Author Topic: Extremely annoying warning message


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Extremely annoying warning message
« Reply #15 on: May 19, 2009, 01:55:48 PM »
Randel,

I did a "google" of that file name, and there are a lot of hits. (This is good.) Thought I'd offer some results:
NoVirusThanks, (about halfway down there are manual removal instructions).
Prevx Info. (Prevx makes a type of scanner/monitor which has quite a following, and thanks to a large user database tends to have quite a large malware database.)
Windows 10,Windows Firewall,Firefox w/Adblock.

Randel

  • Guest
Re: Extremely annoying warning message
« Reply #16 on: May 19, 2009, 06:26:45 PM »
Thanks for the help.

1. Temporary files cleaned

2. Avast boot scan done - nothing found

3. MBAM, I got this
Quote
Malwarebytes' Anti-Malware 1.36
Version de la base de données: 2154
Windows 5.1.2600 Service Pack 2

19/05/2009 17:27:49
mbam-log-2009-05-19 (17-27-49).txt

Type de recherche: Examen rapide
Eléments examinés: 71188
Temps écoulé: 2 minute(s), 8 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 4
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Xavier\Local Settings\Temp\wJQs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

4. RootkitBuster - nothing found

5. HijackThis
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:43, on 19/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205780422468
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Extensions du pilote WMI WmiSSDPSRV (WmiSSDPSRV) - Unknown owner - C:\WINDOWS\system32\1042n.exe

--
End of file - 5548 bytes
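
The MBAM log above flagged two registry locations: the LSASS SecurityProviders list (an extra "digiwet.dll" appended) and the three Security Center *DisableNotify switches set to 1. The script below is an added example for re-checking those locations after cleanup; it is not from this thread or from any of the tools mentioned, and the known-good provider list is an assumption for an XP-era box that should be adjusted to the host being checked. Run it in an elevated PowerShell session.

```powershell
# Added example: audit the registry locations the MBAM log flagged (not code from the thread).
$findings = @()

# 1. SecurityProviders is a comma-separated list of SSP DLLs that LSASS loads at boot,
#    so an unknown entry here is a persistence mechanism. Known-good list is an assumption.
$knownProviders = @('msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll',
                    'credssp.dll', 'pwdssp.dll', 'tspkg.dll')
$spKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$spValue = (Get-ItemProperty -Path $spKey -Name SecurityProviders).SecurityProviders
foreach ($entry in ($spValue -split ',')) {
    $name = $entry.Trim()
    if ($name -and ($knownProviders -notcontains $name.ToLower())) {
        $findings += "Unexpected entry in SecurityProviders: $name"
    }
}

# 2. Security Center notification switches: a value of 1 silences the warnings that
#    antivirus, the firewall, or updates are off, which is why malware sets them.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($valueName in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $item = Get-ItemProperty -Path $scKey -Name $valueName -ErrorAction SilentlyContinue
    if ($item -and $item.$valueName -eq 1) {
        $findings += "$valueName is set to 1 (Security Center warning suppressed)"
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

If an unexpected provider DLL is reported, look up the file by path before removing anything, since a legitimate third-party SSP (for example from a VPN or smart-card package) can also appear in this list.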

CharleyO

  • Guest
Re: Extremely annoying warning message
« Reply #17 on: May 20, 2009, 02:04:17 AM »
***

An analysis of your HJT log shows only one problem :

Platform: Windows XP SP2 (WinNT 5.01.2600)

A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.


***

Offline Tarq57

Re: Extremely annoying warning message
« Reply #18 on: May 20, 2009, 02:06:23 AM »
Looks to me that you need to update your Java, and IE is at version 8 now; you appear to have version 6.

ponsfrilus

  • Guest
Re: Extremely annoying warning message
« Reply #19 on: May 20, 2009, 02:14:02 AM »
I don't get the message anymore.

So what have you done???

CharleyO

  • Guest
Re: Extremely annoying warning message
« Reply #20 on: May 20, 2009, 02:48:11 AM »
***

I forgot the Java version ... thanks, Tarq.   :)


***

Randel

  • Guest
Re: Extremely annoying warning message
« Reply #21 on: May 20, 2009, 09:54:09 AM »
I don't get the message anymore.

So what have you done???

I just rebooted the computer. But when the computer restarted I got a message from my firewall saying that an unauthorized program was trying to access the internet [pqarocuvuw yfyqu (c:\windows\ld08.exe)].

I don't know if there is a relation between these 2 events.

PS : thanks for the help all.

Offline Tarq57

Re: Extremely annoying warning message
« Reply #22 on: May 20, 2009, 10:26:15 AM »
Hopefully you blocked permission for that connection? There is malware still active.
I'd have a look at the data contained in the link I posted above, and see if you can find any of those files in the file and registry system, and if you can delete them to the recycle bin. (Don't empty the bin. Leave everything as it is afterward for a while.) Then update and run MBAM again.

Randel

  • Guest
Re: Extremely annoying warning message
« Reply #23 on: May 20, 2009, 01:38:39 PM »
Hopefully you blocked permission for that connection? There is malware still active.
I'd have a look at the data contained in the link I posted above, and see if you can find any of those files in the file and registry system, and if you can delete them to the recycle bin. (Don't empty the bin. Leave everything as it is afterward for a while.) Then update and run MBAM again.

Yes, I blocked the permission & removed the file with HijackThis.

It was before the full boot avast scan, MBAM scan & RootkitBuster scan.

The HijackThis log I posted earlier was done after all these steps.

Offline Tarq57

Re: Extremely annoying warning message
« Reply #24 on: May 20, 2009, 01:48:35 PM »
Just let me get this straight, the order or sequence of events:
You fixed it with HjT, scanned with Avast, scanned with MBAM then rootkit buster, restarted.
After these measures you still got that file trying to connect?
Or is that file permanently silenced, and had tried to connect before you removed it?

If it is the former, something is rebuilding that file, and needs to be fixed.

Randel

  • Guest
Re: Extremely annoying warning message
« Reply #25 on: May 20, 2009, 02:20:17 PM »
The steps were :

1. Got this message from avast
Quote
19.05.2009  11:23:09  Network Shield: blocked access to malicious site mixmediadirect.cn/gate/gate.php [ C:\WINDOWS\system32\svchost.exe ( 3896 ) ]

2. Restart computer

3. When the computer restarted I got a message from my firewall saying that an unauthorized program was trying to access the internet [pqarocuvuw yfyqu (c:\windows\ld08.exe)].

4. Blocked the permission & removed the file with HijackThis

4bis. I don't get the first message anymore (I checked the avast Network Shield: the file must be cleaned because it doesn't try to connect to the malicious site anymore)

5. avast boot scan, MBAM scan (you can see the log in a previous post), RootkitBuster scan and then a final HijackThis scan.

Hope this helps.

Offline Tarq57

Re: Extremely annoying warning message
« Reply #26 on: May 20, 2009, 02:23:09 PM »
All clear, now, thank you, just wanted to make sure you didn't still have the thing on your computer.
As much as I can be certain, you should be clean.
 ;)

Randel

  • Guest
Re: Extremely annoying warning message
« Reply #27 on: May 20, 2009, 02:31:30 PM »
Again thanks for the help, greatly appreciated.

theslydog

  • Guest
Re: Extremely annoying warning message
« Reply #28 on: June 02, 2009, 11:28:45 PM »
Hi everyone, I'm using avast home 4.8...

ever since I visited this random website, the following popup keeps appearing every 5 minutes or so... I'm afraid it has installed some sort of process in my system without my consent...


How can I get rid of this warning and how can I delete it forever?

Thanks

I had this exact same problem. I tried a number of scanners and standalone scanners, reinstalls, and they came up with nothing.
In fact when I restarted after a fresh install of avast the system icons disappeared from the system tray.

What fixed it was:
run ATF-Cleaner first, use 'select all' and clean out every temp and associated file
run Malwarebytes' Anti-Malware - mbam (this great program found the nasties)
run Avast Antirootkit cleaner - aswar
run HijackThis to recheck all
run Registry Mechanic or similar to check/fix the registry

When I restarted all was working again.

« Last Edit: June 02, 2009, 11:32:40 PM by theslydog »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Extremely annoying warning message
« Reply #29 on: June 03, 2009, 02:55:20 AM »
ever since i visited this random website, the following popup keeps appearing every 5 minutes or so... i'm afraid it has installed some sort of process in my system without my consent...
avast should be blocking the access to this webpage with NetShield. Are you saying that, regardless of that, you were infected, i.e., avast failed to block the infection? ???
The best things in life are free.