Forum: Resolved HJT Threads (Resolved spyware and popup issues.)
#1 (permalink)
Registered User
Join Date: Nov 2005
Posts: 4
OS: WINXP
Please analyze my log file
Here is my preanalyzed HJT log captured after running the latest AdAware SE definitions and Trendmicro HouseCall scan as instructed:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:49:41 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Draxysoft\Wallpaper Sequencer\Walser.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [timesync] timesync.exe
O4 - HKLM\..\RunServices: [update] ms.exe
O4 - HKCU\..\Run: [Walser] C:\Program Files\Draxysoft\Wallpaper Sequencer\Walser.exe start
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.bluebottle.com
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB16D627-77B4-4DC4-8DB5-C69117294A24}: NameServer = 66.109.128.2,66.109.128.3
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thx, any help is appreciated.
Carl
#2 (permalink)
TSF Enthusiast
Join Date: Apr 2005
Location: Ohio
Posts: 1,156
OS: XP
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

In the meantime, make sure you subscribe to this thread so that you will receive an instant email when I have replied with a fix to your problem. You may do this by clicking the Thread Tools option at the top of your post and then clicking Subscribe to this thread. Then, make sure Instant Notification by email is selected and click Add Subscription.

Please be patient with me during this time.
#3 (permalink)
TSF Enthusiast
Join Date: Apr 2005
Location: Ohio
Posts: 1,156
OS: XP
Please analyze my log file

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

====================================================================================================
Showing Hidden files, folders, and system files and folders

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

====================================================================================================
Downloads

Cleanup! or use this (Alternate Link) if the main link does not work and install it. You will use this later.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

====================================================================================================
HiJackThis!

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):

O4 - HKLM\..\RunServices: [update] ms.exe
O15 - Trusted Zone: http://www.bluebottle.com
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

Please remember to close all other windows, including browsers, then click Fix checked.

====================================================================================================
Deleting Files and Folders

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

ms.exe <- Do a search for this file and delete (Please let me know the directory in which you found this file as well)

====================================================================================================
Tools

CleanUp!

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs).
Set the program up as follows:
Click Options
Move the slider button down to Custom CleanUp!
Check the following:

Click OK, press the CleanUp! button to start the program and reboot when prompted.

Reboot your system in Normal Mode.

====================================================================================================
Online Virus/Spyware Scans

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Trend Micro Anti-Spyware for the Web Utility (Go to the link and click the "Scan and Clean your PC" button).
Repeat the same procedure above using the TrendMicro tool. Post the log from the second scan/clean, NOT the first, as this will contain what's left in the system.

====================================================================================================
Summary:

Please make sure you have completed all the steps above and include the following with your next post:
HiJackThis! Log
Panda ActiveScan Log
TrendMicro Anti-Spyware Log
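The three entries singled out above (a RunServices item with a bare filename, a Trusted Zone entry, and an ActiveX download from an unfamiliar host) are the kind of thing a first-pass triage of a HijackThis log can surface automatically. The following Python is an added example, not code from this thread or from HijackThis: it parses lines in the HJT log format and reports review candidates. The sample log is constructed from entries in this thread, and the allowlist of ActiveX hosts is an assumption standing in for a real policy.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 format, using the kinds of entries that
# appear in this thread's log (the full log is in post #1).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [timesync] timesync.exe
O4 - HKLM\..\RunServices: [update] ms.exe
O15 - Trusted Zone: http://www.bluebottle.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB16D627-77B4-4DC4-8DB5-C69117294A24}: NameServer = 66.109.128.2,66.109.128.3
"""

# Assumed allowlist of ActiveX (O16) download hosts: an example policy, not
# something HijackThis provides.
TRUSTED_DPF_DOMAINS = ("trendmicro.com", "msn.com", "yahoo.com")

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s*(.*)$")

def parse_entries(log_text):
    """Yield (section, body) for each 'Onn - body' or 'Rn - body' line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)

def triage(log_text):
    """Return (reason, body) pairs for entries that need a human look.
    These are review candidates, not verdicts: the RunServices rule also
    surfaces timesync.exe, which the helper in this thread left alone."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O4":
            m = O4_RE.match(body)
            if m and m.group(2) == "RunServices":
                command = m.group(4).strip().strip('"')
                # A bare filename is resolved via the search path, so the log
                # does not say where it lives; hence the helper's "do a search".
                if "\\" not in command:
                    findings.append(("RunServices entry with bare filename", body))
        elif section == "O15":
            # A Trusted Zone entry relaxes IE's security settings for that site.
            findings.append(("Trusted Zone entry", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if not is_trusted_host(host_of(url)):
                findings.append(("ActiveX download from non-allowlisted host", body))
    return findings
```

Running `triage(SAMPLE_LOG)` returns four candidates; the final call is still the analyst's, which is why the O17 NameServer line is parsed but not flagged.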
#4 (permalink)
Registered User
Join Date: Nov 2005
Posts: 4
OS: WINXP
latest logs
Here are the latest logs as instructed:
BTW, you contradicted yourself on the instructions for running the TrendMicro Anti-Spyware tool. You first said to post the initial log file contents and then you said you only wanted the second. I have included both the initial and subsequent scan logs. Regardless, it did not find any malware, even though Panda ActiveScan found three instances, but did not clean them.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:59:20 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Draxysoft\Wallpaper Sequencer\Walser.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [timesync] timesync.exe
O4 - HKCU\..\Run: [Walser] C:\Program Files\Draxysoft\Wallpaper Sequencer\Walser.exe start
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.wintu.edu/secure/PhxStudent15.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB16D627-77B4-4DC4-8DB5-C69117294A24}: NameServer = 66.109.128.2,66.109.128.3
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

End of KRC HijackThis Analyzer Log.
====================================================================

*********************************************************
Active Scan log

Incident                  Status           Location
Adware:adware/commad      No disinfected   Windows Registry
Adware:Adware/IWon        No disinfected   C:\HJT\backups\backup-20051116-190818-568.inf
Adware:Adware/Look2Me     No disinfected   C:\installer.exe

End of Active Scan log
*******************************************************

*******************************************************
TrendMicro Anti-Spyware Log Run 1

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning

End of TrendMicro Anti-Spyware Log Run 1
********************************************************

********************************************************
TrendMicro Anti-Spyware Log Run 2

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning

End of TrendMicro Anti-Spyware Log Run 2
********************************************************

Thanks,
Carl

PS After fixing the three items with HijackThis as instructed, the file "ms.exe" was not found when using the WinXP search utility.

Last edited by cdreyer; 11-17-2005 at 02:25 PM. Reason: forgot to include info
#5 (permalink)
TSF Enthusiast
Join Date: Apr 2005
Location: Ohio
Posts: 1,156
OS: XP
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Please reboot your computer in Safe Mode

====================================================================================================
Folder/File Deletions

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\installer.exe

====================================================================================================
Please reboot your computer in Normal Mode

Online Virus/Spyware Scan

Kaspersky WebScanner
Next click on Launch Kaspersky Anti-Virus Web Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

====================================================================================================
Summary

Please include the following with your next reply:
Fresh HJT Log
Kaspersky Anti-Virus Web Scanner Log

Last edited by Eclipse2003; 11-19-2005 at 09:09 AM.
#6 (permalink)
Registered User
Join Date: Nov 2005
Posts: 4
OS: WINXP
fyi
No need to reply to this, but I noticed the following anomalies in your last post:

The message that shows up in my email as 'Here is the message that has just been posted' is NOT the same as the message that shows up in the forum thread.

The following instruction is missing from the forum post: 'Once your computer boots up, please run another HJT Scan and post a fresh log'

The following instructions are missing from the email message:
All of the procedure for running Kaspersky is missing from the email message
Under Summary the following is missing: 'Kaspersky Anti-Virus Web Scanner Log'

These discrepancies could be confusing to someone who is not as thorough as someone with my experience.

The popups have disappeared after the initial HJT scan and fix that disabled the ms.exe service being loaded under HKLM, so it appears that file was causing all the popups. However, I believe it prudent to proceed to root out all other malware.

Again, no need to reply to this post, as I will proceed with the instructions I received from you last post.

Thanks,
Carl
#7 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter