
Possible trojan?

Discussion in 'Virus & Other Malware Removal' started by Fossilized, Oct 17, 2003.

Thread Status:
Not open for further replies.
  1. Fossilized

    Fossilized Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    6
    Greetings all,

    This is actually my first thread here, and I am seeking the expertise to possibly resolve this problem.

    Something attempted to log on to the internet recently, but asked for confirmation before it could do so. I don't know what the file was, but I was hoping that by looking at the following, some information could be divulged from it. It seems to have tried to access again, but to a different IP address (caught by firewall). I know the sites it's trying to access, but not the source that's triggering it.

    Additionally, would the process have to be running at the time HijackThis is run in order to catch it as an active process? I will take note to run it at that time if it happens again. I didn't have HijackThis during the prior two times. Here's the system info:

    Logfile of HijackThis v1.97.2
    Scan saved at 7:34:04 PM, on 10/15/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NProtect.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Cathy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    Any help would be immensely appreciated. Thanks again.

    Foss
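As an added example (not from the original thread, and not code from the HijackThis project), here is a small Python parser for the log format posted above: it splits the "Running processes" list and the O2/O3/O4/O9 items into structured entries (section, name, CLSID, file path) and applies one common triage heuristic, flagging files that run from Temp or profile directories. On this log the only hit is HijackThis.exe itself, which was launched from a Temp folder, a reminder that location-based flags need an analyst to confirm them. The sample log is a constructed subset of the lines in the post; the regexes and the suspect-directory list are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: a subset of the lines from the HijackThis 1.97 log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Cathy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger (HKLM)
"""

@dataclass
class Entry:
    section: str           # "O2", "O3", "O4", ... or "PROC" for a running process
    name: str              # BHO/toolbar label, "HIVE [Run value]" for O4, or exe basename
    clsid: Optional[str]   # {GUID} on O2/O3 lines, else None
    path: Optional[str]    # on-disk file the line points at, if it carries one

ITEM_RE = re.compile(r"^(O\d+) - (.*)$")                      # "O4 - ..." item lines
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                  # {8-4-4-4-12} GUID
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # hive, value name, command

def parse_hjt(text: str) -> List[Entry]:
    """Turn a HijackThis log into structured entries (processes first, then O-items)."""
    entries, in_procs = [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        item = ITEM_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif item:
            in_procs = False
            section, body = item.groups()
            clsid, path, run = CLSID_RE.search(body), PATH_RE.search(body), RUN_RE.match(body)
            name = f"{run.group(1)} [{run.group(2)}]" if run else body.split(" - ")[0]
            entries.append(Entry(section, name, clsid and clsid.group(0), path and path.group(1)))
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            entries.append(Entry("PROC", line.rsplit("\\", 1)[-1], None, line))
    return entries

SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")  # assumed triage list

def flag_unusual_locations(entries: List[Entry]) -> List[Entry]:
    """Entries whose file lives in a user-writable or temporary directory (needs analyst review)."""
    return [e for e in entries if e.path and any(d in e.path.lower() for d in SUSPECT_DIRS)]
```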
     
  2. scmazter

    scmazter

    Joined:
    Oct 5, 2003
    Messages:
    557
  3. cannymum

    cannymum

    Joined:
    Apr 8, 2003
    Messages:
    50
    Have you tried running AdAware 6.181?

    Uninstall any old versions you may have. Install the new Build, click on "check for updates" to get the latest reference file.

    Then configure it this way (recommended for a first scan)

    Please make sure that you have these options checked:
    Under Ad-aware 6 > Configurations (The gear wheel) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Configurations > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Also, please check to see if you have the option "quarantine all objects prior to removal" checked. Open Ad-aware > General Options; there is an option "Automatically Quarantine objects prior to removal".

    When you click on the 'start' button, in the next window, select the 2nd option (Use custom scanning options) and make sure 'Activate In-depth scan (recommended)' is ticked... green.

    Run Ad-Aware.

    Mark the objects for removal you wish to get rid of, and then choose next.

    Be sure to reboot after removal.

    Please Note:

    After removing a Browser Hijacker Ad-aware 6 will set your Start Page to "Blank".
    So you may need to set the Start and Search pages in your Browser manually back to your preferred one.
    The reason is that the Hijack has changed the page; since Ad-aware 6 does not know what it was set to before, it resets it to a blank page.
    If you do not see any differences, then disregard this.

    If you have any further questions, please don't hesitate to ask.

    If you would like to post a log file, before you remove anything...please do so.

    Thanks
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Cathy... there is nothing in your log [if that is all your logfile] at all that shouldn't be there.
    The next time you get the alert write it down and let us know.

    ;)
     
  5. Fossilized

    Fossilized Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    6
    Thanks to all of you for your help.

    scmazter... what was the full URL from the BetaNews site? There's a partial link showing. Thanks.

    cannymum ... thanks for the detailed rundown on AdAware. If I were to keep items in quarantine after reboot, would I alter the Tweaks > Cleaning Engine: line that you provided? Thank you!

    I have had the newest AdAware installed since the second occurrence (prior to posting). I haven't had a reoccurrence since then, but I have one more inquiry.

    What can be done to document proof that spyware is trying to contact a specific site? This involves legalities, so it has nothing to do with your typical spyware contacting a Joe Schmo mothership. Would I essentially keep unidentified spyware in quarantine and research them?

    Foss
     
  6. scmazter

    scmazter

    Joined:
    Oct 5, 2003
    Messages:
    557
    The link I posted was for AdAware lol, but it didn't work for some reason, oh well.
     
Short URL to this thread: https://techguy.org/172533