spyware infecting my computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by willstroll, Dec 28, 2004.

  1. willstroll

    willstroll Private E-2

    Hi there,

    I have disabled "network security service" - the other two are not present.

    Attached is a copy of the log generated by Hijack This.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read my directions again for where HijackThis is supposed to be running from. You have it running from the ZIP file:
    C:\DOCUME~1\Will\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    You must follow directions! You will not get backups otherwise. Install it as requested and post a new HJT log.
     
  3. willstroll

    willstroll Private E-2

    Sorry about that. I thought that I had put it into a separate file but obviously not! I hope that this log is more help!

    Thanks.
     


  4. 1FTR

    1FTR Private E-2

    Sorry, I gave an answer that would be of no use to you. I did not read where you had already downloaded some of the programs I was going to suggest, sorry.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have an HSA hijack problem. Have you run HSremove and About:Buster?
    Even if you have run them do the following:
    - Make sure you have downloaded HSremove and About:Buster. Run About:Buster and click on the Updates button to get the current reference file, which is #21. Do not run a scan yet!!!
    - Print or save the below instructions locally, because you must be physically disconnected (unplug cable) from the internet and must not run any browsers like IE or Firefox etc. until I tell you to. Okay, if you have printed these, exit all browsers now and physically disconnect now!

    - Run About:Buster's scan now and click Yes later when asked about doing a secondary scan. Save its log to ab1.log. When it finishes, immediately reboot in safe mode.
    - Run HSremove.
    - Run About:Buster's scan and click Yes later when asked about doing a secondary scan. Save its log to ab2.log. When it finishes, immediately reboot in normal mode.
    - Now (still no connection to the internet, and no browsers should have been run) get a new HJT log and call it hjt1.log.
    - Now connect to the internet and open one IE session, and after it connects to whatever start page comes up, exit the IE session.
    - Run another HJT scan and save the log to hjt2.log.
    - Now come back here and post both AB logs and both HJT logs. That will require two messages.
     
  6. willstroll

    willstroll Private E-2

    I had run both HSremove and About:Buster before but the problem remained.

    Attached are the Hijack this logs.
     


  7. willstroll

    willstroll Private E-2

    The About:Buster logs are attached.

    When I logged onto the internet the first time the homepage was Google. However, when I next logged on to post these messages the homepage was again about:blank (no text on screen).

    Furthermore, AVG pops up messages saying 'Virus Detected - c:\windows\iesl32 (or other locations) - file infected with Trojan Horse Downloader Agent.6.M'

    I click heal and AVG states it has healed file - then immediately the message pops up again and this time the only possible action is to press continue (no other action works). This will normally happen two or three times with AVG spotting the Trojan in two or three different files, all with similar filenames.

    I am running the latest version of McAfee as well as AVG.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! First, you must not run more than one antivirus application. Looks like you have McAfee and AVG. I would uninstall McAfee and keep AVG.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {7FD1C6CE-B869-3B10-086D-CD732EE71233} - C:\WINDOWS\ntnb32.dll
    O4 - HKLM\..\Run: [addya.exe] C:\WINDOWS\system32\addya.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\crfa32.exe (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\rvzxl.dll
    C:\WINDOWS\ntnb32.dll
    C:\WINDOWS\system32\addya.exe

    Let me know if you have any problems finding or deleting those files.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
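    An added example, not from this thread or from HijackThis itself: a small Python triage script that flags the kinds of HJT entries chaslang selected above (res:// search pages, an about:blank default page, a missing URLSearchHook, an unnamed BHO, Trusted Zone additions, and services whose file is missing). The sample entries are copied from the post, plus one constructed benign O4 line for contrast.

```python
import re

# Sample HijackThis entries: the first eight are copied from the post above, the last
# is a constructed benign Run entry added for contrast (not from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rvzxl.dll/sp.html#89328
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7FD1C6CE-B869-3B10-086D-CD732EE71233} - C:\WINDOWS\ntnb32.dll
O4 - HKLM\..\Run: [addya.exe] C:\WINDOWS\system32\addya.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\crfa32.exe (file missing)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

# Every HJT entry starts with a section code (R0, R1, R3, O2, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")

def classify(line):
    """Return why a single HJT entry matches the about:blank/HSA hijack pattern, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    typ, body = m.group("type"), m.group("body").lower()
    if typ in ("R0", "R1") and "res://" in body:
        # Start/search page served from an HTML resource embedded in a local DLL.
        return "IE start or search page points into a local DLL resource"
    if typ in ("R0", "R1") and body.endswith("= about:blank"):
        return "IE default page reset to about:blank"
    if typ == "R3" and "missing" in body:
        return "default URLSearchHook has been removed"
    if typ == "O2" and "(no name)" in body:
        return "browser helper object with no name"
    if typ == "O15":
        return "site or IP range added to the Trusted zone"
    if typ == "O23" and "(file missing)" in body:
        return "service registered for a file that no longer exists"
    return None

def triage(log_text):
    """Return [(entry, reason)] for every entry in the log that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

    The O4 Run entry for addya.exe that chaslang also removed is deliberately not caught by these string rules: a randomly named executable in the Windows directory needs a file lookup or a known-good list rather than a pattern match.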
     
  9. willstroll

    willstroll Private E-2

    Followed all instructions so far.

    In safe mode - unable to find:

    C:\WINDOWS\ntnb32.dll
    C:\WINDOWS\system32\addya.exe

    Have refrained from loading up the internet or from running Hijack this. I found and deleted: C:\WINDOWS\rvzxl.dll.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have each of these items set correctly?
    Click Start and select Explore
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    - Under the Hidden files and folders heading select Show hidden files and folders.
    - Uncheck the Hide extensions for known file types option.
    - Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.

    I need the HijackThis log!
     
  11. willstroll

    willstroll Private E-2

    Followed all instructions - still unable to find either of those two files:

    C:\WINDOWS\ntnb32.dll
    C:\WINDOWS\system32\addya.exe


    Logged onto the internet - so far no pop-up ads, and the homepage has not as yet deviated from what I have set it to.

    AVG intercepted a trojan horse downloader Agent.6.N when I opened up windows explorer to run HijackThis.

    AVG has not popped up with any messages so far whilst running internet explorer.

    The Hijackthis log is attached.

    Thanks for your help and Happy New Year!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have both McAfee and AVG installed. You must uninstall one. Running more than one antivirus application can cause problems. They can fight against each other and they will slow your system down.

    Other than that, your log looks clean.

    But if AVG is popping up with downloader Agent.6.N, there may still be files remaining on your system. Do a full system scan with AVG in safe mode.
     
  13. willstroll

    willstroll Private E-2

    Thank you for all your help. My computer now seems to be spyware free. A virus scan (I have removed one scanner) found Agent.6.N and zapped it.

    Once again thanks for helping me get my computer back on track!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

