
Help Needed....Desperately


This topic is locked
13 replies to this topic

#1 juliemango


Posted 20 February 2005 - 12:38 PM

I just tried posting this and ended up in the Twilight Zone, so if it's duplicated please accept my apology...it's my first time here. Anyway, I run an AMD Athlon XP 1.85 GHz with Win 2000 OS. Through info I've picked up on this site, I downloaded Spybot S&D and HijackThis; I've had AdAware for a number of years now, and I am running the latest update. Spybot returns an error message @ Z Demon...in German nonetheless. NAV tells me I have 19 threats when I run a system scan. This is my HijackThis logfile. I am not the most computer-literate person on the planet, so I'm hoping for a response with the simplest language possible. Much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:31:13 AM, on 20/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\winhlp32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {7A56E9ED-BB8C-A21D-3642-0CDF20D8140B} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: AeDebug - C:\WINNT\system32\anaamon.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Configuration Loading - Unknown owner - C:\WINNT\System32\svchos1.exe" -service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 pskelley


Posted 20 February 2005 - 06:20 PM

Hello juliemango, Welcome to BleepingComputer. If you are still looking for help I will see what I can do.

I want you to Scan with HijackThis and put a check in the box in front of each of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R3 - URLSearchHook: (no name) - {7A56E9ED-BB8C-A21D-3642-0CDF20D8140B} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O20 - Winlogon Notify: AeDebug - C:\WINNT\system32\anaamon.dll (file missing)
O23 - Service: Configuration Loading - Unknown owner - C:\WINNT\System32\svchos1.exe" -service (file missing)

Close all programs but HJT and all browser windows then click on "Fix Checked"

Then follow the directions in this link to enable hidden files for your Operating System:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT click on Start then click on Explore. Locate and delete this file if it is there:

C:\WINNT\System32\svchos1.exe >>> file (this is bad and may not be there, be very careful)

Be very careful: there is a good file nearby that looks like this: svchost.exe (this is good).

Clean like this: Start, Run, type "cleanmgr" without the quotes, then OK. Check and remove anything Windows locates. Empty the Recycle Bin and restart the computer. Use ADD REPLY to post a new log; include your comments, anything you think I should know.
Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 20 February 2005 - 06:24 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 juliemango


Posted 21 February 2005 - 08:11 PM

Thanks a mil' PS Kelley. Your instructions were so easy to follow...I was able to complete the tasks in less than 1/2 hr. I am at the point now where I've restarted the PC and am unsure about posting "a new log." Do you mean I should run HijackThis again and post another "logfile," or that what I'm doing now is called a "Log"? I haven't run any scans yet: SpyBot S&D, AdAware or NAV. Getting back to this location took more time than following your instructions, believe it or not. Anyway, just in case, I'll run those scans again and see what happens...I'm crossing my fingers. Thanks again.

Juliemango

#4 pskelley


Posted 21 February 2005 - 08:17 PM

Yes Juliemango, post a new log just like you did in the first place, I will look it over and see if we were successful at cleaning out the bad stuff. There may be more, if not I will tell you and give you some great information to keep you clean. Those instructions will include information about your scans, when and how to run them and give you links to a few additional free programs that will help you keep the malware junk off your computer.

Thanks...pskelley

#5 juliemango


Posted 21 February 2005 - 09:18 PM

Me again pskelley. I hope I'm following protocol here. I've run:

AdAware (0 threats;)

Spybot ("Error during check; Z=Demon [Ungültiger Datentyp für (invalid data type for) "])

NAV [(1) Filename: webdlg.32dll; path: C:\WINNT\Downloaded Program Files\CONFLICT.1\webdlg.32dll; (2) Filename: webdlg.32dll; path: C:\WINNT\Downloaded Program Files\webdlg.32dll.]

HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:44 PM, on 21/02/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

I really hope this is where I should be posting the logfile.

The great thing is NAV now returns 2 threats vs. 19 before your assistance. Thanks again. Have a great evening

Juliemango.

#6 pskelley


Posted 21 February 2005 - 10:18 PM

Hi Juliemango,

"Me again pskelley. I hope I'm following protocol here."

You are doing a great job. The problem is, when I look at the log I see nothing bad left, so I am wondering what Norton can see? It is not a problem that you ran the scans; I usually run Ad-aware and Spybot first if a log is real bad, then finish with HJT. I do not know what the Spybot item is, but I believe it is just an error; I would run it again after updating in a day or two to see if it is clean. Those Norton messages both point to a Downloaded Program File. Now you have three showing in your log. The first one is Windows Genuine Advantage Validation Tool; this looks like the new tool Windows is giving to make sure the copy of Windows is legal...lol.

The other two are both from Symantec, so let's remove them just in case; they will be put back if they are needed the next time you visit the site that put them there.

Scan with HJT and check these two lines:

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

Close all programs but HJT and all windows, then click "Fix Checked".

Then I want you to look in one other place. Open your Internet Explorer browser, then click on Tools, then Internet Options. Right in the middle, where you delete cookies and delete Files (Temporary Internet), is a button marked Settings. Click on it, then look for a button marked View Objects and click on it. These are your Downloaded Program Files. Look to see if anything looks strange. Make sure the Status is Installed for all that are there. If you have any doubt about any of them, post the name. If any are there that you know should NOT be there, highlight and delete them. When I search Google for this name: C:\WINNT\Downloaded Program Files\webdlg.32dll, Google says the name can't be identified, so if they are in there, they are bad.

This could also be a false positive coming from Norton, but I want to look at everything. It might not be a bad idea to run a free online scan as a double check; let me know what this scan produces in the way of information, if any.
http://www.pandasoftware.com/activescan/co...n_principal.htm

I would also like you to take a look to make sure this item is gone; you may have to enable hidden files. RIGHT click on Start, then click on Explore; in the C:\WINNT\system32\ folder, look to see if this item is there: anaamon.dll. If it is, delete it.


I am also interested in how the computer is running right now. Since the log is clean, while we look into these items, I am going to give you the all clean information so you can start looking it over. This is some great information from Tony Klein, Texruss, ChrisRLG and Grinler that will help you stay clean and safe online.
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Once you have finished the above instructions, please post a new logfile just like you did this one, I wish to take one more look and see what information is produced by the instructions. You are doing a great job.
Thanks...pskelley
BleepingComputer.com

Edited by pskelley, 21 February 2005 - 10:27 PM.

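The triage rules pskelley applies in posts #2 and #6 (fix entries whose file is gone, fix search and start-page keys that point at a site the user never chose, look hard at Winlogon Notify DLLs and at Downloaded Program Files, and do not confuse a look-alike such as svchos1.exe with the real svchost.exe) can be written down as a small script. The Python below is an added example; it is not code from the thread, from HijackThis or from any of the tools named in it. The sample log lines are copied from the logs posted in this thread; the list of "expected" hosts and the list of system binary names are assumptions chosen for the example.

```python
"""HijackThis (HJT) log triage: flag the kinds of entries the helper asked
to have fixed in this thread. Added example, not part of the thread or HJT.
"""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.msn.ca/
R3 - URLSearchHook: (no name) - {7A56E9ED-BB8C-A21D-3642-0CDF20D8140B} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O20 - Winlogon Notify: AeDebug - C:\WINNT\system32\anaamon.dll (file missing)
O23 - Service: Configuration Loading - Unknown owner - C:\WINNT\System32\svchos1.exe" -service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumptions for this example: the hosts the user actually chose for the
# home/search pages, and core Windows binaries that malware imitates by name.
EXPECTED_HOSTS = {"www.sympatico.msn.ca"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}

# A drive-letter path ending in a loadable module (stops before a stray quote).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> str:
    """Return the system binary that `name` imitates (one character off), else ''."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return ""
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(name, real) == 1:
            return real
    return ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries worth fixing or inspecting."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]          # "R1", "O2", "O16", "O20", "O23", ...
        # Registry entry survives but its file is gone: safe to fix, and a
        # sign that a scanner already removed the payload.
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append(("orphan", line))
        host_match = HOST_RE.search(line)
        host = host_match.group(1).lower() if host_match else ""
        # Search/start-page keys pointing somewhere the user did not choose.
        if kind in ("R0", "R1") and host and host not in EXPECTED_HOSTS:
            findings.append(("search-hijack:" + host, line))
        # Downloaded Program Files (ActiveX): report the host so it can be judged.
        if kind == "O16":
            findings.append(("dpf:" + host, line))
        # Winlogon Notify DLLs load into winlogon.exe at every logon.
        if kind == "O20":
            findings.append(("winlogon-notify", line))
        # Look-alike binary names, e.g. svchos1.exe posing as svchost.exe.
        path_match = PATH_RE.search(line)
        if path_match:
            real = lookalike(path_match.group(0).rsplit("\\", 1)[-1])
            if real:
                findings.append(("lookalike-of:" + real, line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason:32} {entry}")
```

The script only reads the log; the "Fix Checked" step and any file deletion still happen by hand, which matches the thread's advice to be careful near svchost.exe. The edit-distance check is deliberately strict (exactly one character off) so that legitimate third-party names are not reported.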

#7 juliemango


Posted 22 February 2005 - 08:55 PM

Thank you so much, PSKelley. I really appreciate your encouragement. Ever thought of being an "e-motivator"? Well...let's see.

1. I did the HJT scan and "fixed" the two lines you recommended.

2. There were 2 objects in IE>Tools>Options>Settings>View Objects, the Windows Validation Tool you mentioned and something called YInst...a Yahoo install tool. I removed both.

3. I did the Active scan, and here are the results: Unfortunately, I could not copy/paste:

Incident | Status | Location
Adware:Adware/MediaTickets | No Disinfected | Windows Registry
Adware:Adware/SBSoft | No Disinfected | C:\WINNT\Downloaded Program Files\webdlg32.dll
Adware:Adware/SuperSpider | No Disinfected | Windows Registry
Spyware:Spyware/YourSiteBar | No Disinfected | C:\WINNT\Downloaded Program Files\YSBactivex.???
Spyware:Spyware/RealSpy | No Disinfected | Windows Registry
Virus:Trj/Startpage.QP | Disinfected | Operating System
Adware:Adware/IEMenuExtension | No Disinfected | Windows Registry
Adware:Adware/WUpd | No Disinfected | C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\CF8FYZON\Goo%20Goo%20Dolls%20lyrics[2].htm
Virus:Trj/Downloader.ALW | Disinfected | C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\X1CXD11E\a570a171[1].js
Virus:Trj/Downloader.ADD | Disinfected | C:\Program Files\Windows Media Player\wmplayer.exe
Adware:Adware/SBSoft | No Disinfected | C:\WINNT\Downloaded Program Files\CONFLICT.1\webdlg32.dll
Adware:Adware/SBSoft | No Disinfected | C:\WINNT\Downloaded Program Files\CONFLICT.1\webdlg32.inf
Adware:Adware/SBSoft | No Disinfected | C:\WINNT\Downloaded Program Files\webdlg32.dll
Adware:Adware/SBSoft | No Disinfected | C:\WINNT\Downloaded Program Files\webdlg32.inf
Spyware:Spyware/YourSiteBar | No Disinfected | C:\WINNT\Downloaded Program Files\YSBactiveX.inf
Virus:Trj/Startpage.PC | Disinfected | C:\WINNT\system32\acextadsn.dll
Adware:Adware/WUpd | No Disinfected | C:\WINNT\Temp\A6RJLF9E.htm
Adware:Adware/WUpd | No Disinfected | C:\WINNT\Temp\XALIT4K1.htm

I coloured the lines that wrapped "Red" because I thought it may be easier to distinguish. I hope that's okay.

4. The "anaamon.dll" file was discovered and deleted from the C:\WINNT\system32\ folder.

5. There's no real problem with my PC at this time, but the only difference is that I get an NAV error message saying something about NAV doesn't support uninstall...or something like that...should've written it down. I saw it before all this mess and my buddy just suggested I uninstall and re-install it. PN it was a copy.

Well, now that I've burnt out the corneas of my eyes, I'll bid you adieu. I'll check the links to the "all clean information" tomorrow. I will understand if going through my "novel" takes a little time.

Thanks again pskelley. I will certainly alert my friends to this site; it is simply awesome. Well, have a great evening. Ciao.

Juliemango

#8 pskelley


Posted 23 February 2005 - 09:01 AM

OK Juliemango, I am glad your computer is performing better. I will push on with a few other suggestions, if you will. First, it looks like most of the red could be stuff removed and stored in quarantine and being seen by another scanner. Please take a look at each removal program you have, all of them: Ad-aware, Norton, Spybot and anything else I did not mention. If this stuff has been removed and quarantined for a while, you can get it off the computer. Find the quarantine area in each program (ask if not sure; I can't help with Norton, but Symantec Support will help if you can't locate it) and empty all that is stored in them.
Next, make sure all Temporary Internet Files are deleted: IE > Tools > Internet Options > General tab > Delete Cookies and Delete Files. Make sure the box is checked to "Delete All Offline Content". Clean like this: Start, Run, type "cleanmgr" without the quotes, then OK. Check and remove anything Windows locates. Now delete all Temp files; it is very important that you delete only the contents, not the folders. Look for these folders:

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Here is a little tut that may help: http://personal-computer-tutor.com/deletingtempfiles.htm

Now look at this information so you will understand the Prefetch folder, keep in mind the first time you start after cleaning out this folder it will be slow as windows repopulates the folder with the files needed to boot quickly, you will see this information in the links:
http://www.pcmag.com/article2/0,1759,1683520,00.asp
http://techrepublic.com.com/5100-6270-5165773.html

Now you should be good and clean. I am going to also give you a link to a free tool which will scan your system (took two hours on mine, but I am clean) and produce a log we can look at which will show anything on the computer that is bad. It will not remove these bad items if they are there, as this is a pay-for-removal product, but it will show them to us and we can remove anything that should go at that point. It is your option if you wish to run this tool. I will not close this thread for a week in the event you wish to post that log or give me any feedback or ask any questions.
http://www.mwti.net/antivirus/mwav.asp The instructions are these:
Download mwavscan. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply (only the lower pane, which will be a short log; the complete log is very, very long and I do not need to see it).

Thanks...pskelley
BleepingComputer.com
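The judgement pskelley makes in post #8 (a hit reported inside another product's quarantine folder or inside the browser cache is leftover debris rather than a live infection, and a "not-a-virus" tag on a standalone tool is a risk call, not malware) can be automated for a second-opinion scanner's output. The Python below is an added example, not code from the thread or from any of the scanners it mentions; the sample lines are copied from the MWAV output posted later in this thread, and the path fragments used to recognise quarantine and cache locations are assumptions for the example.

```python
"""Sort a second-opinion scanner's hits by where each file sits. Added
example, not code from the thread or from any of the scanners it mentions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the MWAV output posted in this thread.
SAMPLE_SCAN = r"""
File C:\WINNT\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\8H2ZC527\a578a97a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\11887BB4.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\522F5499.htm infected by "Exploit.HTML.IframeBof" Virus. Action Taken: No Action Taken.
"""

# Two line shapes appear in the MWAV output: 'infected by "<name>" Virus.'
# and 'tagged as <tag>.' (the tag's own trailing dot is left out of the group).
LINE_RE = re.compile(
    r'^File (?P<path>.+?) (?:infected by "(?P<name>[^"]+)" Virus|tagged as (?P<tag>\S+))\.'
)

# Assumed path fragments (lower-case): another product's quarantine store,
# and browser/temp caches whose contents are inert until opened again.
QUARANTINE_MARKERS = ("\\quarantine\\",)
CACHE_MARKERS = ("\\temporary internet files\\", "\\temp\\")


def classify(path: str) -> str:
    """Return 'quarantined', 'cache' or 'live' for a reported file path."""
    lowered = path.lower()
    if any(marker in lowered for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if any(marker in lowered for marker in CACHE_MARKERS):
        return "cache"
    return "live"


def bucket(scan_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (path, detection name) pairs so only 'live' hits need action."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "live": [], "cache": [], "quarantined": [], "riskware": []}
    for raw in scan_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        detection = match.group("name") or match.group("tag")
        category = classify(match.group("path"))
        # A 'not-a-virus' tag on a file outside quarantine/cache is a tool the
        # user may have installed on purpose (KILLAPPS.EXE here), so it is
        # listed separately instead of being treated as an infection.
        if category == "live" and detection.startswith("not-a-virus:"):
            category = "riskware"
        buckets[category].append((match.group("path"), detection))
    return buckets


def summary(buckets: Dict[str, List[Tuple[str, str]]]) -> Dict[str, int]:
    """Counts per bucket, handy for a quick reply in a thread like this one."""
    return {name: len(items) for name, items in buckets.items()}


if __name__ == "__main__":
    grouped = bucket(SAMPLE_SCAN)
    print(summary(grouped))
    for path, detection in grouped["live"]:
        print("ACTION NEEDED:", detection, path)
```

Only the "live" bucket calls for removal; the quarantined and cache buckets are cleared by emptying each product's quarantine and the Temporary Internet Files folder, which is exactly what the post above asks for.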

#9 juliemango


Posted 01 March 2005 - 04:41 AM

Hi pskelley,

I've been away tending to some family health problems, and when I returned to the post over the weekend there was a "system error" with the forum requiring "administrator" intervention(?). Anyway, I gotta thank you again for all your assistance. After the previous round of instructions, I did a couple of NAV scans and finally, on the second, I had the option to delete the "iwantadsearch" threats, so I did. Now, when I run the scan every day or two, there are "0" threats. Eureka! Anyway, I've followed the instructions on this latest post, and here is the result of the MWAV scan:

File C:\WINNT\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File C:\audio\soundforge\UEX_FORG.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\8H2ZC527\a578a97a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\LNR7D54E\a578ad77[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\RU43FXSH\7c787295af6f0253c946e04fc7bee43e_v2[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\WP6V09QN\a578ad74[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\11887BB4.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\118B25B0.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\140E10A9.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\14113AA6.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\141564A2.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1A984FEA.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4D8037C1.dll infected by "Trojan-Downloader.Win32.Small.rn" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\522F5499.htm infected by "Exploit.HTML.IframeBof" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\539C3306.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53A306FF.cla infected by "Trojan.Java.ClassLoader.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53A306FF.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53A630FC.cla infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53DA50C2.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\56826DD7.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\569813BD.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\56BC6196.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6888788F.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\703B0840.dll infected by "Trojan-Downloader.Win32.Small.rn" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\719C3EBC.dll infected by "Trojan-Downloader.Win32.Small.rn" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\793172EC.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\PCRescueSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINNT\system32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.

The report stated there were 28 viruses found and 90 "errors."

So I guess there's more "cleaning" to do, eh? :trumpet: Anyway, thanks again pskelley. Now I've got to go shovel some snow :thumbsup: ! Have a terrific day.

Juliemango.

#10 juliemango

juliemango
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 01 March 2005 - 05:01 AM

Hi again, pskelley. I forgot to clarify in my February 22, 2205 post that I highlighted the "red items" because the text in those lines wrapped around, and I wanted to make sure you knew each represented one line....forgetting you're the expert :thumbsup: Sorry for the confusion. Now....to that snow. Have a good one.

Juliemango

#11 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:36 PM

Posted 01 March 2005 - 05:39 AM

I have no idea when you ran this MWAV scan. Please return to the information in my last post. Most of this stuff is in the NORTON quarantine. If I am reading it correctly something may have infected your Temporary Internet Files. You should follow the instructions above and clear ALL TIF and Temp files. You should also be well on your way through the information I gave you from the experts on how to stay clean. I can IF you will post it. pskelley

Edited by pskelley, 01 March 2005 - 05:39 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
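As an added example (not code from the thread or from either poster), here is a small Python triage of the MWAV report format quoted above, bucketing each hit by location the way the reply reads it: entries under the NAV quarantine are already isolated, hits under Temporary Internet Files go away with the TIF/Temp cleanup, and "not-a-virus:" tags are tools to verify rather than infections. The bucket names and the `triage`/`classify` helpers are my own; the sample lines are a subset of the report quoted above.

```python
import re

# Line shapes in the MWAV report quoted earlier in the thread:
#   File <path> infected by "<name>" Virus. Action Taken: No Action Taken.
#   File <path> tagged as <name>. No Action Taken.
INFECTED_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\.')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>.+?)\. No Action Taken\.')

def parse_line(line):
    """Return (path, detection_name) for a detection line, else None."""
    m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
    return (m.group("path"), m.group("name")) if m else None

def classify(path, name):
    """Bucket a hit by where it sits; the location decides the follow-up."""
    p = path.lower()
    if "\\norton antivirus\\quarantine\\" in p:
        return "nav_quarantine"   # already isolated by NAV; empty the quarantine
    if "\\temporary internet files\\" in p:
        return "tif"              # browser cache; cleared with the TIF/Temp cleanup
    if name.startswith("not-a-virus:"):
        return "riskware"         # legitimate-but-abusable tool; confirm you installed it
    return "live"                 # on disk outside any quarantine: needs attention

def triage(report_text):
    """Count hits per bucket and list every hit that is not already quarantined."""
    counts = {"nav_quarantine": 0, "tif": 0, "riskware": 0, "live": 0}
    needs_attention = []
    for line in report_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue                      # summary lines, blank lines, etc.
        bucket = classify(*hit)
        counts[bucket] += 1
        if bucket != "nav_quarantine":
            needs_attention.append((bucket, hit[0], hit[1]))
    return counts, needs_attention

# Sample input: a subset of the report lines quoted in the thread.
SAMPLE = """\
File C:\\WINNT\\system32\\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File C:\\Documents and Settings\\Default User.WINNT\\Local Settings\\Temporary Internet Files\\Content.IE5\\8H2ZC527\\a578a97a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\\Program Files\\Norton AntiVirus\\Quarantine\\118B25B0.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\\Program Files\\Norton AntiVirus\\Quarantine\\522F5499.htm infected by "Exploit.HTML.IframeBof" Virus. Action Taken: No Action Taken.
File C:\\Program Files\\PCRescueSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
"""
```

Calling `triage(SAMPLE)` returns the per-bucket counts plus the three hits outside the NAV quarantine (one TIF cache file and two riskware tags), which is the short list actually worth acting on.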

#12 juliemango

juliemango
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:09:36 PM

Posted 02 March 2005 - 02:00 PM

Thanks for the swift response pskelley. First, in my initial post, I did state that I run Windows 2000. Everything on the "Prefetch" folder information you provided talks about XP. I tried locating this folder in Win 2k but can't find it. Second, the log I displayed in my last post was from the scan I ran on the same day...so March 1st, 2005. Third, to get to the quarantined items in NAV, I just select "Reports" from the interface, then "View Quarantined Items," then "Delete All." At this time, there are "0 items" there, as well as AdAware & SpyBot. I just started doing another MWAV scan and I stopped because after a while, I saw the same 1st, then 2nd items listed in my last log. Not sure if this is because the "Prefetch" folder hasn't been emptied (?) Anyway, thanks again.

Juliemango

#13 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:36 PM

Posted 16 March 2005 - 10:17 PM

Closing this post...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#14 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:36 PM

Posted 16 March 2005 - 10:18 PM

Closing this post...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
