Virus popup problem

ReXiX
2008-08-31, 22:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:38, on 2008-08-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\NVC00\Ginstall.exe
C:\WINDOWS\TEMP\NVC20\Ginstall.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\NVC30\Ginstall.exe
C:\WINDOWS\TEMP\NVC40\Ginstall.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\NVC50\Ginstall.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\TEMP\NSE00\Ginstall.exe
C:\WINDOWS\TEMP\NSE21\Ginstall.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\TEMP\NSE22\Ginstall.exe
C:\WINDOWS\TEMP\NSE20\Ginstall.exe
C:\WINDOWS\TEMP\NSE30\Ginstall.exe
C:\WINDOWS\TEMP\QTN00\Ginstall.exe
C:\WINDOWS\TEMP\QTN20\Ginstall.exe
C:\WINDOWS\TEMP\QTN80\Ginstall.exe
C:\WINDOWS\TEMP\ZAN01\Ginstall.exe
C:\WINDOWS\TEMP\ZAN00\Ginstall.exe
C:\WINDOWS\TEMP\ZAN21\Ginstall.exe
C:\WINDOWS\TEMP\ZAN20\Ginstall.exe
C:\WINDOWS\TEMP\NVC00\Ginstall.exe
C:\WINDOWS\TEMP\NVC20\Ginstall.exe
C:\WINDOWS\TEMP\NVC30\Ginstall.exe
C:\WINDOWS\TEMP\NVC40\Ginstall.exe
C:\WINDOWS\TEMP\NVC50\Ginstall.exe
C:\WINDOWS\TEMP\NVC60\Ginstall.exe
C:\WINDOWS\TEMP\NSE00\Ginstall.exe
C:\WINDOWS\TEMP\NSE21\Ginstall.exe
C:\WINDOWS\TEMP\NSE22\Ginstall.exe
C:\WINDOWS\TEMP\NSE20\Ginstall.exe
C:\WINDOWS\TEMP\NSE30\Ginstall.exe
C:\WINDOWS\TEMP\QTN00\Ginstall.exe
C:\WINDOWS\TEMP\QTN20\Ginstall.exe
C:\WINDOWS\TEMP\QTN80\Ginstall.exe
C:\WINDOWS\TEMP\ZAN01\Ginstall.exe
C:\WINDOWS\TEMP\ZAN00\Ginstall.exe
C:\WINDOWS\TEMP\ZAN21\Ginstall.exe
C:\WINDOWS\TEMP\ZAN20\Ginstall.exe
C:\WINDOWS\TEMP\ZAN30\Ginstall.exe
C:\WINDOWS\TEMP\NVC00\Ginstall.exe
C:\WINDOWS\TEMP\NVC20\Ginstall.exe
C:\WINDOWS\TEMP\NVC30\Ginstall.exe
C:\WINDOWS\TEMP\NVC40\Ginstall.exe
C:\WINDOWS\TEMP\NVC50\Ginstall.exe
C:\WINDOWS\TEMP\NVC60\Ginstall.exe
C:\WINDOWS\TEMP\NVC70\Ginstall.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\lphc5p6j0e787.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\philips\Philips SNU5600 Wireless USB Adapter Utility\PHUSBBGMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tradera.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [lphc5p6j0e787] C:\WINDOWS\system32\lphc5p6j0e787.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "c:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
O4 - HKCU\..\Run: [A00F31BD6.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00F31BD6.exe
O4 - HKCU\..\Run: [A00FC4F591.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00FC4F591.exe
O4 - HKCU\..\Run: [A00F453F8.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00F453F8.exe
O4 - HKCU\..\Run: [A00FA863D9.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00FA863D9.exe
O4 - HKCU\..\Run: [A00F2698D.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00F2698D.exe
O4 - HKCU\..\Run: [A00F4BBDA.exe] C:\DOCUME~1\LARS-K~1\LOCALS~1\Temp\_A00F4BBDA.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Philips SNU5600 Wireless USB Adapter.lnk = C:\Program Files\philips\Philips SNU5600 Wireless USB Adapter Utility\PHUSBBGMonitor.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: c730b83382 - C:\WINDOWS\system32\__c00B5790.dat
O20 - Winlogon Notify: __c005EC55 - C:\WINDOWS\system32\__c005EC55.dat
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7347 bytes
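
As an added triage example (not from this thread, and not part of HijackThis or Spybot), the Python below parses lines in the HijackThis log format shown above and flags the patterns a helper checks first: processes running out of a TEMP directory (and how many copies), Run entries launching from Temp or carrying random-looking names, Winlogon Notify entries pointing at .dat files instead of DLLs, and O23 services whose binary does not appear in the running-process list. The sample log is constructed; the function names and the thresholds in looks_random are the example's own assumptions.

```python
import itertools
import re
from collections import Counter

# Constructed sample in the thread's HijackThis log format (paths shortened), not the poster's log.
SAMPLE_LOG = [
    r"Running processes:",
    r"C:\WINDOWS\TEMP\NVC00\Ginstall.exe",
    r"C:\WINDOWS\TEMP\NVC00\Ginstall.exe",
    r"C:\WINDOWS\system32\lphc5p6j0e787.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [lphc5p6j0e787] C:\WINDOWS\system32\lphc5p6j0e787.exe",
    r"O4 - HKCU\..\Run: [A00F31BD6.exe] C:\DOCUME~1\USER~1\LOCALS~1\Temp\_A00F31BD6.exe",
    r"O20 - Winlogon Notify: c730b83382 - C:\WINDOWS\system32\__c00B5790.dat",
    r"O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe",
]
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")   # "O4 - ..." / "R0 - ..." entry lines
O4_RE = re.compile(r"\[(.*?)\] (.*)")           # O4 body: "...Run: [value name] command line"

def split_sections(lines):
    """Entries are the Rn/On lines; processes are the non-blank lines after 'Running processes:'."""
    lines = [l.strip() for l in lines]
    entries = [m.groups() for m in map(ENTRY_RE.match, lines) if m]
    start = lines.index("Running processes:") + 1 if "Running processes:" in lines else len(lines)
    procs = itertools.takewhile(lambda l: l and not ENTRY_RE.match(l), lines[start:])
    return [p.lower() for p in procs], entries

def looks_random(name):
    """lphc5p6j0e787-style names: one alphanumeric token of 8+ chars mixing letters and digits."""
    base = name.lower().rsplit(".", 1)[0]
    return len(base) >= 8 and base.isalnum() and not base.isalpha() and not base.isdigit()

def triage(lines):
    """Return (kind, detail) findings that deserve a closer look; heuristics, not verdicts."""
    procs, entries = split_sections(lines)
    findings = [("proc-temp", f"{p} x{n}") for p, n in Counter(procs).items() if "\\temp\\" in p]
    for code, body in entries:
        # O20 body is "Notify: name - path"; O23 is "Service: name - owner - path" (path may contain " - ")
        target = body.split(" - ", 2 if code == "O23" else 1)[-1]
        if code == "O4" and (m := O4_RE.search(body)):
            name, cmd = m.groups()
            if "\\temp\\" in cmd.lower():
                findings.append(("run-temp", name))
            if looks_random(name):
                findings.append(("run-random-name", name))
        elif code == "O20" and target.lower().endswith(".dat"):
            findings.append(("winlogon-notify-dat", target))   # Notify packages are normally DLLs
        elif code == "O23" and target.lower() not in procs:
            findings.append(("service-not-running", target))   # e.g. AV registered but not running
    return findings
```

Running triage(SAMPLE_LOG) returns six findings for the constructed sample, including the service-not-running hit on the Norman binary that mirrors the helper's question below about the antivirus not appearing among running processes.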

pskelley
2008-09-01, 14:52
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) I see Norman Virus Control in services but no antivirus program in running programs, why is that?

2) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left-hand side, click on Tools.
* Then click on the Resident icon in the list.
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks