Unsolved

2 Intern

 • 

1.2K Posts

2664

February 9th, 2005 12:00

Need help with pop ups, malware, etc.

I need some help in getting rid of excessive pop ups, malware, etc.
 
I just had a new hard drive put in my computer. The old one went after just 4 months. After the new hard drive was installed, I installed Windows. Then before I went on the internet I made sure that the Windows Firewall was on and that my Norton AntiVirus was up to date. After that I started getting all these pop ups. It didn't matter what webpage I was on. I downloaded Spybot and Adaware and ran those. They found numerous problems. I deleted what these programs found. But, I am still getting these pop ups. Spybot found Malware on my system. I keep running these two programs. I even downloaded Spyblaster. This morning when I came to this forum I got another popup. Could it have come from the new drive that was put in my computer? It wasn't a brand new drive, it was a "refurbished" one. When I installed Windows I didn't do a full reformat. I just ran the Quick format. Should I reinstall Windows again and reformat the hard drive? If this would help I would try it. I'm getting tired of all this junk on my system. Thanks for any help.

1.2K Posts

February 9th, 2005 13:00

You didn't list the step of installing an alternative browser …
http://www.mozilla.org

And locking your HOSTS file:
http://www.mvps.org/winhelp2002/hosts.htm

Since you already have an infection on your computer, please run some online virus scans:
http://www.fixyourwindows.com/windowsxpsolutions.htm#OnlineVirusScans

And then post your HijackThis log for analysis:
http://www.majorgeeks.com/download3155.html

2 Intern

 • 

1.2K Posts

February 9th, 2005 14:00

I'm still using Internet Explorer for my browser. I'm not sure what you are talking about when you say "host files." I have used HiJackThis once, but can't remember how I posted the log? Can you help me with these?

4.8K Posts

February 10th, 2005 02:00

RobinHood,

Let's see what's running on that system; post up a HiJackThis log for analysis.



Download, then unzip to "C:\HJT", the newest version of HiJackThis, version 1.99.0. Now, let's do the following:

1. Click "Scan"
2. Click "Save log"

Notepad will pop up with a copy of your system log, then:

1. "Edit | Select all"
2. "Edit | Copy"

Next, let's "Reply" back to this post, then:

1. Right-click on the message body.
2. Select "Paste"

Then just "Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).



Mike.

2 Intern

 • 

1.2K Posts

February 10th, 2005 04:00

I posted a log earlier and I was told what to get rid of. I think I got it all but the pop ups remain. I went to Norton's Website and did a scan. It found 4 Adware risks. One was Adware, BargainBuddy and QoolAid. I have tried everything to delete these off of my system. I tried what Norton suggested but when I run a scan with my own Norton program, they get picked up but the NAV won't delete them. I've been trying all night to get rid of them, but I can't. I also searched the hard drive for the files so I could delete them, but I could only find 2 files, and even though I deleted them, when I ran a scan they showed right back up. Would reformatting my hard drive get rid of this stuff? I just had a new hard drive put in, and I don't have many programs installed right now. I'm using NAV2004. Is the 2005 one better? I'm also using the Windows Firewall. Is there any other program that I should use? Thank you for the help.
 
Logfile of HijackThis v1.99.0
Scan saved at 1:33:38 AM, on 2/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vivgqr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107893171812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
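The helpers in this thread read logs like the one above by eye. As an added example, not code from the thread or from HijackThis itself, here is a small Python parser that pulls the O4 Run entries and O23 services out of a HijackThis log and flags the pattern that gives the [Narrator] entry away: a Run value name that does not match the executable it launches when that executable sits in the Windows directory. The sample log is a constructed subset of the lines posted above; the heuristic, the regexes and the function names are my own assumptions, not anything HijackThis does.

```python
"""Parse a HijackThis log and flag autostart entries worth a closer look."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 1:33:38 AM, on 2/10/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vivgqr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Assumed line shapes, derived from the log above (HijackThis has no published grammar).
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')
WINDOWS_DIRS = (r'c:\windows\system32', r'c:\windows\system', r'c:\windows')


@dataclass
class RunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # the value name shown in [brackets]
    command: str   # the command line that is executed at logon

    @property
    def binary(self) -> str:
        """First token of the command: a quoted path or the bare first word."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0] if cmd else ''

    @property
    def directory(self) -> str:
        return self.binary.rsplit('\\', 1)[0].lower() if '\\' in self.binary else ''

    @property
    def stem(self) -> str:
        base = self.binary.rsplit('\\', 1)[-1]
        return base.rsplit('.', 1)[0].lower()


def parse_log(text):
    """Return (run_entries, services) found in a HijackThis log."""
    runs, services = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            runs.append(RunEntry(*m.groups()))
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groups())  # (display name, company, path)
    return runs, services


def suspicious_runs(runs):
    """Flag Run entries whose binary lives in the Windows directory tree but whose
    value name does not match the executable, e.g. [Narrator] -> vivgqr.exe.
    Legitimate vendor entries (ccApp -> ccApp.exe, UpdReg -> UpdReg.EXE) pass."""
    flagged = []
    for r in runs:
        in_windows = r.directory in WINDOWS_DIRS
        name_mismatch = r.name.lower().replace(' ', '') != r.stem
        if in_windows and name_mismatch:
            flagged.append((r.name, r.binary,
                            'value name does not match binary in Windows directory'))
    return flagged


def unknown_vendor_services(services):
    """Services HijackThis could not attribute to a vendor; informational only."""
    return [(name, path) for name, company, path in services if company == 'Unknown']


if __name__ == '__main__':
    runs, services = parse_log(SAMPLE_LOG)
    for name, path, why in suspicious_runs(runs):
        print(f'[{name}] {path}: {why}')
    for name, path in unknown_vendor_services(services):
        print(f'service {name!r} ({path}) has no vendor string')
```

The mismatch rule is deliberately narrow: an entry with no path at all (CTHELPER.EXE, REGSVR32.EXE) is left alone because the log does not say where it resolves, and a vendor path under Program Files is left alone even when the value name is descriptive rather than the file name.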
 

4 Apprentice

 • 

8.8K Posts

February 10th, 2005 16:00

Robinhood42
You have 3 open posts with 2 HJT logs.
This makes it real difficult for us to keep up any continuity with what's going on concerning your situation.

I am confused.

Steve

4.8K Posts

February 10th, 2005 17:00

robinhood,
 
Let's see what we can do...
 


Go to www.trendmicro.com, and then:
 
1.  Click "Free Online Scan".
2.  Click "Scan now, it's free".
 
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's downloaded:
 
1.  Select all available drives.
2.  Check (tick) "Auto Clean".
3.  Click "Scan".
 
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
 


Download and unzip FindIt NT-2K-XP, then:

 1.  Double-click "FindIt NT-2K-XP.zip" folder.
 2.  Double-click "FindIt NT-2K-XP" folder.
 3.  Double-click "FindNarrator.bat"

 4.  Click "Extract All"
 5.  Click "Next"
 6.  Click "Next".
 7.  Click "Finish"

     (If you've already downloaded and unzipped it before, skip the above steps.)

 8.  Double-click "FindIt NT-2K-XP" folder.
 9.  Double-click "FindNarrator.bat".

     (Wait until the scan completes.)

10.  When notepad comes up post back the contents of FindNarrator.txt.
11.  Close notepad.
 


Post back a new log, and let me know how everything goes.
 
-
 
Mike.
 

2 Intern

 • 

1.2K Posts

February 10th, 2005 22:00

Mike,

Trendmicro.com found one malware and deleted it. It was TROJ_Narrator.A.

Here is the Log from FindIt.

---------------- FindNarrator NT-2K-XP ----------------
 
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.
 
***** Operating System *****
 
Microsoft Windows XP Professional 5.1 Service Pack 2 (Build 2600)
 
********* Date/Time ********
 
Thursday, February 10, 2005 (2/10/2005)
6:54 PM, Eastern Standard Time
 
*********** Path ***********
 
FindNarrator.bat is running from: C:\Documents and Settings\Robin\Local Settings\Temporary Internet Files\Content.IE5\8TMN0XQR\FindIt%20NT-2K-XP[1]\FindIt NT-2K-XP
 
---------------- Strings.exe Qoologic Results ----------------
 
 
---------------- Strings.exe Aspack Results ----------------
 
C:\WINDOWS\system32\ntdll.dll: .aspack
 
---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\0c260cc8-7b05-4934-b105-64529215f094

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}
 
---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mnmxst]
@="{272a166e-59ad-4afe-86aa-6a7dadfb35fa}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu]
@="{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

---------------- FindNarrator NT-2K-XP ----------------

Thanks for your help.
Robin

4.8K Posts

February 11th, 2005 23:00

Robin,
 
That's looking good! Post back a new hjt log and let's see what we have left.
 
Mike.
 

4.8K Posts

February 12th, 2005 01:00

Robin,

That log is looking good! Can you post back the names of the files that Norton's detected, but couldn't fix?

Mike.

2 Intern

 • 

1.2K Posts

February 12th, 2005 01:00

Mike, here is the new HJT logfile. I ran Norton tonight and it found 12 items. It says they are security risks. It's Adware. BargainBuddy.Qool Aid. I followed all the instructions for deleting them, but Norton won't let me. I tried to manually delete them but I can't find the files. According to Symantec, it's adware that hides in other files. Norton only gave me two options on those files. To exclude them or skip them.
 
Logfile of HijackThis v1.99.0
Scan saved at 10:24:14 PM, on 2/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107893171812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

4.8K Posts

February 12th, 2005 02:00

Robin,

I'm going to call it a night. I'll pick those up when I first log on tomorrow.

I believe we'll be able to delete the two .vxd files and the other ones not compressed in those two files without any problem.

-

Mike.

2 Intern

 • 

1.2K Posts

February 12th, 2005 02:00

Mike,

Here they are from Norton's Log Viewer:


,Threat category: AdwareSource: C:\WINDOWS\ZServ.dll,Description: The file C:\WINDOWS\ZServ.dll is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msexreg.exe,Description: The compressed file C:/WINDOWS/system32/msexreg.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/javexulm.vxd,Description: The compressed file C:/WINDOWS/system32/javexulm.vxd within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exul.exe,Description: The compressed file C:/WINDOWS/system32/exul.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/mqexdlm.srg,Description: The compressed file C:/WINDOWS/system32/mqexdlm.srg within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adx.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adx.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exdl.exe,Description: The compressed file C:/WINDOWS/system32/exdl.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msbe.dll,Description: The compressed file C:/WINDOWS/system32/msbe.dll within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/bargains.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/bargains.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adv.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adv.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.

4.8K Posts

February 12th, 2005 18:00

Robin,

Let's first try this: Reboot your system into "Safe Mode", then re-run Norton's and see if those files can be deleted. If that doesn't work, let's try and delete them manually...

C:\WINDOWS\system32\mac80ex.idf
C:\WINDOWS\system32\javex80.vxd
C:\WINDOWS\system32\netut80ex.vxd
C:\WINDOWS\ZServ.dll

When you're done, re-run Norton's and see what we have left to remove.
 
-
 
Mike.
 

2 Intern

 • 

1.2K Posts

February 13th, 2005 12:00

Mike,

I ran Norton in Safe Mode and it wouldn't let me delete any of those files. It still gave me only two options, to Exclude or Skip the files when running NAV again. So, I manually deleted the files and then ran Norton again. It is still picking up those same files. It seems like there is no way to get rid of them. Here is the new Norton AV log. Would it be better if I did a full reformat of the hard drive? I don't have many programs installed, so I won't be losing anything, and it would be worth it to get rid of this stuff.

,Threat category: AdwareSource: C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc4.dll,Description: The file C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc4.dll is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msexreg.exe,Description: The compressed file C:/WINDOWS/system32/msexreg.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/javexulm.vxd,Description: The compressed file C:/WINDOWS/system32/javexulm.vxd within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exul.exe,Description: The compressed file C:/WINDOWS/system32/exul.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/mqexdlm.srg,Description: The compressed file C:/WINDOWS/system32/mqexdlm.srg within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exdl.exe,Description: The compressed file C:/WINDOWS/system32/exdl.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc2.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc2.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adx.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adx.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc1.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adv.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adv.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc1.idf is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msbe.dll,Description: The compressed file C:/WINDOWS/system32/msbe.dll within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc1.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/bargains.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/bargains.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc1.idf is a Adware threat.
,Threat category: AdwareSource: C:\WINDOWS\ZServ.dll,Description: The file C:\WINDOWS\ZServ.dll is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msexreg.exe,Description: The compressed file C:/WINDOWS/system32/msexreg.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/javexulm.vxd,Description: The compressed file C:/WINDOWS/system32/javexulm.vxd within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exul.exe,Description: The compressed file C:/WINDOWS/system32/exul.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/mqexdlm.srg,Description: The compressed file C:/WINDOWS/system32/mqexdlm.srg within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adx.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adx.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/exdl.exe,Description: The compressed file C:/WINDOWS/system32/exdl.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msbe.dll,Description: The compressed file C:/WINDOWS/system32/msbe.dll within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/bargains.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/bargains.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adv.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adv.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
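Both Norton Log Viewer dumps in this thread (this one and the earlier one) are one-line-per-detection text in which the file Norton actually sees on disk is the "within …" container, not the adware executable packed inside it, and entries under C:\RECYCLER\ are copies sitting in the recycle bin. As an added example that is not from the thread or from Symantec, this Python snippet parses those lines, groups detections by the on-disk file and separates recycle-bin copies from live ones; on the posted data that reproduces the four-file removal list Mike gave and shows why the same detections come back after a delete. The sample is a constructed subset of the lines posted in this thread; the regexes and function names are my own assumptions.

```python
"""Group Norton Log Viewer adware detections by the file that is actually on disk."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the two Norton Log Viewer dumps in the thread.
NORTON_LOG = r""",Threat category: AdwareSource: C:\WINDOWS\ZServ.dll,Description: The file C:\WINDOWS\ZServ.dll is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msexreg.exe,Description: The compressed file C:/WINDOWS/system32/msexreg.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/BullsEye Network/bin/adx.exe,Description: The compressed file C:/Program Files/BullsEye Network/bin/adx.exe within C:\WINDOWS\system32\mac80ex.idf is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
,Threat category: AdwareSource: C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc4.dll,Description: The file C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc4.dll is a Adware threat.
,Threat category: AdwareSource: C:/WINDOWS/system32/msexreg.exe,Description: The compressed file C:/WINDOWS/system32/msexreg.exe within C:\RECYCLER\S-1-5-21-1606980848-1659004503-839522115-1003\Dc3.vxd is a Adware threat.
"""

# Assumed line shape, derived from the dumps above. The "Source:" path has no commas,
# so a lazy match up to ",Description:" is enough.
ENTRY_RE = re.compile(r'Threat category: (\w+)Source: (.*?),Description: (.*)$')
CONTAINER_RE = re.compile(r' within (.*?) is a ')


def norm(path: str) -> str:
    """Norton mixes / and \\ in the same dump; normalise to backslashes."""
    return path.replace('/', '\\')


def parse_norton(text):
    """Return one record per detection: category, source file, and the archive
    (container) it was found inside, or None when the file itself was detected."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        category, source, desc = m.groups()
        c = CONTAINER_RE.search(desc)
        records.append({'category': category,
                        'source': norm(source),
                        'container': norm(c.group(1)) if c else None})
    return records


def on_disk_target(rec):
    """The path a removal step must act on: the container if there is one."""
    return rec['container'] or rec['source']


def is_recycled(path: str) -> bool:
    """Items under C:\\RECYCLER\\<SID>\\ are recycle-bin copies of deleted files."""
    return path.upper().startswith('C:\\RECYCLER\\')


def removal_targets(records):
    """Split detections into live on-disk files and recycle-bin copies, each
    mapped to the set of adware components Norton reported inside it."""
    live, recycled = defaultdict(set), defaultdict(set)
    for rec in records:
        target = on_disk_target(rec)
        bucket = recycled if is_recycled(target) else live
        bucket[target].add(rec['source'])
    return dict(live), dict(recycled)


if __name__ == '__main__':
    live, recycled = removal_targets(parse_norton(NORTON_LOG))
    print('files to remove from disk:')
    for path in sorted(live):
        print(f'  {path}  ({len(live[path])} component(s))')
    print('recycle-bin copies (empty the bin rather than delete by hand):')
    for path in sorted(recycled):
        print(f'  {path}')
```

Grouping by the container is what turns twelve detections into four files, and keeping the RECYCLER bucket separate makes the second dump readable at a glance: every Dc*.vxd and Dc*.idf there is a recycle-bin copy of a file that was already deleted, so the follow-up step is emptying the bin, not hunting for the source paths.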

4.8K Posts

February 13th, 2005 14:00

Robin,
 
Maybe Norton is restoring the file back from the protected recycle bin. If you're up to it, try deleting the same files again, and include the folder:
 
c:\program files\bullseye networks
 
...then run "Disk Cleanup" and allow it to remove everything it finds and empty Norton's protected recycle bin and re-run Norton and see if it still is picking up the same files.
 
-
 
Mike.
 