|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
03-20-2005, 02:51 PM
|
#1 (permalink) |
|
Registered User
Join Date: Mar 2005
Location: chicago
Posts: 2
OS: win2000pro
|
Win2000pro - Elastica MP3 Search leads to Pop Ups & Downloads Galore
on thursday evening i was using internet explorer searching for an mp3 of a song using google. this is exactly what i typed ... elastica connection free mp3 ... it was the first option on the search results. when i clicked the link (which i can provide you if it would be helpful), my computer automatically downloaded something and said that it would need to restart. i did nothing and everything seemed to be ok. then within about a minute i started getting pop ups galore. I knew that I must have a virus, so I ran CW Shredder, Spybot S&D and Adaware ... it appeared that I had a virus called "BookedSpace", which I googled and found on Symantec and other web sites.
So I decided to shut down my computer and let the Norton AntiVirus Corporate Edition running on our office server try to solve whatever problem that i may have when I logged in in the morning. Norton did not solve anything in the morning so I called the IT consultant for our company. He recommended that I run Adaware, Spybot S&D & Counter Spy, which I did. He also recommended that I download and run Mozilla Firefox in lieu of IE, which I did. These programs seemed to do a pretty good job getting rid of the problems, but they kept returning. Plus the Counter Spy program has an blocker so after I installed it I started noticing that about every 30 seconds or so the Counter Spy program would advise me that a new program was trying to install on my machine. It asked if I would like to block or delete (one or the other depending on the download) I would say yes and run a scan using counter spy. Every time I ran a new scan I would find many of the same programs had installed themselves. This is a list of some of those that have been found. Clicks Adware ISearch.Toolbar ISearch.DesktopSearch eZula.TopText TracePlus Ethernet 3.05.00 Bundleware Virtumondo MX-Targeting Adware Vx2.ZServ.Trojan Vx2.Narrator Toolbar Vx2.ABetterInternet VX2.ABetterInternet.Transponder.Ceres Vx2.DLMax VirtualBouncer There are others too ... Anyway I have gone through all of the steps in the "Please, Read This Before Posting A Hijackthis Log" and I have the following information. Per your request "I used the HijackThis Analyzer program to get the "new" log" I am just praying that one of you people can help me. HERE IS MY HJT LOG FILE: Logfile of HijackThis v1.99.1 Scan saved at 4:15:48 PM, on 3/20/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\mnmsrvc.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\rundll32.exe C:\WINNT\Explorer.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [wqzrrc] c:\winnt\system32\wqzrrc.exe O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce O4 - HKLM\..\Run: [nsvcin] C:\WINNT\system32\n20050308.exe O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\azovqdu.exe O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe O4 - HKLM\..\Run: [EasySync Pro - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe O4 - HKLM\..\Run: [EasySync Pro - 3CmPlm] C:\Program Files\Common Files\XCPCSync\Translators\3CmPlm\AutoDet.exe O4 - HKLM\..\Run: [EasySync Pro] C:\Program Files\Common Files\XCPCMenu.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [AMBITWireless] C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42037/sb026.cab O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com/FSL/KnFSLInstall/setup.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CCS\Services\Tcpip\..\{43669065-0930-4BE7-B368-CEB4BA147013}: NameServer = 10.0.1.5 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\l00u0ad9ed0.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe HERE IS MY ANALYZED FILE: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 4:15:48 PM, on 3/20/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - HKLM\..\Run: [wqzrrc] c:\winnt\system32\wqzrrc.exe O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce O4 - HKLM\..\Run: [nsvcin] C:\WINNT\system32\n20050308.exe O4 - HKLM\..\Run: [JVM0.12] C:\WINNT\system32\azovqdu.exe O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [EasySync Pro - LtNts4] C:\Program Files\Common Files\XCPCSync\Translators\LtNts4\NtsAgent.exe O4 - HKLM\..\Run: [EasySync Pro - 3CmPlm] C:\Program Files\Common Files\XCPCSync\Translators\3CmPlm\AutoDet.exe O4 - HKLM\..\Run: [EasySync Pro] C:\Program Files\Common Files\XCPCMenu.exe O4 - HKLM\..\Run: [AMBITWireless] C:\Program Files\AMBIT\Wireless\Utility\WlanUtil.exe O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k42037/sb026.cab O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com/FSL/KnFSLInstall/setup.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CCS\Services\Tcpip\..\{43669065-0930-4BE7-B368-CEB4BA147013}: NameServer = 10.0.1.5 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VortexEnterprises.local O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\l00u0ad9ed0.dll O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
     |
| Sponsored Links |
| Thread Tools | |
|
|
