Tech Support Forum - View Single Post

hikkifan84 · 02-26-2005, 10:34 AM

Every few minutes I receive a pop-up from Norton Antivirus telling my that the virus Download.Trojan has been detected and the file has been removed. When I click 'Ok' the box immediately comes back with the same message.

I think the infection may have occurred I ran the file winupdt.exe accidently. A window popped up asking if I wanted to download browser enhancements. I usually close the window without hitting "Yes", but at the time I was in the middle of writing a program and accidently hit 'Yes'. I noticed that my Firewall kept popping up asking permission for file to access the internet. At first, I allowed them because my ISP, Bluelight, often wants to install harmless updates to my browser. After awhile, I started denying permission. A few minutes later, I ran my virus scan and that's when the virus was detected and I noticed Casino and Game icons on my desktop. Every few minutes, I get random pop-up ads and links in the text of online documents which take me to "EnhanceMySearch". Adaware deleted what it detected to be Malware and the programs on my desktop were deleted. However, I am still being prompted from Norton that it has removed the same Trojan and Trojan Dropper.

I have run Norton, Adaware, and Spy Sweeper which have removed some files. I can't download Spybot for some reason. I have tried downloading it with both IE and Firebox, but the download stops in the middle and the file is corrupt.

If anyone could help me figure out what to delete, I would be ever so greatful ^_^ Here is my HijackThis log, I used the HijackThis Analyzer to generate this log:

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton<a onMouseOver="window.status='' ; return true;" onMouseOut="window.status='';" oncontextmenu="window.status=''; return true;" onclick="location.href='http://www.enhancemysearch.com/admin/results.php?q=Antivirus&id=49';return false;" href="" TITLE="More Info..."> AntiVirus </a>- {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:59:33 AM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\ntmrxy.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\Sharita\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.mybluelight.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\BLSearch\SearchEnh1.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O3 - Toolbar: Browser Bar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\BlueLight Internet\toolbar.dll
O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\Toolbar.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [2ssP33j] nwcanui.exe
O4 - HKLM\..\Run: [8k3or6e9] C:\Program Files\8k3or6e9\8k3or6e9.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\BLSearch\blspc.exe" -w
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - HKCU\..\Run: [JB3FRTHsO] ntmrxy.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DEBAF0-BA47-42AF-9A1F-2C23548E5F0C}: NameServer = 64.136.20.173 64.136.28.183
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Sharita\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton<a onMouseOver="window.status='' ; return true;" onMouseOut="window.status='';" oncontextmenu="window.status=''; return true;" onclick="location.href='http://www.enhancemysearch.com/admin/results.php?q=Antivirus&id=49';return false;" href="" TITLE="More Info..."> AntiVirus </a>Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

02-26-2005, 10:34 AM	#1 (permalink)
hikkifan84 Registered User Join Date: Feb 2005 Location: Maryland Posts: 31 OS: Win2k Pro	Can someone PLEASE help me with my HijackThis Log? Every few minutes I receive a pop-up from Norton Antivirus telling my that the virus Download.Trojan has been detected and the file has been removed. When I click 'Ok' the box immediately comes back with the same message. I think the infection may have occurred I ran the file winupdt.exe accidently. A window popped up asking if I wanted to download browser enhancements. I usually close the window without hitting "Yes", but at the time I was in the middle of writing a program and accidently hit 'Yes'. I noticed that my Firewall kept popping up asking permission for file to access the internet. At first, I allowed them because my ISP, Bluelight, often wants to install harmless updates to my browser. After awhile, I started denying permission. A few minutes later, I ran my virus scan and that's when the virus was detected and I noticed Casino and Game icons on my desktop. Every few minutes, I get random pop-up ads and links in the text of online documents which take me to "EnhanceMySearch". Adaware deleted what it detected to be Malware and the programs on my desktop were deleted. However, I am still being prompted from Norton that it has removed the same Trojan and Trojan Dropper. I have run Norton, Adaware, and Spy Sweeper which have removed some files. I can't download Spybot for some reason. I have tried downloading it with both IE and Firebox, but the download stops in the middle and the file is corrupt. If anyone could help me figure out what to delete, I would be ever so greatful ^_^ Here is my HijackThis log, I used the HijackThis Analyzer to generate this log: =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 1/7/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton<a onMouseOver="window.status='' ; return true;" onMouseOut="window.status='';" oncontextmenu="window.status=''; return true;" onclick="location.href='http://www.enhancemysearch.com/admin/results.php?q=Antivirus&id=49';return false;" href="" TITLE="More Info..."> AntiVirus </a>- {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:59:33 AM, on 2/26/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\NoAds\NoAds.exe C:\WINNT\system32\sysmonnt.exe C:\WINNT\system32\prutqct.exe C:\WINNT\system32\ntmrxy.exe C:\WINNT\system32\prutqct.exe C:\Program Files\E-Color\True Internet Color\TICIcon.exe C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe C:\Program Files\BlueLight Internet\exec.exe C:\Program Files\BlueLight Internet\exec.exe C:\Sharita\hijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mybluelight.com/s/search?r=minisearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mybluelight.com/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.mybluelight.com/s/search?r=minisearch R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\BLSearch\SearchEnh1.dll O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll O3 - Toolbar: Browser Bar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\BlueLight Internet\toolbar.dll O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\Toolbar.dll O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe O4 - HKLM\..\Run: [2ssP33j] nwcanui.exe O4 - HKLM\..\Run: [8k3or6e9] C:\Program Files\8k3or6e9\8k3or6e9.exe O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe" O4 - HKCU\..\Run: [spc_w] "C:\Program Files\BLSearch\blspc.exe" -w O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe O4 - HKCU\..\Run: [JB3FRTHsO] ntmrxy.exe O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DEBAF0-BA47-42AF-9A1F-2C23548E5F0C}: NameServer = 64.136.20.173 64.136.28.183 O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Sharita\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton<a onMouseOver="window.status='' ; return true;" onMouseOut="window.status='';" oncontextmenu="window.status=''; return true;" onclick="location.href='http://www.enhancemysearch.com/admin/results.php?q=Antivirus&id=49';return false;" href="" TITLE="More Info..."> AntiVirus </a>Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe End of HijackThis Analyzer Log. =========================================================================================================================== Last edited by hikkifan84; 02-26-2005 at 11:01 AM.