Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

0x800C0005 and LU1814: LiveUpdate

Started by spartacus , Mar 20 2005 03:25 PM

  • This topic is locked This topic is locked

#1
spartacus
Posted 20 March 2005 - 03:25 PM

spartacus

    Member

  • Member
  • PipPip
  • 12 posts
I can not seem to update anything......

I am connected to the net and can access all the websites I want, but when I try to do a live update through Norton or when I try to update windows I get the errors in the topic title.

I have gone through all the initial site recomendations and I have gone through the symantic recomendations, I have gone through the microsoft recomendations, I have taken a number of steps that this site recomends in other posts, and nothing seems to work. My Norton personal firewall is also disabled and is not allowing me to enable it (it says I have insufficient privledges .... this is not true I am the admin.).

I have also tried the recomendation of not using IE but rather switching to Firefox (or other explorer), but Firefox gives me an error about not being able to connect to the internet as well.

I ame open to any recomendations you may have .... here is my Hijack This log... If you see anything on it pertaining to this issue or anyother, I would appreciate your help.....

Thanks in advance...

Logfile of HijackThis v1.99.0
Scan saved at 1:22:57 PM, on 3/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\VPC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\Drivers and Programs\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements

#2
spartacus
Posted 26 March 2005 - 07:52 AM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
HELLOOOOOOOOOOOOOOOOO.... Is there anybody ...... out there...!?? How about a little suggestion or a small hint ........even a guess would do at this point....
  • 0

#3
Guest_thatman_*
Posted 26 March 2005 - 08:10 AM

Guest_thatman_*
  • Guest
Hi spartacus

Welcome to geekstogo

Please read through the instructions before you start (you may want to print this out).The following items are malware and must be fixed
[LIST]The following explains how to remove items from your computer that are malware. These must be fixed now!

You are running an out-of-date version of HijackThis; can you please download a new copy (there is a link in my signature), unzip it, and replace your existing copy with the new version.

Please set your system to show all files; please see here if you're unsure how to do this.

Using Windows Add Remove Program File see if this has a uninstaller
C:\Program Files\NavNT\VPC32.EXE
Exit the Task Manager when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\NavNT/B]<--Delete the whole folder

Exit Explorer,

Reboot your PC.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

[b]Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#4
spartacus
Posted 30 March 2005 - 07:05 PM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
thatman, YOU ROCK!!!! Thank you for your suggestions.


I get a bit overly detailed sometimes in my intrepertations, so please excuse my ignorance.

I could not find an uninstaller for

C:\Program Files\NavNT\VPC32.EXE

But I did find the file using Explorer. I did nothing to it.


I went into Safe Mode and could not find the file ...

C:\Program Files\NavNT/B]

The closest thing to it was....

C:\Program Files\NavNT

But I did not know if that is what you meant so I did nothing to it.

I ran the housecall virus scan but it found nothing .... I had run it prior to posting anything and had wiped a number of things out.

I ran Panda and found the following.....



Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exclean.exe
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\sahagent*.exe
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\SWRT??.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\swrt01.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\DealHelper
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\Aklsp.dll
Adware:Adware/nCase No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\05AVGLYN\AppWrap[1].exe
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\ADQTUL8J\AppWrap[1].exe
Adware:Adware/CWS.008k No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\Q74V09MD\AppWrap[1].exe
Spyware:Spyware/Virtumonde No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\SX2FGXEV\AppWrap[1].exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\SX2FGXEV\AppWrap[2].exe
Spyware:Spyware/Overpro No disinfected C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\WZYTW5GZ\AppWrap[1].exe
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatKeep.exe
Adware:Adware/WUpd No disinfected C:\Program Files\AdStatus Service\AdStatServ.exe
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/Apropos No disinfected C:\temp\cxtpls_loader_ff.exe
Adware:Adware/SAHAgent No disinfected C:\temp\SAHAgent.exe
Adware:Adware/nCase No disinfected C:\temp\salmhook.dll
Virus:Trj/Multidropper.NB Disinfected C:\WINDOWS\ahadp.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[lsp_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[xmlparse_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[xmltok_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SAHAgent_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SAHUninstall_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SahHtml_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[WEBInstaller.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[setup.inf]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmltok_.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\icont.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\akcore.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\aklsp.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\akupd.dll
Adware:Adware/Envolo No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\cacfg32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\dnl4013qe.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\docore.dll
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\system32\dosync.dll
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105705.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105706.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105717.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105727.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105734.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105741.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105749.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-105756.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113558.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113606.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113611.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113622.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113630.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113638.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050205-113645.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050216-160124.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050216-160126.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050220-190202.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050221-042725.backup
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\dun.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\enn8l15u1.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exdl.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exdl0.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\h84m0ih1e84.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\IKHLPAPI.DLL
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\inkoader.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\jr2025fmg.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\kpdfo.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\m8nqli5518.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\m8rm0i91e8.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\mqexdlm.srg
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SahAgent.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Sbohwy.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\SKMEVNT1.DLL
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\TargetSoftSetup.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Yzvdbp.exe
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\Temp\akcore.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\Temp\aklsp.dll
Spyware:Spyware/Overpro No disinfected C:\WINDOWS\Temp\nsdtmp09.dll
  • 0

#5
Guest_thatman_*
Posted 31 March 2005 - 01:52 AM

Guest_thatman_*
  • Guest
Hi spartacus

Please read through the instructions before you start (you may want to print this out).

Download Pocket Killbox and unzip it; save it to your Desktop.

Download the CCleaner unzip the file to install.

Reboot into Safe Mode: Click here if you don't know how to do this.

Open the ccleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Now click on Run Cleaner

Using windows Explorer delete the following files and folders:

C:\Program Files\NavNT<--Delete the whole folder
C:\Program Files\AdStatus Service<--Delete the whole folder
C:\Program Files\AutoUpdate<--Delete the whole folder

C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\05AVGLYN\AppWrap[1].exe<--Delete this file
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\ADQTUL8J\AppWrap[1].exe<--Delete this file
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\Q74V09MD\AppWrap[1].exe<--Delete this file
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\SX2FGXEV\AppWrap[1].exe<--Delete this file
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\SX2FGXEV\AppWrap[2].exe<--Delete this file
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\WZYTW5GZ\AppWrap[1].exe<--Delete this file

C:\WINDOWS\Downloaded Program Files\bunSetup.cab<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\lsp_.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\setup.inf<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\xmlparse_.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\xmltok_.dll<--Delete the whole folder
C:\keys.ini<--Delete the whole folder
C:\Temp<--Delete the whole folder
C:\temp<--Delete the whole folder


Virus:Trj/Qhost.Y Disinfected (Delete all file with the number20050205)
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105705.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105706.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105717.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105727.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105734.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105741.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105749.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-105756.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113558.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113606.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113611.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113622.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113630.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113638.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050205-113645.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050216-160124.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050216-160126.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050220-190202.backup
C:\WINDOWS\system32\drivers\etc\hosts.20050221-042725.backup

