All anti-malware fail to pick up this, what to do?

Discussion in 'other anti-malware software' started by gevin, Oct 25, 2006.

Thread Status:
Not open for further replies.
  1. gevin

    gevin Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    71
    My friend's PC has a big problem: its IE 6 keeps popping up an XXX window every 5-10 min, showing a page from www.suaibbs.com/buy/index.html or www.qddown.com/love.html. I tried to help him fix it, using Ad-aware, AVG antispy 7.5, Spybot, MS Defender and PrevX to scan his system, but all failed to detect anything funny.

    What should I do next?
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  3. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    If you haven't done so already, contact Prevx support through the link on the Prevx1 console.
     
  4. gevin

    gevin Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    71
    Thanks for the advice. I will try those options and will post the result later.
     
  5. gevin

    gevin Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    71
    Arrrrg, the popup still won't go away after so many scans, as suggested. I have posted the HijackThis log at the Castlecops.com HijackThis forum and am waiting for an expert response. Can anyone help here?
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Your HijackThis log looks clean, but I guess that the process "FilMsg.exe" should be located in:

    "C:\Program Files\Common Files\Filseclab\FilMsg.exe" not in "c:\windows\system\FilMsg.exe".

    Have you installed Filseclab Messenger? If you did not, proceed to the following:

    Start - Run - Services.msc - Find the service "Computer Browsereser" - Stop it.

    Now try to terminate the process "FilMsg.exe" in the Task Manager (if it is still there).

    If it helps, then set service startup type to "Disabled" and delete the file "FilMsg.exe".

    Create a txt file, put what is in the code below into it, then change the txt extension to reg and run it.
    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceF2]

    If it does not help, post a RootkitRevealer log in the RR Forum, maybe you have a rootkit.
     
    Last edited: Oct 26, 2006
  7. gevin

    gevin Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    71
    Hi TOM_SK,

    It seems your suggested steps work. Yes, I don't have Filseclab Messenger, so I'm sure it is the FilMsg.exe messing up my friend's IE. I followed all the steps, and his system & IE are very quiet now, no popup.

    Btw, I scanned the PC with CureIt and found one probable trojan file named "dowoxt.exe", which I deleted. It has the same date stamp as "filmsg.exe", and that is the day the stupid popup started. I don't know whether it has any link with the issue, because there were still popups after it was deleted.

    Have been monitoring for hours; it should be clear now. Thanks for the big help. Appreciated. :)
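
The location check used in the reply above (FilMsg.exe running from c:\windows\system rather than from its Filseclab folder), applied to the O23 service lines of a HijackThis log. This is an added example, not part of the thread; the expected-path table and the sample log are constructed, and pairing "Computer Browsereser" with the ServiceF2 key is an assumption drawn from that reply.

```python
import ntpath
import re

# Install directory expected for a given executable name. The FilMsg.exe entry
# is the location quoted in the thread; the table itself is an assumption.
EXPECTED_DIRS = {"filmsg.exe": r"C:\Program Files\Common Files\Filseclab"}

# HijackThis NT-service line:
#   O23 - Service: <display name> [(<service key>)] - <company> - <image path>
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))? - "
    r"(?P<company>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

def parse_services(log_text):
    """Return one dict (display, key, company, path) per O23 line."""
    found = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def misplaced_services(log_text, expected=EXPECTED_DIRS):
    """Flag services whose binary name is known but sits in another folder."""
    hits = []
    for svc in parse_services(log_text):
        # normcase lowercases and unifies slashes, matching Windows semantics.
        folder, name = ntpath.split(ntpath.normcase(svc["path"]))
        want = expected.get(name)
        if want is not None and folder != ntpath.normcase(want):
            hits.append((svc["key"] or svc["display"], svc["display"], svc["path"]))
    return hits

# Constructed sample log (not the poster's real one), built from the names
# mentioned in the thread plus two made-up benign services.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O23 - Service: Example Agent - Example Corp - C:\Program Files\Example\agent.exe
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe
O23 - Service: Computer Browsereser (ServiceF2) - Unknown owner - c:\windows\system\FilMsg.exe
"""

if __name__ == "__main__":
    for key, display, path in misplaced_services(SAMPLE_LOG):
        print(f"review service {key!r} ({display}): unexpected location {path}")
```

A hit only says the binary is not where its vendor installs it; signature scanners that match on file content can miss this, which is why the path comparison is worth running separately.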
     