system
December 23, 2005, 9:45pm
1
Ok, here’s the story.
I’m a gamer. That’s basically the only thing I use my computer for.
So I downloaded avast! a few days ago when my other Antivirus program’s free trial ran out, and I’m liking it.
So, today my brother tells me he downloaded the Photoshop CS2 Trial from adobe.com and tried to look online for a serial code (which I know, is totally wrong and I beat him down for it) on those “hacking sites” and tried to make it a full version. Well guess what. I got a popup saying something like “Trojan Horse was found!” So I put it in the chest, deleted it from there.
So I go back to playing my game, and now, every 5-10 mins I’m getting the message “Adaware was found!” and then immediately followed by “Malware was found!” What I don’t understand is, that I’m on the internet, but I wasn’t downloading anything. So when I get these messages (which are really annoying) I just click the “Abort Connection” button and it goes away for a few minutes.
So I downloaded: Ad-Aware SE Personal, and Spybot: Search & Destroy and scanned for spyware and other junk. The first scan with both programs found spyware and adaware, and deleted them. Though I’m still getting the popup from avast that adaware/spyware/malware is being found but when I scan it says there is none.
I scanned for viruses with AVG Free and it said there wasn’t any, and I’m in the process of scanning with avast.
Now…how do I properly fix this!? Where is all the spyware/adware/malware coming from!?
Thanks,
Shane
:-[
system
December 23, 2005, 10:00pm
2
I would recommend you try a boot-time scan with avast since it is the one finding this infection(s). If the problem doesn’t go away just post back here. You can do that by starting avast! then right click somewhere in the GUI or click the menu and then just click Schedule boot time scan then restart, see below:
http://img444.imageshack.us/img444/4030/untitled19mx8lq.jpg
P.S:Welcome to the forum!
Cheers
Mikey
system
December 23, 2005, 10:02pm
3
also could you try to remember names of things you delete. it helps us a lot if we have that knowledge
system
December 23, 2005, 10:49pm
4
Ok,
I did the Boot-Time scan and when it was done I logged in normally and there wasn’t anything saying if there was a virus or spyware or anything. When I first got the Trojan warning I put it in the chest and deleted it, and since then haven’t gotten a virus alert, only the spyware/adware/malware alerts which are constant. Like I said I’ve scanned with other spyware programs and have deleted everything, still nothing.
This is what I’m seeing every 5-10 mins:
http://img305.imageshack.us/img305/1196/ad16hf.jpg
And if this matters…
http://img321.imageshack.us/img321/181/ad28yy.jpg
Shane
??? :-[
system
December 23, 2005, 10:51pm
5
Could you do a scan with HijackThis and post a log?
thanks
Mikey
system
December 23, 2005, 11:00pm
7
This is what I got:
Logfile of HijackThis v1.99.1
Scan saved at 5:59:43 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Shane\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
system
December 23, 2005, 11:20pm
8
Well you should definitely remove these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
Then go to safe mode and run a couple of scans with the anti-malware tools you have… Report back then to let us know what is going on.
OK it’s 0:30 AM here so I’m going to bed but maybe someone else will be able to help you if this doesn’t solve your problems… See ya tomorrow
P.S: I did a little editing with this post so please re-read it.
Thanks
Mikey
system
December 23, 2005, 11:23pm
9
I forgot to ask you… Are you running multiple resident AV programs at the same time? If so please just use one, otherwise you’ll have problems.
Thanks
Mikey
system
December 23, 2005, 11:32pm
10
Nope, not at the same time. Though I do have AVG and avast! installed.
system
December 23, 2005, 11:34pm
11
Ok, I deleted the things listed above, now when I restarted my PC I got the message:
http://img498.imageshack.us/img498/4171/ad35ua.jpg
And whenever I try to do anything about it I get:
http://img248.imageshack.us/img248/9912/ad40wi.jpg
So…going to scan with avast right now, then scan for spyware after.
system
December 23, 2005, 11:39pm
12
It’s like I said, you have 2 resident AVs installed, that is why you cannot get rid of this malware (one AV locks the file when the other detects it). Please disable AVG’s resident shield if you know how or just uninstall it.
ShaneTerry, like ReVaN said, you shouldn’t use two antivirus programs at the same time in the same computer.
These kinds of programs are not like antispywares (of which you can have more than one).
Better if you choose one of them. Think about detection, support, and the features that you need.
system
December 24, 2005, 12:02am
14
ShaneTerry, like ReVaN said, you shouldn’t use two antivirus programs at the same time in the same computer.
These kinds of programs are not like antispywares (of which you can have more than one).
Better if you choose one of them. Think about detection, support, and the features that you need.
Ah, I thought he meant running at the same time. My bad.
Ok, so I uninstalled AVG and am thoroughly scanning with avast.
Btw I haven’t gotten the adaware/malware/spyware popup since I deleted the different files in the HijackThis log.
Hope this works…will post back when it’s done.
Good decision.
We’ll be waiting here to help 8)
DavidR
December 24, 2005, 12:08am
16
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
These entries could be your ISPs IP address (check using a whois search), if you fix them in HJT you may not be able to connect, if that is the case, restore them.
system
December 24, 2005, 12:35am
17
Ok, so…
When I did the scan, I pressed the
http://img460.imageshack.us/img460/4180/av13cg.jpg
option.
And to my surprise…
http://img460.imageshack.us/img460/6325/av21xe.jpg
Should I scan under a different option? If so which one?
Shane
???
system
December 24, 2005, 12:38am
18
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
These entries could be your ISPs IP address (check using a whois search), if you fix them in HJT you may not be able to connect, if that is the case, restore them.
He is here, isn’t he? So he is connected, wouldn’t you agree? The IPs are somewhere in the Ukraine…
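Added example, not part of this thread and not code from HijackThis or avast: a small Python script that automates the two log checks raised in posts 8, 16 and 18 so they can be repeated offline on any HijackThis log. It pulls the resolvers out of every O17 NameServer line and reports the ones that are neither the ISP's own servers nor a local/private address (those are the ones worth a whois lookup, as DavidR suggests), and it flags O4 Run entries shaped like the yaemu.exe one (value name is just a file name, file sits directly in system32). The sample log lines are copied from the log posted above; EXPECTED_DNS is a constructed placeholder for the ISP's real resolvers, and the O4 rule is a heuristic of mine, not a HijackThis feature.

```python
import ipaddress
import re

# Constructed sample in HijackThis 1.99.1 format. The O4/O17 lines are copied
# from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
"""

# Placeholder for the ISP's real resolvers (constructed, RFC 5737 documentation
# addresses). Fill this from "ipconfig /all" on a known-clean machine on the
# same connection, or from the router's status page.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[0-9.,]+)')


def parse_o4(line):
    """Split an O4 Run entry into hive, value name and command line (None if not O4)."""
    m = O4_RE.match(line)
    if not m:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"), "cmd": m.group("cmd")}


def nameservers(line):
    """DNS servers listed on an O17 NameServer line (empty list for other lines)."""
    m = O17_RE.match(line)
    return [s for s in m.group("servers").split(",") if s] if m else []


def classify_nameserver(ip, expected):
    """'expected' = one of the ISP's resolvers, 'local' = router or another
    private/loopback address, 'unexpected' = anything else (do a whois on it)."""
    if ip in expected:
        return "expected"
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return "local"
    return "unexpected"


def suspicious_nameservers(log_text, expected):
    """All O17 resolvers in the log that are neither expected nor local, sorted."""
    found = set()
    for line in log_text.splitlines():
        found.update(nameservers(line))
    return sorted(ip for ip in found if classify_nameserver(ip, expected) == "unexpected")


def suspicious_run_entries(log_text):
    """Heuristic (mine, not HijackThis's): O4 entries whose value name is just the
    executable's file name and whose file sits directly in system32. That is the
    shape of the yaemu.exe entry; vendors normally use a product name instead."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        cmd = entry["cmd"].strip('"').lower()
        exe = cmd.rsplit("\\", 1)[-1].split(" ", 1)[0]
        if "\\windows\\system32\\" in cmd and entry["name"].lower() == exe:
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    print("Unexpected DNS servers:", suspicious_nameservers(SAMPLE_LOG, EXPECTED_DNS))
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_LOG))
```

On the sample above the script reports both 85.255.x.x resolvers as unexpected and yaemu.exe as the only odd Run entry. A match here is a reason to look closer, not a verdict: confirm the resolvers with a whois lookup as DavidR says, and if fixing the O17 entries breaks connectivity, restore them and set the adapter back to the ISP's servers.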
system
December 24, 2005, 12:41am
19
Apparently you are clean now Shane, but just to be sure you can run an online scan at http://housecall.trendmicro.com/
system
December 24, 2005, 12:48am
20
Awesome. Scanning now. Will post what was up when it’s done.