Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Continous "Security Alert" messages , leads to website virprotect.com. Remove please. Continous "Security Alert" messages , leads to website virprotect.com. Remove please.
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 12-22-2007, 02:26 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: winxp sp 02


Continous "Security Alert" messages , leads to website virprotect.com. Remove please.
have followed the five steps to do before starting a new thread, except the panda active scan cause it dont seem to finish scanning.
I am fairly new at this computer stuff and when I began to get a flashing security alert that wouldn't go away I got worried . I googled the website that it kept referring me to and I realized that I had a malware but now I don't know how to get rid of it. My friends told me that TSF were great at solving various kinds of problem so here i am
my DSS log is as follows:

Deckard's System Scanner v20071014.68
Run by Ägaren on 2007-12-22 22:01:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2007-12-22 21:01:49 UTC - RP105 - Deckard's System Scanner Restore Point
43: 2007-12-22 19:10:49 UTC - RP104 - Systemkontrollpunkt
42: 2007-12-21 16:37:16 UTC - RP103 - Systemkontrollpunkt
41: 2007-12-20 15:44:31 UTC - RP102 - Systemkontrollpunkt
40: 2007-12-18 19:35:16 UTC - RP101 - Systemkontrollpunkt


-- First Restore Point --
1: 2007-10-31 20:02:16 UTC - RP62 - Systemkontrollpunkt


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-22 22:04:46
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program\Video Add-on\icthis.exe
C:\Program\Video Add-on\isfmntr.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ESET\nod32kui.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Video Add-on\isfmm.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\alg.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\CheckPoint\ZAForceField\ISWSVC.exe
C:\Program\Video Add-on\icmntr.exe
C:\Program\CheckPoint\ZAForceField\ForceField.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\iTunes\iTunes.exe
D:\ventrilomixx\Ventrilo 2.1.4.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
D:\WINRAR\WinRAR.exe
C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\IswTmp\DwlRun\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - C:\Program\Video Add-on\isfmdl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll
O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Program\Video Add-on\ictmdl.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program\CheckPoint\ZAForceField\ForceField.exe" /start_mode="auto"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program\Delade filer\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program\Delade filer\Microsoft Shared\Web Components\10\OWC10.DLL
O22 - SharedTaskScheduler: duhr - {3e0cee63-f8bc-4485-a745-cc01b2a0e9d9} - C:\WINDOWS\system32\bdzzzcl.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program\CheckPoint\ZAForceField\ISWSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\ESET\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe


--
End of file - 8401 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
R3 ZDPNDIS5 (ZDPNDIS5 NDIS Protocol Driver) - c:\windows\system32\zdpndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 IswSvc (ForceField IswSvc) - "c:\program\checkpoint\zaforcefield\iswsvc.exe" <Not Verified; Check Point Software Technologies; ZoneAlarm ForceField>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program\winpcap\rpcapd.exe" -d -f "c:\program\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_80261043&REV_10\4&2E98101C&0&28F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_80261043&REV_10\4&2E98101C&0&28F0
Service: rtl8139


-- Files created between 2007-11-22 and 2007-12-22 -----------------------------

2007-12-22 21:08:16 0 d-------- C:\ZonedOut
2007-12-22 2154 0 d-------- C:\ie-spyad_zo
2007-12-22 21:02:34 0 d-------- C:\Program\SpywareBlaster
2007-12-22 15:07:35 0 dr-h----- C:\Documents and Settings\Ägaren\Recent
2007-12-22 15:04:17 0 d-------- C:\Program\CCleaner
2007-12-22 14:19:29 0 d-------- C:\Documents and Settings\Ägaren\Application Data\CheckPoint
2007-12-22 14:03:41 0 d-------- C:\Program\CheckPoint
2007-12-22 13:56:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 13:56:18 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 13:56:16 0 d-------- C:\WINDOWS\LastGood
2007-12-22 13:48:15 2524 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 13:47:31 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-22 13:47:31 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-22 13:47:31 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-22 13:47:30 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-22 13:47:30 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 13:47:29 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-22 13:39:58 0 d-------- C:\Program\VS Revo Group
2007-12-22 11:08:20 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 11:07:50 0 d-------- C:\Program\Video Add-on
2007-11-23 18:02:26 0 d-------- C:\Program\mIRC


