
Infected With Virusblast


3 replies to this topic

#1 scarletcantos (Members, 2 posts)

Posted 28 July 2006 - 10:01 AM

Hi there guys!

Turned on my trusty PC this morning to a "warning" from Norton/Symantec saying that my system was infected with VirusBlast.
Have run full scans with Norton, Ad-Aware, Spybot and ewido, as well as downloading the suggested McAfee Stinger and HijackThis, but all have found nothing. (Yet STILL it pops up annoyingly every so often!)

My system was built with the main hard drive being the I drive (for reasons best known to the builder, who thought this would help avoid viruses etc!), so I have trawled through the I drive looking for anything suspicious, but have drawn a blank. I know it's got to be embedded somewhere, but WHERE...

See below for the HijackThis log; any help would save me tearing my hair out! :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:36, on 28/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
I:\WINDOWS\system32\drivers\CDAC11BA.EXE
I:\WINDOWS\system32\CTsvcCDA.EXE
I:\Program Files\ewido anti-malware\ewidoctrl.exe
I:\Program Files\Ahead\InCD\InCDsrv.exe
I:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Ahead\InCD\InCD.exe
I:\Program Files\Creative\Shared Files\CAMTRAY.EXE
I:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE
I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Ad-Protect\ad-protect.exe
I:\Program Files\Windows Defender\MSASCui.exe
I:\Program Files\Ad-Protect\ad-protect.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\SOUNDMAN.EXE
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\MSN Messenger\MsnMsgr.Exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
I:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
I:\Program Files\Logitech\SetPoint\KEM.exe
I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
I:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Documents and Settings\Kate\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - I:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - I:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - I:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - I:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] I:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] I:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] I:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Ulead Memory Card Detector] I:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [EPSON Stylus C48 Series] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I091.EXE /P23 "EPSON Stylus C48 Series" /O6 "USB001" /M "Stylus C48"
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ErrorDoctor] I:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Protect] I:\Program Files\Ad-Protect\ad-protect.exe /s
O4 - HKLM\..\Run: [Windows Defender] "I:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [avicap] I:\WINDOWS\system32\avicap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DSLMON.lnk = I:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = I:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://i:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN
O8 - Extra context menu item: &Translate English Word - res://i:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://i:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://i:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - I:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://i:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://i:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - I:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: I:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://scarletcantos.spaces.msn.com//Photo...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.jessopsphotoexpress.com/wpp/jes...opcuploader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{A77E38DC-45FC-419A-AAE7-698501E84C41}: NameServer = 80.225.250.186 80.225.250.178
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - I:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - I:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - I:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - I:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - I:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - I:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - I:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - I:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - I:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - I:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Scarletcantos


#2 -David- (Members, 10,603 posts, London)

Posted 31 July 2006 - 04:47 PM

Hey there and welcome to Bleeping Computer.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Turned on my trusty PC this morning to a "warning" from Norton/Symantec saying that my system was infected with VirusBlast.

Are you able to tell me the exact location of this file?

1) Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

2) Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", copy and paste the following into the field:

I:\WINDOWS\system32\avicap.exe

Then click the Send File button below.
Please let me know when you have submitted the file.

3) I want you to remove Ad-Protect from your computer.
It's a rogue program and has a very murky background.
You can read more about it here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if it exists by double-clicking on the entry:

Ad-Protect

So reboot your computer and post back with the silent runners log, and a new Hijackthis log.
David
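The triage David does by hand above (an O2/O3 CLSID registered with no backing file, a per-user Run value launching avicap.exe out of system32 under the name of a Windows DLL, a Run value for a product on a rogue list) is mechanical enough to script. The following is an added example and is not code from the thread or from HijackThis: a small Python pass over O2/O3/O4 lines that reports why each flagged entry deserves a look. The sample lines are constructed in the shape of the posted log, and the rogue-name table, the Windows DLL name table and the ctfmon allowlist are assumptions for illustration, to be replaced with vetted lists in real use.

```python
"""Triage of HijackThis O2/O3/O4 lines: added example, not part of the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the log above (backslashes doubled for Python).
SAMPLE_LOG = """\
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - I:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "I:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Ad-Protect] I:\\Program Files\\Ad-Protect\\ad-protect.exe /s
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [CTFMON.EXE] I:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [LDM] \\Program\\BackWeb-8876480.exe
O4 - HKCU\\..\\Run: [avicap] I:\\WINDOWS\\system32\\avicap.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOFILE_RE = re.compile(r"^O[23] - .*?(?P<clsid>\{[0-9A-Fa-f-]+\}) - \(no file\)$")
# First program in a command line: optionally quoted, ends at the extension.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd))(?=$|\s|"|,)', re.IGNORECASE)
ABS_RE = re.compile(r"^[A-Za-z]:\\")

# Heuristic tables, constructed for this example (assumptions, not vetted lists).
ROGUE_NAMES = {"ad-protect"}          # named as rogue in the reply above
WINDOWS_DLL_STEMS = {"avicap", "avicap32", "wsock32", "winsock"}  # real DLL names; an .exe by that name is a lure
HKCU_SYSTEM32_OK = {"ctfmon.exe"}     # the per-user system32 autorun Windows creates itself


@dataclass
class Finding:
    key: str                 # O4 value name, or the O2/O3 CLSID
    target: str              # launched executable, or "(no file)"
    reasons: List[str] = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the program a Run value launches, ignoring quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O2/O3/O4 line, else None."""
    line = line.rstrip()
    m = NOFILE_RE.match(line)
    if m:
        return Finding(m.group("clsid"), "(no file)",
                       ["registered CLSID with no backing file: leftover of a removed add-on"])
    m = O4_RE.match(line)
    if not m:
        return None
    exe = first_executable(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()   # file name without directory
    stem = base.rsplit(".", 1)[0]            # file name without extension
    f = Finding(m.group("name"), exe)
    if not ABS_RE.match(exe):
        f.reasons.append("not an absolute path: resolved via the search path, easy to hijack")
    if base.endswith(".exe") and stem in WINDOWS_DLL_STEMS:
        f.reasons.append("executable named after a Windows DLL (%s.dll)" % stem)
    if m.group("hive") == "HKCU" and "\\system32\\" in exe.lower() and base not in HKCU_SYSTEM32_OK:
        f.reasons.append("per-user Run value pointing into system32: unusual for legitimate software")
    if stem in ROGUE_NAMES or m.group("name").lower() in ROGUE_NAMES:
        f.reasons.append("known rogue security product")
    return f if f.reasons else None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged key to its reasons; lines with nothing to report are omitted."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            out[f.key] = f.reasons
    return out


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Run against the sample, it reports the two orphaned CLSIDs, Ad-Protect, avicap (on two counts) and the two entries launched without an absolute path, while the Symantec and ctfmon entries pass. The heuristics only rank what to look at; the verdict on avicap.exe still comes from submitting the file, as the reply asks.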

#3 scarletcantos (Topic Starter, Members, 2 posts)

Posted 09 August 2006 - 01:08 PM

Thanks a lot David!

Removed Ad-Protect and it all magically disappeared. (That's the last time I leave my hubby alone with my PC for an evening; he knows less than I do!)

Will let you know if I get any repeat problems.

Thanks again

Kate (Scarletcantos)

#4 -David- (Members, 10,603 posts, London)

Posted 09 August 2006 - 05:03 PM

Hey Kate,
Although that may have removed Ad-Protect, I still fear there is more malware on the system.
I would recommend you complete the instructions.
You're welcome for the help thus far though :thumbsup:
David
