Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Desktop popup


  • This topic is locked This topic is locked
18 replies to this topic

#1 CCS @ mdc

CCS @ mdc

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 03 January 2009 - 12:22 PM

I am woking on a Compaq Presario desktop computer, Windows XP SP3. When I started on it it had too many spyware and viruses to list here, I have removed all of them with AVG Free 8.0, spybot Search and destroy, Malwarebytes Anti malware, and smitfraud fix, however I still have a desktop pop up after windows boot, I am including a snapshot of the pop up below. It does not appear to be causing any reinfection, but I cannot get rid of it, I have searched the registry with regedit for the contained text within the window, but was unable to find anything related to it in the registry. I can usually clean most systems that I help with, but I am unable to figure this one out. any help or suggestion would be greatly appreciated. If you need more information please let me know. Apparently I am not able to attach a snapshot to this post, I will reply to it with the snapshot included.

BC AdBot (Login to Remove)

 


#2 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 03 January 2009 - 12:27 PM

Ok, maybe I am not supposed to add the snapshot here, the popup is a list of porn sayings, i.e.
cute cherry in a white bikini, blonde teen girls attack and fight violently
busty teen s gitting wet and naughty, etc.....
This is just a box, no properties to pull up, the only options right click gives me is to move or close the box, I did try to copy and paste it here, but was unable. I copied and pasted it into a internet explorer window and had the active x bar drop down from the top of the window, I did not allow the active x script to run. I hope this makes sense to some one, thanks for any information you may be able to give.

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 03 January 2009 - 09:03 PM

Hi, The MBam log is back all 0's? Lets's get one more.


Open MBAM and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan and scan.
After scan click Remove Selected, Post new scan log and Reboot to normal mode.

By the way I am closing the HJT log topic you've posted. Unless you prefer to work there. Forum plicy prohobits working in 2 forums. Let me know,thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 05 January 2009 - 11:29 PM

Ok, it is too late tonight and I have not had a chance to even look at it today, I will rescan after an update and let you know what is there. Yes please close the other post, I am new here and no one ever replied to it any way.
Thanks for the help,
Dane

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 05 January 2009 - 11:47 PM

No problem,I'll look for it and thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 06 January 2009 - 11:00 PM

I cant find a way to post the log here, I can't copy and paste, or import or attach a file to a post. Do I need to be posting this log somewhere else? Sorry for the newbie questions, but I do need some help.
OK after reading about 30 help blogs I figured it out, this is the newest mbam log file, and I have had this back on the internet before running mbam for this log,
after removing all items found and rebooting, the popup has returned, and the winlogin.exe file is back in place in the same file. Hope that helps you to help me.
Thanks,


Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

1/6/2009 10:22:29 PM
mbam-log-2009-01-06 (22-22-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144545
Time elapsed: 1 hour(s), 36 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Galynn\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Galynn\Local Settings\Temporary Internet Files\Content.IE5\ZDQPV2O8\Codec[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Edited by CCS @ mdc, 07 January 2009 - 12:00 AM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 06 January 2009 - 11:59 PM

No .. no special way. You PC won't let yuo copy/ paste??
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 07 January 2009 - 08:34 PM

I did finally figure it out, I was trying to copy and past the file, not just the text. the log is listed in the reply above, but I will repost it with this reply as well, Here it is,

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

1/6/2009 10:22:29 PM
mbam-log-2009-01-06 (22-22-29).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144545
Time elapsed: 1 hour(s), 36 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Galynn\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Galynn\Local Settings\Temporary Internet Files\Content.IE5\ZDQPV2O8\Codec[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Let me know what you think, and as I stated above, after removing all infections and a reboot, the desktop pop up is still there, just as it was before.
Thanks,

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 07 January 2009 - 08:44 PM

Hi now uppdate and run a quick scan.

Open MBAM and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 08 January 2009 - 12:01 AM

Ok,
Updated, ran quick scan with only one item found, log listed below. I have been doing this same thing for a week now, scan and rescan and rescan, use Spy bot, AVG, Malwarebytes, over and over and over, and while I have been able to clean several infections off of the computer none of this has changed the pop up on the desktop. But I will keep at it if that is what you think I need to do. I am open for suggestions. Here is the log,

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 3

1/7/2009 10:51:37 PM
mbam-log-2009-01-07 (22-51-37).txt

Scan type: Quick Scan
Objects scanned: 66771
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon Applicationedc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Let me know what to do next.
Thanks

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 08 January 2009 - 11:25 AM

Hi,OK let's look at two more pieces and get the logs.

Part 1 S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Now run SDFix
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 08 January 2009 - 11:53 PM

Ok,
Here we go, the first log is the Smitfraudfix log that I ran today, here it is,

SmitFraudFix v2.388

Scan done at 18:28:10.15, Thu 01/08/2009
Run from C:\Documents and Settings\Galynn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
...

