dbase118
asked on
Strange behavior....possible virus...or spam....something odd
Strange problem just started occurring today. When I am on the net, every so often a captcha box pops up. It has the Windows XP logo with two words. Myspace is watermarked in the background. It basically says if I dont put in the codes it will restart the computer. I have never seen or heard of this one and Ive searched all the virus databases I can find and cant seem to find anything similar. Anyone ever heard of this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Nothing was checked. Maybe this line?
O4 - HKLM\..\Run: [Captcha5] rundll "C:\Program Files\captcha5.dll",captch a
O4 - HKLM\..\Run: [Captcha5] rundll "C:\Program Files\captcha5.dll",captch
ASKER
Found the offending file mstre8.exe associated with Windows Fake Security System Mal-ware. Think I got it removed with a tool called remove on reboot. Restarted file is gone waiting to see if there are further occurences.
ASKER
Thanks for the time guys. Everything seems to be working fine.
ASKER
Scan saved at 5:45:01 PM, on 11/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
C:\Program Files\Alwil Software\Avast4\ashServ.ex
C:\WINDOWS\system32\spools
C:\PROGRA~1\COMMON~1\AOL\A
C:\Program Files\Bonjour\mDNSResponde
C:\WINDOWS\eHome\ehRecvr.e
C:\WINDOWS\eHome\ehSched.e
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.S
C:\WINDOWS\system32\svchos
C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
C:\Program Files\Alwil Software\Avast4\ashWebSv.e
C:\WINDOWS\system32\wscntf
C:\WINDOWS\system32\dllhos
C:\WINDOWS\ehome\ehtray.ex
C:\Program Files\Java\jre1.6.0_03\bin
C:\WINDOWS\eHome\ehmsas.ex
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\A
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\P
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast
C:\Program Files\Common Files\AOL\1213927454\ee\AO
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbar
C:\WINDOWS\system32\ctfmon
C:\Program Files\Yahoo!\Messenger\Yah
C:\WINDOWS\system32\lxcico
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wuaucl
C:\Program Files\Java\jre1.6.0_03\bin
C:\Program Files\Common Files\AOL\1213927454\ee\an
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
c:\windows\mstre8.exe
C:\WINDOWS\system32\rundll
C:\WINDOWS\system32\cmd.ex
C:\Program Files\Alwil Software\Avast4\setup\avas
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJ
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-E
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.E
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\P
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1213927454\ee\AO
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [systray] c:\windows\mstre8.exe
O4 - HKLM\..\Run: [Captcha5] rundll "C:\Program Files\captcha5.dll",captch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\Yah
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-6
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-5
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-5
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {4871A87A-BFDD-4106-8153-F
O16 - DPF: {6414512B-B978-451D-A0D8-F
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\A
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.ex
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.e
O23 - Service: ##Id_String1.6844F930_1628
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcico
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.S
--
End of file - 10209 bytes