Another Trickery Hidden In Plugins

8 replies to this topic

#1 Omega Knight

Omega Knight

  • Members
  • 64 posts

Posted 26 December 2006 - 01:38 PM

Already disabled mwsbar and mwsoemon. That improved my computer performance a lot. Ran Ad-Aware and my antivirus. Deleted 3 viruses and 22 critical spyware (total of over 48 with non-critical spyware). My computer still seems to have an anti-virus spam file somewhere though, as I am still getting a popup in my system tray telling me I have a virus, and to click the balloon to download critical system scanning utilities. Tell me what I need to do to help you guys help me please.


#2 acklan

acklan

    Bleepin' cat's meow


  • Members
  • 8,529 posts
  • Gender:Not Telling
  • Location:Baton Rouge, La.

Posted 26 December 2006 - 01:42 PM

Post what the pop up says and what the name of the virus is, if you know it.
"2007 & 2008 Windows Shell/User Award"

#3 Omega Knight

Omega Knight
  • Topic Starter

  • Members
  • 64 posts

Posted 26 December 2006 - 03:16 PM

It's hidden under "System Alert". It lists one of 3 different trojans. Next time it pops up with them I'll post the virus here. Also, I have been running Ad-Aware and F-Secure back to back for a few hours now. Have deleted quite a few viruses, and one of the system packs that were installed advertising spyware/virus removal programs. My computer is almost back to normal, but is still having problems with one of the popups on my desktop.

Also, just accidentally clicked on one of the popups in my system tray. As before it seems to favor AntiVermins. Hope that helps some.

Edited by Omega Knight, 26 December 2006 - 03:17 PM.


#4 TMacK

TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 26 December 2006 - 06:25 PM

Follow these instructions on how to remove AntiVermins.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#5 Omega Knight

Omega Knight
  • Topic Starter

  • Members
  • 64 posts

Posted 26 December 2006 - 07:11 PM

I hope I don't sound stupid, but I have SmitFraudFix on my desktop and don't remember how to use it.

Here's my full HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:37 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
D:\Charter\backweb\3528733\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Charter\Anti-Virus\fsgk32st.exe
D:\Charter\Anti-Virus\FSGK32.EXE
D:\Charter\backweb\3528733\program\fsbwsys.exe
D:\Charter\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Charter\Common\FSMB32.EXE
D:\Charter\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
D:\Charter\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
D:\Charter\Common\FAMEH32.EXE
D:\Charter\Anti-Virus\fsqh.exe
D:\Charter\Anti-Virus\fsrw.exe
D:\Charter\FSPC\fspc.exe
D:\Charter\FWES\Program\fsdfwd.exe
D:\Charter\FSGUI\ispnews.exe
D:\Charter\Common\FSM32.EXE
D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Charter\Anti-Virus\fsav32.exe
D:\Creative\mediasource\Detector\CTDetect.exe
D:\Charter\ANTI-S~1\fsaw.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Charter\FSGUI\fsguidll.exe
D:\Charter\backweb\3528733\Program\fspex.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [News Service] "D:\Charter\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Charter\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Charter\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Charter\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [CTSysVol] D:\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Creative Detector] D:\Creative\mediasource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = D:\Charter\backweb\3528733\Program\fspex.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Block this popup - D:\Charter\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Charter\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Charter\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884357637
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156884336137
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINDOWS\system32\cthkpcv.dll
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - D:\Charter\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Charter\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - D:\Charter\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Charter\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Charter\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Charter\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by Omega Knight, 26 December 2006 - 07:12 PM.


#6 Omega Knight

Omega Knight
  • Topic Starter

  • Members
  • 64 posts

Posted 26 December 2006 - 08:06 PM

OK, I ran SmitFraudFix. And unfortunately the "System Alert" spyware is still in my system tray. Here's the result of the scan.

SmitFraudFix v2.84

Scan done at 19:56:36.82, Tue 12/26/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"

[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"



End

Edited by Omega Knight, 26 December 2006 - 08:07 PM.
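For anyone reading this thread later: the two logs above (the HijackThis log in post #5 and the SmitFraudFix report in post #6) together show the security-relevant point of this thread. The HijackThis O21 line registers a ShellServiceObjectDelayLoad (SSODL) object named "buprestidae" that loads C:\WINDOWS\system32\cthkpcv.dll at every logon, and the SmitFraudFix report lists exactly the same SharedTaskScheduler and CLSID keys under both "Before SmitFraudFix" and "After SmitFraudFix", which means that persistence survived the fix. The script below is an added example, not code from BleepingComputer, HijackThis, SmitFraudFix or anyone in this thread. It parses HijackThis-style lines into records, applies three simple triage rules (an O21 SSODL entry, a registration whose file is missing, and a path containing a fragment from the adware family the original poster already tried to disable), and compares the Before/After blocks of a SmitFraudFix report to list registry keys that survived. The triage rules, the "MyWebSearch" fragment list and the field-splitting heuristics are my own assumptions; the sample lines are copied from the logs posted above.

```python
"""Triage helpers for the two log formats posted in this thread.

Added example, not code from BleepingComputer, HijackThis, SmitFraudFix or the
thread's participants.  parse_hjt()/triage() read HijackThis-style entry lines;
surviving_keys() compares the Before/After blocks of a SmitFraudFix report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed triage rules (my own, not HijackThis's): which sections are rare
# autostart locations, and path fragments tied to the adware seen in this thread.
RARE_AUTOSTART = {"O21": "SSODL autostart: rarely used by legitimate software, review by hand"}
SUSPECT_PATH_FRAGMENTS = ("MyWebSearch",)  # constructed from the thread

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - C:\WINDOWS\system32\cthkpcv.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: the Before/After blocks from the SmitFraudFix report posted above.
SAMPLE_SMITFRAUD = r"""SmitFraudFix v2.84
Before SmitFraudFix
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"
[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"
Registry Cleaning done.
After SmitFraudFix
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}"="buprestidae"
[HKEY_CLASSES_ROOT\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}\InProcServer32]
@="C:\WINDOWS\system32\cthkpcv.dll"
End
"""


@dataclass
class Entry:
    section: str          # e.g. "O21"
    name: str             # display name HijackThis printed, e.g. "buprestidae"
    clsid: Optional[str]  # {GUID} if the line carries one
    path: Optional[str]   # file path or command line, when recognisable
    file_missing: bool    # line ended with "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R*/O* entry lines of a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        file_missing = body.endswith("(file missing)")
        if file_missing:
            body = body[: -len("(file missing)")].rstrip()
        clsid_m = CLSID_RE.search(body)
        fields = body.split(" - ")
        # Heuristic (assumption): first field is "Kind: Name", last field is the path.
        name = fields[0].split(": ", 1)[-1]
        last = fields[-1]
        path = last if DRIVE_RE.match(last) else None
        if section == "O4":  # O4 lines use "[Name] command" instead of " - " fields
            m4 = O4_RE.match(body)
            if m4:
                name, path = m4.group("name"), m4.group("cmd")
        entries.append(Entry(section, name, clsid_m.group(0) if clsid_m else None, path, file_missing))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Apply the assumed triage rules; returns (reason, entry) pairs in log order."""
    findings: List[Tuple[str, Entry]] = []
    for e in entries:
        if e.path and any(f.lower() in e.path.lower() for f in SUSPECT_PATH_FRAGMENTS):
            findings.append(("path matches adware family seen in this thread", e))
        if e.file_missing:
            findings.append(("registration points at a missing file (orphan or removed payload)", e))
        if e.section in RARE_AUTOSTART:
            findings.append((RARE_AUTOSTART[e.section], e))
    return findings


def surviving_keys(report: str) -> List[str]:
    """Registry keys listed under both 'Before' and 'After' in a SmitFraudFix report."""
    phase: Optional[str] = None
    seen: Dict[str, List[str]] = {"before": [], "after": []}
    for line in report.splitlines():
        s = line.strip()
        if s.startswith("Before SmitFraudFix"):
            phase = "before"
        elif s.startswith("After SmitFraudFix"):
            phase = "after"
        elif phase and s.startswith("[") and s.endswith("]"):
            seen[phase].append(s[1:-1])
    return [k for k in seen["after"] if k in seen["before"]]


if __name__ == "__main__":
    for reason, e in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{e.section:>4} {e.name!r:20} {e.path}  <- {reason}")
    for key in surviving_keys(SAMPLE_SMITFRAUD):
        print("survived fix:", key)
```

On the sample above the triage flags the MyWebSearch BHO, the "Protection Bar" toolbar whose DLL is already gone, and the O21 SSODL entry, while the Before/After comparison reports all three SharedTaskScheduler/CLSID keys as surviving; that matches what the thread shows and is why the helper's next step (a full HijackThis log in the dedicated forum) was the right call.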


#7 TMacK

TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 26 December 2006 - 10:38 PM

Please read through the Preparation Guide For Use Before Posting A HijackThis Log.

Post your HijackThis log here.
Please be patient, as they are a very busy group and will answer your post.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#8 Omega Knight

Omega Knight
  • Topic Starter

  • Members
  • 64 posts

Posted 27 December 2006 - 11:46 AM

I understand they are busy, there are a lot of folks who have issues with their computers. I respect everyone on this site who does their best to help people who are at their wits end.

#9 TMacK

TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 27 December 2006 - 12:24 PM

Good luck Omega Knight, I see you have posted a new HijackThis log.
If you have not received a response in five days, you may inquire here.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner
