
Power Antivirus2009 Popups


  • This topic is locked
3 replies to this topic

#1 Rick-F

Rick-F

  • Members
  • 6 posts
  • Gender:Male
  • Location:South FL

Posted 06 August 2008 - 03:17 PM

I have an infection with "Power Antivirus 2009". Maybe a partial infection because I don't see any of the files listed as being stored on my hard drive. As soon as I saw the IE popup (see attachment below), I closed the application. Then I see the next image (second attachment). The third image is of the page that loads even if I press 'cancel' or 'close'. My symptoms are when I do a Google search... or even Yahoo search (I first thought it was just Google but seems like any search engine) I see these pop ups (see attachments below). I never let the browser go to the web page listed. I closed the window immediately and engaged my ZoneAlarm Interlock. I don't see these pop-ups until I do a web search. So I think Power-Antivirus-2009 or AV2009 has hooked something into my browser... which is IE-6.

I ran 'Malwarebytes' (latest and up to date) with quick-scan AND full-scan... "no malicious files found"; 'SAS' (Super-Antispyware); 'VundoFix'; 'Trojan-Remove'; 'Avast'; 'AVG-AntiSpyware'; 'SpyBot S+D'; even a rootkit scan by avast and nothing malicious is found. That's what I get for clicking on a link in an email. Should have known better. My MSVP HOSTS file didn't stop it either. Doesn't matter what I click on in the pop-up. I'll see a 'FREE scan start' (third image below). Clicking the "interlock" on my Firewall doesn't stop the scan. It just looks like an online scan with IE but it's all a ploy (phishing) to get me to buy their junk.

Oh... even tried a System Restore to 1 week and 2 weeks ago. Didn't help. I really didn't expect it to but was worth a try.

I have a Dell Dimension; Intel-core2 duo; WinXP Media Ctr (SP-2); 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; IE-6.0; OE-6; ZA-7.0.302; avast 4.8.1229 (latest):

I read the "do this before posting". Below are my logs from the DSS scan and HJT ('main.txt') and 'extra.txt' is attached. Hope you guys can help me with this. This is the first time I've ever used HJT. I used to suggest your site (Bleepingcomputer) to users at the McAfee help forum where I was a volunteer moderator for about 3 or 4 years. But I've retired from doing that now. When/if you find something in my logs I hope you can tell me what to do with HJT. Like I said, this is my first time using that utility. Thank you in advance.

Also, I attached the extra.txt as instructed along with some jpg images of my pop-ups.

==========================
Deckard's System Scanner v20071014.68
Run by Rick on 2008-08-06 15:51:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
84: 2008-08-06 19:51:55 UTC - RP436 - Deckard's System Scanner Restore Point
83: 2008-08-06 16:25:36 UTC - RP435 - Restore Operation
82: 2008-08-06 16:14:39 UTC - RP434 - Restore Operation
81: 2008-08-06 16:06:27 UTC - RP433 - Restore Operation
80: 2008-08-06 15:16:17 UTC - RP432 - Restore Operation

-- First Restore Point --
1: 2008-05-08 21:42:20 UTC - RP353 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Rick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:23 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 6.0\Agent\VProSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Symantec\LiveState Recovery\Desktop 6.0\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Documents and Settings\Rick\Desktop\dss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rick.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LiveState Recovery Desktop 6.0] "C:\Program Files\Symantec\LiveState Recovery\Desktop 6.0\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192478761421
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec LiveState Recovery - Symantec Corporation - C:\Program Files\Symantec\LiveState Recovery\Desktop 6.0\Agent\VProSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5832 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 AEC671X - c:\windows\system32\drivers\aec671x.sys <Not Verified; Acard Technology Corp.; Acard® AEC-671X PCI Ultra/W SCSC-3 Controller>
S1 DMX3191 - c:\windows\system32\drivers\dmx3191.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S2 PV8630 (PV8630 WDM Device Driver) - c:\windows\system32\pv8630.sys <Not Verified; PowerVision Technologies Inc.; USB Image Device>
S3 aswArKrn - c:\docume~1\rick\locals~1\temp\aswarkrn.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 GEARSecurity -
S4 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Conexant D850 56K V.9x DFVc Modem
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1B02CB0B&0&18F0
Manufacturer: Conexant
Name: Conexant D850 56K V.9x DFVc Modem
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&1B02CB0B&0&18F0
Service: Modem

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 15:53:33 0 d-------- C:\Program Files\Trend Micro
2008-08-06 14:38:01 0 d-------- C:\Documents and Settings\Rick\Application Data\Malwarebytes
2008-08-06 14:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 14:37:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 13:22:20 0 d-------- C:\ZTomTom_BU_8-1-08

-- Find3M Report ---------------------------------------------------------------

2008-08-06 12:26:31 0 d-------- C:\Program Files\Trojan Remover
2008-08-05 16:32:53 34568 --a------ C:\Documents and Settings\Rick\Application Data\wklnhst.dat
2008-07-16 19:14:59 0 d-------- C:\Documents and Settings\Rick\Application Data\Tyre
2008-06-30 11:44:46 65696 --a------ C:\Documents and Settings\Rick\Application Data\GDIPFONTCACHEV1.DAT
2008-06-29 14:40:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 14:40:36 0 d-------- C:\Program Files\Lavasoft
2008-06-24 15:07:31 0 d-------- C:\Documents and Settings\Rick\Application Data\AdobeUM
2008-06-24 14:33:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-24 14:33:52 0 d-------- C:\Program Files\Common Files
2008-06-22 14:42:41 0 d-------- C:\Program Files\Sunhawk

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/20/2006 05:00 PM C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 11:39 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 10:38 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [01/08/2007 02:29 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 05:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"LiveState Recovery Desktop 6.0"="C:\Program Files\Symantec\LiveState Recovery\Desktop 6.0\Agent\VProTray.exe" [04/16/2007 08:57 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

18877 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-08-06 15:55:58 ------------

======================

Attached Files


Edited by Rick-F, 06 August 2008 - 04:12 PM.

Dell Dimension; Intel-core2 duo; WinXP Media Ctr SP-2; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; IE-6.0; OE-6; ZA-7.0.302; avast 4.8.1229 (latest)

Use the most powerful AV product available = "Common sense"
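As an added example (not part of Rick-F's post, the DSS tool or HijackThis), a small Python triage script for the log format shown above: it parses the O2/O4/O23 lines and the DSS driver lines and flags any auto-start component that lives in a user-writable folder or is reported as missing, which is the kind of entry a helper reviewing such a log looks at first. The `sysupd` line in the sample is a constructed, hypothetical entry added only to exercise the check; the other lines are copied from the log above.

```python
import re

# Constructed sample: lines copied from the HijackThis/DSS log in the post above, plus
# one hypothetical O4 entry in a Temp folder (NOT from the original log) to exercise the check.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\Rick\Local Settings\Temp\sysupd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
S3 aswArKrn - c:\docume~1\rick\locals~1\temp\aswarkrn.sys (file missing)
"""

# Path fragments that make a persistent component worth a second look: user-writable
# locations that installers of legitimate software rarely use for auto-start binaries.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\docume~1\\", "\\documents and settings\\")

# O4 lines: "O4 - <hive>: [<name>] <path> [args]"; the path may be quoted. An unquoted
# path is approximated as everything up to the first 3-letter extension followed by a space.
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?:"(?P<q>[^"]+)"|(?P<u>.+?\.\w{3}(?=\s|$)))')
# O2 (BHO) and O23 (service) lines: description segments separated by " - ", path last.
DASH_RE = re.compile(r'^(?P<kind>O2|O23) - (?P<desc>.*) - (?P<path>[A-Za-z]:\\.*)$')
# DSS driver/service lines: "<start-type> <name> [(description)] - <path> [(file missing)]".
DRV_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>\S+)(?: \([^)]*\))? - (?P<path>[A-Za-z]:\\\S+)(?P<missing> \(file missing\))?')

def parse_entry(line):
    """Return (kind, name, path, file_missing) for a recognised log line, else None."""
    m = O4_RE.match(line)
    if m:
        return ("O4", m.group("name"), m.group("q") or m.group("u"), False)
    m = DASH_RE.match(line)
    if m:
        return (m.group("kind"), m.group("desc").split(" - ")[0], m.group("path"), False)
    m = DRV_RE.match(line)
    if m:
        return ("DRV", m.group("name"), m.group("path"), bool(m.group("missing")))
    return None

def triage(log_text):
    """Flag entries whose binary sits in a user-writable folder or is reported missing.
    This is a review aid: a hit (e.g. a scanner's leftover temp driver) is not a verdict."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if not entry:
            continue
        kind, name, path, missing = entry
        reasons = []
        if any(frag in path.lower() for frag in USER_WRITABLE):
            reasons.append("user-writable location")
        if missing:
            reasons.append("file missing")
        if reasons:
            findings.append((kind, name, path, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for kind, name, path, why in triage(SAMPLE_LOG):
        print(f"{kind:4} {name:<10} {path}  <- {why}")
```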

#2 Rick-F

Rick-F
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:South FL

Posted 07 August 2008 - 07:00 PM

Well, I wanted to edit the above but can't find the edit button! :thumbsup: It's not there!

Not sure I have this infection now. I only see those popups (see post above) when I google... or use any search engine, for a specific restaurant in our area. All other searches are fine as I've been searching for the listed processes I have running. Hopefully someone can look at my log to see if there is something askew that needs to be corrected.

As suggested in this forum, I'm not going to run 'ComboFix' until someone with more experience than I is here to guide me. I've run MalwareBytes again, SmitFraudFix, SpyBot S+D, avast AV, and nothing is ever found.

<<< edit >>>
On 8-7-08 updated Java by running their Java-RA, (removes old versions of Java and logs) and installed latest JRE 6 u7.

Thanks in advance for your help.

Edited by Rick-F, 08 August 2008 - 09:12 AM.


#3 Rick-F

Rick-F
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:South FL

Posted 11 August 2008 - 03:47 PM

You can close this thread. I've been told that the log is clean.

Thank You!


#4 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 15 August 2008 - 01:35 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security