I just ran a HijackThis log file, but it is too long to post. Here's as much as I could get posted.
Logfile of HijackThis v1.99.1
Scan saved at 6:39:20 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I'm not sure, but this seems to be a WebShield warning… you should have been receiving a virus message (window) as well…
You're using FlashGet. Avast detects some files of it as "Win32:Adan-078[Adw]" infected indeed… FlashGet is adware (and a lot of scanners consider the paid version as adware too).
You do NOT seem to have any antiSPYWARE program(s) on your computer and it appears you have a spyware problem; I recommend you ask the Experts on the forums at www.landzdown.com.
P.S. In addition to the "suspect" Flashget, unless you use AOL as your ISP, "Viewpoint Manager" should be removed.
If this is happening and you are not actually browsing that website, you may well have a trojan on your system that is trying to make these connections to download more malware.
If you do a forum search for 'users/fill/web' without the quotes, you will find other posts like this, as I remember something like this recently.
Logfile of HijackThis v1.99.1
Scan saved at 8:37:26 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Also try to run Security Task Manager (http://www.snapfiles.com/get/securitytask.html). Security Task Manager shows a Spyware Rating for the running processes. It is not because a file has a high spyware rating that it is a virus. Most of the processes with a high spyware rating are not viruses. You should look for files that have a high spyware rating in Security Task Manager and that are also started in the hyjack.log. Also do a search on google.com. If you don't find anything about a file with a high spyware rating on google.com, then it should be a virus.
In Security Task Manager look for the following processes:
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\WINDOWS\system32\blrsa.exe
C:\WINDOWS\system32\tkxgz.exe
To remove them you should right-click with the mouse button. Choose the menu option "remove…". Choose the menu option "move to quarantine". And maybe you will need to reboot your PC in safe mode (press F8 during reboot).
You could also look at the properties of the files:
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\WINDOWS\system32\blrsa.exe
C:\WINDOWS\system32\tkxgz.exe
If you find any keyboard shortcuts in the properties of these files, then disable the shortcuts, because any time you use these shortcuts the virus will be started again.
It could be that after you kill the process and remove the lines from hyjack.log, the virus process is started again and the virus adds the virus lines to hyjack.log again. So when you think you have got rid of the virus, you should scan again with HijackThis and do a refresh with Security Task Manager to see if the processes are really deleted.
You should also check if the following files/folders are correctly removed (don't forget to enable "show system/hidden files" in your file explorer):
C:\Program Files\TM Net
C:\WINDOWS\system32\blrsa.exe
C:\WINDOWS\system32\tkxgz.exe
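The cross-check described in this post (an autostart entry in the HijackThis log that also carries a high rating in Security Task Manager, and that you do not recognise) can be scripted. This is an added example, not code from the thread or from either tool; the log lines, the high-rating list and the allow-list are constructed, and the O4/O23 line shapes follow the HijackThis 1.99 format:

```python
import ntpath
import re

# Constructed sample HijackThis-style log lines (O4 = Run keys, O23 = services).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [fts] C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
O4 - HKCU\..\Run: [blrsa] C:\WINDOWS\system32\blrsa.exe
O4 - HKCU\..\Run: [tkxgz] C:\WINDOWS\system32\tkxgz.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed: paths a process tool such as Security Task Manager rated highly.
HIGH_RATING = {
    r"C:\WINDOWS\system32\blrsa.exe",
    r"C:\WINDOWS\system32\tkxgz.exe",
    r"C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe",
    r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",  # high rating, but legitimate
}

# Constructed: executables the user recognises (a high rating alone is not proof).
KNOWN_GOOD = {"ashdisp.exe", "ashserv.exe"}

EXE_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)
AUTOSTART_SECTIONS = ("O4 - ", "O23 - ")

def autostart_paths(log):
    """Return the executable paths named in O4 and O23 entries, in log order."""
    paths = []
    for line in log.splitlines():
        if line.startswith(AUTOSTART_SECTIONS):
            m = EXE_RE.search(line)
            if m:
                paths.append(m.group(0))
    return paths

def triage(log, high_rating, known_good):
    """Flag autostart entries that are highly rated or sit unrecognised in system32."""
    rated = {p.lower() for p in high_rating}
    findings = []
    for path in autostart_paths(log):
        if ntpath.basename(path).lower() in known_good:
            continue  # recognised by the user: skip even if highly rated
        reasons = []
        if path.lower() in rated:
            reasons.append("high spyware rating and started from the HJT log")
        if ntpath.dirname(path).lower().endswith(r"\windows\system32"):
            reasons.append("unrecognised executable in system32")
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, HIGH_RATING, KNOWN_GOOD):
        print(path, "->", "; ".join(reasons))
```

Entries that survive the triage are the ones to look up by file name before killing the process and fixing the log line.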
@ridzal
The common factor for most of this malware is in the system folders, and you (read: the malware) need permissions/admin rights to do this.
Whilst browsing or collecting email, etc., if you get infected, then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
The IP address in the 017 entries could be your ISP (see quote below) or related to it, so you would need to confirm this. If you fix these entries and can't get internet access, that is likely to be the reason, so you would need to restore them in HJT.
You don't appear to have an active firewall?
For an on-line analysis of your log, see http://hijackthis.de/logfiles/8747e12149db5c079b0f9a97d7d43dcc.html (ignore any 023 reference to avast processes; this is a hiccup in HJT 1.99.1, especially the missing file entry for avast). If you need any help with any of the analysis, let us know. The ones mentioned by 'ericzutter' are there, as are a number of other Possibly Nasty and Unknown entries, which, if you don't recognise them (e.g. you installed them), you should check out: google the file name, etc.
If you haven’t already got this software (freeware), download, install, update and run it.
Another interesting tool is Sandboxie (http://www.sandboxie.com/). You could compare it to the tool DropMyRights, with the difference that DropMyRights strips apps of certain rights, while running apps with Sandboxie denies malware the chance to see the real registry and file system.
For example, you run your web browser with Sandboxie. You download a virus, install it on your computer, the virus changes your registry and infects your system files. You close your web browser and you have a clean system. Why? Because Sandboxie has done all these modifications to a fake registry and a fake file system. The fake registry and fake file system are removed after closing your web browser, leaving you with a clean system.
Not wanting to take this topic off topic, perhaps create a new topic in the General forum on Sandboxie.
What are the overheads of using Sandboxie (resources, etc.)?
I certainly like the sound of it and will have a look at the web site. However, my concern is that, being a dial-up user, I start my browser of choice at the start of the day and leave it on all day. When closing the browser from Sandboxie, do you also lose the browser cache, favourites, etc.? I would assume so?
If that were to be the case that would slow subsequent loading of pages that would otherwise be in the cache.