
Amaena, Winantivirus, Systemdoctor Pop Ups Random



#1 jigga123


Posted 17 November 2006 - 12:42 AM

Hello, I have an odd problem which is very intermittent.

About once or twice in the entire day I get a browser pop up or a message from amaena, winantivirus or systemdoctor. Very intermittent and sometimes only once the entire day.

I have Norton antivirus, adaware, spybot, spywareguard, and spywareblaster installed. All of them find nothing.

I've run vundofix and virtumundo and they say my system is clean. I've also run the vundo root kit detection and removal procedure and it found nothing.

I've changed the name of hijackthis.exe to hjt.exe and run it, attached.

Logfile of HijackThis v1.99.1
Scan saved at 9:37:46 PM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\jkang\Start Menu\Programs\Startup\vptray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\hjt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: vptray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - https://ccb.exostar.com/qcbin/Spider80.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114174350711
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.e2open.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.e2open.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.e2open.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.e2open.com,dev.e2open.com,e2open.com,sjcus.prod.e2open.com,denus.prod.e2open.com,sjca.prod.e2open.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.e2open.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.e2open.com,dev.e2open.com,e2open.com,sjcus.prod.e2open.com,denus.prod.e2open.com,sjca.prod.e2open.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.e2open.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = corp.e2open.com,dev.e2open.com,e2open.com,sjcus.prod.e2open.com,denus.prod.e2open.com,sjca.prod.e2open.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.e2open.com,dev.e2open.com,e2open.com,sjcus.prod.e2open.com,denus.prod.e2open.com,sjca.prod.e2open.com
O18 - Protocol: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll
O20 - AppInit_DLLs:
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



thanks

Edited by jigga123, 17 November 2006 - 01:07 PM.




#2 Mr_JAk3

HJT Team Member

Posted 18 November 2006 - 10:21 AM

Hi jigga123 :thumbsup:

Please post the contents of C:\VundoFix.txt here.

Download F-Secure Blacklight and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the Blacklight log from your desktop).