Run killbox and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\system32\exclean.exe
C:\WINDOWS\system32\sahagent*.exe
C:\WINDOWS\system32\SWRT??.dll
C:\WINDOWS\system32\swrt01.dll
C:\WINDOWS\system32\DealHelper
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\Aklsp.dll
C:\WINDOWS\icont.exe
C:\WINDOWS\system32\akcore.dll
C:\WINDOWS\system32\aklsp.dll
C:\WINDOWS\system32\akupd.dll
C:\WINDOWS\system32\auto_update_uninstall.exe
C:\WINDOWS\system32\cacfg32.dll
C:\WINDOWS\system32\dnl4013qe.dll
C:\WINDOWS\system32\docore.dll
C:\WINDOWS\system32\dosync.dll
C:\WINDOWS\system32\dun.exe
C:\WINDOWS\system32\enn8l15u1.dll
C:\WINDOWS\system32\exdl.exe
C:\WINDOWS\system32\exdl0.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\h84m0ih1e84.dll
C:\WINDOWS\system32\IKHLPAPI.DLL
C:\WINDOWS\system32\inkoader.exe
C:\WINDOWS\system32\jr2025fmg.dll
C:\WINDOWS\system32\kpdfo.dll
C:\WINDOWS\system32\m8nqli5518.dll
C:\WINDOWS\system32\m8rm0i91e8.dll
C:\WINDOWS\system32\mqexdlm.srg
C:\WINDOWS\system32\SahAgent.exe
C:\WINDOWS\system32\Sbohwy.exe
C:\WINDOWS\system32\SKMEVNT1.DLL
C:\WINDOWS\system32\SWRT01.dll
C:\WINDOWS\system32\TargetSoftSetup.exe
C:\WINDOWS\system32\Yzvdbp.exe
C:\WINDOWS\Temp\akcore.dll
C:\WINDOWS\Temp\aklsp.dll
C:\WINDOWS\Temp\nsdtmp09.dll
End of killbox files

Reboot into normal mode.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scan.
http://www.pandasoft...n_principal.htm

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#6
spartacus
Posted 01 April 2005 - 05:55 AM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks again for your help.

I was able to do most of the things you have asked. I could not find the following files.


C:\WINDOWS\Downloaded Program Files\bunSetup.cab<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\lsp_.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\setup.inf<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\xmlparse_.dll<--Delete the whole folder
C:\WINDOWS\Downloaded Program Files\xmltok_.dll<--Delete the whole folder
C:\Temp<--Delete the whole folder

I see from the new Panda scan that the above files are still there but I don't see them when using Explorer. Here is what Explorer is telling me is in that location...

{32564D57-0000-0010-8000-00AA00389B71}
{33564D57-0000-0010-8000-00AA00389B71}
ActiveScan Installer Class
HouseCall Control
Shockwave ActiveX Control
Shockwave Flash Object
Symantec AntiVirus scanner
Symantec RuFSI Utility Class
Update Class
DirectAnimation Java Classes
Microsoft XML Parser for Java

I clicked on ......

File ...... Show All Files .....

In Explorer but still nothing more.

Also none of the 20050205 files you listed were there.... but there were a number of other 20050205 files so I erased them.

Here is my current panda scan and HJT log......

Logfile of HijackThis v1.99.1
Scan saved at 3:37:31 AM, on 4/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\inneradinstall.log
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[lsp_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[xmlparse_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[xmltok_.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SAHAgent_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SAHUninstall_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[SahHtml_.exe]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[WEBInstaller.dll]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\bunSetup.cab[setup.inf]
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\lsp_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\xmltok_.dll


Thanks again for everything!!
  • 0

#7
Guest_thatman_*
Posted 01 April 2005 - 09:20 AM

Guest_thatman_*
  • Guest
Hi spartacus

Read this Introduction to the Windows Command Prompt

Open a command line window. click Start> click on run > then type CMD into the run box
go to c:\windows\downloaded program files
type dir to see what files are present
And type
erase bunSetup.cab
erase lsp_.dll
erase SAHAgent_.exe
erase SahHtml_.exe
erase SAHUninstall_.exe
erase inf
erase WEBInstaller.dll
erase xmlparse_.dll
erase xmltok_.dll

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#8
spartacus
Posted 02 April 2005 - 08:42 AM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Now that is progress!!!!!!!!!!! Thanks!!! Heck, another 15 or 20 thousand hours infront of this thing and I might even know which side is up!!!!!!!!

In your instructions you wrote ....

erase inf

The computer could not find "inf." In comparing your instructions with the Panda file, It seems that you may have meant

erase setup.inf

So I .... erased ... setup.inf

If this was wrong, and I should back away from my computer while it blows it self up in a horific manner, please let me know.