-- Find3M Report ---------------------------------------------------------------

2007-12-22 14:34:55 0 d-------- C:\Program\Zoom Player
2007-12-21 17:55:04 0 d-------- C:\Documents and Settings\Ägaren\Application Data\uTorrent
2007-12-12 18:55:21 12800 --a-s---- C:\WINDOWS\system32\bdzzzcl.dll
2007-12-10 17:46:58 0 d-------- C:\Documents and Settings\Ägaren\Application Data\dvdcss
2007-11-25 19:35:40 0 d-------- C:\Documents and Settings\Ägaren\Application Data\Hamachi
2007-11-24 01:14:12 0 d-------- C:\Documents and Settings\Ägaren\Application Data\mIRC
2007-11-16 18:10:24 0 d-------- C:\Program\Cheat Engine
2007-11-09 23:49:29 0 d-------- C:\Program\Ocean Technology
2007-11-09 23:49:26 0 d--h----- C:\Program\InstallShield Installation Information
2007-11-09 23:49:01 0 d-------- C:\Documents and Settings\Ägaren\Application Data\InstallShield
2007-10-30 22:31:55 0 d-------- C:\Program\Activision
2007-10-28 09:31:39 438520 --a------ C:\WINDOWS\system32\perfh01D.dat
2007-10-28 09:31:39 81508 --a------ C:\WINDOWS\system32\perfc01D.dat
2007-10-22 21:30:13 0 d-------- C:\Documents and Settings\Ägaren\Application Data\Leadertech
2007-10-22 21:29:30 0 d-------- C:\Program\ECP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}]
2007-12-22 13:24 13312 --a------ C:\Program\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2007-12-04 13:02 370136 --a------ C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F2BADA0D-FD61-45EF-A994-64A073FD6613}"= C:\Program\Video Add-on\ictmdl.dll [2007-12-22 11:07 73728]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2007-12-04 13:02 370136]

[-HKEY_CLASSES_ROOT\CLSID\{F2BADA0D-FD61-45EF-A994-64A073FD6613}]

[-HKEY_CLASSES_ROOT\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"Smapp"="C:\Program\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 07:57]
"NvMediaCenter"="NvMCTray.dll" [2003-07-28 14:19 C:\WINDOWS\system32\nvmctray.dll]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2007-09-07 17:19]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ISW"="C:\Program\CheckPoint\ZAForceField\ForceField.exe" [2007-12-04 13:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
ZDWlan.lnk - C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-09-07 16:48:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program\Video Add-on\icthis.exe
"start"=C:\Program\Video Add-on\isfmntr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"= C:\WINDOWS\system32\bdzzzcl.dll [2007-12-12 18:55 12800]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2834991-5b94-11dc-ad78-806d6172696f}]
AutoRun\command- E:\autoplay.exe

*Newly Created Service* - ICSAK
*Newly Created Service* - ISWSVC
*Newly Created Service* - PROCEXP111



-- End of Deckard's System Scanner: finished at 2007-12-22 22:07:07 ------------

I do know it's christmas so take your time and btw Happy christmas your Swedish friend Nikey
Attached Files
File Type: txt extra.txt (21.6 KB, 1 views)
Nikey is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 12:47 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,754
OS: 2000 Pro; XP Pro; XP Home


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

    * IMPORTANT !!! Place combofix.exe on your Desktop


  2. Disconnect from the internet....pull the plug!
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  4. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall



  5. Follow the prompts. Type "1" and press Enter to begin the scan.
  6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  7. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  9. Re-establish an internet connection.
  10. Please download HijackThis to your desktop

    Alternate link

    Double-click on the file you just downloaded.
    Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

    Upon install, HijackThis should open for you.

    Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

    1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
    2. If you don't get the intro screen, just hit Scan and then click on Save log.
    3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 03:45 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: winxp sp 02


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Thank you fot your fast response , here are the logs

ComboFix 07-12-24.6 - Ägaren 2007-12-23 23:27:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.271 [GMT 1:00]
Running from: C:\Documents and Settings\Ägaren\skrivbord\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program\Video Add-on\icmntr.exe
C:\Program\Video Add-on\icthis.exe
C:\Program\Video Add-on\ictmdl.dll
C:\Program\Video Add-on\ictun.exe
C:\Program\Video Add-on\icun.exe
C:\Program\Video Add-on\isfmdl.dll
C:\Program\Video Add-on\isfmm.exe
C:\Program\Video Add-on\isfmntr.exe
C:\Program\Video Add-on\isfun.exe
C:\Program\Video Add-on\ot.ico
C:\Program\Video Add-on\ts.ico
C:\Program\Video Add-on

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-22 21:08 . 2007-03-31 12:12 <KAT> d-------- C:\ZonedOut
2007-12-22 21:06 . 2007-12-22 21:06 <KAT> d-------- C:\ie-spyad_zo
2007-12-22 21:02 . 2007-12-22 21:05 <KAT> d-------- C:\Program\SpywareBlaster
2007-12-22 21:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-22 15:04 . 2007-12-22 15:04 <KAT> d-------- C:\Program\CCleaner
2007-12-22 14:03 . 2007-12-22 14:03 <KAT> d-------- C:\Program\CheckPoint
2007-12-22 13:56 . 2007-12-22 13:56 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 13:56 . 2007-12-22 13:56 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 13:48 . 2007-12-22 13:48 2,524 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 13:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-22 13:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-22 13:47 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 13:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-22 13:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 13:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-22 13:43 . 2007-12-22 13:43 256 --a------ C:\WINDOWS\adaway.lic
2007-12-22 13:39 . 2007-12-22 15:05 <KAT> d-------- C:\Program\VS Revo Group
2007-12-22 11:08 . 2007-12-22 13:20 <KAT> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 11:53 --------- d-----w C:\Program\Zoom Player
2007-12-22 14:05 --------- d-----w C:\Program\VS Revo Group
2007-11-23 18:25 --------- d-----w C:\Program\mIRC
2007-11-16 17:10 --------- d-----w C:\Program\Cheat Engine
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 22:49 --------- d--h--w C:\Program\InstallShield Installation Information
2007-11-09 22:49 --------- d-----w C:\Program\Ocean Technology
2007-10-31 11:47 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-30 21:31 --------- d-----w C:\Program\Activision
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2007-12-04 13:02 370136 --a------ C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2007-12-04 13:02 370136]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-02 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"Smapp"="C:\Program\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 07:57]
"NvMediaCenter"="RunDLL32.exe" [2006-03-02 13:00 C:\WINDOWS\system32\rundll32.exe]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2007-09-07 17:19]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ISW"="C:\Program\CheckPoint\ZAForceField\ForceField.exe" [2007-12-04 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
ZDWlan.lnk - C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-09-07 16:48:51]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"= C:\WINDOWS\system32\bdzzzcl.dll [2007-12-12 18:55 12800]

R2 IswSvc;ForceField IswSvc;"C:\Program\CheckPoint\ZAForceField\IswSvc.exe" [2007-12-04 12:55]
R3 icsak;icsak;C:\Program\CheckPoint\ZAForceField\AK\icsak.sys [2007-12-04 13:02]
R3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\ZDPNDIS5.SYS [2004-01-14 10:30]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 23:36:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program\Eset\pr_imon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\bdzzzcl.dll
.
Completion time: 2007-12-24 23:39:10 - machine was rebooted
.
2007-12-12 17:53:56 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43:00, on 2007-12-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\CheckPoint\ZAForceField\IswSvc.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program\Eset\nod32kui.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\CheckPoint\ZAForceField\ForceField.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program\CheckPoint\ZAForceField\ForceField.exe" /start_mode="auto"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: duhr - {3e0cee63-f8bc-4485-a745-cc01b2a0e9d9} - C:\WINDOWS\system32\bdzzzcl.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6880 bytes
Nikey is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 03:56 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,754
OS: 2000 Pro; XP Pro; XP Home


