
Thread: HELP!! Severe Problems with Pop Ups & freezing

  1. #21
     Member (Join Date: Oct 2007, Posts: 36)

    and... C:\WINDOWS\System32\ezSP_Px.exe

  2. #22
     __RiP_ChAiN_, Emeritus - Malware Team (Join Date: Sep 2007, Location: U.S.A, Posts: 480)

    Hello panicden,

    This is the description for what that file does:

    Engine that allows PrimoDVD from Veritas (was Prassi) and Drag'n Drop CD from Easy Systems (and maybe others) to record and protects against other software overwriting the settings

  3. #23
     Member (Join Date: Oct 2007, Posts: 36)

    OK, I have been using the machine now and while it is much better it is still a little buggy. Gone are the speed monitor zedo pop ups, but now I notice that my Spybot alerts are very frequent; for instance, right now I am looking at one that reads:
    Category change: "User-specific browser toolbar"
    Change: Value added
    Entry {01E04581 - 4EEE - 11D0-00AA005B4383}
    Old Data:
    New Data: hex:81,45,E0,01,EE,4E,D0,11BFE9,00,AA,00,58 YADA YADA
    Allow Change / Deny Change
    I have been hitting "Deny" and clicking "Remember this decision",
    but sometimes the TeaTimer boxes start stacking up on the right side of my screen like they are doing battle with something. While I have been able to still surf through this, I did have a situation this morning where my system froze up: I could still surf and click and open folders on my desktop, but I could not access anything in my taskbar, including my Start column.

    I just ran Ad-Aware and it found 1 registry value:

    Type: RegData
    Data:
    Rootkey: HKEY_CURRENT_USER
    Object: Software\Microsoft\MediaPlayer\Player\Settings
    Value: Client ID
    I sent it to Quarantine.

    Question: should I tell my spybot to immunize my system?
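
The TeaTimer alert quoted in the post above shows the new registry value as a comma-separated hex dump. Those bytes are simply the binary (REG_BINARY) form of a GUID, and in this alert they spell the same CLSID that appears in the Entry line, so the alert is telling you which toolbar or other COM object was just registered under HKCU. The decoder below is an added example for this thread, not part of any post and not Spybot's code. It completes the bytes the post truncated ("YADA YADA") with values assumed from the CLSID fragments in the post (the 00AA005B4383 tail from the Entry line and the BFE9 group that the hand-typed Entry line dropped), and it refuses any dump that is not exactly 16 clean bytes, which is what the line as copied into the post would be.

```python
import re
import uuid

# Constructed sample, assembled from the TeaTimer alert quoted in the post above.
# The post truncates the "New Data" dump, so the final bytes 5B,43,83 are assumed
# from the CLSID tail 00AA005B4383 that the post shows in its "Entry" line.
SAMPLE_NEW_DATA = "hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83"
SAMPLE_ENTRY = "Entry {01E04581-4EEE-11D0-BFE9-00AA005B4383}"

GUID_RE = re.compile(
    r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I
)


def parse_hex_dump(dump: str) -> bytes:
    """Turn a 'hex:aa,bb,...' REG_BINARY dump (as TeaTimer and .reg files show it) into bytes.

    Every token must be exactly two hex digits; anything else means the dump was
    mangled or cut short when it was copied, so fail loudly instead of guessing.
    """
    body = dump.split(":", 1)[1] if dump.lower().startswith("hex") else dump
    raw = bytearray()
    for token in body.split(","):
        token = token.strip()
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            raise ValueError(f"bad byte token {token!r} in registry dump")
        raw.append(int(token, 16))
    return bytes(raw)


def dump_is_usable(dump: str) -> bool:
    """True only if the dump parses to exactly 16 clean bytes (False for a half-copied line)."""
    try:
        return len(parse_hex_dump(dump)) == 16
    except ValueError:
        return False


def guid_from_bytes(raw: bytes) -> str:
    """Decode a 16-byte registry GUID blob into the {XXXXXXXX-XXXX-...} text form.

    The blob is the in-memory GUID struct: Data1 (4 bytes), Data2 and Data3
    (2 bytes each) are stored little-endian, Data4 (8 bytes) is stored as-is.
    That is why the dump starts 81,45,E0,01 while the CLSID reads 01E04581.
    """
    if len(raw) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(raw)}")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def guid_to_hex_dump(clsid: str) -> str:
    """Inverse of guid_from_bytes: the byte order Windows writes for a given CLSID."""
    return "hex:" + ",".join(f"{b:02X}" for b in uuid.UUID(clsid.strip("{}")).bytes_le)


def value_matches_entry(new_data: str, entry_text: str) -> bool:
    """Does the binary value TeaTimer reports encode the same CLSID as the entry it names?

    Whitespace is dropped first because the alert text is usually copied by hand.
    """
    m = GUID_RE.search(re.sub(r"\s+", "", entry_text))
    if m is None:
        return False
    return guid_from_bytes(parse_hex_dump(new_data)) == m.group(0).upper()


if __name__ == "__main__":
    print(guid_from_bytes(parse_hex_dump(SAMPLE_NEW_DATA)))
    print(value_matches_entry(SAMPLE_NEW_DATA, SAMPLE_ENTRY))
```

Once you have the CLSID in text form, look it up under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32: the DLL path stored there is what tells you whether the change is worth denying, and it is the same path HijackThis prints on its O2/O3 lines.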

  4. #24
     __RiP_ChAiN_, Emeritus - Malware Team (Join Date: Sep 2007, Location: U.S.A, Posts: 480)

    Hello panicden,

    Quote: should I tell my spybot to immunize my system?
    It can't hurt anything.

    Could you please post a new HijackThis log?

  5. #25
     Member (Join Date: Oct 2007, Posts: 36)

    Here you go Rip:

    HJT Log 10/10/07

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:52:08 AM, on 10/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\AcroDist.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Sony\Giga Pocket\shwserv.exe
    C:\Program Files\Sony\USBSircs\usbsircs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
    C:\Program Files\Sony\Giga Pocket\gps.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Sony\Giga Pocket\RM_SV.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Sertificate Infj - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll
    O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Remocon Driver.lnk = ?
    O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O21 - SSODL: OleExport - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll
    O22 - SharedTaskScheduler: chinned - {a47e7ce0-263d-40aa-86bc-27c1f6433143} - C:\WINDOWS\System32\gdrtul.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11066 bytes

  6. #26
     TonyKlein, Security Expert (Join Date: Oct 2005, Location: The Netherlands, Posts: 138)

    My apologies for gatecrashing this thread, but there's a file we'd like to have a closer look at:

    C:\WINDOWS\Media\CertMgr.dll

    It looks to be a new parasite, so we'd like to receive a sample for analysis!

    Could I ask you to please go to this forum

    There's no need to register. Just start a new topic, titled "File for TonyKlein".

    In the topic, simply refer to this SB forum thread, and use the Attachment box to upload the file.

    In fact there's not even a need to actually browse to the file: just copy the full path to the file, in this case:

    C:\WINDOWS\Media\CertMgr.dll

    ... and paste it into the attachment box, then press the 'Post' button. The file will be found and uploaded.


    NOTE: You will not see the files that have been uploaded (including the ones you upload yourself), as they only show to the authorized users who can download them.


    After that I'll be happy to leave you in Rip's most capable hands!

    Thanks!
    Last edited by TonyKlein; 2007-10-10 at 16:33.

  7. #27
     Member (Join Date: Oct 2007, Posts: 36)

    Quote Originally Posted by TonyKlein:
    My apologies for gatecrashing this thread, but there's a file we'd like to have a closer look at: C:\WINDOWS\Media\CertMgr.dll
    It looks to be a new parasite, so we'd like to receive a sample for analysis!

    Hi Tony, done deal, I just uploaded it. I knew that something still was not quite right with my computer even though the pop ups are gone, as while it seems to surf OK I still run into some strange snafus that I never experienced, such as pages freezing, mostly when I click on links (case in point: when I clicked on the link to your site everything froze up and I had to close the page using Ctrl+Alt+Del, since the page itself wouldn't respond to the normal close tab).

    I should also add this to what I just wrote: I normally would click on such a link by first holding down my Shift key to open it in another window, and this seems to be where I am now experiencing most freezing in IE (I can still do this trick in Firefox with no freezing), where I never did before. I am wondering if maybe this might be the result of one of the Spybot TeaTimer registry access change prompts that I may have clicked "Deny" to. (I never used TeaTimer until after starting this thread.) Or maybe my snafu could be from some ZoneAlarm gear grinding (I just started using ZA since this thread started, as I switched over from AVG; I am thinking that maybe I should have stuck with them, at least then I would now be comparing apples to apples).

    Cheers and thanks for the extra help. And yes, Rip is doing a bang up job, I have been much impressed.

  8. #28
     TonyKlein, Security Expert (Join Date: Oct 2005, Location: The Netherlands, Posts: 138)

    Thanks for uploading the file. It's malware for sure: a keylogger/password stealer, by the looks of it...

  9. #29
     TonyKlein, Security Expert (Join Date: Oct 2005, Location: The Netherlands, Posts: 138)

    ... as a consequence, you want to close all instances of IE, then run HijackThis, check the following items, and have it fix them:

    O2 - BHO: Sertificate Infj - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll
    O21 - SSODL: OleExport - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll

    After that, restart your computer, then investigate the contents of the C:\WINDOWS\Media folder and delete the CertMgr.dll in case it should still be present there.

    NOTE: the CertMgr.dll files in the System32, DllCache and ServicePackFiles folders are legitimate Windows files and must not be removed!

    When done, please run HijackThis once again and post a (hopefully final) log for Rip to analyze.

    Thanks again for your cooperation!
    Last edited by TonyKlein; 2007-10-10 at 20:12.
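
TonyKlein's instructions above follow the standard order for a hook-based parasite: fix the O2 and O21 entries first (so Explorer and IE stop loading the DLL at logon), reboot, then delete the file, while leaving the genuine CertMgr.dll copies in System32, DllCache and ServicePackFiles alone. The script below is an added example, not code from the thread or from HijackThis; it automates that triage on the log posted in #25. It parses the O2/O3/O9/O21/O22 hook lines and flags an entry when its file is missing, when its CLSID is hooked into more than one place (the O2+O21 double hook on CertMgr.dll here), when its DLL lives outside the usual program or system directories, or when its file name borrows a real Windows DLL name outside that DLL's home; it then emits the fix-then-delete plan. The expected-directory list and the lookalike table are assumptions for the example, seeded from the three legitimate CertMgr.dll locations named in the post; the sample log lines are copied from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: hook lines copied from the HijackThis log posted earlier in
# this thread. The O23 line is included to show that non-hook sections are skipped.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (file missing)
O2 - BHO: Sertificate Infj - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll
O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - (no file)
O21 - SSODL: OleExport - {C777CF73-124F-3562-44AC-E685D962C63C} - C:\WINDOWS\Media\CertMgr.dll
O22 - SharedTaskScheduler: chinned - {a47e7ce0-263d-40aa-86bc-27c1f6433143} - C:\WINDOWS\System32\gdrtul.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis sections whose entries are "name - {CLSID} - file" COM hooks loaded by
# Explorer or Internet Explorer: O2 BHO, O3 toolbar, O9 IE button/menu item,
# O21 ShellServiceObjectDelayLoad, O22 SharedTaskScheduler.
HOOK_RE = re.compile(r"^(O(?:2|3|9|21|22)) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")

# Where a hook DLL normally lives on an XP box. Assumption for this example.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

# Genuine Windows DLL names that malware borrows, with the only directories where the
# real file lives (the three folders named in the post). Assumed minimal table.
SYSTEM_DLL_HOMES = {
    "certmgr.dll": ("c:\\windows\\system32\\",
                    "c:\\windows\\system32\\dllcache\\",
                    "c:\\windows\\servicepackfiles\\"),
}


def parse_hooks(log_text):
    """Pull every COM-hook entry out of a HijackThis log as a dict."""
    hooks = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if not m:
            continue
        section, kind, name, clsid, target = m.groups()
        missing = any(mk in target for mk in MISSING_MARKERS)
        path = target
        for mk in MISSING_MARKERS:
            path = path.replace(mk, "")
        hooks.append({"line": line, "section": section, "kind": kind, "name": name,
                      "clsid": clsid.upper(), "path": path.strip(), "missing": missing})
    return hooks


def in_expected_location(path):
    return path.lower().startswith(EXPECTED_ROOTS)


def is_lookalike(path):
    """True when the file name is a real Windows DLL but the file is not in that DLL's home."""
    low = path.lower()
    homes = SYSTEM_DLL_HOMES.get(low.rsplit("\\", 1)[-1])
    return homes is not None and not low.startswith(homes)


def triage(log_text):
    """Return the hook entries worth a second look, each with a list of findings."""
    hooks = parse_hooks(log_text)
    sections_per_clsid = defaultdict(set)
    for h in hooks:
        sections_per_clsid[h["clsid"]].add(h["section"])
    flagged = []
    for h in hooks:
        findings = []
        if h["missing"]:
            findings.append("missing-file")        # orphaned hook: harmless, but clean it up
        else:
            if not in_expected_location(h["path"]):
                findings.append("odd-location")    # e.g. a DLL under \WINDOWS\Media
            if is_lookalike(h["path"]):
                findings.append("lookalike-name")  # CertMgr.dll outside its real home
        sections = sections_per_clsid[h["clsid"]]
        if len(sections) > 1:                      # same object hooked into several places
            findings.append("multi-hook:" + "+".join(sorted(sections)))
        if h["name"] == "(no name)":
            findings.append("unnamed")
        if findings:
            flagged.append(dict(h, findings=findings))
    return flagged


def cleanup_plan(flagged):
    """Order the work the way the post does: fix the hooks, reboot, then delete the file."""
    fix_lines = [h["line"] for h in flagged]
    delete_paths = []
    for h in flagged:
        suspicious = {"odd-location", "lookalike-name"} & set(h["findings"])
        if suspicious and not h["missing"] and h["path"] not in delete_paths:
            delete_paths.append(h["path"])
    return {"fix_in_hijackthis": fix_lines, "delete_after_reboot": delete_paths}


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for h in flagged:
        print(", ".join(h["findings"]), "<-", h["line"])
    print(cleanup_plan(flagged)["delete_after_reboot"])
```

The lookalike check is the one that matters most for the NOTE in the post: it flags C:\WINDOWS\Media\CertMgr.dll but stays silent for the System32, DllCache and ServicePackFiles copies, so a script built on it cannot talk you into deleting the real file.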

  10. #30
     Member (Join Date: Oct 2007, Posts: 36)

    I did as you instructed, after which I checked the Media folder and indeed it was still there, but I cannot delete it. I tried twice: I right-clicked on it to delete, but before I could, it opened up an installation box and appeared to begin installing; no matter how many times I hit its Cancel button it regenerated and initiated installation again, like something from T2. Each time I had to use Ctrl+Alt+Del to get out of the situation. It also has text that labels it a Macromedia Certificate Snap-in (surely bogus). Any ideas as to how I can kill it? I could probably use Killbox-like software to delete it on the reboot, unless you have a better idea.
