Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

False Windows Security Center Alerts

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 3 posts
I have spent most of last night ridding my PC of the SpySheriff Malware; as Illustrated on a previous thread.


After following the removal instructions to the 'T', I have found some small amounts of this malware still on my machine.

I have ran Norton Anti-virus 2005, Adaware 6.0, Spybot S&D, Registy Mechanic & Spyware Blaster (Infections repair to the sugestion of the program).

Three main problems occur;

My homepage keeps changing to 'about:blank' (WinPatrol keeps telling me is changing; seems to occur once every five mins, I keep canceling it so it stays to the one I want.),

A false Windows Security Center Window appears; (False because the red sheild with the 'X' doesn't appear in the taskbar, and when I click yes to the question ,Do you want to learn how to protect you computer?, it goes to a insecure webpage,

And lucky last; Small pop-up ad windows occur, even when there is no activity happening on the computer (This hasn't happen for a while. I could of clean this problem, or, Zone Alarm Pro is stopping it.)

As per previous thread (mentioned above), I will paste a Hijackthis log to the end (Log recored before the post was typed).

Any help will be greatfull,

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 6:11:27 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Gohan.SSJ-GOHAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renewalcenter...&p_cversion=241
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {55BB1C72-35FF-4882-7685-FF7BB31538C8} - C:\WINDOWS\netzz32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115783623875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125754852296
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3in32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
In an attempt to give you some more information to go off of, I will post the ewido scan report at the end of this reply.

I have started to get pop-up ads, again, but only when I am using IE.

If there is any other information you need, please let me know so I can arrange it for you.

Thank you.

The five file that are located on the F: drive are actually files I know of and are .zip or .rar file.

ewido security suite - Scan report

+ Created on: 12:42:56 PM, 12/10/2005
+ Report-Checksum: FAF67EFB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{43372D0D-6EAD-977A-99EE-8DFB043153ED} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9320654E-9DD7-7B4E-FD11-BE169AC706F5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C47A8D54-394B-A651-BDA6-E93204990AC2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1715567821-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C47A8D54-394B-A651-BDA6-E93204990AC2} -> Spyware.CoolWebSearch : Cleaned with backup
[1764] C:\WINDOWS\d3in32.exe -> Trojan.Agent.bi : Cleaned with backup
[456] C:\WINDOWS\system32\ipwz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
[3320] C:\WINDOWS\netzz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\CDA7O5IB\ysb_prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\KDCLIF4D\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\Y1W7UHM1\ibar[1].js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\WINDOWS\apirc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlbn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cccp106.ini:ezuumt -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\COM+.log:fwvnlf -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3in32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB899587.log:lphjvy -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB899588.log:xeqzyh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ocgen.log:agzttz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ocmsn.log:uvbehb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:eahvob -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\system32\dwoki.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\system32\eipgs.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\txp-lcn.ini:lkwngi -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winre.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:dqfgai -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:fjcmok -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:lywjcc -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:nhzbvl -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:xcdgfq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:xmbtxc -> Spyware.SearchPage : Cleaned with backup
F:\APPS\Burning\2_DVDIdle.Pro. -> Backdoor.Agobot.rz : Error during cleaning
F:\APPS\Games\Warhammer 40k Dawn Of War\Warhammer_40000_Dawn_Of_War_KEYGEN-VENGEANCE\vng-w40k.rar/keygen.exe -> Trojan.Steam.a : Error during cleaning
F:\APPS\Hacking\Apps\LINUX_WinRARWinRAR Passwort knacker.rar/play.bat -> Worm.Klez.H : Error during cleaning
F:\APPS\Programs\Clone CD - Clony XXL - CloneDVD.v2.4.3.5 - SlySoft AnyDVD v3.6.2.4 Multilanguage - crack&keygen.rar/CloneDVD.v2.4.3.5 + Keygen\reg.exe -> TrojanDropper.Delf.fl : Error during cleaning
F:\APPS\Programs\Symantec Norton Internet Security 2005 Proper Keygen Only-Ssg.rar/KGNIS.EXE -> TrojanDropper.Delf.fd : Error during cleaning

::Report End
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP