
IE malware

Discussion in 'Windows - Virus and spyware problems' started by krp1, May 14, 2007.

  1. krp1

    krp1 Member

    Hello

    My IE6 pops up by itself and goes to some web pages (advertising).
    I ran Ad-Aware, but it did not help.

    I also ran HijackThis, and here are the results. Can anybody help me
    check whether there is anything that normally should not be there?

    Thanks4help!


    Logfile of HijackThis v1.99.1
    Scan saved at 17:34:46, on 14.5.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\Aclient.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINNT\system32\PROT_SRV.EXE
    C:\WINNT\system32\pagents.exe
    C:\WINNT\system32\PSTARTSR.EXE
    C:\Program Files\TiFiC\TiFiC System Service\TiFiC System Service.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINNT\stsystra.exe
    C:\WINNT\system32\igfxsrvc.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Pointsec\P95tray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\PROGRA~1\MESSEN~1\Msmsgs.exe
    C:\Program Files\Power DVD Player\PowerDVDPlayer.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
    C:\WINNT\system32\proquota.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DATA\lataus\hijackthis_sfx.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINNT\system32\NOTEPAD.EXE
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [PeregrineStart] wscript.exe "C:\WINNT\Script\PeregrineStart.vbs"
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
    O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Highlight - C:\WINNT\Web\HIGHLI~1.HTM
    O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\Web\frm2new.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINNT\Web\source.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.Microsoft.com

    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - ...
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tcad.telia.se
    O17 - HKLM\Software\..\Telephony: DomainName = tcad.telia.se
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tcad.telia.se
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\Aclient.exe
    O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
    O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
    O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TiFiC System Service - TiFiC AB - C:\Program Files\TiFiC\TiFiC System Service\TiFiC System Service.exe
     
    Last edited: May 15, 2007
  2. krj15489

    krj15489 Regular member

    Try the Windows virus and spyware section; they can help you more. Also switch to Firefox, better for internet.
     
  3. ddp

    ddp Moderator Staff Member

    moved to correct forum
     
  4. Fredil

    Fredil Regular member

    Thank you, ddp; I'll take it from here :)

    In your HijackThis, do a scan only. Place checks beside the following:

    O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
    O4 - HKCU\..\Run: [Power DVD Player] "C:\Program Files\Power DVD Player\PowerDVDPlayer.exe" hmw
    O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
    O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\Web\frm2new.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINNT\Web\source.htm


    Take a look at all the O15 entries and all the O17 entries. Did you add them/Do you know them? If not, place checks beside them as well.

    Press "Fix Checked".

    There's no known virus that uses these files, as all websites say that they are being identified:

    C:\WINNT\system32\PROT_SRV.EXE
    C:\WINNT\system32\pagents.exe
    C:\WINNT\system32\PSTARTSR.EXE


    If you use Pointsec Hard Disk Encryption, those should be safe.
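    A small triage helper for the kinds of HijackThis entries the post above walks through (O4 autoruns, O8 context-menu items, O17 domain settings, O23 services). It is added here as an example and is not code from the thread or from HijackThis; the sample log lines and the flagging rules are constructed for the example and are only a starting point for a human review.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the kinds of
# entries this thread discusses (not the original poster's full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [startup_local] C:\Program Files\Startup_Local\startup_local.vbs
O4 - HKLM\..\Run: [PeregrineStart] wscript.exe "C:\WINNT\Script\PeregrineStart.vbs"
O8 - Extra context menu item: &Web Search - C:\WINNT\Web\SELSEA~1.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tcad.telia.se
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

# Each finding is "<section> - <body>"; the header and process-path lines never match.
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

def parse_hjt(text):
    """Return (section, body) tuples for every finding line in a log."""
    matches = (HJT_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def review_entry(section, body):
    """Reasons an entry deserves a human look (empty list = not flagged).
    These are this example's own triage heuristics, not HijackThis verdicts."""
    reasons = []
    low = body.lower()
    if section == "O4":
        # An autorun that runs a script, directly or through a script host,
        # is a classic home for a pop-up launcher.
        if low.endswith(SCRIPT_EXT) or any(h in low for h in SCRIPT_HOSTS):
            reasons.append("autorun launches a script")
    elif section == "O8":
        # Context-menu items backed by loose .htm files are unusual;
        # Office's res:// entries are the expected kind.
        if ".htm" in low and "res://" not in low:
            reasons.append("context menu item backed by a local .htm file")
    elif section == "O17":
        reasons.append("DNS domain/suffix setting; confirm it matches your network")
    elif section == "O23" and "(file missing)" in low:
        reasons.append("service image path does not exist")
    return reasons

def triage(text):
    """Map each flagged finding line to its reasons, in log order."""
    reviewed = ((f"{s} - {b}", review_entry(s, b)) for s, b in parse_hjt(text))
    return {line: reasons for line, reasons in reviewed if reasons}
```

    Running `triage(SAMPLE_LOG)` flags the two script autoruns, the loose .htm context-menu item, the O17 domain entry and the missing service binary, while the Intel tray autorun and the Office res:// entry pass.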
     
  5. krp1

    krp1 Member

    thanx 4 help.

    My friend solved the problem with Spybot Search & Destroy.

    -krp-
     
    Last edited: May 15, 2007
