
Malware Removal : Please Help!



#1 TTC


Posted 30 March 2008 - 05:30 PM

A supposed "Norton Security Scan" has been installed into my family's computer. Thing is, we never intentionally installed this program. (It also did not come with the computer; our family computer has always been Norton-free since we really dislike Norton products.) When it runs, this window pops up:

Posted Image

The Windows Task Manager associates this process with a file named Nss.exe

[edit] : I located the folder that contains this executable. It had these files in it:

cc70U.dll
ccScanw.dll
ccVrTrst.dll
dec_abi.dll
DefUtDCD.dll
ecmldr32.dll
help.htm
Microsoft.VC80.CRT.manifest
msl.dll
msvp80.dll
msvcr80.dll
Nss.exe
patch25d.dll
SAUpdt.dll
ScanCore.dll
ScanRes.dll
SKURes.dll


This is the only trace of this supposed 'Norton' I have on my computer.

Is this a fake Norton scanner? Can you help me figure out what this is and remove it? Thank you.

---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:38 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32hkcmd.exe
C:Program FilesAnalog DevicesSoundMAXDrvLsnr.exe
C:Program FilesRealRealPlayerRealPlay.exe
C:Program FilesQuickTimeqttask.exe
C:WINDOWSSystem32spooldriversw32x863hpztsb04.exe
C:Program FilesCommon FilesAOL1134931059eeservicessafetyCorever210_5_2_1AOLSP Scheduler.exe
C:Program Filesmcafee.comantivirusoasclnt.exe
C:Program Filesmcafee.comantivirusmcvsescn.exe
C:Program Filesmcafee.compersonal firewallMPfTray.exe
C:Program FilesJavajre1.6.0_03binjusched.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:Program FilesWasherwasher.exe
C:Program FilesCommon FilesAOL1134931059eeSSCEvtHdlr.exe
C:Program FilesMSN MessengerMsnMsgr.Exe
C:Program FilesCommon FilesAOLLoaderaolload.exe
C:Program FilesCommon FilesAOLLoaderaolload.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesCommon FilesAOL1134931059EEaolsoftware.exe
C:Program FilesLavasoftAd-Aware 2007aawservice.exe
C:Program FilesCommon FilesAOLACSAOLAcsd.exe
C:Program FilesCommon FilesAOLTopSpeed2.0aoltsmon.exe
C:Program FilesCommon FilesAOL1134931059eeservicessafetyCorever210_5_2_1aolavupd.exe
C:Program FilesCAPPRTbinITMRTSVC.exe
C:PROGRA~1mcafee.comANTIVI~1mcshield.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:Program Filesmcafee.compersonal firewallMPFService.exe
C:Program FilesDantzRetrospectretrorun.exe
C:Program FilesAnalog DevicesSoundMAXSMAgent.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32wscntfy.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesWiFiConnectorNintendoWFCReg.exe
C:Program FilesCommon FilesAOL1134931059EEaolsoftware.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesNorton Security ScanNss.exe
C:WINDOWSsystem32mspaint.exe
C:WINDOWSsystem32taskmgr.exe
C:WINDOWSsystem32notepad.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.optonline.net/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpn0yt.dll
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier2.0.301.7164swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpn0yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: FLYLADY BenefitBar - {E19E589B-749F-4641-9ED3-032DEB7A8D92} - C:Program FilesBenefitBarIEbenefitbar.dll
O4 - HKLM..Run: [IgfxTray] C:WINDOWSSystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSSystem32hkcmd.exe
O4 - HKLM..Run: [DrvLsnr] C:Program FilesAnalog DevicesSoundMAXDrvLsnr.exe
O4 - HKLM..Run: [HostManager] C:Program FilesCommon FilesAOL1134931059eeAOLSoftware.exe
O4 - HKLM..Run: [AOLDialer] C:Program FilesCommon FilesAOLACSAOLDial.exe
O4 - HKLM..Run: [RealTray] C:Program FilesRealRealPlayerRealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [Pure Networks Port Magic] "C:PROGRA~1PURENE~1PORTMA~1PortAOL.exe" -Run
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSSystem32spooldriversw32x863hpztsb04.exe
O4 - HKLM..Run: [AOLSPScheduler] C:Program FilesCommon FilesAOL1134931059eeservicessafetyCorever210_5_2_1AOLSP Scheduler.exe
O4 - HKLM..Run: [sscRun] C:Program FilesCommon FilesAOL1134931059eeSSCRun.exe
O4 - HKLM..Run: [OASClnt] C:Program Filesmcafee.comantivirusoasclnt.exe
O4 - HKLM..Run: [EmailScan] C:Program Filesmcafee.comantivirusmcvsescn.exe
O4 - HKLM..Run: [MPFExe] C:Program Filesmcafee.compersonal firewallMPfTray.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_03binjusched.exe"
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..RunServicesOnce: [washindex] C:Program FilesWasherwashidx.exe
O4 - HKCU..Run: [Washer] C:Program FilesWasherwasher.exe /0
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesMSN MessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [SUPERAntiSpyware] C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKUSS-1-5-18..RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:Program FilesWiFiConnectorNintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:Program FilesAOL Toolbartoolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSSystem32Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.gaiaonline.com/plugins/IDMFlash.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:Program FilesCommon FilesAOLACSAOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:Program FilesCommon FilesAOLTopSpeed2.0aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:Program FilesCommon FilesAOL1134931059eeservicessafetyCorever210_5_2_1aolavupd.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:WINDOWSSystem32ccsrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:WINDOWSsystem32spooldriversw32x863HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:WINDOWSsystem32spooldriversw32x863HPBOID.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:Program FilesCAPPRTbinITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:PROGRA~1mcafee.comANTIVI~1mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:Program Filesmcafee.compersonal firewallMPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:Program FilesDantzRetrospectretrorun.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:Program FilesAnalog DevicesSoundMAXSMAgent.exe

--
End of file - 10261 bytes

This icon recently appeared on my desktop. It appears to be related to the file in question.

Posted Image

- TTC

Edited by Orange Blossom, 30 March 2008 - 10:56 PM.
Merged posts




#2 __RiP_ChAiN_


Posted 10 April 2008 - 08:23 PM

Apologies for the delay in replying, but the forums have been overwhelmed with HijackThis logs lately. If you still need help, please post back with a new HijackThis log, along with an update of the problems you are currently experiencing.

#3 __RiP_ChAiN_


Posted 22 April 2008 - 07:31 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.