One of the forums that I visit daily has banner ads on it, as a lot of forums do, normally just Google ads, but one has started popping up today, and I mean that literally, about "computer security". After the banner ad loads I get a popup saying the "your computer may be infected" thing, and it wants me to agree to download WinFixer to "fix my computer" and then tries to open a page in another window. I managed to get everything closed without clicking on the "OK" or even the "Cancel" buttons. I'm wondering what my chances are that this thing has installed on my comp despite my best efforts to stop it? Or am I panicking as I usually do?
I'm running Windows XP SP2 Home Edition, I have ZA installed, NAV 2005, and AAW, all updated w/ the current patches and updates. I know y'all will probably want to see AAW scan logs as well as possibly a HJT log? I'm running an online Panda scan right now, and after it's completed, I will download HJT and post a log if I have time tonight. I guess I should've posted this in the HJT forum, huh? The Panda scan looks to be about 2/4 done and so far all is good.... :sos:
EDIT: I should also add that I use Firefox, which is what I was using when the popup occurred.
EDIT #2: The online Panda scan just finished, and it came out clean, I'm off now to scan w/ AAW, will report back on the results tomorrow, most likely.
jat38, hello :)
I don't think it's a reason to panic. If you have enough knowledge of HJT you could look if there are any strange O2 objects in the log. WinFixer first installs a downloader as a BHO, which in turn calls for its buddies.
Please, by all means post a HJT-log here if you are the least uncertain.
Die Hard :)
I am more than happy to leave the HJT log in your hands, as I have no idea what I'm looking at, lol. I hope I did this right:
Logfile of HijackThis v1.99.1
Scan saved at 4:16:19 PM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122698823765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I have an AAW log should anyone need to see that. Also The Panda online scan, AAW scan, and NAV 2005 scans all came out clean.
Thanks for the help, Die Hard! :D
jat38 :)
That's a perfectly clean log :)
You could run HJT and checkmark and fix this line, just to tidy it up a little. It's a remnant of MS MoneyViewer. It's just an orphaned regkey.
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Regards
Die Hard :)
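Die Hard's advice above (look for strange O2 objects in the log, and fix the orphaned "(no file)" BHO line) is the kind of triage that can be scripted. The following Python is an added example written for this thread; it is not code from the forum, from HijackThis or from any of the posters. It parses HJT-style O2 (BHO) and O4 (Global Startup) lines, using a handful of lines copied from the log posted in this thread as its sample input, flags a BHO whose DLL is missing as safe to fix, and marks unnamed BHOs and unresolved startup shortcuts for a human look. The regexes and the "fix"/"review" severity labels are my assumptions about the log format, inferred from the lines above, not part of the HJT tool itself.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied verbatim from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
"""

# Assumed line shapes, inferred from the log above (not an official HJT grammar).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<target>.*)$")


@dataclass
class Finding:
    section: str   # HJT section the line came from, e.g. "O2"
    subject: str   # CLSID of the BHO or name of the startup shortcut
    severity: str  # "fix": safe to let HJT remove; "review": needs a human decision
    reason: str


def analyze(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the O2/O4 entries worth attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            if path == "(no file)":
                # CLSID still registered but its DLL is gone: an orphaned registry
                # key like the MoneyViewer remnant in this thread. Nothing can load.
                findings.append(Finding("O2", clsid, "fix",
                                        "BHO registered but its DLL is missing; orphaned key"))
            elif name == "(no name)":
                # A BHO without a display name is not malicious by itself, but a
                # downloader BHO would look like this too, so check the DLL's vendor.
                findings.append(Finding("O2", clsid, "review",
                                        f"unnamed BHO loading {path}; confirm the DLL's vendor"))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group("target") == "?":
            # HJT could not resolve the shortcut target; inspect the .lnk itself.
            findings.append(Finding("O4", m.group("name"), "review",
                                    "startup shortcut with unresolved target; inspect the .lnk"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.reason}")
```

Run against the sample, the script reports the Money BHO and the MsnFixer shortcut as "review" and the {FDD3B846-...} entry as "fix", which matches Die Hard's reading of the log: everything with a real file behind it is recognisable software, and only the dangling registration is worth cleaning up.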
:gwave: woohoo! Thanks Die Hard! You just took a huge load off my mind. :D
Be advised jat38, some websites are still practicing the use of the old JavaScript/HTML exploits to slip a pop-up in that sometimes I find myself after closing all my open windows.
I usually go tracing into the Windows Temporary Internet Files folder, where nothing shows on your screen from the web without landing there first. LoL (heh he)
I snag stuff up all the time, usually a waste of good HTML/JavaScript code, but lately I found a few .swf (Shockwave) Flash files that they are exercising use of to show those annoying pop-ups. It's really funny after you spend time looking at what ends up there; I have actually snagged those "SPYWARE HAS BEEN DETECTED ON YOUR PC" files and manipulated them to say other stuff. That stuff is easily launched into an IE browser. What you don't want, though, is your browser getting redirected to a malicious site that is set up to secretly download virus/spyware files.
Thanks for the tip, Easter. :D The site I mentioned in the above post has since removed the offending banner ad, which is good. I'll keep in mind what you said, though. I don't use IE anymore unless I absolutely have to, I have been a Firefox convert for sometime.
Hi jat38
Do you have any add-ons for Firefox? They are safe if downloaded from Mozilla.
Why I ask is I use "no scripts".
It blocks scripts, but will allow you to run the scripts you want at a site,
and also blocks the Flash ads !!!
Free and small.
When you allow scripts to run from a site it will auto reload that page and blocks 3rd-party junk.
I use it on Linux and XP without any trouble !
Thanks mitch! I'll look into that as well. I have a few Firefox add-ons, but don't have the one you mentioned. :)
Quote from: jat38 on September 29, 2005, 07:40:15 AM
Thanks for the tip, Easter. :D The site I mentioned in the above post has since removed the offending banner ad, which is good. I'll keep in mind what you said, though. I don't use IE anymore unless I absolutely have to, I have been a Firefox convert for sometime.
Not a prob, always glad to inform.
IE really doesn't have to be a problem; in fact I use nothing but IE all the time even though I have the much safer Opera. The thing that pesters me most about IE is it's so slow sometimes; I really expected a lot of lightning-quick instant page loads from it by now, but I guess they (M$) are more concerned with swaying minds to newer developments than perfecting the IE browser for quicker response. Security is really not much of an issue if they "seal" the breaches in the release updates without sacrificing speed for safety.
If you have success with Firefox I would stay with it; I'm just pointing out that IE doesn't have to be a problem, but it does take some extra utilities to tighten it up.