Fake WinXP Pop Up



#1
hellifiknow (New Member, 9 posts)
I was hoping somebody could help me. For about two weeks now I've been getting a fake Windows XP pop-up.

"Your computer might be at risk. Your virus protection status is bad. Spyware activity detected. Click this baloon to fix this problem."

I've browsed the site in hopes of finding a resolution and have come across many others with the same problem. I've downloaded HijackThis and will post the log from the scan...but as far as computer literacy is concerned, I'm illiterate. So please take it easy on me. Any help would be greatly appreciated as this has become a real headache for myself and my household.

I've run AntiVir, Ad-Aware SE, and also Spybot Search & Destroy. I also visited housecall.antivirus.com and ran their scan, which didn't detect any viruses nor trojans... :tazz: a plus...but that pop-up's still there :)

Thanks in advance,

-hellifiknow- :)
____________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 1:43:34 AM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...*http://www.yahoo.com
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...en/x86/client/wuweb_site.cab?1125829473953
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner -

#2
hellifiknow (Topic Starter, New Member, 9 posts)
Hello again, I just finished running a scan with the Panda Active Scan, from this address "http://www.pandasoft...activescan.htm" and one instance of spyware was found as noted in this short log.
____________________________________________________________________

Incident                Status           Location
Adware:adware/sbsoft    No disinfected   C:\WINDOWS\rdt.ini
____________________________________________________________________


Should I reboot and run in safe mode then run the scan again?? :tazz:

Since the scan didn't disinfect, I ran a search to find the file, then deleted it...but it's still in the recycle bin if it's needed.

-hellifiknow- :)

Edited by hellifiknow, 11 September 2005 - 12:35 AM.


#3
hellifiknow (Topic Starter, New Member, 9 posts)
Well, the third time's a charm, ain't it!! :ph34r:

Needless to say, I figured it out. No thanks to anyone in particular but from just browsing the site... :)

For all of you in need, here's what I did to remove the pop-up (at least momentarily).

Download the Ewido security suite trial; it gives ya 14 days or so of use...which will be plenty of time to clean up the files.

From what I've read, you don't need the background image for automatic updates, so choose not to install that portion... at least that's what I did. :tazz:

Start up Ewido, and update the definitions file.

Restart the computer and go into safe mode (F8 repeatedly at startup). I had to choose Safe Mode with Command Prompt, because for some reason my comp just wouldn't boot in plain safe mode...no biggie.

From the command line type "explorer.exe" and you'll load up the desktop.

Now just click on your Ewido desktop icon and start your scan. I didn't mess with any of the settings...and I really wouldn't recommend it at this point. There's plenty of time later.

The scan took me a little over an hour to complete in safe mode, resulting in finding 29!!! :) viruses/trojans/spyware, none of which Ad-Aware SE, AntiVir Personal Edition, Spybot Search & Destroy, the housecall.antivirus.com scan, or even the Panda Active Scan detected :)

(Majority of which were located in the system restore files...)

Once your scan is complete, Ewido will replace or fix your infected files from backup copies if available. Mine were all able to be fixed :tazz:

Restart back in normal mode and keep an eye out for that pop-up...as I said, mine seems to be gone "momentarily".

I ran Ewido once again in normal mode and found 2 more trojans...again Ewido and I prevailed :)

So in short...go get Ewido Security Suite, update, run in safe mode, restart, run in normal mode...and say goodbye to a bunch of stuff the previous programs never even saw coming, and of course that dreadful little pop-up :tazz:


P.S. I never used HijackThis for any reason other than posting that log...nor have I changed or fixed anything with it. I don't see the need now...but then again [bleep] if I know. :)


Now doesn't that sound much simpler than all that mumbo jumbo registry stuff?? I mean come on, people, we're here 'cause at some point we all find ourselves saying..."[bleep] IF I KNOW" :)

And that's the story of how Ewido and I defeated 29 trojans in a night, and 2 in a fight, and popped one pop-up "baloon" without a knife. lmao :ph34r:

Sincerely yours

-Hellifiknow- :)

Edited by hellifiknow, 11 September 2005 - 02:44 AM.


#4
hellifiknow (Topic Starter, New Member, 9 posts)
Okay, well it's been about 14 hours....and guess what, the pop-up is back!!! :)

So if anyone knows how to really get rid of this thing lol, I'd be much obliged...

(Man, I thought we had 'em, Ewido :tazz: )


Here's a new HijackThis log...

___________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 6:03:30 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125829473953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

Edited by hellifiknow, 11 September 2005 - 04:06 PM.
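As an added example (this is not code from the thread, from HijackThis or from Ewido), here is a small Python triage script of the kind a helper would use on the two logs above: it parses HijackThis item lines, diffs the 1:43 AM and 6:03 PM logs to show what changed between the scans, and flags the entry types that are usually asked about first. The two embedded logs are constructed excerpts of the logs posted in this thread, and the flagging rules (an O3 toolbar whose file is missing, O6 Internet Explorer policy restrictions, an O4 startup shortcut with an unresolved target, an O23 service with no vendor string) are my own assumptions about what deserves a second look, not rules from HijackThis.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not HijackThis, Ewido or Geeks to Go
code, and the "worth a look" heuristics below are the example's own
assumptions, not rules shipped with either tool.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# HijackThis item lines look like "O4 - ...", "R1 - ...", "O23 - ...".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


@dataclass(frozen=True, order=True)
class Entry:
    """One item line: section code (e.g. "O4") and the text after " - "."""
    section: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Keep only item lines; the header and 'Running processes' block are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def flag(entry: Entry) -> List[str]:
    """Assumed heuristics: reasons an entry deserves a closer look, [] if none."""
    reasons = []
    b = entry.body
    if entry.section == "O3" and b.endswith("(no file)"):
        reasons.append("toolbar CLSID still registered but its file is missing (orphaned entry)")
    if entry.section == "O6":
        reasons.append("IE policy restriction present; expected only where an admin set it")
    if entry.section == "O4" and b.endswith("= ?"):
        reasons.append("startup shortcut whose target could not be resolved")
    if entry.section == "O23" and "Unknown owner" in b:
        reasons.append("service with no vendor string; verify the binary on disk")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """All flagged entries of a log, each with its list of reasons."""
    return [(e, flag(e)) for e in parse_log(text) if flag(e)]


def diff_logs(old_text: str, new_text: str) -> Tuple[List[Entry], List[Entry]]:
    """(added, removed) item lines between two logs of the same machine."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return sorted(new - old), sorted(old - new)


# Constructed excerpts of the two logs posted in this thread (first and last scan).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:43:34 AM, on 9/11/2005
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:03:30 PM, on 9/11/2005
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("Added since the first log:")
    for e in added:
        print(f"  {e.section} - {e.body}")
    print("Removed since the first log:")
    for e in removed:
        print(f"  {e.section} - {e.body}")
    print("Entries worth a closer look in the new log:")
    for e, reasons in triage(NEW_LOG):
        print(f"  {e.section} - {e.body}\n    " + "; ".join(reasons))
```

The flags are prompts to verify, not verdicts: a legitimate driver service that simply lacks a vendor string will trip the O23 rule, so each hit is meant to be checked against the file on disk before anything is fixed. Diffing two logs is the more reliable signal when a symptom comes back after a cleanup, because it shows exactly which items reappeared or were added between the scans.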