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Hello, Nikey -

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

IE Custom Tools
IE Safety Features
Information Center

You may be presented with notification that they've already been uninstalled, or are otherwise corrupt, would you like to remove them from the list. Click on Yes, or OK.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java(TM) 6 Update 2

This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Leave Java(TM) 6 Update 3 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/204951-continous-security-alert-messages-leads-website-virprotect-com-remove-please.html

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{3e0cee63-f8bc-4485-a745-cc01b2a0e9d9}"=-
Collect::
C:\WINDOWS\system32\bdzzzcl.dll
C:\WINDOWS\adaway.lic
Save this as CFScript.txt




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 04:43 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: winxp sp 02


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Your file was successfully submitted.

ComboFix 07-12-24.6 - Ägaren 2007-12-25 0:27:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.112 [GMT 1:00]
Running from: C:\Documents and Settings\Ägaren\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ägaren\Skrivbord\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\adaway.lic
C:\WINDOWS\system32\bdzzzcl.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 23:41 . 2007-12-24 23:41 <KAT> d-------- C:\Program\Trend Micro
2007-12-24 23:39 . 2007-12-24 23:39 <KAT> d-------- C:\WINDOWS\system32\config\systemprofile\Lokala instõllningar
2007-12-24 23:39 . 2007-12-24 23:39 <KAT> d-------- C:\Documents and Settings\NetworkService\Lokala instõllningar
2007-12-24 23:39 . 2007-12-24 23:39 <KAT> d-------- C:\Documents and Settings\LocalService\Lokala instõllningar
2007-12-24 23:39 . 2007-12-24 23:39 <KAT> d-------- C:\Documents and Settings\Default User\Lokala instõllningar
2007-12-23 23:23 . 2007-12-23 23:23 <KAT> d-------- C:\Documents and Settings\Ägaren\Downloads
2007-12-23 23:23 . 2007-12-23 23:23 <KAT> d-------- C:\Documents and Settings\Ägaren\Downloads
2007-12-22 21:08 . 2007-03-31 12:12 <KAT> d-------- C:\ZonedOut
2007-12-22 21:06 . 2007-12-22 21:06 <KAT> d-------- C:\ie-spyad_zo
2007-12-22 21:02 . 2007-12-22 21:05 <KAT> d-------- C:\Program\SpywareBlaster
2007-12-22 21:02 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-22 15:04 . 2007-12-22 15:04 <KAT> d-------- C:\Program\CCleaner
2007-12-22 14:19 . 2007-12-22 14:19 <KAT> d-------- C:\Documents and Settings\Ägaren\Application Data\CheckPoint
2007-12-22 14:03 . 2007-12-22 14:03 <KAT> d-------- C:\Program\CheckPoint
2007-12-22 13:56 . 2007-12-22 13:56 <KAT> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 13:56 . 2007-12-22 13:56 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 13:48 . 2007-12-22 13:48 2,524 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 13:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-22 13:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-22 13:47 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 13:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-22 13:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 13:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-22 13:39 . 2007-12-22 15:05 <KAT> d-------- C:\Program\VS Revo Group
2007-12-22 11:08 . 2007-12-22 13:20 <KAT> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 23:22 --------- d-----w C:\Program\Java
2007-12-24 22:34 10,747,904 ---ha-w C:\Documents and Settings\Ägaren\NTUSER.DAT
2007-12-24 22:34 10,747,904 ---ha-w C:\Documents and Settings\Ägaren\NTUSER.DAT
2007-12-23 13:03 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\uTorrent
2007-12-23 11:53 --------- d-----w C:\Program\Zoom Player
2007-12-22 14:05 --------- d-----w C:\Program\VS Revo Group
2007-12-22 13:19 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\CheckPoint
2007-12-10 16:46 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\dvdcss
2007-11-25 18:35 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\Hamachi
2007-11-24 00:14 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\mIRC
2007-11-23 18:25 --------- d-----w C:\Program\mIRC
2007-11-22 15:52 --------- d-s---w C:\Documents and Settings\Ägaren\Application Data\Microsoft
2007-11-16 17:10 --------- d-----w C:\Program\Cheat Engine
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 22:49 --------- d--h--w C:\Program\InstallShield Installation Information
2007-11-09 22:49 --------- d-----w C:\Program\Ocean Technology
2007-11-09 22:49 --------- d-----w C:\Documents and Settings\Ägaren\Application Data\InstallShield
2007-10-31 11:47 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-31 11:47 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-30 22:18 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-10-30 21:31 --------- d-----w C:\Program\Activision
2007-10-29 22:45 1,289,728 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
2007-12-04 13:02 370136 --a------ C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"= C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll [2007-12-04 13:02 370136]