Here are the current panda and HJT logs....


Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\inneradinstall.log
Adware:Adware/SideFind No disinfected Windows Registry
Virus:Trj/Agent.KU Disinfected C:\WINDOWS\system32\CmdLineExt03.dll



Logfile of HijackThis v1.99.1
Scan saved at 6:41:46 AM, on 4/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#9
Guest_thatman_*
Posted 02 April 2005 - 11:13 AM

Guest_thatman_*
  • Guest
Hi spartacus

Read this Demystifying the Windows Registry
Use windows registery find the following items and remove the left over Hiv.keys
SideFind
eZula


Use windows explorer delete the following files.
C:\WINDOWS\system32\inneradinstall.log<--Delete if found
C:\WINDOWS\system32\CmdLineExt03.dll <--Delete this file if found

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#10
spartacus
Posted 02 April 2005 - 03:31 PM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Down to one I think....


I deleted eZula and SideFind.


I could not find...

C:\WINDOWS\system32\CmdLineExt03.dll

I did a search of the C drive and could not find it anywhere.

I did find...

C:\WINDOWS\system32\inneradinstall (it did not have the .log but I think it was the correct file So I deleted it.)


here is the Panda and HJL

I know this says that eZula exists, but I did delete it, and after I saw that Panda still found the file below, I did another "Find" of the entire registry for "eZula" and found nothing. I have not re-booted sincethe Mar 31 post when you told me to, does this make a difference?



Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry


Logfile of HijackThis v1.99.1
Scan saved at 1:28:30 PM, on 4/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements

#11
Guest_thatman_*
Posted 03 April 2005 - 01:06 AM

Guest_thatman_*
  • Guest
Hi spartacus

We can now reboot the sytem all looks good from my end.

Reboot your system

Scan with panda if the log is clean just post a new HJT.Log.

Kc :tazz:
  • 0

#12
spartacus
Posted 03 April 2005 - 10:03 AM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Good Morning (Well, at least it is morning for me.)

Again I have to say thank you for all your help.

I re-booted the system and did a panda scan but eZula is still there. I also attempted to do a Windows update and it still did not work. I attempted to activate Norton personal firewall and it still will not activate, nor will it allow me to access "Options" it still says I do not have proper privliges. I attempted to run Firefox and it says that it can not find a connection. I am still getting the errors int the topic title. Any Ideas?

:tazz:

Here are both logs....

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry


Logfile of HijackThis v1.99.1
Scan saved at 8:56:48 AM, on 4/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#13
Guest_thatman_*
Posted 03 April 2005 - 03:22 PM

Guest_thatman_*
  • Guest
Hi spartacus

Try this Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Kc :tazz:
  • 0

#14
spartacus
Posted 10 April 2005 - 01:34 PM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, it has been an interesting week. My internet went down and I have been unable to reply. I uninstalled Norton. After I did so, Windows updated, then I re-installed Norton and it worked properly. I did the Restore Original Host process, but eZula is still there. I don't know if there is anything else I can do about it. Everything seems to be working properly now. If you have any suggestions on how to get rid of eZula, I would be up for it, but if not let me simply say ..

THANK YOU VERY MUCH FOR ALL YOU HAVE DONE!!!

Any one who would like to start a petition which would require the death penalty for everyone who creates the adware attachment crap should e-mail me and I will sign it without hesitation.

Thank you thatman.
  • 0

#15
spartacus
Posted 10 April 2005 - 02:34 PM

spartacus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, before I go......... I did one last scan with panda and it found 2 more things.... neither one is eZula.... what do you think?



here are the 2 new logs.....

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\i0lola331d.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\lvnq0955e.dll


and ....


Logfile of HijackThis v1.99.1
Scan saved at 1:30:37 PM, on 4/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Unknown owner - C:\Program Files\NavNT\defwatch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP