Post by: tk421 on April 04, 2005, 03:17:58 PM
Hope you guys can help i came across here helping others , only to find in some cases i can't help myself
/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' /> I have a coulpe of problems it seems, one in, one of my java folders and one in the system restore.
I ran microworld antivirus toolkit 6.0.5 and it caught these 2 things.However here it the current infected list:
File C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\archive.jar-6b1eb8d4-4a8a70c2.zip infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\appz and drivers\DivX505Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\appz and drivers\sound vid and monitor drivers\audigy drivers old\audigy driver1.exe tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\games+patches\quake 3\q3pointrelease_132.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\games+patches\quake 3\quake3.1.3.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Quake III Arena\Check for Quake III Arena Updates.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Quake III Arena\Extras\WorldNet\PCVKIT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Worlds\WorldsPlayer by Worlds.com\bin\xup.template tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-2025429265-725345543-500\Dc16.zip infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{A588E3AB-21CB-4F1B-AC24-B515698C897F}\RP163\A0008954.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{A588E3AB-21CB-4F1B-AC24-B515698C897F}\RP178\A0010374.exe infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{A588E3AB-21CB-4F1B-AC24-B515698C897F}\RP181\A0010404.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{A588E3AB-21CB-4F1B-AC24-B515698C897F}\RP181\A0010405.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
You can see that "Trojan-Downloader.Java.OpenConnection.v" is in 2 locations, that's because i deleted it out of the \.jpi_cache\jar\1.0\ folder during the scan so it's just sitting in the bin.
I reckon it's a temp file and not needed, so it's there for now just in case.
The "riskware" warning is just a renamed sound driver that came from creative labs site.
This is what bothers me most as it's a little over my head [for now]
C:\System Volume Information\_restore{A588E3AB-21CB-4F1B-AC24-B515698C897F}\RP178\A0010374.exe infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
Here's my hijack this log: many thanx.
Logfile of HijackThis v1.99.1
Scan saved at 3:55:19 PM, on 4/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TClock2\tclock2.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TClock2.lnk = C:\Program Files\TClock2\tclock2.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab\")
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab (http://\"http://tw.msi.com.tw/autobios/client/iftwclix.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092629704390 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092629704390\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{47125B0B-47CA-4216-A584-A44DC405D297}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Hadiolpvpa - Creative Technology Ltd - (no file)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Would i be better off with NOD32 for antivirus rather than Nav2005??
Post by: guestolo on April 04, 2005, 08:50:44 PM
To clear those we will have to disable system Restore>>restart your computer>>>enable system restore
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Before you do the above
I'm unsure if this is an orphan entry
O23 - Service: Hadiolpvpa - Creative Technology Ltd - (no file)
It looks as if it's related to Creative products, but we should try the following
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Hadiolpvpa
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
If you find you need it you can reenable it
Next>>Access your Control Panel>>Open the Java Icon
Under the General tab>>Delete Files>>OK
Now disable system restore>>Restart your computer>>enable system restore
Hope that helps
Post by: tk421 on April 05, 2005, 12:53:50 AM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> that did the job nicely, i appreciate the help, i guess i'm gonna have to come out of retirement a bit and keep up with these new threats.I thought i'd run a scan on the wife's laptop just for the hell of it so far its presented me with this:
"File System Found infected by "VB and VBA Program Settings Spyware/Adware" Virus. Action Taken: No Action Taken"
nav2005 doesn't see it, nor does ad-aware.
As i'm not sure entirely what i'm looking for, do you have any suggestions on what may help? - i had a quick dig in the registry but didn't see anything obvious that jumped right out at me.
Again, many thanks for your speedy reply/solution!
Post by: guestolo on April 05, 2005, 12:14:03 PM
You might want to post a hijackthis log from the wife's laptop
Just post it in this thread
Oh, I don't use Norton's and have never used Nod32
but to be fair
Anti-virus can detect a virus or trojan or other malware in the System Restore folder
but can't remove it
Usually, disabling system restore will clear the restore points
and restarting will delete the files
Post by: tk421 on April 05, 2005, 03:51:18 PM
Yeah i ditched the file from the bin ok.I know virus scanners are useless at removing sypware [most viri too] just wondered if you had any thoughts as i'm gonna be helping out a family with a new system soon.
Here's the wifes hijack log:
thanx again.
Logfile of HijackThis v1.99.1
Scan saved at 4:38:41 PM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tclock2_120\tclock2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com (http://\"http://www.dell.com\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com/ (http://\"http://www.ntlworld.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com (http://\"http://www.dell.com\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlhome.com/ (http://\"http://www.ntlhome.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TClock2.lnk = C:\Program Files\Tclock2_120\tclock2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094534180468 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094534180468\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADAA6969-0C80-4B46-85C3-4536329D7763}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Post by: guestolo on April 05, 2005, 05:39:48 PM
Besides Ad-Aware, did you have any other Spyware removal software installed on your computer?
You may want to try running Spybot 1.3
I use ad-aware and spybot, they work good together
This is optional, but worth a try
Download and Install Spybot S&D 1.3 (http://\"http://www.download.com/3000-8022-10122137.html\")
After installation--SEARCH FOR UPDATES
Ensure you check and download all updates
Afterwards
Check for Problems>>Let it complete the scan
FIX everything in RED>>they should be checked by default
Restart the computer if anything found bad to finish the cleaning process
Post by: tk421 on April 05, 2005, 06:40:45 PM
"File System Found infected by "VB and VBA Program Settings Spyware/Adware" Virus. Action Taken: No Action Taken"
I dunno, i've seen the same errors on google searches [most of them in german] but i'm not sure what it is.it might even be a false alarm.
Antyhing eles you can sling my way would help when you get the time.
thanx muchly.
-r
Post by: guestolo on April 05, 2005, 07:48:13 PM
Just curious what this reveals, if anything
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Code: [Select]
@echo off
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\VB and VBA Program Settings"
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\temp.reg
del /q C:\Display.txtDouble click on Export.bat, a log will be produced
Can you post it back if anything found
Post by: tk421 on April 06, 2005, 01:29:17 AM
Anywho the results of the bat file revealed a notepad popping up blank and a dos box with "Cannot access file C:\temp.reg"
I also did it on my machine too, same result.
/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' />
Post by: guestolo on April 06, 2005, 01:46:14 AM
Can you manually navigate to that entry in the registry
and export it?
Go to start>>run>>type in
regedit
Hit OK
Navigate to this entry, if you can find it
HKEY_CURRENT_USER\Software\Microsoft\VB and VBA Program Settings
Expand+ the following
+HKEY_CURRENT_USER
+Software
+Microsoft
Left click and highlight VB and VBA Program Settings
Right click on VB and VBA Program Settings and EXPORT the key
Name it and save it to a folder
Save to a folder
Exit the reg editor
Right click on it and choose EDIT
Copy and paste back the findings
It's more curiousity now more than anything
Post by: tk421 on April 06, 2005, 02:37:05 PM
You know i navigated to here previously and went ah! "boingo" stupid malware crap... i was so tired i thought it was bonzai buddy, till i googled it.This is some software disc that the hotel gave us one time to get on to their wireless network...
Of course it didn't work very well, so i ended up using the network from the furniture store across the road
/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' /> here ya go:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings]
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings\frmLogin]
"RememberPassword"="False"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings\General]
"NetworkAvailableAction"="1"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings\RunTimeWork]
"VpnManage"="False"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings\ucpVPN]
"AlwaysConnectPrivateVPN"="False"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\boingo\Settings\WepKeyEdit]
"DefaultKeyLength"="128"
"DefaultEditMode"="0"
Post by: tk421 on April 08, 2005, 03:02:14 AM
/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />
Post by: guestolo on April 08, 2005, 07:19:06 PM
HKEY_CURRENT_USER\Software\VB and VBA Program Settings
It should do no harm leaving that key in the registry as you have removed the entries for
boingo
That would be might suspicions anyways
I don't think it's nothing to worry about, of course you could export VB and VBA Programs settings for backup purposes and then
Delete the key
Try scanning again
Post by: tk421 on April 09, 2005, 01:10:08 AM
Thanks alot for the help, one last thing:
the key: HKEY_CURRENT_USER\Software\VB and VBA Program Settings
Isn't on this computer, is it something thats created by a program? in this case Boingo? because if it is i can just chuck the backup away right?
Post by: guestolo on April 09, 2005, 01:24:55 AM
I don't think it's created on a fresh install of windows
I wish I knew all the entries on a fresh install
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> I don't have it either
You may want to hold onto the backup for a couple days
then
Should be safe to delete
Post by: tk421 on April 09, 2005, 05:46:40 AM
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> again thanx for the help.. promise not to bug you again unless something explodes
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> -r
Post by: guestolo on April 09, 2005, 11:18:27 AM
Both don't run in the background,
Consider them silent spyware blockers
I couldn't be without either one, the wife won't get away from Internet Explorer
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
FYI>>IE-Spyad is compatible with XP SP2 as well
I know your using Firefox, I wouldn't be without it either,
SpywareBlaster is compatible with Firefox as well
IE-Spyad for the times you have to use IE
Post by: tk421 on April 09, 2005, 06:28:11 PM
/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' /> Yeah, gotta have your Firefox, my wifes been using it now for while - i think for her, extensions are the equiv of shoe shoppin tho
/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' /> I have spyware blaster loaded on; it looks nice, easy to use etc, i'll give the other one a go later, thanx.
Totally random question, i rebuilt an old HP machine which is now running win2k and all the other good stuff for my in-laws, but they use walmart connect which is quite possibly the most invasive isp/web interface in the world; and i refuse to install it on this old/new machine.
Anthing you would recomend for the $10-15 a month for 56k? I've seen things like netzero, people pc online, netscape - basically something that i can work around without having to install all the useless crap that's bundled.
They don't have a lot of moneys and i try to help out folks with pc troubles when i can from what i've learned / broken myself.. it's been ages since i've used 56k and i'm not goin back man!
Post by: guestolo on April 10, 2005, 01:23:02 AM
All probably come bundled with some sort of crapware of some sort
The thing is, is to weed out the best without giving up speed
I use to use a local ISP for dialup ages ago, so that's not much help
Just make sure you run those free spyware programs through it after installation
Use these links to decide what you need or don't need on startup
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (http://\"http://www.answersthatwork.com/Tasklist_pages/tasklist.htm\")
http://www.sysinfo.org/startuplist.php?off...&count=&filter= (http://\"http://www.sysinfo.org/startuplist.php?offset=&count=&filter=\")
If you need a free program to assist in disabling startup entries
You don't need the Ultimate Troubleshooter as recommended by Tasklists
There is Codestuff's Starter for XP-2000
Compatible with 9x systems
But I prefer Mike Lin's Control Panel for 9x systems
Post by: tk421 on April 11, 2005, 08:37:29 AM
wasn't so keen on "starter" however - but hey, it's free.
thanx for all the great links, tools, fixes etc, i've learned alot in the last week and i thought i was pretty savvy in the first place
/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' /> i can now pass on stuff i've learned here to friends, n00bs etc - then they will worship me as their god!!
or call me a geek.. either will do
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> -r
Post by: guestolo on April 12, 2005, 01:20:04 AM
I'll lock this up, if you need it reopened, please PM a mod or the site Admin and supply a link to this thread