Alright, here's the newest HJT log:
Log was analyzed using HijackThis Analyzer - Updated on 12/1/04
Get updates at http://www.greyknight17.com/download.htm#programs
Logfile of HijackThis v1.99.0
Scan saved at 3:08:44 AM, on 3/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\system32\w?nlogon.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ncf.edu/exchange/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wolverine.network.ncf.edu/exchange/
O2 - BHO: (no name) - {63929A18-7BF9-2F7A-8688-5740459DFBCC} - C:\WINDOWS\System32\aoop.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093464417609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
End of HijackThis Analyzer Log.
And here's the other log:
00:58:50 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
00:58:50 [Init] Started 22-03-05 00:58:50 Eastern Standard Time (UTC: 5), Internet Time @290.86
00:58:50 [Init] Loading TDS-3 Systems ...
00:58:50 [Init] Token successfully adjusted.
00:58:50 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
00:58:51 [Init] • Plugins : OK. Loaded 13
00:58:51 [Init] • Exec Protection : Not Installed
00:58:51 [Init] WARNING: Your Radius.TD3 database needs to be updated!
00:58:51 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
00:58:51 [Init] Licensed users can use the Update facility from the TDS menu
00:58:51 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
00:58:59 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
00:58:59 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
00:58:59 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
00:58:59 [Init] TDS-3 Ready. <Tim@131.247.157.87, 127.0.0.1 - United States>
00:58:59 [Tip Of The Day] TDS-3 is the only anti-trojan system capable of detecting, enumerating and scanning in hidden NTFS Alternate Data Streams - you can enable this powerful capability in Scan Control
00:58:59 [TDS] Good morning Tim. It's getting late, aren't you sleepy yet?
00:59:05 [Mutex Memory Scan] Started...
00:59:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
00:59:07 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
00:59:24 [CRC32] Started - verifying 29 files ...
00:59:25 [CRC32] File doesn't exist: C:\autoexec.bat
00:59:39 [CRC32] Test finished.
01:00:12 [Memory Scan] Memory scan started, please wait a moment ...
01:00:13 [Memory Scan] Memory scan complete.
01:00:13 [Mutex Memory Scan] Started...
01:00:14 [Mutex Memory Scan] Finished (no trojan mutexes found).
01:00:14 [Trace Scan] Started...
01:00:23 [Trace Scan] Finished.
01:00:23 [Service\Driver Scan] Scanning for services and drivers ...
01:00:28 [Service\Driver Scan] Scanned 314 services and drivers.
01:00:28 [File Scan] Scanning in A:\ ...
01:00:29 [File Scan] Scanned 0 files: 0 alarms in 1.031006 seconds (Avg 1. files/sec)
01:00:29 [File Scan] Scanning in C:\ ...
02:36:12 [Locked File] Couldn't open c:\windows\system32\w?nlogon.exe for read access, file is locked
02:44:57 [TDS] Good morning Tim. Would you like a coffee?
02:46:15 [File Scan] Scanned 107744 files: 16 alarms in 6345.5 seconds (Avg 17.98 files/sec)
02:46:15 [File Scan] Scanning in D:\ ...
02:46:15 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec)
02:46:15 [File Scan] Scanning in E:\ ...
02:46:17 [File Scan] Scanned 1491 files: 16 alarms in 2.15625 seconds (Avg 692.48 files/sec)
02:46:17 [File Scan] Scanning in F:\ ...
02:46:17 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec)
02:46:17 [Scan] Finished.
02:49:02 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt
02:49:51 [Screen Text] Saved to C:\Program Files\TDS3\scr1.txt
02:49:53 [Quit] Unloading ...
Thanks, again.
I'm sorry if I offended anyone with my language - it wasn't my intention.