Join Date: Mar 2005
Posts: 11
Hi, I have an IBM ThinkPad T20 with a Pentium III running XP Professional.
A program hijacked my desktop about two days ago. It turned my desktop black with a big WARNING sign about spyware with a place to click into for a solution. I think that this is an advertisement for some anti-virus company or something, so I don't click into it. When a triangular :!: symbol appeared in my taskbar I thought that this is my outdated Norton AntiVirus telling me there is a problem. I click into the balloon and it takes me to what looks like an MSN search page with a list of places to get anti-spyware. I had had a problem with spyware before on another computer and was able to fix it with help from a forum such as this one. I consider doing the same thing, but I didn't have a lot of time, so, after remembering how much time it took me the last time, I say to myself "I guess I need updated virus protection software anyway, let me just buy this new package that updates daily for one year and get back to work". I buy WinAntiVirus 2005 Pro with the antispyware and anti-popup-ad firewall package and proceed to install it. It tells me that I have to uninstall all other anti-virus and anti-spyware stuff off of my computer for it to work. This doesn't sound right to me, and then I start to notice that it seems that the thing that had hijacked my desktop was just an advertisement for the company I just bought my anti-hijack package from. I feel like I just paid protection money to the mob. :mad: Did I get taken? Anyway, I still have spyware on my computer. Panda has detected the same thing twice after I ran the WinAntiVirus. Below you can find the HJT log, an ActiveScan report and the one from WAV2005pro. Thank you in advance for any help with this problem. Peace G
ActiveScan:
Incident Status Location
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Personal\Favorites\Search the web.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\System32\spoolsrv32.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq
Virus:Trj/Downloader.ASF Disinfected C:\WINDOWS\system32\spoolsrv32.exe
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:30 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\pgeng.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\WinAntiVirus 2005 Pro\Quar.exe
C:\Program Files\Common Files\WinSoftware\VapFM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\WinAntiVirus 2005 Pro\WinAV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.sunrise.ch/en/hom/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://go.sunrise.ch/en/hom/default.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110553832768
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe
WinAntiVirus wouldn't let me copy-paste their report; here is what I found in the report:
4 files infected with: Win32.bagle.3.gen@mm
1 file infected with: Trojan.dropper.small.oy
1 file infected with: Application.adware.powerreg.3.0
Also a file named hotmail-inbox.dbx (infected, but the program says that I should use the mail client to eliminate it).
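As an added triage example that is not part of the original post (and not the poster's, HijackThis's or Panda's code): a small Python script that parses the two report formats quoted above, listing O4 autostart entries whose binary does not appear in the HJT running-process list and checking whether each ActiveScan hit still shows up anywhere in the HJT log. The embedded excerpts are constructed from the logs in the post; the "registered to autostart but not running" heuristic is an assumption for triage, not a verdict on any entry.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log quoted in the post.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
"""
# Constructed excerpt of the Panda ActiveScan report quoted in the post.
ACTIVESCAN = r"""
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\System32\spoolsrv32.exe
Virus:Trj/Downloader.ASF Disinfected C:\WINDOWS\system32\spoolsrv32.exe
"""

O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.*)$')
ENTRY_RE = re.compile(r'^[RO]\d+ - ')          # R0/R1/O2/O4... typed HJT entries
PATH_RE = re.compile(r'([A-Za-z]:\\.*)$')       # drive-letter path ending the line

def autostart_path(value):
    # Quoted path ("C:\...\x.exe" -switch) or bare path followed by /switches.
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return re.split(r' [/-]', value, maxsplit=1)[0]

def parse_hjt(log):
    # Running processes run from the header to the first typed (R0/O4/...) entry.
    lines = log.strip().splitlines()
    procs = set()
    for line in lines[lines.index('Running processes:') + 1:]:
        if ENTRY_RE.match(line):
            break
        procs.add(line.strip().lower())
    autostart = [(m.group(1), m.group(2), autostart_path(m.group(3)))
                 for m in map(O4_RE.match, lines) if m]
    return procs, autostart

def parse_activescan(report):
    # One (status, lower-cased path) per incident; Panda prints 'No disinfected' or 'Disinfected'.
    return [('disinfected' if ' Disinfected ' in ln else 'not disinfected',
             PATH_RE.search(ln).group(1).strip().lower())
            for ln in report.strip().splitlines() if PATH_RE.search(ln)]

def triage(log, report):
    # Autostart entries whose binary is not running, plus whether each scan hit
    # still appears in the HJT log at all (running or registered to autostart).
    procs, autostart = parse_hjt(log)
    not_running = [(n, p) for _, n, p in autostart if p.lower() not in procs]
    known = procs | {p.lower() for _, _, p in autostart}
    hits = [(s, p, p in known) for s, p in parse_activescan(report)]
    return {'autostart_not_running': not_running, 'scan_hits': hits}
```

On the excerpt, the two System32 autostart entries (WinTaskMan and window.exe) come back as registered but not running, and the spoolsrv32.exe hit no longer appears anywhere in the HJT log, consistent with Panda reporting it disinfected.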