Need help


5 replies to this topic

#1 bluelurker

Posted 13 February 2005 - 05:25 AM

Hello

Ok, not computer confident, but am prepared to try and fix things if I can. I have a problem that has been plaguing me for about 5 weeks now. I'm not sure what it is but it's becoming a pain. First some background info.

Using Windows XP Pro V2002
AVG anti-virus Free Edition
GoldTach firewall
Web Window Killer


AMD Athlon XP 2500+
1.82 GHz
1 GB RAM


I have three different but related windows pop up on my screen. Following is the information on the first window that pops up.
1. This one opens up in a grey box, not unlike a windows message window.
2. The top section reads, “Windows Security Center”
3. (White X in red cycle) Warning: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information such as credit card numbers, electronic mail accounts, financial data or passwords.
4. Do you want to download certificated software and protect your computer.


After about 20 to 30 minutes the next message follows.
This takes shape in the icon tray with a yellow balloon and a text bubble above, with the following information:

Your computer might be at risk

*your virus protection is bad
* Spy activity detected

Click this balloon to fix this problem.

The third is a browser hijack and additions to my favorites:

Phentermine
Play with Girls
Spyware
Viagra
Work at home
Xanax Online
Free Online Dating
XXX personal photos
Block popups

I have run Ad-Aware many times and it finds bugs and I remove them, only to have them back again; the same goes with StopZilla and Spybot. I use System Mechanic to clean out my junk files and also to clean the registry.

Ad-Aware report
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Trusted zone presumably compromised : 63.219.181.7

Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : andrew@linksynergy[1].txt
Object : C:\Documents and Settings\ANDREW\Cookies\

Created on : 2/13/2005 9:22:19 AM
Last accessed : 2/12/2005 4:00:00 PM
Last modified : 2/13/2005 9:22:20 AM



Tracking Cookie Object recognized!
Type : File
Data : andrew@tribalfusion[1].txt
Object : C:\Documents and Settings\ANDREW\Cookies\

Created on : 2/13/2005 9:25:16 AM
Last accessed : 2/12/2005 4:00:00 PM
Last modified : 2/13/2005 9:25:18 AM


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3


5:41:32 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:08:00:437
Objects scanned :47608
Objects identified :3
Objects ignored :0
New objects :3

HijackThis report
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\aalku\Web Window Killer\WebWindowKiller.exe
C:\Program Files\iolo\Common\Task Agent\task_agent.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\AOL 7.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\ANDREW\Desktop\SYSTEM TOOLS\HijackThis.exe
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
C:\WINDOWS\System32\usrshutd.exe
C:\WINDOWS\System32\winmsdc.exe
C:\WINDOWS\System32\vwipxspnt.exe
C:\WINDOWS\System32\tlntadmnx.exe

O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CompleteCache
O4 - HKCU\..\Run: [Web Window Killer] "C:\Program Files\aalku\Web Window Killer\WebWindowKiller.exe" hidden
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\task_agent.exe
O4 - HKCU\..\Run: [Clean Registry at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /RegistryClean
O4 - HKCU\..\Run: [Erase History at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CleanHistory
O4 - HKCU\..\Run: [Clean Junk Files at StartUp] C:\Program Files\iolo\System Mechanic\SysMechanic.exe /CleanJunk
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DDDF690-A10D-4EDB-9CEB-DF751735276B}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{31862759-D854-42BC-90C4-98C021A16757}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Hope you can help me with this problem.


Well, I hope someone somewhere out there can help me with this problem.
Thanks in advance.

Blue
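A defender-side check for two of the indicators in the log above, the O17 NameServer entries and the ZoneMap registry object the Ad-Aware scan flagged, written as an added example rather than code from the forum or from HijackThis; the resolver allow-list passed to rogue_nameservers is an assumption the operator supplies.

```python
"""Flag DNS-hijack and trusted-zone indicators in HijackThis / Ad-Aware output."""
import ipaddress
import re

# Constructed sample input: O-lines copied from the HijackThis log above, plus
# the ZoneMap registry object that the Ad-Aware report flagged.
HJT_LOG = r"""
O4 - HKLM\..\Run: [GoldTach] C:\Program Files\Matinsoft\GoldTach\GoldTach.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DDDF690-A10D-4EDB-9CEB-DF751735276B}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{31862759-D854-42BC-90C4-98C021A16757}: NameServer = 69.50.188.180,195.225.176.31
"""
ZONEMAP_OBJECT = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7"

# O17 lines carry the per-interface DNS resolver list under an interface GUID.
O17_RE = re.compile(r"^O17 - .*\\\{(?P<guid>[0-9A-F-]+)\}: NameServer = (?P<servers>[\d.,]+)")

def nameserver_entries(log_text):
    """Return [(interface_guid, [resolver_ip, ...])] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            entries.append((m.group("guid"), m.group("servers").split(",")))
    return entries

def rogue_nameservers(log_text, allowed):
    """Resolver IPs from O17 lines outside `allowed` (hosts or CIDR blocks); the
    allow-list is an assumption: the ISP/router resolvers the operator expects."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    rogue = set()
    for _guid, servers in nameserver_entries(log_text):
        for ip in servers:
            # Any resolver outside the allow-list can silently redirect lookups.
            if not any(ipaddress.ip_address(ip) in net for net in allowed_nets):
                rogue.add(ip)
    return sorted(rogue)

def suspicious_zonemap(obj_path):
    """True when a ZoneMap 'Domains' key names a bare IP address: users rarely
    add those by hand, but hijackers do to put their host in a trusted zone."""
    parts = obj_path.split("\\")
    if "ZoneMap" not in parts or "Domains" not in parts:
        return False
    try:
        ipaddress.ip_address(parts[-1])
    except ValueError:
        return False
    return True
```

With a private-range allow-list such as 192.168.0.0/16, both resolvers in the posted log are reported; with the two logged addresses in the allow-list, nothing is.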


#2 pip22

Posted 13 February 2005 - 10:25 AM

First two messages related to Windows Security Centre --- I think it's simply a case of it not recognising your Firewall, and probably isn't able to detect that your AVG Antivirus is up to date even when it is. In any case, since you have your own third-party firewall and you have an antivirus prog installed, I would just disable the warning-system in the Windows Security Centre (that's responsible for the yellow shield in the system tray). Don't ask me how to disable it, I took SP2 off my PC weeks ago, but I know it's possible to disable this feature --- more trouble than it's worth if you know what you're doing and have your own security applications in place.

As for the third problem --- browser hijack. They are not picked up or effectively removed by either Ad-Aware or Spybot. It requires a specialised browser-hijack tool called 'HijackThis'. Find it with Google. Download it. Run it. Post the log to the 'HijackThis Logs and Analysis' forum for further instructions.

#3 bluelurker

Posted 13 February 2005 - 11:09 AM

Thanks for the help pip22

Now can anyone tell me how to disable the warning-system in the Windows Security Centre?

Whilst I'm here, how do you remove ignored items from HijackThis, 'cause I made the mistake of ignoring a known problem and now I can't get it out of the HijackThis ignore list.

#4 phawgg

Posted 13 February 2005 - 12:24 PM

From your desktop:
Start-->Control Panel-->Security Centre-->Firewall section (top)-->recommendation button

You can set all three features "to monitor yourself" and cancel the alerts by using the various buttons in the various sections.

About HJT... you might want some detailed guidance when using it.
We provide that here.
How to post a Hijack This log is a brief tutorial about the significant details of what we need to help you.
patiently patrolling, plenty of persistent pests n' problems ...

#5 bluelurker

Posted 14 February 2005 - 10:24 AM

Thanks phawgg, but I have no Security Centre in Control Panel, I don't know if it is because I'm running XP Pro. I did a search for Windows Security Center and it came up with nothing.

#6 phawgg

Posted 14 February 2005 - 11:36 AM

Service Pack 2 installs the Security Center onto winXP pro.
I should have looked closer at your log.

I see the header that provides that information is clipped, though.
Update status is recorded in the top four lines of HJT.
The rest of it is thrown into doubt if any of it is gone.

We do not use ad-aware reports here, either.
It is helpful information, but unneeded.
It slows the analysis down when posted in the way it is,
so please read the information How to post HJT
Follow up with a reply & new (complete) log (by itself) and perhaps comments,
although what you have provided clearly states your problem.

We can move this thread to the Security/HijackThis log analysis section
and help you work out the detailed deletions/changes then.

You do have malware on your PC.
patiently patrolling, plenty of persistent pests n' problems ...



