System Alert: Spyware Detected - Secret Crush

  gddss2000 01:57 14 Aug 2006

I have tried Adaware, Spybot, Trojan Hunter, Avast, AVG, Hijack This and none of them have been able to catch this little bugger. I'll post it in two parts as there's a limit on characters here.

Logfile of HijackThis v1.99.1

Running processes:
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Functions\iTouch.exe
C:\Program Files\IntCodec\pmmon.exe
D:\Program Functions\kbdtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Functions\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrojanHunter 4.5\TrojanHunter.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\Program Functions\HijackThis.exe

  gddss2000 01:58 14 Aug 2006

part II

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Functions\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Functions\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Functions\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StopCop] C:\Program Files\StopCop Popup Software Trial\stopcopt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Functions\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - click here
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - click here
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any help would be appreciated.

  gddss2000 02:00 14 Aug 2006

Sorry, I don't see an edit button and it looks as if I had to split it up into 3 parts. This is the second part, the second post is the third piece.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program functions\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)

  beynac 08:21 14 Aug 2006

You have a Trojan. Possibly click here

Ewido should be worth a try. Download it from click here . Update it and run a scan.

  johnnyrocker 10:11 14 Aug 2006

If XP, have you run the scans with System Restore disabled and also possibly in Safe Mode?


  gddss2000 01:18 15 Aug 2006

Ok, so after a very educational walk-through from a friend last night I have been able to overcome this, and I wanted to post so hopefully I could help some others with the knowledge I've gained.

Ok, so basically these types of viruses embed themselves and cause a false alert telling you that you have a virus, and then you click on the flashing icon in your tray and it takes you to a website where you can buy their $50 miracle to cure your virus.

My friend told me to bring up my task manager by pressing ctrl+alt+del and send him the list of processes that I had running that had me as the user (he said that most required Windows programs will have 'SYSTEM' listed as the user). The two files that came up for this virus were pmsngr.exe and pmmon.exe. Fortunately he had enough knowledge of the basic programs that should be running that he was able to pick those out. When I did a search for the files by pressing Start, then Search, looking in all files and folders, I then found where they were located.

For mine in particular, it placed itself under c:\Program Files\IntCodec

Of course it wouldn't let me delete the whole thing. My solution to this was to reboot into Safe Mode, go into the Program Files folder, delete the IntCodec folder, and then empty my Recycle Bin.

After this, for further clean-up, you'll want to delete the registry entries. Do this by pressing Start, then choosing Run. Type in regedit and then hit Enter. This will bring up your registry keys. To do a search, press F3 and type in the name of the file. I had to close out and repeat the process for each file, as when I hit F3 again it would look for the same file, though this can be handy too, as it seems the registry keys like to hide in several places. Repeat this process until all files are deleted. Also do a search for the name of the virus; in my case, I did a search on 'secret' and 'crush'. Basically, as it was explained to me, the registry key's purpose is to tell the file which contains the virus what to do, where to go, etc., and it also has a way to connect to the internet and update or replace the virus files if deleted; this is why it's important to delete the registry keys as well. Once this is done, reboot. You should be good to go. He did tell me also that if it comes back to repeat this process, as sometimes you may miss a file or registry key, and to continue until it's gone. It's been 24 hours *crosses fingers* and no return of the every-two-minutes pop-up.

I hope this has been a simple enough write-up for my fellow average user to understand and fight against this type of thing without wasting hours and hours of precious time, as I had to, to learn about and destroy this thing.
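The registry search described in this post (F3 in regedit, one file name at a time, repeated because "the registry keys like to hide in several places") can be done in one pass against a `reg export` dump instead of by hand. The following Python script is an added example, not the poster's procedure: it parses a .reg export, lists every key that mentions any of the file or folder names from this thread, and then pivots on CLSIDs so that a key which only references the add-on's {GUID} (as the SSODL and toolbar entries in the log do) is found as well. The embedded export is constructed to match the entries in the posted HijackThis log; it is not a real export from the poster's machine, and the indicator list is the set of names from the thread.

```python
"""Find every registry key that references a set of indicators in a .reg export.

Added example for this thread. Mirrors the manual regedit/F3 search, but
also follows CLSID references, because a persistence entry often stores only
the {GUID} while the file path lives under HKEY_CLASSES_ROOT\CLSID\{GUID}.
"""
import re

# Constructed .reg export, shaped like `reg export` output and built to match
# the O4/O21/O3 entries in the HijackThis log posted in this thread.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

[HKEY_CLASSES_ROOT\CLSID\{874443fe-aa33-4ebf-a6ac-73208787e62d}\InprocServer32]
@="C:\\WINDOWS\\system32\\viruxz.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{a2595f37-48d0-46a1-9b51-478591a97764}\InprocServer32]
@="C:\\Program Files\\IntCodec\\iesplugin.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A2595F37-48D0-46A1-9B51-478591A97764}"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\IntCodec]
"InstallDir"="C:\\Program Files\\IntCodec"
"""

# Names taken from this thread: the folder, the two processes, the SSODL DLL
# and its entry name, and the infection's display name.
INDICATORS = ["IntCodec", "pmsngr.exe", "pmmon.exe", "viruxz.dll", "bestreak", "secret crush"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)


def parse_reg(text):
    """Return (key, value_name, data) records; value_name/data are None for key lines."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            records.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            records.append((key, name, m.group(2)))
    return records


def _blob(record):
    """Lower-cased concatenation of the non-empty parts of a record, for substring search."""
    return " ".join(part for part in record if part).lower()


def find_references(text, indicators):
    """Return the sorted list of keys mentioning an indicator, directly or via a CLSID pivot."""
    records = parse_reg(text)
    needles = [i.lower() for i in indicators]
    hits = {rec[0] for rec in records if any(n in _blob(rec) for n in needles)}
    # Pivot: collect GUIDs that appear in any hit key or its values, then add
    # every key that references one of those GUIDs (e.g. SSODL, toolbar lists).
    guids = set()
    for rec in records:
        if rec[0] in hits:
            guids.update(g.lower() for g in GUID_RE.findall(" ".join(p for p in rec if p)))
    for rec in records:
        if any(g in _blob(rec) for g in guids):
            hits.add(rec[0])
    return sorted(hits)


if __name__ == "__main__":
    for key in find_references(REG_EXPORT, INDICATORS):
        print(key)
```

On the constructed export this lists the SSODL key, both CLSID\InprocServer32 keys, the toolbar key that only holds the {GUID}, and the IntCodec software key, and leaves the legitimate Run entries alone; reviewing that list is the equivalent of the repeated F3 searches, with the CLSID pivot catching the "hidden" references.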

  gddss2000 01:22 15 Aug 2006

One final reminder I forgot to mention: make sure you empty your Recycle Bin of the registry keys before your final reboot. You don't want those little buggers coming back from the dirty grave... lol
