
Winantispyware Pro, Security Alerts, Bestsellerantivirus, Etc...

  • This topic is locked
2 replies to this topic

#1 Allykins


  • Members
  • 7 posts
  • Local time:08:46 PM

Posted 19 November 2007 - 07:53 AM

Awhile back, WinAntiSpyware Pro popups kept showing up. I did my best to get rid of them and everything was okay for awhile. But now, I'm getting almost constant popups of SOME sort. Including:

System performance monitor/Security Alert/System Alert: it's disguising itself as a Windows app and showing up in my taskbar. Telling me I should download software.

A 'Security Center' IE window that pops up. Address leading to: securityonpage.com.
'Internet Explorer Alert!' popup telling me that my computer is infected with 'spyware that displays advertisement'. And asking me if I want to download additional software to protect against it.

There are also two shortcuts that've shown up on my desktop that read 'Online Security Guide' and 'Live Safety Center'. They look just like the official WinXP safety center icons. But they lead to 'http://kukkakreck.com/cehpmoin/?cmp=h&lid=1_1' and 'http://kukkakreck.com/cehpmoin/?cmp=h&lid=1_2', respectively.

And other popups similar to 'Security warning: New variant of SpyBot@MXt', each usually displaying something different whenever they come up. All asking me to download software. Clicking on them brings up an installation window for 'BestsellerAntivirus Installer'.

Needless to say, I'm peeved. I'm generally good about cleaning these things out and keeping them out, but no one's really 100% secure. At this point, I'd do a whole reformat, but that's another issue altogether. I've tried using pretty much EVERYTHING and nothing seems to work. And if it does work, it doesn't last for long and the viruses/malware/whatever have re-installed themselves back onto my system while I'm at work. And, it seems like every time I run a scanner, more icons pop up on my desktop. Which makes me feel like I'm getting NOWHERE by even bothering to scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:49, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\Virus Scanners\Ad-Aware 2007\aawservice.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Avedesk\AVEDESK.EXE
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\Setup Files\IE7-WindowsXP-x86-enu.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Virus Scanners\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\eyoxbcfm.dll
O4 - HKLM\..\Run: [PrimaLauncher] D:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDrive] rundll32.exe D:\WINDOWS\system32\drvtem.dll,startup
O4 - HKLM\..\Run: [avp] D:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "D:\Program Files\Avedesk\AVEDESK.EXE"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Trillian.lnk = D:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Copy to Semagic - D:\Program Files\Livejournal\copy.htm
O8 - Extra context menu item: Semagic - D:\Program Files\Livejournal\link.htm
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\VIRUSS~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\VIRUSS~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: d:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Virus Scanners\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 4962 bytes
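The log above lists autostart, toolbar, AppInit and service entries in HijackThis's one-line format. The following Python is an added triage example; it is not part of the thread, of HijackThis, or of the tools recommended in the reply. It parses a subset of lines copied from the posted log and flags the indicators a helper would review first: a populated AppInit_DLLs value, a service whose binary is missing, an autostart placed directly in the Windows directory or on a drive other than the inferred system drive, and a toolbar carrying generic security-product wording. The rules, the regexes and the idea of inferring the system drive from the other paths are this example's own assumptions, not HijackThis behaviour.

```python
import re
from collections import Counter, namedtuple

# Constructed subset of the HijackThis log posted above; the remaining
# lines are omitted because no rule below would fire on them.
SAMPLE_LOG = r"""
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\eyoxbcfm.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe D:\WINDOWS\system32\drvtem.dll,startup
O4 - HKLM\..\Run: [avp] D:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - AppInit_DLLs: d:\windows\system32\ldcore.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

Finding = namedtuple("Finding", "section item reason")

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .exe or .dll; quotes and the rundll32
# ",EntryPoint" suffix terminate it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)', re.I)
# A file directly under <drive>:\Windows\ rather than a subdirectory.
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
# Generic "security product" wording of the kind the fake alerts in this
# thread use (heuristic chosen for this example, not a HijackThis rule).
SCARE_WORDS_RE = re.compile(r"\b(security|alert|protect\w*|antivirus)\b", re.I)


def infer_system_drive(paths):
    """HijackThis never states the system drive, so take the drive letter
    that most paths under a \\windows\\ directory live on (assumption)."""
    drives = Counter(p[0].upper() for p in paths if "\\windows\\" in p.lower())
    return drives.most_common(1)[0][0] if drives else None


def item_name(section, body):
    """The label a helper would quote back: the Run key name, the toolbar
    or service display name, or the DLL path for AppInit_DLLs."""
    if section == "O4":
        m = RUN_NAME_RE.search(body)
        return m.group(1) if m else body
    if section in ("O3", "O23"):
        # "Toolbar: Name - {CLSID} - path" / "Service: Name - Owner - path"
        return body.partition(": ")[2].split(" - ")[0]
    if section == "O20":
        return body.partition(": ")[2].strip()
    return body


def triage(log_text):
    """Return the entries a malware-removal helper should look at first."""
    entries = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    all_paths = [p for _, body in entries for p in PATH_RE.findall(body)]
    system_drive = infer_system_drive(all_paths)

    findings = []
    for section, body in entries:
        item = item_name(section, body)
        path_match = PATH_RE.search(body)
        path = path_match.group(0) if path_match else None

        if section == "O20" and item:
            findings.append(Finding(section, item,
                "AppInit_DLLs is populated: this DLL is loaded into every "
                "process that links user32.dll"))
        if section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, item,
                "service points at a binary that is not on disk"))
        if section == "O3" and SCARE_WORDS_RE.search(item):
            findings.append(Finding(section, item,
                "generic security-product name, like the fake alerts in the post"))
        if path and section in ("O3", "O4"):
            if WIN_ROOT_RE.match(path):
                findings.append(Finding(section, item,
                    "binary sits directly in the Windows directory, "
                    "where legitimate autostarts rarely live"))
            if system_drive and path[0].upper() != system_drive:
                findings.append(Finding(section, item,
                    f"path is on drive {path[0].upper()}: but the system "
                    f"lives on {system_drive}:"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.item!r:<45}{f.reason}")
```

Note what the rules do not catch: the CTDrive entry loading drvtem.dll from system32 passes every check, as does the system32 path of the flagged toolbar's own DLL. Heuristics like these only order the review; they do not replace reading each line, which is why the helpers on this forum ask for further tool logs before advising any removal.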



#2 Rosty


    Skydive junkie

  • Malware Response Team
  • 1,220 posts
  • Local time:06:46 AM

Posted 23 November 2007 - 02:32 PM

Welcome to BleepingComputer. My name is Rosty and I'm going to help you with your log.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post the log from SmitfraudFix, ComboFix and a new HijackThis log in your next reply.


Proud member of ASAP since 2007

#3 Rosty


    Skydive junkie

  • Malware Response Team
  • 1,220 posts
  • Local time:06:46 AM

Posted 06 December 2007 - 01:21 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


Proud member of ASAP since 2007
