Resolved HJT Threads - Resolved spyware and popup issues.
#1
Registered User
Join Date: Feb 2005
Location: Maryland
Posts: 31
OS: Win2k Pro
Can someone PLEASE help me with my HijackThis Log?

Every few minutes I receive a pop-up from Norton Antivirus telling me that the virus Download.Trojan has been detected and the file has been removed. When I click 'Ok' the box immediately comes back with the same message.

I think the infection may have occurred when I ran the file winupdt.exe accidentally. A window popped up asking if I wanted to download browser enhancements. I usually close the window without hitting "Yes", but at the time I was in the middle of writing a program and accidentally hit 'Yes'. I noticed that my Firewall kept popping up asking permission for files to access the internet. At first, I allowed them because my ISP, Bluelight, often wants to install harmless updates to my browser. After a while, I started denying permission. A few minutes later, I ran my virus scan and that's when the virus was detected and I noticed Casino and Game icons on my desktop. Every few minutes, I get random pop-up ads and links in the text of online documents which take me to "EnhanceMySearch". Adaware deleted what it detected to be Malware and the programs on my desktop were deleted. However, I am still being prompted from Norton that it has removed the same Trojan and Trojan Dropper. I have run Norton, Adaware, and Spy Sweeper which have removed some files. I can't download Spybot for some reason. I have tried downloading it with both IE and Firefox, but the download stops in the middle and the file is corrupt.
If anyone could help me figure out what to delete, I would be ever so grateful ^_^ Here is my HijackThis log. I used the HijackThis Analyzer to generate this log:

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:59:33 AM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\ntmrxy.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\Program Files\BlueLight Internet\exec.exe
C:\Sharita\hijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.creative.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelight.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mybluelight.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.mybluelight.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\BLSearch\SearchEnh1.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O3 - Toolbar: Browser Bar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\BlueLight Internet\toolbar.dll
O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\Toolbar.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [2ssP33j] nwcanui.exe
O4 - HKLM\..\Run: [8k3or6e9] C:\Program Files\8k3or6e9\8k3or6e9.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\BLSearch\blspc.exe" -w
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - HKCU\..\Run: [JB3FRTHsO] ntmrxy.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DEBAF0-BA47-42AF-9A1F-2C23548E5F0C}: NameServer = 64.136.20.173 64.136.28.183
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Sharita\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

Last edited by hikkifan84; 02-26-2005 at 10:01 AM.
#3
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Yes, yes.......patience.

============

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\ntmrxy.exe
C:\WINNT\system32\prutqct.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

E2G
Viewpoint (all apps)
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINNT\system32\AUNBHO.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [2ssP33j] nwcanui.exe
O4 - HKLM\..\Run: [8k3or6e9] C:\Program Files\8k3or6e9\8k3or6e9.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - HKCU\..\Run: [JB3FRTHsO] ntmrxy.exe
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Program Files\8k3or6e9\
C:\Program Files\E2G\
C:\Program Files\Viewpoint\
C:\Program Files\WildTangent\
C:\WINNT\Helper101.dll
C:\WINNT\system32\AUNBHO.dll
C:\WINNT\system32\ntmrxy.exe
C:\WINNT\system32\nwcanui.exe
C:\WINNT\SYSTEM32\nwprovau.dll
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\winupdt.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Let's also use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
GO BIG BLUE!!
Last edited by CTSNKY; 02-26-2005 at 02:57 PM.
#6
Registered User
Join Date: Feb 2005
Location: Maryland
Posts: 31
OS: Win2k Pro
Here's what you told me to post.

HijackThis Analyzer Results
Quote:

TDS-3 System Scan Log
Quote:
#7
Analyst, Security Team
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system\vppi.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system\vppi.exe
c:\command.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
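The helpers in posts #3 and #7 work the log by hand: read each R/O line, pick out the file it points at, and compare it with a list of known-bad files and folders. As an added example (not code from this thread, from HijackThis or from the KRC analyzer), here is a small Python parser that does that mechanically. The sample log is constructed from lines quoted in this thread, and the known-bad list is a subset of the files and folders the two helpers named. The two extra heuristics in flag_entries (a Run value that is only a bare filename, and a hosts entry that points somewhere other than loopback) are my own assumptions, not something the helpers stated.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis output quoted in
# this thread (posts #1, #3 and #7). Not a complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\system32\sysmonnt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search?r=minisearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [8k3or6e9] C:\Program Files\8k3or6e9\8k3or6e9.exe
O4 - HKCU\..\Run: [JB3FRTHsO] ntmrxy.exe
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Subset of the files and folders the helpers told the poster to remove.
KNOWN_BAD_FILES = [
    r"C:\WINNT\Helper101.dll", r"C:\WINNT\system32\AUNBHO.dll",
    r"C:\WINNT\system32\ntmrxy.exe", r"C:\WINNT\system32\nwcanui.exe",
    r"C:\WINNT\SYSTEM32\nwprovau.dll", r"C:\WINNT\system32\prutqct.exe",
    r"C:\WINNT\system32\sysmonnt.exe", r"C:\WINNT\system32\winupdt.exe",
    r"C:\WINNT\system\vppi.exe", r"c:\command.exe",
]
KNOWN_BAD_DIRS = [r"C:\Program Files\8k3or6e9", r"C:\Program Files\E2G",
                  r"C:\Program Files\Viewpoint", r"C:\Program Files\WildTangent"]


@dataclass
class Entry:
    kind: str          # HijackThis section code: R1, O1, O2, O4, O20, O23, ...
    raw: str           # the log line as written
    name: str = ""     # Run value name, BHO name, service name, or hostname
    target: str = ""   # file path / command line / URL / IP address


LINE_RE = re.compile(r"^([RO]\d+) - (.+)$")
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] ?(.*)$")      # HKLM\..\Run: [name] command
STARTUP_RE = re.compile(r"^(.*?): (.*?) = (.*)$")       # Global Startup: x.lnk = path
FILE_RE = re.compile(r"^(.*?\.(?:exe|dll|lnk|com|bat))", re.IGNORECASE)


def parse_log(text: str) -> list[Entry]:
    """Turn the R/O entry lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # header, process list, blank lines
        kind, body = m.groups()
        e = Entry(kind=kind, raw=line.strip())
        if kind.startswith("R"):           # IE start/search page: key = URL
            e.name, _, e.target = body.partition(" = ")
        elif kind == "O1":                 # Hosts: <ip> <hostname>
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2:
                e.target, e.name = parts[0], parts[1]
        elif kind == "O4":
            hit = RUN_RE.match(body) or STARTUP_RE.match(body)
            if hit:
                e.name, e.target = hit.group(2), hit.group(3)
        else:                              # O2/O3/O20/O23: "Label: name - ... - path"
            segs = [s.strip() for s in body.split(" - ")]
            e.name = segs[0].partition(":")[2].strip()
            e.target = segs[-1]
        entries.append(e)
    return entries


def file_from_command(cmd: str) -> str:
    """Extract the program/DLL path from a Run value or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = FILE_RE.match(cmd)                 # unquoted: stop at the first file extension
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def flag_entries(entries, bad_files, bad_dirs):
    """Pair each suspicious entry with the reason it was flagged."""
    files = {p.lower() for p in bad_files}
    names = {p.rsplit("\\", 1)[-1] for p in files}
    dirs = [d.lower().rstrip("\\") + "\\" for d in bad_dirs]
    findings = []
    for e in entries:
        reasons = []
        target = file_from_command(e.target).lower()
        if target in files:
            reasons.append("listed as a known-bad file")
        elif any(target.startswith(d) for d in dirs):
            reasons.append("lives inside a known-bad folder")
        elif target in names:
            reasons.append("known-bad filename given without a folder")
        # Assumption (mine, not the helpers'): a Run value that is only a bare
        # filename is resolved through the PATH at logon and deserves a look.
        if e.kind == "O4" and target and "\\" not in target and ":" not in target:
            reasons.append("bare filename in an autostart value")
        # Assumption (mine): a hosts entry that is not loopback silently
        # redirects that hostname.
        if e.kind == "O1" and not e.target.startswith("127."):
            reasons.append(f"hosts file sends {e.name} to {e.target}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in flag_entries(parse_log(SAMPLE_LOG), KNOWN_BAD_FILES, KNOWN_BAD_DIRS):
        print(f"{entry.kind:<4} {why}\n     {entry.raw}")
```

Run it as-is to see the six lines from the sample that the helpers would have told the poster to fix, each with the reason; the Symantec and Zone Labs entries pass through untouched. To use it on a real log, replace SAMPLE_LOG with the file contents and extend the two known-bad lists.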
#8
Registered User
Join Date: Feb 2005
Location: Maryland
Posts: 31
OS: Win2k Pro
HijackThis Analysis
Quote:
#9
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Your log is clean. If you disabled System Restore, make sure to enable it now.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
GO BIG BLUE!!