False Windows Security Center Alerts

I have spent most of last night ridding my PC of the SpySheriff Malware; as Illustrated on a previous thread.

http://www.geekstogo...showtopic=68490

After following the removal instructions to the 'T', I have found some small amounts of this malware still on my machine.

I have ran Norton Anti-virus 2005, Adaware 6.0, Spybot S&D, Registy Mechanic & Spyware Blaster (Infections repair to the sugestion of the program).

Three main problems occur;

My homepage keeps changing to 'about:blank' (WinPatrol keeps telling me is changing; seems to occur once every five mins, I keep canceling it so it stays to the one I want.),

A false Windows Security Center Window appears; (False because the red sheild with the 'X' doesn't appear in the taskbar, and when I click yes to the question ,Do you want to learn how to protect you computer?, it goes to a insecure webpage,

And lucky last; Small pop-up ad windows occur, even when there is no activity happening on the computer (This hasn't happen for a while. I could of clean this problem, or, Zone Alarm Pro is stopping it.)

As per previous thread (mentioned above), I will paste a Hijackthis log to the end (Log recored before the post was typed).

Any help will be greatfull,

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 6:11:27 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\d3in32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\WINDOWS\system32\ipwz.exe
C:\Documents and Settings\Gohan.SSJ-GOHAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\eipgs.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renewalcenter...&p_cversion=241
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {55BB1C72-35FF-4882-7685-FF7BB31538C8} - C:\WINDOWS\netzz32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115783623875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125754852296
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\d3in32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

In an attempt to give you some more information to go off of, I will post the ewido scan report at the end of this reply.

I have started to get pop-up ads, again, but only when I am using IE.

If there is any other information you need, please let me know so I can arrange it for you.

Thank you.

The five file that are located on the F: drive are actually files I know of and are .zip or .rar file.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:42:56 PM, 12/10/2005
+ Report-Checksum: FAF67EFB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{43372D0D-6EAD-977A-99EE-8DFB043153ED} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9320654E-9DD7-7B4E-FD11-BE169AC706F5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C47A8D54-394B-A651-BDA6-E93204990AC2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1715567821-823518204-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C47A8D54-394B-A651-BDA6-E93204990AC2} -> Spyware.CoolWebSearch : Cleaned with backup
[1764] C:\WINDOWS\d3in32.exe -> Trojan.Agent.bi : Cleaned with backup
[456] C:\WINDOWS\system32\ipwz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
[3320] C:\WINDOWS\netzz32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\gohan@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\gohan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\gohan@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\CDA7O5IB\ysb_prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\KDCLIF4D\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Gohan.SSJ-GOHAN\Local Settings\Temporary Internet Files\Content.IE5\Y1W7UHM1\ibar[1].js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\WINDOWS\apirc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlbn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cccp106.ini:ezuumt -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\COM+.log:fwvnlf -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3in32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB899587.log:lphjvy -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB899588.log:xeqzyh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ocgen.log:agzttz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ocmsn.log:uvbehb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:eahvob -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\system32\dwoki.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\system32\eipgs.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\txp-lcn.ini:lkwngi -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winre.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:dqfgai -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:fjcmok -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:lywjcc -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:nhzbvl -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:xcdgfq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_vmtxp.INI:xmbtxc -> Spyware.SearchPage : Cleaned with backup
F:\APPS\Burning\2_DVDIdle.Pro.3.6.0.6.Cracked-FFF.ShareConnector.rar/DVDIdle.Pro.3.6.0.6_CRKEXE-FFF.zip/DVDIdlePro.exe -> Backdoor.Agobot.rz : Error during cleaning
F:\APPS\Games\Warhammer 40k Dawn Of War\Warhammer_40000_Dawn_Of_War_KEYGEN-VENGEANCE\vng-w40k.rar/keygen.exe -> Trojan.Steam.a : Error during cleaning
F:\APPS\Hacking\Apps\LINUX_WinRARWinRAR Passwort knacker.rar/play.bat -> Worm.Klez.H : Error during cleaning
F:\APPS\Programs\Clone CD 4.4.3.1.0 - Clony XXL 2.0.0.6 - CloneDVD.v2.4.3.5 - SlySoft AnyDVD v3.6.2.4 Multilanguage - crack&keygen.rar/CloneDVD.v2.4.3.5 + Keygen\reg.exe -> TrojanDropper.Delf.fl : Error during cleaning
F:\APPS\Programs\Symantec Norton Internet Security 2005 Proper Keygen Only-Ssg.rar/KGNIS.EXE -> TrojanDropper.Delf.fd : Error during cleaning

::Report End

#1
Razgriz_3

Posted 12 October 2005 - 06:52 AM

Advertisements

#2
Razgriz_3

Posted 12 October 2005 - 10:49 PM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us