| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 90733 | 2008-06-14 07:29:00 | Help with winaonymous | Vladimir (13865) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 678401 | 2008-06-14 07:29:00 | hey i just had a trojan recenty and i have gotten rid of it but when i go on the intnet a pop up keeps coming up that says to scan with winanonymous and when i press cancel it says scanning and then it says threat detected! then it says i should install winanonymous if i press cancel it just goes back to the first popup. heres a hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:38:18 p.m., on 14/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\Windows\System32\smss.exe C:\Windows\system32\csrss.exe C:\Windows\system32\winlogon.exe C:\Windows\system32\services.exe C:\Windows\system32\lsass.exe C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Windows\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Windows\system32\NMSSvc.exe C:\Windows\system32\nvsvc32.exe C:\Windows\system32\PnkBstrA.exe C:\Windows\System32\svchost.exe C:\Windows\System32\MsPMSPSv.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.e xe C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Windows\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\D-Link\DSL-200\dslstat.exe C:\Program Files\D-Link\DSL-200\dslagent.exe C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe C:\Windows\system32\PROMon.exe C:\Windows\System32\spool\drivers\w32x86\3\hpztsb0 5.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Valve\Steam\Steam.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.co.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe O4 - HKLM\..\Run: [IMJPMIG8.1] C:\Windows\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\Windows\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\Windows\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb0 5.exe O4 - HKLM\..\Run: [AutoLogon] regedit.exe /s \appl.zip\WXPPUPTW\logon.reg O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [BMff335d5c] Rundll32.exe "C:\Windows\system32\wgvdflvb.dll",s O4 - HKLM\..\Run: [fc006ec0] rundll32.exe "C:\Windows\system32\hnlfkgpj.dll",b O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?') O4 - HKUS\S-1-5-21-2326369520-2541319435-2214429306-1004\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User '?') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - gamingzone.ubisoft.com O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - launch.gamespyarcade.com O16 - DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} (SonySncMView Control) - 64.181.42.210:9006 O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - h17000.www1.hp.com O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - netbank.bgbank.dk O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - h30043.www3.hp.com O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - www2.incredimail.com O17 - HKLM\System\CCS\Services\Tcpip\..\{41530A51-1281-4D12-BC4E-D4364D78D701}: NameServer = 203.109.129.67 203.109.129.68 O20 - AppInit_DLLs: C:\Windows\system32\__c00F6601.dat O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\system32\NMSSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 8310 bytes |
Vladimir (13865) | ||
| 678402 | 2008-06-14 08:27:00 | Run HJT again tick these then tick fix checked Close browsers O4 - HKLM\..\Run: [AutoLogon] regedit.exe /s \appl.zip\WXPPUPTW\logon.reg O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [BMff335d5c] Rundll32.exe "C:\Windows\system32\wgvdflvb.dll",s O4 - HKLM\..\Run: [fc006ec0] rundll32.exe "C:\Windows\system32\hnlfkgpj.dll",b O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe 04 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - launch.gamespyarcade.com O20 - AppInit_DLLs: C:\Windows\system32\__c00F6601.dat Then reboot then get trojan remover in my sig, update then click on scan |
Speedy Gonzales (78) | ||
| 678403 | 2008-06-14 09:20:00 | Winanonymous is a rogue program, download rogueremover and run it. It should deal to it. It gets into the system via holes in the browser so go to windows update and make sure you are patched up. |
apsattv (7406) | ||
| 678404 | 2008-06-14 09:23:00 | Two below look suspect as well O4 - HKLM\..\Run: [BMff335d5c] Rundll32.exe "C:\Windows\system32\wgvdflvb.dll",s O4 - HKLM\..\Run: [fc006ec0] rundll32.exe "C:\Windows\system32\hnlfkgpj.dll",b |
apsattv (7406) | ||
| 678405 | 2008-06-14 09:46:00 | You only have to post 1 thread, I've asked the mods to merge the other thread. | Speedy Gonzales (78) | ||
| 1 | |||||