05-27-2005, 01:48 PM   #1
snub
Registered User
 
Join Date: May 2005
Posts: 35
OS: Win 2000


Winfirewall Popups

A computer within our company is getting the winfirewall popups and then IE shuts down. Ran AVG 7, found nothing - ran Housecall Trend Micro, found 6 items: ksidca.dat, s.dat, logtask.exe, wms.exe, catsys.exe and avrms.exe; deleted them - ran Adaware and found 4 items of Virtumonde, deleted them. The computer still has the same symptoms: Winfirewall popups and IE shuts down. AVG and Adaware were both updated prior to running. Posting my Hijackthis log that has been analyzed by the Hijackthis analyzer recommended here:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.97.7
Scan saved at 1:46:34 PM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Speech\playeula.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dealertrack.com/creditbureau/CBArchive.asp
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nualue.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vaniw.dat (file missing)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sndniam.dat
O2 - BHO: (no name) - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O2 - BHO: (no name) - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kabbew.dat
O3 - Toolbar: DealerTrack Toolbar - {A6790AA5-C6C7-4BCF-A46F-0FDAC4EA90EB} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [sysexp] C:\WINNT\Web\sysexp.exe
O4 - HKLM\..\Run: [*tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [*avodbc] C:\WINNT\system\avodbc.exe
O4 - HKLM\..\Run: [*vsswave] C:\WINNT\msagent\vsswave.exe
O4 - HKLM\..\Run: [*fontip] C:\WINNT\Tasks\fontip.exe
O4 - HKLM\..\Run: [*netplay] C:\WINNT\addins\netplay.exe
O4 - HKLM\..\Run: [*acdisk] C:\WINNT\Cursors\acdisk.exe
O4 - HKLM\..\Run: [*cabsvr] C:\WINNT\msagent\chars\cabsvr.exe
O4 - HKLM\..\Run: [*waves] C:\WINNT\java\TrustLib\waves.exe
O4 - HKLM\..\Run: [*dbmfc] C:\WINNT\repair\dbmfc.exe
O4 - HKLM\..\Run: [*accmp3] C:\WINNT\Speech\accmp3.exe
O4 - HKLM\..\Run: [*cat] C:\WINNT\Driver Cache\cat.exe
O4 - HKLM\..\Run: [*wms] C:\WINNT\repair\wms.exe
O4 - HKLM\..\Run: [*urlxml] C:\WINNT\addins\urlxml.exe
O4 - HKLM\..\Run: [*vbtapi] C:\WINNT\inf\vbtapi.exe
O4 - HKLM\..\Run: [*dbkey] C:\WINNT\Windows Update Setup Files\dbkey.exe
O4 - HKLM\..\Run: [*playinfo] C:\WINNT\Speech\playinfo.exe
O4 - HKCU\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O9 - Extra button: Click to toggle the DealerTrack Toolbar (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.c...lateViewer.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://206.93.126.238/apps/common/in...NFIG-CHECK.CAB
O16 - DPF: {57453726-BB83-11D2-9047-00105ACE49EC} (PhotoLoad Control) - http://www.dmotorworks.com/activex/IA/PhotoLoad.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.517662037
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.c...ridControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD39F89D-F845-4F60-82FB-8494BD4DA072}:


End of KRC HijackThis Analyzer Log.
====================================================================
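A small triage script for the O2 and O4 entries in a log like the one above, as an added example that is not part of the original post or of HijackThis itself. It takes a handful of lines copied from the log as its sample input and flags the patterns a practitioner would look at first: autoruns launched from odd subfolders of the Windows directory, asterisk-prefixed Run value names (the prefix Microsoft documents for RunOnce as forcing the entry to run even in Safe Mode), BHOs loaded from a user's Temp folder, BHOs whose DLL is already gone, and one binary registered under several autorun keys. The heuristics, the "normal subfolder" list and the function names are assumptions of this example, not verdicts; every flagged line still needs a human look.

```python
"""Triage helper for HijackThis-style logs (example code, not HijackThis's own).

Parses O2 (BHO) and O4 (autorun) lines and flags patterns that stand out in the
log above. The heuristics below are this example's assumptions, not rules from
HijackThis or the analyzer.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nualue.dat (file missing)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sndniam.dat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [*tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [*avodbc] C:\WINNT\system\avodbc.exe
O4 - HKLM\..\Run: [*cat] C:\WINNT\Driver Cache\cat.exe
O4 - HKCU\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)
WINDIRS = ("c:\\winnt\\", "c:\\windows\\")   # assumed Windows roots for this host
NORMAL_WINDIR_SUBFOLDERS = {"system32"}      # assumption: only system32 is expected for Run entries


def exe_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run command line, quoted or not."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.I)   # lazy match: stop at the first .exe, drop arguments
    return m.group(1) if m else cmd


def windir_subfolder(exe: str) -> Optional[str]:
    """First subfolder under the Windows directory (lower-cased), or None if the
    binary is outside the Windows directory or directly in its root."""
    low = exe.lower()
    for wd in WINDIRS:
        if low.startswith(wd):
            parts = low[len(wd):].split("\\")
            return parts[0] if len(parts) > 1 else None
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (subject, reason) findings for every suspicious O2/O4 line."""
    findings: List[Tuple[str, str]] = []
    autoruns: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m4 = O4_RE.match(line)
        if m4:
            name, exe = m4["name"], exe_from_command(m4["cmd"])
            autoruns[exe.lower()].append(f"{m4['hive']}\\{m4['key']}:[{name}]")
            if name.startswith("*"):
                findings.append((line, "asterisk-prefixed value name (the Safe Mode override prefix documented for RunOnce)"))
            sub = windir_subfolder(exe)
            if sub and sub not in NORMAL_WINDIR_SUBFOLDERS:
                findings.append((line, f"autorun launched from unusual Windows subfolder '{sub}'"))
            continue
        m2 = O2_RE.match(line)
        if m2:
            if m2["missing"]:
                findings.append((line, "orphaned BHO: CLSID still registered but DLL is gone"))
            if "\\temp\\" in m2["path"].lower():
                findings.append((line, "BHO loaded from a user Temp folder"))
    # One binary wired into several autorun locations is a persistence pattern worth noting.
    for exe, regs in autoruns.items():
        if len(regs) > 1:
            findings.append((exe, "same binary registered under " + ", ".join(regs)))
    return findings


def flagged_subjects(log: str) -> List[str]:
    """Distinct log lines or paths that received at least one finding."""
    return sorted({subject for subject, _ in triage(log)})


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {subject}")
```

Run it against a full log (paste the O2/O4 section into SAMPLE_LOG or read a file) and work the flagged lines first; entries under Program Files with a known vendor, like the Symantec and Java lines in the sample, produce no findings, while each of the asterisk-prefixed Fonts, Speech and Driver Cache autoruns produces two.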