HJT Log: Please Diagnose


11 replies to this topic

#1 Lolachola

  • Members
  • 15 posts

Posted 14 June 2005 - 03:26 PM

Hi Groovicus,

Last night I ran this Kaspersky online antivirus scan and it said that I was infected with a virus called 'Virus.Dos.Terronia.2538'. I used the disinfect option but I don't know if that's enough. I also scanned with Panda online scan and it said I had adware called "Exact/Search". This is exactly what Kaspersky said about the infected file:

C:\WINDOWS/system32/ActiveScan\imscan.dll Virus.Dos.Terronia.2538

The log for the Panda Online scan identified two adwares:
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\Program Files\backups\backup-20050613-203239-264.inf

I deleted the second file but didn't know how to get rid of Exact Search. Below is my HJT log.

Linda

Logfile of HijackThis v1.99.1
Scan saved at 3:17:49 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Prevx Pro\SAGUI.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Prevx Pro\PXAgent.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [PrevxPro] "C:\Program Files\Prevx Pro\SAGUI.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118732811981
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Pro\PXAgent.exe" -f (file missing)
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
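A small triage helper for the HijackThis log format shown above, added here as an illustration; it is not part of the original thread and is not code from HijackThis or BleepingComputer. It parses the header, the running-process list and the R/O entries, counts entries per section, and flags the items a reviewer looks at first in a log like this one: O23 services whose file is reported missing or whose vendor is unknown, and O4 Run entries given as a bare file name rather than a full path. The sample input is an excerpt of the log posted above, embedded so the script runs offline; the finding wording and the `HjtReport` structure are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Excerpt of the HijackThis v1.99.1 log posted in this thread (subset of its
# lines, embedded here so the script runs without any input file).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:17:49 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Prevx Pro\PXAgent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Pro\PXAgent.exe" -f (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "R0 - ...", "F2 - ...", "O23 - ..." entry lines.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 registry Run entries: HKLM\..\Run: [name] command
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class HjtReport:
    version: str = ""
    processes: list = field(default_factory=list)  # running-process paths
    entries: list = field(default_factory=list)    # (code, body) tuples
    findings: list = field(default_factory=list)   # review notes for a human

    def count_by_code(self) -> Counter:
        return Counter(code for code, _ in self.entries)


def parse_hjt_log(text: str) -> HjtReport:
    """Parse a HijackThis 1.99-style log and attach review findings."""
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        if line.startswith("Logfile of HijackThis"):
            report.version = line.split("HijackThis", 1)[1].strip()
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.entries.append((m["code"], m["body"]))
    _review(report)
    return report


def _review(report: HjtReport) -> None:
    """Flag the entries a reviewer would want to verify on disk first."""
    for code, body in report.entries:
        if code == "O4":
            m = O4_RUN_RE.match(body)
            if m:
                cmd = m["cmd"].strip().lstrip('"')
                # A bare file name is resolved through the system search path,
                # so the reviewer must locate the actual file before trusting it.
                if not DRIVE_PATH_RE.match(cmd):
                    report.findings.append(
                        f"O4 [{m['name']}] uses an unqualified command '{m['cmd']}': "
                        "locate the file on disk before trusting it")
        elif code == "O23":
            if "(file missing)" in body:
                report.findings.append(f"O23 service points at a missing file: {body}")
            if " - Unknown owner - " in body:
                report.findings.append(f"O23 service has no vendor information: {body}")


if __name__ == "__main__":
    r = parse_hjt_log(SAMPLE_LOG)
    print(f"HijackThis {r.version}: {len(r.processes)} processes, "
          f"{len(r.entries)} entries {dict(r.count_by_code())}")
    for note in r.findings:
        print(" -", note)
```

Run against the full log above, the same logic reports the `PrevxAgent` service twice (missing file and unknown owner) and several Toshiba Run entries that are bare file names; in this thread those all turned out to be legitimate, which is exactly why the output is a review list rather than a verdict.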

#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 06:15 PM

Tea Timer is preventing the fixes from working. You will need to disable it first, and then Spybot, Adaware, or PandaScan should work.

Tea-Timer disable:
http://russelltexas.com/malware/teatimer.htm

See if that works.

#3 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 14 June 2005 - 10:10 PM

Hi Groovicus,

I didn't have TeaTimer going when I did the scan last night. I uninstalled and reinstalled SpyBot only today because I realized that I never checked to run TeaTimer. Any suggestions for this ExactSearch?

Thanks!
Linda

#4 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 14 June 2005 - 10:26 PM

Sigh.. another one of these phantom hijackers. They are really quite bothersome to troubleshoot. At any rate, according to all the documentation I have, ExactSearch should be removable through the add/remove programs option. Did I recommend we do that yet..lol. I have so many different logs going at the moment, I get lost sometimes. :thumbsup:

#5 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 14 June 2005 - 10:52 PM

Nope .. it doesn't appear in the Add/Remove programs box. :thumbsup: For your info, it doesn't come up when I use Ad-Aware or Spybot .. just when I ran the Panda Scan. I guess Panda detects some things that the others don't? It seems like I can't seem to avoid this damn spyware! I think I am fairly protected now .. maybe I had this before or something. Also, I ran Trend Micro PC-cillin and it identified the Regprot program as spyware!!! Is that weird?

Thanks so much.

Linda

#6 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 June 2005 - 08:07 AM

Sometimes scanners identify programs based on behavior, and not based on an actual threat. If Panda says you have a virus though, I would tend to believe it, and it is easy enough to double-check. Go to jotti's:
http://virusscan.jotti.org/

And submit the file that Panda says is infected. Let me know how that goes. If it is infected, then we can manually delete it.

#7 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 15 June 2005 - 02:36 PM

Unfortunately I can't submit the file that Panda found because I deleted one of them -- one was a backup that is somehow relevant to some msn games I used to play so I got rid of it because I don't need it anymore. The other one Panda found it just said was in the registry -- that was the ExactSearch. Can I submit something like that to http://virusscan.jotti.org/ site? If so, how do I do it?

And for the Kaspersky file (which was the one that was identified as the virus), I chose the disinfect option and it doesn't seem to have returned when I run the scan again.

I submitted the regprot files (RPADMIN.exe and REGPROT.exe) that Trend PC-cillin was identifying as malware, and the message I got back on both of them was:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.

Linda

#8 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 15 June 2005 - 02:52 PM

Groovicus,

If it means anything, I did a search for ExactSearch in my registry and found that it is under HKCU --> Software --> Microsoft --> Windows --> Current Version --> Internet Settings --> P3P --> History --> exact search bar. It seems that this has a list of other restricted sites. Maybe it's a false positive on Panda's part?

#9 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 June 2005 - 03:17 PM

It's not a false positive, but it is not harmful either. What are the other entries under the key?

#10 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 15 June 2005 - 07:27 PM

There are like about 300 or more things in there such as cometcursor.com, casinolasvegas.com, freshgirls.com (lol), paycounter.com, sextracker.com, xxxtoolbar.com. Are they the sites that Spybot has restricted? I also have installed IE-Spy Ad (as recommended on your security guide). Anything to do with that?

I ran Kaspersky online scan and Panda again and nothing came up this time ... although Panda has been doing weird things to my computer ... every time I run it I get a Windows messaging box come up and I cancel.

Thanks!

Linda

#11 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 June 2005 - 07:44 PM

:thumbsup:

Well that explains a lot.. that's exactly what it is.. it is restricted zones. Phew. I've been sitting here scratching my head trying to figure out what was happening with your system.

I don't think there is anything on your system. I think that all of the different scans are showing false positives, and that is confusing the both of us, because they are not finding the same things. That's one of the "dangers" of having too many things running. I'd just keep an eye on your system for a day or two and see if anything very unusual is happening.

#12 Lolachola

  • Topic Starter
  • Members
  • 15 posts

Posted 15 June 2005 - 08:33 PM

Phew. I'm glad that's what it is too. I'll keep an eye on it and post if anything strange starts happening again. Thanks again for all of your help -- you guys are truly amazing on here! :thumbsup:

Linda
