Old 01-06-2005, 05:13 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 15
OS: win 2000


ggkrgi.exe, nnabno.dll

The file ggkrgi.exe keeps trying to run on my computer. Also nnabno.dll is associated with it. I think it has something to do with VX2 adware. I've tried to get rid of it with Spybot S&D & Ad-Aware SE, but nothing works. I've even deleted it in Safe mode.
I used Killbox V.2 to replace it on reboot which seems to have stopped it from running, but it keeps flashing up every few seconds and then going off again. I use Windows 2000 on my computer. Can anyone help me get rid of this file?

This is my file.

Logfile of HijackThis v1.99.0
Scan saved at 7:13 PM, on 6 Jan 2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bigwills\Desktop\Spyware removal\HijackThis.exe

O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://housecall.trendmicro.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
bigwills is offline  
Old 01-06-2005, 07:42 PM   #2 (permalink)
Knower of all that is MS
 
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). Also post the contents of the scandump log it creates.
__________________


GO BIG BLUE!!
CTSNKY is offline  
Old 01-07-2005, 05:14 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 15
OS: win 2000


Thank you for your help. Here is the log file TDS-3 created after a full scan. There were 15 alarms but I could not make a copy of the list, but these were TrojanDownloader: uxvexvm.dll, aaqwaz.exe, qqpoqy.dll,
and these were adware: muiole16.dll, ez052404.exe, updinstall.exe, nsdtmp09.dll, tb041026.dat.


17:13:04 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
17:13:04 [Init] Started 07-01-05 17:13:04 Central Standard Time (UTC: 6), Internet Time @1009.07
17:13:04 [Init] Loading TDS-3 Systems ...
17:13:04 [Init] Token successfully adjusted.
17:13:04 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
17:13:04 [Init] • Plugins : OK. Loaded 13
17:13:04 [Init] • Exec Protection : Not Installed
17:13:04 [Init] WARNING: Your Radius.TD3 database needs to be updated!
17:13:04 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
17:13:04 [Init] Licensed users can use the Update facility from the TDS menu
17:13:04 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
17:13:08 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
17:13:08 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
17:13:08 [Init] Radius Systems loaded. <Databases updated 07-01-2005>
17:13:08 [Init] TDS-3 Ready. <Bigwills@192.168.1.97, 127.0.0.1 - United States>
17:13:08 [Tip Of The Day] Can't remember the port that a particular service uses? Or perhaps you can't remember the service that a particular port uses? Try the Port Reference and Reverse Port Reference utilities - available in the Utilities menu!
17:13:08 [TDS] Good evening Bigwills.
17:13:10 [Mutex Memory Scan] Started...
17:13:11 [Mutex Memory Scan] Finished (no trojan mutexes found).
17:13:11 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
17:15:55 [CRC32] Started - verifying 29 files ...
17:15:56 [CRC32] File doesn't exist: C:\autoexec.bat
17:15:59 [CRC32] Test finished.
17:16:46 [Memory Scan] Memory scan started, please wait a moment ...
17:16:47 [Memory Scan] Memory scan complete.
17:16:47 [Mutex Memory Scan] Started...
17:16:48 [Mutex Memory Scan] Finished (no trojan mutexes found).
17:16:48 [Trace Scan] Started...
17:16:59 [Trace Scan] Finished.
17:16:59 [ServiceScan] Scanning for services and drivers ...
17:17:00 [ServiceScan] Scanned 268 services and drivers.
17:17:00 [File Scan] Scanning in A:\ ...
17:17:02 [File Scan] Scanned 0 files: 0 alarms in 1.0625 seconds (Avg 1. files/sec)
17:17:02 [File Scan] Scanning in C:\ ...
17:51:51 [File Scan] Scanned 73787 files: 13 alarms in 2089.156 seconds (Avg 36.32 files/sec)
17:51:51 [File Scan] Scanning in D:\ ...
18:14:11 [File Scan] Scanned 19300 files: 15 alarms in 1340.609 seconds (Avg 15.4 files/sec)
18:14:11 [File Scan] Scanning in E:\ ...
18:14:11 [File Scan] Scanned 0 files: 15 alarms in 0.015625 seconds (Avg 1. files/sec)
18:14:11 [File Scan] Scanning in F:\ ...
18:14:11 [File Scan] Scanned 0 files: 15 alarms in 0.015625 seconds (Avg 1. files/sec)
18:14:11 [File Scan] Scanning in G:\ ...
18:28:37 [File Scan] Scanned 7918 files: 15 alarms in 865.9531 seconds (Avg 10.14 files/sec)
18:28:37 [Scan] Finished.
bigwills is offline  
Old 01-07-2005, 08:04 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Run TDS-3 again. Once complete, in the bottom window it will list those 15 alarms. Right click and select delete for the ones that say "Positive Trojan" or Suspected trojan. Be careful, as TDS-3 also lists suspicious filenames in this area, so don't delete an update file with a version name in it or something you recognize.

Also delete the filenames in question.

Restart and run a new TDS scan and also a new HijackThis scan. Post both logs here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 01-10-2005, 08:38 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 15
OS: win 2000


In Safe mode I was able to kill then delete the last problem (qqpogy.dll) and after a full scan TDS-3 listed no problems or Alerts. I was then able to delete problem files ggkrgi.exe and nnabno.dll. I haven't had any problem the past couple of days with ggkrgi.exe trying to run all the time or place an entry in the startup programs, so I believe everything is great and I appreciate your help very much.
Johnny

Here is my file

Logfile of HijackThis v1.99.0
Scan saved at 10:38 AM, on 10 Jan 2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bigwills\Desktop\Spyware removal\HijackThis.exe

O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://housecall.trendmicro.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...1/imloader.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
bigwills is offline  
Old 01-10-2005, 08:40 AM   #6 (permalink)
Knower of all that is MS
 
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


I would recommend uninstalling all of the Viewpoint apps on there, as they contain some spyware.

Otherwise, your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________


GO BIG BLUE!!
CTSNKY is offline  
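
The before/after comparison the analysts do by eye in this thread, as an added example that is not from the thread or from HijackThis itself: it parses the O-section lines of two logs, reports what changed between scans, and flags autostart entries that match a watchlist. The function names and the watchlist term are assumptions; the log lines are excerpted from the two logs posted above.

```python
import re

# Lines excerpted from the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
"""
LOG_AFTER = r"""
Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...1/imloader.cab
"""

# "O4 - HKLM\..\Run: [name] command" -> ("O4", "HKLM\..\Run", "[name] command")
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and O-section entries."""
    procs, entries, in_procs = set(), set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                 # a blank line ends the process list
        elif in_procs:
            procs.add(line.lower())          # Windows paths are case-insensitive
        elif (m := ENTRY.match(line)):
            entries.add(m.groups())          # (code, kind, detail)
    return procs, entries

def diff_logs(before, after):
    """Return what appeared and disappeared between two scans of one machine."""
    (p0, e0), (p1, e1) = parse_hjt(before), parse_hjt(after)
    return {"procs_gone": p0 - p1, "procs_new": p1 - p0,
            "entries_gone": e0 - e1, "entries_new": e1 - e0}

def flag(text, watchlist):
    """List autostart (O4) and service (O23) entries naming a watchlist term."""
    _, entries = parse_hjt(text)
    return sorted(e for e in entries if e[0] in ("O4", "O23")
                  and any(w.lower() in e[2].lower() for w in watchlist))
```

Called as `flag(LOG_AFTER, ["viewpoint"])`, it returns the ViewMgr Run entry that the last reply recommends uninstalling, and `diff_logs` shows the new IncrediMail ActiveX entry that was not in the first log.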