"="tp4mon.exe" [2004-08-03 20:56 C:\WINDOWS\system32\tp4mon.exe] "PRISMSVR.EXE"="C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.exe" [2004-04-26 15:26] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-02-09 23:52] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 08:42] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 12:42] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-28 22:56] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-11-24 18:16] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-04-01 08:00] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) R1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS R3 3C154G;3Com OfficeConnect 802.11g PC Card Driver;C:\WINDOWS\system32\DRIVERS\3C154G72.sys R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-08 20:49:09 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-08 20:57:02 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-08 20:56 C:\ComboFix2.txt ... 2007-07-06 18:25 --- E O F --- =========================================================================== HJT log: Logfile of HijackThis v1.99.1 Scan saved at 8:14:05 PM, on 8/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\tp4mon.exe C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555 O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907 O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  7. Hello Again, I have just run a combofix and here is the log, since then look like I have the popup gone Do you think I need to check more things? Thanks ComboFix 07-08-08 - "admin" 2007-08-08 20:39:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Program Files\myglobalsearch C:\Program Files\myglobalsearch\bar\History\search C:\Program Files\myglobalsearch\bar\Settings\settings.dat C:\Program Files\myglobalsearch\bar\Settings\settings.dat.bak C:\Program Files\myglobalsearch\bar\Settings\settings.htm C:\Program Files\myglobalsearch\bar\Settings\settings.htm.bak C:\WINDOWS\system32\{F9432661-AC0B-4A75-AF1A-AD9650B284DD}.exe C:\WINDOWS\system32\nvs2.inf C:\WINDOWS\system32\repewb.dat C:\WINDOWS\system32\repewb.exe C:\WINDOWS\system32\repewb_nav.dat C:\WINDOWS\system32\repewb_navps.dat C:\WINDOWS\system32\winphc32.dll
  8. Good evening to all of you, I have the following problem on my personal PC: I keep having the AVSystemCare popup. I have attached a screen shot of the popup. The AVsystemcare is not installed but the popup keeps appearing. I read few of your forum and try couple of things but still here. I got probably infected as I was not keeping Windows up to date. So Far now I have Windows up to date, ran Avg Antivirus, AVg AntiSpyware and AdAware2007, which did not find anything. I have also ZoneAlarm and SpyWareblaster installed. I did not update yet the Java 1.4 version which you mentionned as hole of secutity, but will do. I have run a HJT and here the log: Thanks for your time Logfile of HijackThis v1.99.1 Scan saved at 9:46:40 PM, on 8/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\tp4mon.exe C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\winhlp32.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = devetsil.vse.cz:5555 O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_13\bin\npjpi142_13.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O10 - Unknown file in Winsock LSP: c:\program files\juniper networks\secure application manager\samnsp.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183431816907 O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.csa.cz/dana-cached/setup/JuniperSetup.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{81F10BD9-BDCD-4149-9F39-EBDEA3A9C80D}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9342F5-C1E9-4F77-B355-EB5C4289FF19}: NameServer = 85.255.115.61,85.255.112.97 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.61 85.255.112.97 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O20 - Winlogon Notify: winphc32 - C:\WINDOWS\SYSTEM32\winphc32.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe AVSystemCare.doc AVSystemCare.doc AVSystemCare.doc AVSystemCare.doc