
AV Security Suite pop ups won't go away


  • This topic is locked
38 replies to this topic

#1 Tiko

  • Members
  • 84 posts

Posted 13 July 2010 - 02:56 PM

The pop ups keep coming up randomly, even when I'm not on the internet (ZoneAlarm's stop internet activity was enabled). I tried system restores and Malwarebytes (several times, and the last one didn't find anything), but they just keep popping up. I am able to stop the website from loading by closing the browser or tab, and put that website in AdBlock Plus to filter out, but different ones keep popping up.

DDS only opened as a notepad file with gibberish in it except for the first line which says "This program cannot be run in DOS mode."

Here is the GMER file.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-13 12:46:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\kwrcqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB1615534]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB160F782]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB162E6DC]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB1615CC0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB1628EB4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB16292A2]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB1632916]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB1615DF6]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB1610398]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB162FFE4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB162F93C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB1627DF0]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB163093C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB1630B44]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB160FFAA]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB162B1CE]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB162ADF8]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB16318D2]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB1631208]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB16150F4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB16322A4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB16157DC]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB161075C]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB1631E12]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB162F0C4]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB1629F0A]
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB1629C86]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [C0, 5C, 61, B1, B4, 8E, 62, ...]
.rsrc C:\WINDOWS\system32\drivers\disk.sys entry point in ".rsrc" section [0xF87D9514]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[864] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00D5000A
.text C:\WINDOWS\System32\svchost.exe[864] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D3000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1344] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011C000C
.text C:\WINDOWS\explorer.exe[3236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[3236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\explorer.exe[3236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[3680] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82EE8EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\disk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
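A triage pass over GMER output in the format of the log above, written as an added example for this page (it is not a BleepingComputer tool and not part of the original thread). It walks the section layout GMER 1.0.15 prints, separates hooks GMER attributes to a named driver (here ZoneAlarm's vsdatant.sys) from ones that resolve to no loaded module, recognises that the reported ntoskrnl .text "patch" bytes are the same SSDT hook addresses listed a few lines earlier in the log, and links the unattributed hook on the \Driver\atapi disk device with the "suspicious modification" of atapi.sys. The sample log is a constructed, cut-down copy of the one posted; the severity labels are the example's own and are review prompts, not a verdict on this machine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in GMER 1.0.15 output format, cut down from the log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB1615CC0]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [C0, 5C, 61, B1, B4, 8E, 62, ...]
.rsrc C:\WINDOWS\system32\drivers\disk.sys entry point in ".rsrc" section [0xF87D9514]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1344] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104505FE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device -> \Driver\atapi \Device\Harddisk0\DR0 82EE8EC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\disk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

@dataclass
class Finding:
    section: str   # GMER section the line came from
    severity: str  # "info", "review" or "suspicious"
    note: str
    line: str

SECTION = re.compile(r"^---- (.+?) - GMER ")
# GMER names the module owning a hook as "path (Description/Company)"; a hook it
# cannot map to any loaded module carries no such suffix.
ATTRIBUTED = re.compile(r"\.(sys|dll|exe) \([^()]+\)", re.I)
SSDT_ADDR = re.compile(r"\[0x([0-9A-F]{8})\]$", re.I)
# "Device -> \Driver\atapi \Device\Harddisk0\DR0 82EE8EC5": dispatch goes to a bare address.
DEVICE_ADDR = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-F]{8})$", re.I)
PATCH_BYTES = re.compile(r"\[([0-9A-F]{2}(?:, [0-9A-F]{2})*)(?:, \.\.\.)?\]", re.I)

def _dwords(byte_list):
    """Little-endian 32-bit words from the complete groups of four bytes."""
    raw = [int(b, 16) for b in byte_list.split(", ")]
    return [int.from_bytes(bytes(raw[i:i + 4]), "little")
            for i in range(0, len(raw) - len(raw) % 4, 4)]

def triage(log_text):
    findings, ssdt_targets, section = [], set(), None
    for line in map(str.strip, log_text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or section in (None, "EOF"):
            continue
        sev, note = "review", "unclassified line"
        if section == "System" and line.startswith("SSDT"):
            m = SSDT_ADDR.search(line)
            if m:
                ssdt_targets.add(int(m.group(1), 16))
            sev, note = (("info", "SSDT hook owned by a named module") if ATTRIBUTED.search(line)
                         else ("suspicious", "SSDT hook with no owning module"))
        elif section == "Kernel code sections":
            m = PATCH_BYTES.search(line)
            words = _dwords(m.group(1)) if m else []
            # The SSDT itself lives inside ntoskrnl, so a ".text ntoskrnl" patch whose
            # bytes are the hook addresses listed above is the same hook reported twice.
            if line.startswith(".text ntoskrnl.exe") and words and all(w in ssdt_targets for w in words):
                sev, note = "review", "bytes are SSDT hook addresses already attributed above"
            elif "entry point in" in line:
                sev, note = "suspicious", "driver entry point outside its code section"
            else:
                sev, note = "suspicious", "kernel code modified"
        elif section == "User code sections":
            sev, note = (("info", "user-mode hook into a named module") if ATTRIBUTED.search(line)
                         else ("review", "user-mode hook to an unattributed address"))
        elif section == "Devices":
            if DEVICE_ADDR.match(line):
                sev, note = "suspicious", "device dispatch points outside any known driver"
            elif ATTRIBUTED.search(line):
                sev, note = "info", "device handled by a named filter driver"
        elif section == "Files" and "suspicious modification" in line:
            sev, note = "suspicious", "on-disk driver image differs from the expected one"
        findings.append(Finding(section, sev, note, line))
    return findings

def summarize(findings):
    """Severity counts, plus drivers both hooked in memory and modified on disk."""
    counts = dict(Counter(f.severity for f in findings))
    hooked = {DEVICE_ADDR.match(f.line).group(1).rsplit("\\", 1)[-1].lower()
              for f in findings if f.section == "Devices" and DEVICE_ADDR.match(f.line)}
    modified = {f.line.rsplit("\\", 1)[-1].split(" ")[0].lower()
                for f in findings if f.section == "Files"}
    return counts, sorted(d for d in hooked if d + ".sys" in modified)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.section:21} {f.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the ZoneAlarm entries drop to "info", the per-process ntdll hooks are left as "review" because GMER gives no module for the JMP target, and the hooked \Driver\atapi device plus the two modified driver images come out as the one cluster to look at first.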




#2 suebaby41

  • W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 19 July 2010 - 06:00 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 19 July 2010 - 10:18 AM

Here's the log file. Thank you for helping me.

Logfile of random's system information tool 1.08 (written by random/random)
Run by David at 2010-07-19 08:13:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 57 GB (75%) free of 76 GB
Total RAM: 504 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:13:31 AM, on 7/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reade


#4 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 19 July 2010 - 10:19 AM

Sorry for this second post. It initially wasn't letting me post anything saying the connection was reset when I was clicking add reply, but then I saw it did post the log (twice). So I just edited this post because I'm not sure how to delete it.

Edited by Tiko, 19 July 2010 - 10:54 AM.


#5 suebaby41

  • W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 19 July 2010 - 02:14 PM

I need the complete HijackThis log which includes entries such as:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

Thanks.

#6 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 19 July 2010 - 03:38 PM

Sorry about the previous post, I didn't realize it copied the same thing multiple times. I also noticed that when I click on links from search engines, they get redirected (I close them before they load). My browser or internet connection isn't letting me download HijackThis, so I will post this from the last scan, then the new scan that doesn't have it.




Logfile of random's system information tool 1.08 (written by random/random)
Run by David at 2010-07-19 08:13:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 57 GB (75%) free of 76 GB
Total RAM: 504 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:13:31 AM, on 7/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\David.exe

R1 - HKCU\Software%

Edited by Tiko, 19 July 2010 - 03:44 PM.


#7 suebaby41

  • W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 19 July 2010 - 04:11 PM

Still not a complete log.

Let's try this.
  1. Please download Trend Micro - HijackThis, Version 2.0.4. Do not use the beta version; a log from the beta version (2.0.3) of HijackThis cannot be posted.
  2. Double click HJTInstall.exe to begin installation.
  3. Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  4. Click Install.
  5. A shortcut will be created on your Desktop and HijackThis will run automatically.
  6. You will need to accept the EULA, if it appears, to be able to use the tool.
  7. When HijackThis opens, click on the Do a system scan and save a log file button.
  8. When HijackThis has finished scanning, a window entitled hijackthis.log will open. When you close this window, the log will be saved into the HijackThis folder.
  9. If needed, see TrendMicro™ HijackThis™ Quick Start Guide
  10. Copy and paste this log into your next reply.

If this does not give you a complete log, please rename HijackThis.exe to HijackThis1991.exe and post a fresh HJT log. The reason you need to rename HijackThis.exe is because certain malware can hide from that file name.


#8 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 19 July 2010 - 11:17 PM

Hello. I'm sorry I couldn't post earlier. I was trying but my browser wasn't letting me, or it would cut off the post as you've seen in previous posts. I'm not on the infected computer right now, but I will try to get a log up tomorrow morning as soon as I can. I'm sorry for the inconvenience and really appreciate your help. I was trying for half an hour to post it up today but the browser either froze on loading or kept saying the connection reset, and by the end of this I had to leave. I will post it as soon as possible. Also, I tried to download HijackThis from cnet, but it wouldn't let me do that either. I hope it was a temporary internet connection issue rather than an ill effect of a malicious program, but I will try again tomorrow morning.

#9 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 20 July 2010 - 10:36 AM

I'm trying to post the file right now, but it won't allow me to post it in its entirety, and often gives me a problem loading page screen. Should I put the log as an attachment?

Edited by Tiko, 20 July 2010 - 10:41 AM.


#10 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 20 July 2010 - 10:42 AM

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
O2 - BHO: Java


#11 Tiko

  • Topic Starter
  • Members
  • 84 posts

Posted 20 July 2010 - 10:54 AM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2

#12 Tiko

Tiko
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:02:35 PM

Posted 20 July 2010 - 11:01 AM

I'm trying to post the 3rd part of the log but it keeps giving me a connection reset page and won't show it.

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

I was somehow able to post these lines, but there are more that aren't letting me post.

Also, I copied and pasted the whole log into the reply section, but when it did get posted before, it came out as copies of the same portion of the log.

Edited by Tiko, 20 July 2010 - 11:27 AM.
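As an added example (not code posted in the thread), a small Python triage script for HijackThis-style log lines like the ones above: it flags orphaned O2 BHO entries, O4 autoruns whose path is unquoted or sits under a user-writable directory, and R0/R1 browser settings that point anywhere other than an assumed allow-list of known hosts. The sample log, the allow-list and the directory list are constructed assumptions modelled on the entries in the thread.

```python
import re

# Constructed sample modelled on the HijackThis entries posted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"^R[01] - (?P<key>.*?) =\s*(?P<value>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)

# Directories a standard user can write to; autoruns there deserve a second look
# (the Google Update entry in the thread is a legitimate one, so this is "review", not "malicious").
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")
KNOWN_HOSTS = {"go.microsoft.com"}  # assumed allow-list: the only host the thread's R0/R1 lines point at


def check_line(line):
    """Return a finding dict for one HijackThis line, or None if nothing stands out."""
    if m := BHO_RE.match(line):
        if m["path"] == "(no file)":  # registered BHO whose DLL is gone: orphaned entry
            return {"entry": m["clsid"], "reason": "orphaned BHO registration (file missing)"}
    elif m := RUN_RE.match(line):
        cmd = m["cmd"]
        exe = EXE_RE.match(cmd)
        path = exe["path"] if exe else cmd
        if not cmd.startswith('"') and " " in path:  # ambiguous path: Windows may resolve it to another binary
            return {"entry": m["name"], "reason": "unquoted autorun path containing spaces"}
        if any(part in path.lower() for part in USER_WRITABLE):
            return {"entry": m["name"], "reason": "autorun from a user-writable directory"}
    elif m := URL_RE.match(line):
        value = m["value"].strip()
        host = re.sub(r"^https?://", "", value).split("/", 1)[0].lower()
        if value and host not in KNOWN_HOSTS:  # a hijacked start or search page shows up here
            return {"entry": m["key"], "reason": f"browser setting points at {host}"}
    return None


def triage(log_text):
    """Run check_line over every line of a pasted log and collect the findings."""
    return [f for f in (check_line(l.strip()) for l in log_text.splitlines()) if f]
```

Running `triage(SAMPLE_LOG)` on the constructed sample yields three findings: the orphaned BHO, the unquoted AudioDeck path, and the Google Update autorun under the user profile; the quoted ZoneAlarm entry and the Microsoft search URLs pass.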


#13 Tiko

Tiko
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:02:35 PM

Posted 20 July 2010 - 03:48 PM

This picture has what I have not been able to post by copying and pasting. The top portion that is not included in the pic has already been posted.

http://img338.imageshack.us/img338/2701/piclog.jpg

Edited by Tiko, 20 July 2010 - 04:21 PM.


#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:35 PM

Posted 20 July 2010 - 05:28 PM

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "Safe Mode".
-- Post the log in your next reply.

Perform an anti-rootkit (ARK) scan with one of the following:
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  1. Disconnect from the Internet or physically unplug your Internet cable connection.
  2. Clean out your temporary files.
  3. Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  4. Temporarily disable your anti-virus and real-time anti-spyware protection.
  5. After starting the scan, do not use the computer until the scan has completed.
  6. When finished, enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#15 Tiko

Tiko
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  • Local time:02:35 PM

Posted 23 July 2010 - 11:26 PM

Dr. Web

Process in memory: C:\WINDOWS\system32\svchost.exe:592;;BackDoor.Tdss.565;Eradicated.;
MPC-6.4.9.exe\mplayerplgn.dll;C:\Documents and Settings\David\My Documents\Downloads\MPC-6.4.9.exe;Trojan.DNSCache;;
MPC-6.4.9.exe;C:\Documents and Settings\David\My Documents\Downloads;Container contains infected objects;Moved.;
B363C48Dd01;C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\dizmbrc0.default\Cache(3);Exploit.PDF.1061;Incurable.Moved.;


Panda scan

- <REPORT>
- <MALWARE_EVIDENCES>
- <FILE>
<PATH>C:\WINDOWS:AstInfo</PATH>
<IS_HIDDEN>1</IS_HIDDEN>
<IS_ADS_DIRECTORY>1</IS_ADS_DIRECTORY>
</FILE>
</MALWARE_EVIDENCES>
- <DESINFECTION>
- <FILE>
<ACTION>Delete</ACTION>
<PATH>C:\WINDOWS:AstInfo</PATH>
<DONE>1</DONE>
</FILE>
</DESINFECTION>
</REPORT>