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\Program Files\Google\googletoolbar1.dll Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


This next one it the SDFIX log that I have just run in safe mode, finished after restart,

SDFix: Version 1.240
Run by Galynn on Thu 01/08/2009 at 21:33

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 21:51:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Galynn\Searched\Teen Babe in Her Pink Bra :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Let Me Taste Your Tounge :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Dirty Busty Milf Asked a Guy to Give Her a Lift with a Car :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\3 Words : Little Tiny Tits.avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Perfect Thick Body on This Blonde Teen :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Happy Go Lucky Teen with Little Boobies :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\She Will be Your Black Teen Fantasy Girl :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\I Love Getting Wet At the Pool :p.avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Delightful and Divine Teen Nina Sitting Pretty :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Teen in Panties :) H O T .avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Laurel Loves Cum Glazed Doughnuts :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Gorgeous Teen Virgin That is as Pure as the Driven Snow :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Teen Stripping Nude for a Nice Bath :).avi 45432 bytes hidden from API
C:\Documents and Settings\Galynn\Searched\Shy Hottie Showing Her Pie :).avi 45432 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 14


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"="C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.2"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:FrostWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 4 Oct 2007 211 ..SH. --- "C:\BOOT.BAK"
Mon 22 Dec 2008 3,112,960 ..SH. --- "C:\Documents and Settings\Galynn\nview.exe"
Tue 9 Jan 2007 146,432 A.SHR --- "C:\Program Files\Kids Cam Show and Share Creativity Center\Setup.exe"
Mon 18 Apr 2005 39,936 A.SHR --- "C:\Program Files\Kids Cam Show and Share Creativity Center\_Setupx.dll"
Sat 23 Aug 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Wed 24 Sep 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Tue 18 Nov 2008 1,302,528 A..H. --- "C:\Program Files\VIVA MEDIA\DiamondDropCD\DiamondDrop.exe"
Fri 2 May 2008 183,506 ...H. --- "C:\Documents and Settings\Compaq_Administrator\Desktop\Pet Shop Hop\Uninstall.exe"
Wed 17 Nov 2004 94,458 ...H. --- "C:\Program Files\Ahead\Nero PhotoShow\data\Nero PhotoShow Express.exe"
Sun 18 Sep 2005 788,568 A..H. --- "C:\Program Files\Online Services\Canada\KOL\client.exe"
Wed 17 Aug 2005 13,459,528 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe"
Wed 17 Aug 2005 233,472 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\webutil8.exe"
Wed 17 Aug 2005 389,120 A..H. --- "C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\WinsockFix.exe"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005 200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005 81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005 73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005 88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"
Sun 18 Sep 2005 77,824 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\AcsInstN.dll"
Sun 18 Sep 2005 6,961,146 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acsnet.zip"
Sun 18 Sep 2005 3,058,888 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe"
Sun 18 Sep 2005 307,289 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspcheck.dll"
Sun 18 Sep 2005 7,083,361 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\asp\aspsetup.exe"
Wed 21 Sep 2005 1,960,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\autoit\autoit-v3.zip"
Sun 18 Sep 2005 550,488 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\deskbar\deskbr.exe"
Sun 18 Sep 2005 553,984 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\flash\FlashAX.exe"
Sun 18 Sep 2005 2,242,759 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe"
Sun 18 Sep 2005 24,064 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\fw\NISChk.dll"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpchk.dll"
Sun 18 Sep 2005 748,728 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe"
Sun 18 Sep 2005 7,515,304 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\qt.exe"
Sun 18 Sep 2005 86,016 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\qt\QTInsInf.dll"
Sun 18 Sep 2005 45,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealChk.dll"
Sun 18 Sep 2005 5,111,296 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\RealPl8.EXE"
Sun 18 Sep 2005 4,378,673 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\real_upd.exe"
Sun 18 Sep 2005 360,448 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\rp\rp9codec.exe"
Sun 18 Sep 2005 40,960 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SiNdInst.dll"
Sun 18 Sep 2005 473,736 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe"
Sun 18 Sep 2005 12,288 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbinst.dll"
Sun 18 Sep 2005 516,032 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe"
Sun 18 Sep 2005 597,080 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\toolbar\toolbr.exe"
Sun 18 Sep 2005 590,688 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\TSsetup.exe"
Sun 18 Sep 2005 57,344 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\tpspd\tsverchk.dll"
Sun 18 Sep 2005 49,152 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\AOLVPChk.dll"
Sun 18 Sep 2005 61,440 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\VPPrePop.exe"
Sun 18 Sep 2005 3,858,056 A..H. --- "C:\Program Files\Online Services\Canada\KOL\comps\vwpt\Vwpt.exe"

Finished!

Also I wanted to mention, that I have discovered a hidden file, found by AVG safemode scan and I have the report from that as well, but it is so long that I hate to post it, I can if you need me to. AVG safemode scan found like 52000 infected files in a hidden folder named " Searched ", they appear to be AVI. files, however AVG reports them all as viruses, all Trojan Horse Downloader Generic_c.AGS, the names of these files are apparently the text withing the pop up that I am trying to get rid of.

after running all your suggestions and rebooting, the popup window is still there unchanged.
I hope the extra information helps some. I have searched the internet for the Generic_c.AGS virus with no results at all.
Thanks,

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 09 January 2009 - 12:10 AM

Hi, very infected machine. It appears you have a load of infected video files. Perhaps from file sharing. Please run the Cleaner,Part 2 next. Tell me if that pop up goese away.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 CCS @ mdc

CCS @ mdc
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:02 AM

Posted 09 January 2009 - 07:44 PM

Here is the log after cleaning, and yes the desktop popup remains active, nothing so far has changed it in any way. I am running the free version of AVG 8.0 on this system to clean it, but it is not able to remove the infection. Is there any other free scanner, virus remover that you can recommend. The log follows.

SmitFraudFix v2.388

Scan done at 18:26:23.95, Fri 01/09/2009
Run from C:\Documents and Settings\Galynn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{73C1656D-078C-4453-B898-06202513093A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FB180674-666A-4225-8C9A-B27F07E1EDB4}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Let me know, I will try what ever you think may help, Thank you so much for your patience.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:02 PM

Posted 09 January 2009 - 07:57 PM

Hello this is a tough bugger. I think a rootkit may be involved.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Disconnect from the Internet or physically unplug you Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Destop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to acceppt the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.

Edited by boopme, 09 January 2009 - 07:59 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users