|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
03-20-2005, 03:51 PM
|
#1 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: chicago
Posts: 2
OS: win2000pro
|
Win2000pro - Elastica MP3 Search leads to Pop Ups & Downloads Galore
on thursday evening i was using internet explorer searching for an mp3 of a song using google. this is exactly what i typed ... elastica connection free mp3 ... it was the first option on the search results. when i clicked the link (which i can provide you if it would be helpful), my computer automatically downloaded something and said that it would need to restart. i did nothing and everything seemed to be ok. then within about a minute i started getting pop ups galore. I knew that I must have a virus, so I ran CW Shredder, Spybot S&D and Adaware ... it appeared that I had a virus called "BookedSpace", which I googled and found on Symantec and other web sites.
So I decided to shut down my computer and let the Norton AntiVirus Corporate Edition running on our office server try to solve whatever problem that i may have when I logged in in the morning. Norton did not solve anything in the morning so I called the IT consultant for our company. He recommended that I run Adaware, Spybot S&D & Counter Spy, which I did. He also recommended that I download and run Mozilla Firefox in lieu of IE, which I did. These programs seemed to do a pretty good job getting rid of the problems, but they kept returning. Plus the Counter Spy program has an blocker so after I installed it I started noticing that about every 30 seconds or so the Counter Spy program would advise me that a new program was trying to install on my machine. It asked if I would like to block or delete (one or the other depending on the download) I would say yes and run a scan using counter spy. Every time I ran a new scan I would find many of the same programs had installed themselves. This is a list of some of those that have been found. Clicks Adware ISearch.Toolbar ISearch.DesktopSearch eZula.TopText TracePlus Ethernet 3.05.00 Bundleware Virtumondo MX-Targeting Adware Vx2.ZServ.Trojan Vx2.Narrator Toolbar Vx2.ABetterInternet VX2.ABetterInternet.Transponder.Ceres Vx2.DLMax VirtualBouncer There are others too ... Anyway I have gone through all of the steps in the "Please, Read This Before Posting A Hijackthis Log" and I have the following information. Per your request "I used the HijackThis Analyzer program to get the "new" log" I am just praying that one of you people can help me. HERE IS MY HJT LOG FILE: Logfile of HijackThis v1.99.1 Scan saved at 4:15:48 PM, on 3/20/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\mnmsrvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\rundll32.exe C:\WINNT\Explorer.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [wqzrrc] c:\winnt\system32\wqzrrc.exe O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce O4 - HKLM\..\Run: [nsvcin] C:\WINNT\system32\n20050308.exe O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\azovqdu.exe O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [EasySync Pro - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe O4 - HKLM\..\Run: [EasySync Pro - 3CmPlm] C:\Program Files\Common Files\XCPCSync\Translators\3CmPlm\AutoDet.exe O4 - HKLM\..\Run: [EasySync Pro] C:\Program Files\Common Files\XCPCMenu.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [AMBITWireless] C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42037/sb026.cab O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com/FSL/KnFSLInstall/setup.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CCS\Services\Tcpip\..\{43669065-0930-4BE7-B368-CEB4BA147013}: NameServer = 10.0.1.5 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\l00u0ad9ed0.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe HERE IS MY ANALYZED FILE: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 4:15:48 PM, on 3/20/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - HKLM\..\Run: [wqzrrc] c:\winnt\system32\wqzrrc.exe O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce O4 - HKLM\..\Run: [nsvcin] C:\WINNT\system32\n20050308.exe O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\azovqdu.exe O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [EasySync Pro - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe O4 - HKLM\..\Run: [EasySync Pro - 3CmPlm] C:\Program Files\Common Files\XCPCSync\Translators\3CmPlm\AutoDet.exe O4 - HKLM\..\Run: [EasySync Pro] C:\Program Files\Common Files\XCPCMenu.exe O4 - HKLM\..\Run: [AMBITWireless] C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42037/sb026.cab O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com/FSL/KnFSLInstall/setup.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CCS\Services\Tcpip\..\{43669065-0930-4BE7-B368-CEB4BA147013}: NameServer = 10.0.1.5 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\l00u0ad9ed0.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
| Thread Tools | |
|
|
