LkszNY
July 8, 2009, 11:23pm
1
Hey, I'm not sure exactly what to search about this. I spoke to customer service on chat and they mentioned someone going in to fix the registry for 99 bucks. Not gonna happen, haha. Any way someone can walk me through it?
Here are some details:
I was on watchxonline.com watching a tv show (futurama in case it would matter) and all of a sudden a big blank window came up. A small balloon came up on the bottom part of the screen where norton should be, but it was a fake icon that looked like a shield. The message was "Your computer is infected" or something of the sort. I knew it was fishy so I tried to access Norton through the start menu. No dice. I restarted my pc and did a scan, turns out it found a "downloader" and "trojan" and removed them, but I'm having problems with some websites (automatically redirected to sites at random). On top of that, it says that SONAR isn't working, and I can't quite seem to get rid of whatever is still in my computer.
Can I do a HiJackThis scan or something and have someone let me know whether there are questionable files in the registry? I'm not sure what to do but now I'm afraid to back up some stuff because it might transfer over to my external drive. Any help would be great as long it's not gonna cost me more dough. I'm a student that relies on his computer for school work / income (design). So funds are low.
LkszNY
July 8, 2009, 11:50pm
2
I appreciate YOUR help!
Here is the HiJackThis log...
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:42:25 PM, on 7/8/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: MessengerUpdate - {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - C:\Documents and Settings\Lukas\Application Data\Messenger\Drivers\MsgUpdate.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [EPSON Stylus Photo R2400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "C:\WINDOWS\TEMP\E_S72.tmp" /EF "HKCU" O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - S-1-5-18 Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE (User 'SYSTEM') O4 - .DEFAULT Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE (User 'Default user') O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://onecare.live.com O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 11218 bytes
-------------------------------------------------------------------------
And I attached the GMER log.
Thanks again for the quick response. Hopefully this thing isn't too big of a deal.
Uninstall Spybot S&D; it will interfere with N360's scanners. Also, I see you are using MS OneCare. Having more than one realtime scanners can be a problem as they usually tend to cancel each other out instead of helping.
Run HiJackThis and then select (click and check) the following:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [EPSON Stylus Photo R2400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "C:\WINDOWS\TEMP\E_S72.tmp" /EF "HKCU" O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Click on "Fix checked" and reboot your system. See if the SONAR starts now.
Quads
July 9, 2009, 12:19am
4
Why take part of his printer serttings??
And you need the bonjour service if you are using the likes of itunes etc.
Quads
LkszNY
July 8, 2009, 11:23pm
5
Hey, I'm not sure exactly what to search about this. I spoke to customer service on chat and they mentioned someone going in to fix the registry for 99 bucks. Not gonna happen, haha. Any way someone can walk me through it?
Here are some details:
I was on watchxonline.com watching a tv show (futurama in case it would matter) and all of a sudden a big blank window came up. A small balloon came up on the bottom part of the screen where norton should be, but it was a fake icon that looked like a shield. The message was "Your computer is infected" or something of the sort. I knew it was fishy so I tried to access Norton through the start menu. No dice. I restarted my pc and did a scan, turns out it found a "downloader" and "trojan" and removed them, but I'm having problems with some websites (automatically redirected to sites at random). On top of that, it says that SONAR isn't working, and I can't quite seem to get rid of whatever is still in my computer.
Can I do a HiJackThis scan or something and have someone let me know whether there are questionable files in the registry? I'm not sure what to do but now I'm afraid to back up some stuff because it might transfer over to my external drive. Any help would be great as long it's not gonna cost me more dough. I'm a student that relies on his computer for school work / income (design). So funds are low.
LkszNY
July 9, 2009, 12:41am
6
So I shouldn't get rid of those?
I'm pretty sure PnkBsterA is a file I need for this game. I looked into it and it doesn't seem to be malicious.
But if you're telling me I should definitely dump it, let me know.
And "SPOOL" is definitely for the printer.
and won't deleting that winamp file delete winamp itself?
LkszNY
July 9, 2009, 12:42am
7
And I just noticed that for some reason “One Click Support” pops up on its own, but it’s a blank window.
LkszNY
July 9, 2009, 12:49am
8
found something else... csrss.exe in my processes.
Did a search and it came up as a Trojan file. Is this legit or is it a false positive or whatever?
Quads
July 9, 2009, 1:10am
9
There is a legit file of that name in the correct location, with a backup in the dllcache
Quads,
My Norton is having the exact same problems, even the way I got the virus is the same. Did you ever figure out what was causing it or how to resolve it? Thanks.
LkszNY
July 12, 2009, 8:46pm
11
hey, actually I went on majorgeeks.com and stumbled upon a section in the messageboard about virus removal that was really helpful. Check it out if you can. They suggest you download about 5 programs, all of which you need to use to get rid of the viruses/do scans/save logs.
http://forums.majorgeeks.com/showthread.php?t=35407 Thats the link. There is a lot to do. I sat on my computer from about 11 am til 5:30ish pm. I ran all of the programs, then uninstalled norton 360, then re-installed it. It seems to have worked for now, but seeing as how my computer was having some harddrive problems already, I'm just going to send it to get updated and get a new HD. Best of luck in getting rid of the junk!