anti virus advertising virus


anti virus advertising virus

Post by ericshin on Sun Nov 15, 2009 8:52 am

Some antivirus ad popped up when I opened Firefox and clicked into a site I know well, so I used MBAM and Avira. That thing hasn't popped up since, but my internet has slowed down to a crawl. I'm not sure if it's the work of the virus; maybe it's just the service provider. I don't know what this thing is called because I panicked and did a virus scan right away, but just in case here's the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3168
Windows 5.1.2600

14/11/2009 10:28:24 p.m.
mbam-log-2009-11-14 (22-28-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165505
Time elapsed: 29 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\BNeB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\BNeF.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


thanks


Last edited by ericshin on Sun Nov 15, 2009 10:30 am; edited 2 times in total (Reason for editing : forgot to thank)

ericshin
Intermediate

Posts: 80
Joined: 2008-12-08
Gender: Male
OS: microsoft windows xp
Points: 29514
Likes: 0

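An added example, not part of the thread: a small Python parser for the MBAM 1.x log format posted above. It checks that the summary counts agree with the detections actually listed, flags detections dropped in a Temp folder (as both of the files above were), and flags anything MBAM did not quarantine. The sample log is copied from the first post; the class and function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first MBAM log posted in this thread, trimmed to the
# sections the parser needs (a raw string, so the Windows backslashes survive).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3168
Windows 5.1.2600

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165505
Time elapsed: 29 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\BNeB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\BNeF.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Line shapes in an MBAM 1.x log: "<Category> Infected: <count>" in the summary,
# "<Category> Infected:" as a detail-section header, and one detection per line.
META_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# Greedy path so "Program Files (x86)" style parentheses stay inside the path.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    path: str       # file, folder or registry path as MBAM printed it
    name: str       # MBAM detection name, e.g. "Trojan.Agent"
    action: str     # what MBAM did, e.g. "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    meta: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)     # category -> count claimed
    detections: list = field(default_factory=list)  # Detection objects


def parse_mbam_log(text: str) -> MbamReport:
    """Parse the text of an MBAM 1.x log into an MbamReport."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends a detail section
            continue
        if m := META_RE.match(line):
            report.meta[m["key"]] = m["val"]
        elif m := SUMMARY_RE.match(line):
            report.summary[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["cat"]
        elif section and line != "(No malicious items detected)":
            if m := DETECTION_RE.match(line):
                report.detections.append(
                    Detection(section, m["path"], m["name"], m["action"]))
    return report


def check_report(report: MbamReport) -> list:
    """Triage findings: summary/detail mismatches, Temp-folder drops,
    and detections MBAM did not quarantine."""
    findings = []
    listed = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    for cat, claimed in report.summary.items():
        if listed.get(cat, 0) != claimed:
            findings.append(f"count mismatch in '{cat}': summary {claimed}, listed {listed.get(cat, 0)}")
    for d in report.detections:
        if TEMP_DIR_RE.search(d.path):
            findings.append(f"temp-folder drop: {d.path} ({d.name})")
        if not d.action.lower().startswith("quarantined"):
            findings.append(f"not quarantined: {d.path} -> {d.action}")
    return findings


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.summary)
    for finding in check_report(rep):
        print(finding)
```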

Re: anti virus advertising virus

Post by Nazzgull on Sun Nov 15, 2009 11:11 am

Hi,
Please read the [You must be registered and logged in to see this link.] post, and post your HijackThis log file in this topic.

Wait for instructions given only by [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].



Nazzgull
Top Dog

Posts: 2343
Joined: 2008-08-03
Gender: Male
OS: Windows 7 Professional
Points: 40435
Likes: 1


hijackthis log

Post by ericshin on Sat Nov 21, 2009 6:05 am

My NVIDIA firewall says there's a high risk. Then it says there's an application called svchost - Microsoft Windows operating system. Then it gives me the option to allow or deny. What do I do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:57 p.m., on 21/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\Documents and Settings\User\My Documents\winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\User\Desktop\New Folder (2)\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Documents and Settings\User\My Documents\Real player\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] "D:\Documents and Settings\User\My Documents\winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe

--
End of file - 6216 bytes


Re: anti virus advertising virus

Post by Belahzur on Sat Nov 21, 2009 9:23 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245049
Likes: 1


Re: anti virus advertising virus

Post by ericshin on Sun Nov 22, 2009 1:24 am

Malwarebytes' Anti-Malware 1.41
Database version: 3210
Windows 5.1.2600 Service Pack 3

22/11/2009 2:18:59 p.m.
mbam-log-2009-11-22 (14-18-58).txt

Scan type: Quick Scan
Objects scanned: 106029
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I did a scan before with MBAM in my first post and it said there were two infected files, but now there aren't any. But my Avira detected something called op[1] only a few days ago and said it was a virus or trojan or something like that. Should I allow svchost through my firewall even though it says high risk?


Re: anti virus advertising virus

Post by Belahzur on Sun Nov 22, 2009 2:07 am

Hello.
No, block it for now; it may be for something else.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.





DDS

Post by ericshin on Sun Nov 22, 2009 7:35 am

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 20:32:44.40 on Sun 22/11/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.1023.622 [GMT 13:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: NVIDIA Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\Documents and Settings\User\My Documents\winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\documents and settings\user\my documents\real player\rpbrowserrecordplugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [WinampAgent] "d:\documents and settings\user\my documents\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus CX3900 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibep.exe /fu "c:\windows\temp\E_S86.tmp" /EF "HKLM"
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\5reuey1j.default\
FF - component: d:\documents and settings\user\my documents\real player\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: d:\documents and settings\user\my documents\real player\netscape6\nppl3260.dll
FF - plugin: d:\documents and settings\user\my documents\real player\netscape6\nprjplug.dll
FF - plugin: d:\documents and settings\user\my documents\real player\netscape6\nprpjplug.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-5-28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-5-28 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-5-28 108289]

=============== Created Last 30 ================


==================== Find3M ====================

2009-11-21 05:50:51 96384 ----a-w- c:\windows\system32\drivers\sptd8717.sys

============= FINISH: 20:33:14.29 ===============


Re: anti virus advertising virus

Post by ericshin on Sun Nov 22, 2009 7:36 am

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/15/2007 10:26:05 PM
System Uptime: 11/22/2009 8:25:57 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N5X
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 2010/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 10 GiB total, 2.959 GiB free.
D: is FIXED (NTFS) - 65 GiB total, 2.457 GiB free.
E: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_10DE&DEV_005B&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&11
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_10DE&DEV_005B&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&11
Service:

==== System Restore Points ===================

RP68: 11/21/2009 6:44:31 PM - Installed Windows XP Service Pack 3.

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Age of Empires III
Age of Empires III - The Asian Dynasties
Avira AntiVir Personal - Free Antivirus
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Dawn of War - Soulstorm
Diablo II
Doom 3
Earth's Special Forces
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESCX3900 User's Guide
ESF Bot 3.1
Fable - The Lost Chapters
GameSpy Arcade
GOM Player
Grand Theft Auto Vice City
Half-Life
HijackThis 2.0.2
Hitman Blood Money
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Halo
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 Parser and SDK
Neverwinter Nights 2
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PIF DESIGNER
POD-Bot 2.5
RealPlayer
Realtek AC'97 Audio
Sierra Utilities
TypeFaster Typing Tutor
WebFldrs XP
Winamp
Windows XP Service Pack 3
WinRAR archiver
Xfire (remove only)

==== Event Viewer Messages From Past Week ========

11/21/2009 6:52:49 PM, error: Service Control Manager [7023] - The Portable Media Serial Number service terminated with the following error: The specified module could not be found.
11/21/2009 6:37:24 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bfb22cf7, parameter3 b2067b28, parameter4 00000000.
11/21/2009 6:37:00 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bfb22cf7, parameter3 b998fb28, parameter4 00000000.
11/15/2009 1:04:29 AM, error: Dhcp [1002] - The IP address lease 10.1.1.3 for the Network Card with network address 0013D4871E03 has been denied by the DHCP server 10.1.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


Re: anti virus advertising virus

Post by Belahzur on Sun Nov 22, 2009 7:16 pm

Still having problems?





Re: anti virus advertising virus

Post by ericshin on Mon Nov 23, 2009 12:36 am

Yeah, I'm pretty sure my internet speed has decreased by a lot ever since that advertising thing popped up, because it takes me about 10 minutes to watch a 4 1/2 minute video off YouTube or Metacafe.

And also when I check online for the internet usage I've used, it says that I haven't used any at all for the last week or so, even though I've been coming on here and playing a few online games.

My internet also cuts off after a while so I can't open Firefox until I restart the computer. This never happened before.

I've also got 2 "trojans.agents" in the quarantine of MBAM. Should I delete them?

thanks


Re: anti virus advertising virus

Post by ericshin on Tue Nov 24, 2009 12:08 am

bump


Re: anti virus advertising virus

Post by Belahzur on Tue Nov 24, 2009 12:57 am

Nah, leave them for now, the quarantined items are dead.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.



  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.





Re: anti virus advertising virus

Post by ericshin on Tue Nov 24, 2009 8:28 am

ComboFix 09-11-23.02 - User 24/11/2009 21:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.64.1033.18.1023.704 [GMT 13:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-22 01:11 . 2009-09-10 01:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 01:11 . 2009-09-10 01:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 05:52 . 2009-11-21 05:52 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-11-21 05:50 . 2009-11-21 05:50 -------- d-s---w- c:\windows\system32\Microsoft
2009-11-21 05:46 . 2008-04-13 16:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-11-21 05:44 . 2007-08-10 07:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-11-21 05:33 . 2008-04-13 13:30 103424 ----a-w- c:\windows\system32\dpcdll.dll
2009-11-21 05:31 . 2008-04-13 16:42 188416 ----a-w- c:\windows\system32\msh261.drv
2009-11-14 08:37 . 2009-11-14 08:37 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-11-14 08:37 . 2009-11-14 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-14 07:00 . 2009-11-14 07:00 -------- d-----w- c:\documents and settings\User\Application Data\EPSON

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 05:58 . 2009-11-21 05:58 3398 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-21 05:53 . 2008-02-24 10:15 42944 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 05:50 . 2007-12-21 09:11 96384 ----a-w- c:\windows\system32\drivers\sptd8717.sys
2009-11-21 05:49 . 2007-12-15 09:24 70691 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-09-06 00:49 . 2009-09-06 00:49 488968 ----a-w- c:\documents and settings\User\Application Data\Real\Update\temp\~Upg0\setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-11-04 7307264]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-11-04 86016]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-04-29 266240]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"WinampAgent"="d:\documents and settings\User\My Documents\winamp\winampa.exe" [2008-08-03 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-03 185872]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [5/28/2009 4:43 PM 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [5/28/2009 4:43 PM 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2009 4:43 PM 108289]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/21/2007 10:11 PM 664064]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5reuey1j.default\
FF - component: d:\documents and settings\User\My Documents\Real player\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: d:\documents and settings\User\My Documents\Real player\Netscape6\nppl3260.dll
FF - plugin: d:\documents and settings\User\My Documents\Real player\Netscape6\nprjplug.dll
FF - plugin: d:\documents and settings\User\My Documents\Real player\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
AddRemove-HijackThis - d:\documents and settings\User\My Documents\HijackThis.exe
AddRemove-NVIDIA Drivers - c:\windows\System32\NVUNINST.EXE UninstallGUI
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Sierra Utilities - c:\program files\Sierra On-Line\sutil32.exe uninstall



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-24 21:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-11-24 21:26
ComboFix-quarantined-files.txt 2009-11-24 08:25

Pre-Run: 3,057,106,944 bytes free
Post-Run: 3,267,203,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F78BD1C040A82E77BB3AADF52E5BAE52


Re: anit virus advertising virus

Post by Belahzur on Tue Nov 24, 2009 9:36 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: anit virus advertising virus

Post by ericshin on Thu Nov 26, 2009 10:27 am

When I did that, it opened and ran ComboFix while my antivirus and firewall were still on. Nothing bad will happen from that, right?

The internet is still running slow and still cuts off after a while, and I still have to restart the computer to reconnect to the internet. Unplugging and replugging the modem doesn't work; I actually have to unplug the modem, then restart the computer.

thanks


Re: anit virus advertising virus

Post by ericshin on Fri Nov 27, 2009 5:14 am

bump


Re: anit virus advertising virus

Post by Belahzur on Fri Nov 27, 2009 10:17 am

No, AV/firewall are fine as long as they are active and updated.

Post a new Hijack This log.



Re: anit virus advertising virus

Post by ericshin on Sat Nov 28, 2009 3:04 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:49 p.m., on 28/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Documents and Settings\User\My Documents\winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\User\Desktop\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Documents and Settings\User\My Documents\Real player\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] "D:\Documents and Settings\User\My Documents\winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 5818 bytes


Re: anit virus advertising virus

Post by Belahzur on Sat Nov 28, 2009 7:05 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [WinampAgent] "D:\Documents and Settings\User\My Documents\winamp\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


  • Press "Fix Checked"
  • Close Hijack This.

Reboot normally.
Any better now?



Re: anit virus advertising virus

Post by ericshin on Sun Nov 29, 2009 6:49 am

The internet still seems slow, so I think it will still cut off after a while.


Re: anit virus advertising virus

Post by Belahzur on Sun Nov 29, 2009 6:34 pm

What browser are you using?



Re: anit virus advertising virus

Post by ericshin on Mon Nov 30, 2009 12:52 am

Mozilla Firefox.

Oh, and the internet does still cut off, and when it cuts off I can't play games online, so it's not just Firefox.

And also, I figured out that I don't actually have to unplug and replug the modem. As long as I restart the computer, the internet will work again.


Re: anit virus advertising virus

Post by ericshin on Wed Dec 02, 2009 7:31 am

bump


Re: anit virus advertising virus

Post by Belahzur on Wed Dec 02, 2009 8:41 pm

Not too sure what that's about.

I'll ask Doc to drop by.



Re: anit virus advertising virus

Post by ericshin on Thu Dec 03, 2009 8:01 am

ok thanks


Re: anit virus advertising virus

Post by Belahzur on Thu Dec 03, 2009 9:23 pm

Please download [You must be registered and logged in to see this link.] by DragonMaster Jay.
  • Save it to your Desktop.
  • Right-click on the file and select Extract All...
  • Choose a location to save extracted files and keep pressing Next until Finish.
  • Double-click RenewMyDNS folder, then double-click RenewMyDNS.bat to start the program.
  • Follow the prompts, and when finished it will launch a log.
  • Post that log in your next reply.
  • After posting the log, delete the folder RenewMyDNS.



Re: anit virus advertising virus

Post by ericshin on Fri Dec 04, 2009 9:46 am

RenewMyDNS by DragonMaster Jay
DNS Diagnostics and refresher
Version 0.1.4 - November 2009

Microsoft Windows XP [Version 5.1.2600]


(((((((((((((((((((( Network and DNS Information ))))))))))))))))))))

Windows IP Configuration

Host Name . . . . . . . . . . . . : JAMES-U343NIHYF
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-13-D4-87-1E-03
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
Lease Obtained. . . . . . . . . . : Friday, 4 December 2009 10:39:39 p.m.
Lease Expires . . . . . . . . . . : Friday, 4 December 2009 11:39:39 p.m.

(((((((((((((((((((( DNS-Fake Request Testing and Flush ))))))))))))))))))))

... Requests made were successful

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

(((((((((((((((((((( Speed-test - Ping ))))))))))))))))))))

Pinging yahoo.com [69.147.114.224] with 32 bytes of data:

Request timed out.
Reply from 69.147.114.224: bytes=32 time=316ms TTL=51
Reply from 69.147.114.224: bytes=32 time=312ms TTL=50
Reply from 69.147.114.224: bytes=32 time=308ms TTL=50

Ping statistics for 69.147.114.224:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 308ms, Maximum = 316ms, Average = 312ms

Pinging geekpolice.net [74.86.239.78] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 74.86.239.78:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging facebook.com [69.63.184.142] with 32 bytes of data:

Reply from 69.63.184.142: bytes=32 time=307ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241

Ping statistics for 69.63.184.142:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 298ms, Maximum = 307ms, Average = 300ms

Pinging microsoft.com [207.46.197.32] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.197.32:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

********************
EOF

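A parser for the RenewMyDNS output above, added here as an example and not part of the thread or of RenewMyDNS itself: it reads the ipconfig fields and the ping section, summarises timeouts and latency per target, and checks that the DHCP-assigned DNS server is the gateway or at least on the local subnet. The abridged log it embeds is constructed from the posted one, and the 250 ms "slow" threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: an abridged RenewMyDNS-style log in the layout posted above.
SAMPLE_LOG = """\
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
(((((((((((((((((((( Speed-test - Ping ))))))))))))))))))))
Pinging yahoo.com [69.147.114.224] with 32 bytes of data:
Request timed out.
Reply from 69.147.114.224: bytes=32 time=316ms TTL=51
Reply from 69.147.114.224: bytes=32 time=312ms TTL=50
Reply from 69.147.114.224: bytes=32 time=308ms TTL=50
Ping statistics for 69.147.114.224:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Pinging geekpolice.net [74.86.239.78] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 74.86.239.78:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

# ipconfig lines are "Key . . . : value"; the ping lines follow Windows ping.exe output.
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z\- ]*?)[. ]+:\s*(?P<val>.*)$")
PING_HDR = re.compile(r"^Pinging (\S+) \[([\d.]+)\] with \d+ bytes")
REPLY_RE = re.compile(r"^Reply from [\d.]+: bytes=\d+ time=(\d+)ms TTL=\d+")
STATS_RE = re.compile(r"^Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")

@dataclass
class PingResult:
    host: str
    ip: str
    rtts_ms: list = field(default_factory=list)
    timeouts: int = 0
    sent: int = 0
    received: int = 0

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0

    @property
    def avg_rtt_ms(self):
        return sum(self.rtts_ms) / len(self.rtts_ms) if self.rtts_ms else None

def parse_ipconfig(text: str) -> dict:
    """Collect the non-empty 'Key . . . : value' fields, keyed by lower-cased name."""
    matches = (KV_RE.match(line) for line in text.splitlines())
    return {m.group("key").strip().lower(): m.group("val").strip()
            for m in matches if m and m.group("val").strip()}

def parse_pings(text: str) -> list:
    """Walk the 'Speed-test - Ping' section, building one PingResult per target."""
    results, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := PING_HDR.match(line)):
            cur = PingResult(host=m.group(1), ip=m.group(2))
            results.append(cur)
        elif cur is None:
            continue
        elif line == "Request timed out.":
            cur.timeouts += 1
        elif (m := REPLY_RE.match(line)):
            cur.rtts_ms.append(int(m.group(1)))
        elif (m := STATS_RE.match(line)):
            cur.sent, cur.received = int(m.group(1)), int(m.group(2))
    return results

def dns_findings(cfg: dict) -> list:
    """Flag resolvers that are neither on the local subnet nor the gateway itself: on a home
    modem setup like the one above the gateway hands out DNS, so anything else is odd."""
    net = IPv4Network(f"{cfg['ip address']}/{cfg['subnet mask']}", strict=False)
    gw = IPv4Address(cfg["default gateway"])
    servers = (IPv4Address(s) for s in cfg.get("dns servers", "").split())
    return [f"DNS server {s} is off the local network {net}; verify it"
            for s in servers if s not in net and s != gw]

def assess(results: list, slow_ms: int = 250) -> dict:
    """Separate 'no link at all' from 'some targets simply do not answer ICMP'."""
    return {
        "link_up": any(r.received for r in results),
        "silent_hosts": [r.host for r in results if r.received == 0],
        "slow_hosts": [r.host for r in results if (r.avg_rtt_ms or 0) > slow_ms],
    }
```

Hosts with 100% loss while others answer do not prove a link problem, since some sites simply drop ICMP; a link-level fault shows up as every target silent.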

Re: anit virus advertising virus

Post by ericshin on Fri Dec 04, 2009 9:47 am

Sorry, the one above has word wrap on. This log doesn't have word wrap on.

RenewMyDNS by DragonMaster Jay
DNS Diagnostics and refresher
Version 0.1.4 - November 2009

Microsoft Windows XP [Version 5.1.2600]


(((((((((((((((((((( Network and DNS Information ))))))))))))))))))))

Windows IP Configuration

Host Name . . . . . . . . . . . . : JAMES-U343NIHYF
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-13-D4-87-1E-03
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.1
Lease Obtained. . . . . . . . . . : Friday, 4 December 2009 10:39:39 p.m.
Lease Expires . . . . . . . . . . : Friday, 4 December 2009 11:39:39 p.m.

(((((((((((((((((((( DNS-Fake Request Testing and Flush ))))))))))))))))))))

... Requests made were successful

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

(((((((((((((((((((( Speed-test - Ping ))))))))))))))))))))

Pinging yahoo.com [69.147.114.224] with 32 bytes of data:

Request timed out.
Reply from 69.147.114.224: bytes=32 time=316ms TTL=51
Reply from 69.147.114.224: bytes=32 time=312ms TTL=50
Reply from 69.147.114.224: bytes=32 time=308ms TTL=50

Ping statistics for 69.147.114.224:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 308ms, Maximum = 316ms, Average = 312ms

Pinging geekpolice.net [74.86.239.78] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 74.86.239.78:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging facebook.com [69.63.184.142] with 32 bytes of data:

Reply from 69.63.184.142: bytes=32 time=307ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241
Reply from 69.63.184.142: bytes=32 time=298ms TTL=241

Ping statistics for 69.63.184.142:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 298ms, Maximum = 307ms, Average = 300ms

Pinging microsoft.com [207.46.197.32] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.197.32:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

********************
EOF


Re: anit virus advertising virus

Post by ericshin on Sat Dec 05, 2009 8:43 am

bump


Re: anit virus advertising virus

Post by Belahzur on Sat Dec 05, 2009 2:21 pm

Hi.
I have not forgotten you, I've been speaking with a colleague who knows more about problems like this than I do.


  1. Disconnect the modem from all three cables so that the modem is completely off (the power cord, the
    ethernet cable and the phone line) -- Also, unplug the Ethernet cable from your computer.
  2. Open up Network Connections (Start, Programs, Accessories, Communications) --> Right-click on the Local Area Connection and select Disable.
  3. Close the Local Area Connection window, and then go to Start --> Run --> type services.msc and press OK. Scroll down until you see the DHCP client, and select Restart the service.
  4. Please shut down the computer and wait two minutes. Reconnect all of the cables to your modem. Wait two minutes, and then reconnect the modem to the computer with your Ethernet cable. Wait another two minutes and then turn on your computer.
  5. Please re-open Network Connections; right-click on your Local Area Connection and select Enable -- restart your computer.

Let me know how you get on or if you have any problems.



Re: anit virus advertising virus

Post by ericshin on Sun Dec 06, 2009 2:06 am

During step 5 a computer screen with a yellow ball popped up on the bottom right of my screen saying it was acquiring a network address. After about 5 minutes it disappeared, but the internet didn't work. So I restarted the computer and it's working.

Also during step 5, as soon as I clicked on Enable, that svchost thing with the high risk popped up asking if I would allow or deny. Does that have anything to do with this problem?

The internet is also slow. According to this site:
[You must be registered and logged in to see this link.]
Telecom is the company that we are paying for our internet, and it says our speed is:
Results

Below is the data used to calculate your download speed:

* Download time: 14.335 seconds
* Size of file: 520 Kilobytes
* Estimated line speed: 296 (kilobits/second)
* Estimated line speed: 36.3 (kilobytes/second)
It's like right at the end of the bar, so I'm assuming that's really slow.

Also, I forgot to mention before: every time the internet cuts off, the computer screen with the yellow ball would pop up as it did when I enabled the Local Area Connection. And the same thing would happen after and during the time it was there: the internet wouldn't work.

thanks


Re: anit virus advertising virus

Post by Belahzur on Sun Dec 06, 2009 12:00 pm

Not too bad, my connection is only just a little bit faster, but only by about 120kb.

PM'd a colleague, I'll see what he says.



Re: anit virus advertising virus

Post by ericshin on Thu Dec 10, 2009 5:26 am

bump


Re: anit virus advertising virus

Post by Belahzur on Thu Dec 10, 2009 8:33 pm

Hello.
See here on how to change your IP address.
[You must be registered and logged in to see this link.]

It is usually a problem for multiple computers on a network to have the same static address, so Windows assigns the problem computer a temporary dynamic (dynamic means "changing") address. If they are assigned a Static IP that is unique, their connection is liable to stay correct.

XP SP3 has a fix that was included that dealt with "black hole" router detection algorithm, which prevents computers from receiving invalid network packets.

In plain English, the user's computer has a weak connection, because the IP address may need to be Static instead of Dynamic. The fix in XP SP3 caused quite a few issues with connectivity, and these problems are solved by changing the IP address structure. :o)



Re: anit virus advertising virus

Post by ericshin on Fri Dec 11, 2009 6:50 am

But this was already happening before I installed SP3. And what's the difference between a static and a dynamic address? I know that dynamic changes the IP address from time to time, but how is that better or worse?


Re: anit virus advertising virus

Post by Belahzur on Fri Dec 11, 2009 10:23 pm

Like you said, dynamic IPs change and static ones stay the same; this site will give a better detailed explanation than I could ever give.
[You must be registered and logged in to see this link.]