[HKEY_CLASSES_ROOT\clsid\{ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{80E552F9-F23B-4DD7-A1CD-80AA724529E6}]
[HKEY_CLASSES_ROOT\CheckPoint.ForceFieldToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-02 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"Smapp"="C:\Program\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 07:57]
"NvMediaCenter"="RunDLL32.exe" [2006-03-02 13:00 C:\WINDOWS\system32\rundll32.exe]
"nod32kui"="C:\Program\Eset\nod32kui.exe" [2007-09-07 17:19]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ISW"="C:\Program\CheckPoint\ZAForceField\ForceField.exe" [2007-12-04 13:00]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
ZDWlan.lnk - C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe [2007-09-07 16:48:51]

R2 IswSvc;ForceField IswSvc;"C:\Program\CheckPoint\ZAForceField\IswSvc.exe" [2007-12-04 12:55]
R3 icsak;icsak;C:\Program\CheckPoint\ZAForceField\AK\icsak.sys [2007-12-04 13:02]
R3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\ZDPNDIS5.SYS [2004-01-14 10:30]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

*Newly Created Service* - APPMGMT
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 00:35:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program\Eset\pr_imon.dll
.
Completion time: 2007-12-25 0:38:43
C:\ComboFix2.txt ... 2007-12-24 23:39
.
2007-12-12 17:53:56 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:42:23, on 2007-12-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\CheckPoint\ZAForceField\IswSvc.exe
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Analog Devices\SoundMAX\SMTray.exe
C:\Program\Eset\nod32kui.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\CheckPoint\ZAForceField\ForceField.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program\MSN Messenger\usnsvc.exe
D:\ventrilomixx\Ventrilo 2.1.4.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program\CheckPoint\ZAForceField\TrustChecker\Components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program\CheckPoint\ZAForceField\ForceField.exe" /start_mode="auto"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6629 bytes
Nikey is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-23-2007, 05:42 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,754
OS: 2000 Pro; XP Pro; XP Home


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Looking good now....

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 12-24-2007, 04:19 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 7
OS: winxp sp 02


Re: Continous "Security Alert" messages , leads to website virprotect.com. Remove ple
Here is the kaspersky scan report.

Tuesday, December 25, 2007 12:17:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/12/2007
Kaspersky Anti-Virus database records: 492825


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 30858
Number of viruses found 3
Number of infected objects 40
Number of suspicious objects 0
Duration of the scan process 00:39:30

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc63.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc63.exe NSIS: infected - 2 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Deckard\System Scanner\backup\DOCUME~1\GAREN~1\LOKALA~1\Temp\mirc631.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Ägaren\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ägaren\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ägaren\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ägaren\Skrivbord\[4]-Submit_2007-12-25@0.27.zip/bdzzzcl.dll Infected: Trojan-Downloader.Win32.Bojo.ab skipped

C:\Documents and Settings\Ägaren\Skrivbord\[4]-Submit_2007-12-25@0.27.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Ägaren\Skrivbord\Gamla genvägar\MIRC\d-000mi.rar/DVT.rar/Setup/mirc63.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Documents and Settings\Ägaren\Skrivbord\Gamla genvägar\MIRC\d-000mi.rar/DVT.rar/Setup/mirc63.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Documents and Settings\Ägaren\Skrivbord\Gamla genvägar\MIRC\d-000mi.rar/DVT.rar/Setup/mirc63.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Documents and Settings\Ägaren\Skrivbord\Gamla genvägar\MIRC\d-000mi.rar/DVT.rar/Setup/mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped

C:\Documents and Setti