TheTechGuide Forum
General Category => Tech Clinic => Topic started by: soccerpm on March 02, 2005, 12:26:41 PM
-
Can't get rid of the spyware, have tried Spybot and AdAware
-
Logfile of HijackThis v1.99.1
Scan saved at 17:18:28, on 02/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mspci.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\pingppac.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\uitmsa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\lp.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
C:\Documents and Settings\Graham\My Documents\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Compliant] smidja.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\Run: [Microsoft PCI Device] mspci.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [6Pf8Sw] C:\WINDOWS\uitmsa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Windows Compliant] smidja.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Device] mspci.exe
O4 - HKLM\..\RunOnce: [Microsoft PCI Device] mspci.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [GIANTAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Microsoft PCI Device] mspci.exe
O4 - HKCU\..\Run: [Windows Compliant] smidja.exe
O4 - HKCU\..\RunOnce: [Microsoft PCI Device] mspci.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{27527510-205C-4FD6-8913-EBA7F46172D7}: NameServer = 194.72.9.34 194.74.65.68
O17 - HKLM\System\CS1\Services\Tcpip\..\{27527510-205C-4FD6-8913-EBA7F46172D7}: NameServer = 194.72.9.34 194.74.65.68
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
-
I have spent the better part of the last month working on getting rid of this thing. Also had W32.Spybot.Worm and recently a Trojan. But I finally got rid of it/them yesterday.
Need to ask you some questions.
What have you done so far to try and get rid of it other than run Spybot and AdAware? Do you have virus protection? If so, has it alerted you that you may have the W32.Spybot.worm? Looking at your HijackThis log I see the same virus file that I had.
Let me know what you've done so I know where to start with explaining how to get rid of this nasty sucker! It's going to take a while!
-
Re the virus file I saw in your HijackThis log = C:\WINDOWS\System32\pingppac.exe. Take a look at this information on the Symantec website. This will at least be a start to getting things cleaned up!
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.khc.html
-
Symantec (Norton) have some instructions and a removal tool that I used. I used it in conjunction with a lot of other tools and steps because in itself it wasn't enough to get rid of everything... but that might not be the case for you... it's worth giving it a try for starters! You'll find instructions for manual removal and a link to the tool here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html
-
Ok... me again! I tested the link I had included in the last post and it didn't work... when it opens, the address bar showed http://http:// ---- if you remove the extra http:// and try again it should take you to the right place!!!