[BLuLQQker]

Thanks again for helping me clean up my Home computer.
Now for the one at work.
I had a bad sypware infection a month ago, cleaned most of it up
with a system restore.
The Norton anti-virus picks up 5 files, but won't let
me delete them.
Everything I have used finds them but nothing gets rid of these files.
Any help is appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 2:36:31 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\South FL Counseling\Desktop\Removable Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 9.0) - http://outcomes.fmhi...du/snapview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DDDDA60-F23C-457A-B04A-0B631F4304AF}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

It's a squeaky clean log. Just fix these items:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Now what are the names and the location[s) of the files Norton objects to?

[TonyKlein]

It's a squeaky clean log. Just fix these items:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Now what are the names and the location[s) of the files Norton objects to?

[BLuLQQker]

I fixed what you suggested and am posting the scan results…..Thanks.


OK, housecall found:

TROJ SMALL.AGT Non Cleanable C: Documents and Settings\Loc...
EXPL IFRAMEBO.A " "
TROJ WINTOOL.E " "
CHM PSYME. AX " "


Norton:

The compressed file C:/Program Files/ BullsEye Network/bin/adv.exe within
C:\WINDOWS\system32\mac80ex.idf is a Adware threat.


The compressed file C:/Program Files/ BullsEye Network/bin/adx.exe within
C:\WINDOWS\system32\mac80ex.idf is a Adware threat.

The compressed file C:/Program Files/ BullsEye Network/bin/bargains.exe within
C:\WINDOWS\system32\mac80ex.idf is a Adware threat.


The compressed file C:/WINDOWS/System32/msbe.dll
C:\WINDOWS\system32\mac80ex.idf is a Adware threat.

The compressed file svcmm32.exe within C:\Documents (etc)\Temporary Internet Files\
Content.IE5\3CYZ77DW\mmviewer_ic13[1]_cab.vir is a Adware threat.

[TonyKlein]

TROJ SMALL.AGT    Non Cleanable     C: Documents and Settings\Loc...
EXPL IFRAMEBO.A          "                                    "
TROJ WINTOOL.E            "                                     "CHM
PSYME.             "                                     "

So what's the entire path here?

"C: Documents and Settings\Loc..."? Is it in Temporary Internet Files, like mmviewer_ic13[1]_cab.vir?

Close all browser Windows, go to Control Panel > Internet Options, and on the General tab, in the Temp. Internet Files ection, press Delete Files.

Start your computer in Safe Mode and find and delete that C:\WINDOWS\system32\mac80ex.idf file.

Once you're there, go to Start > Run, type %temp% then press enter.
Your Personal Temp folder will open. Select everything in there, and press Delete.

NOTE: To avoid the risk of any of the above not being found due to it having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

Start your computer normally, and tell us how that went.

Edited by TonyKlein, 25 April 2005 - 03:27 PM.

[BLuLQQker]

Hi there,
When I got to work today I followed your instructions.
Everything worked out well.
On the new Norton scan I only found I piece of
adware.

svmm32.exe Adware.whileUsurf

The compressed file svmm32.exe within
C:\Documents and Settings\my company name\Local Settings\Temporary Internet Files\Content.IE5\3CYZ77DW\mmviewer_ic13[1]
_cab.vir is a Adware threat.


Thanks again for your time!

[TonyKlein]

Once again, it's in the Temporary Internet Files folder of that particular profile. Delete those files again.

For a more rigorous cleanup, log in as Administrator (just having administrative priviledges is not enough!), and you'll be able to delete the entire Temporary Internet Files folder in that profile.

Windows will automatically create a new one as soon as you log on in that profile and start your browser.

Edited by TonyKlein, 26 April 2005 - 03:09 PM.

[BLuLQQker]

Sorry...
I went in as Administrator today and ran %temp%,
however the folder was empty.
In todays scan I still have that one piece of Adware.
Not sure what to do.


The compressed file svmm32.exe within
C:\Documents and Settings\my company name\Local Settings\Temporary Internet Files\Content.IE5\3CYZ77DW\mmviewer_ic13[1]
_cab.vir is a Adware threat.

[TonyKlein]

The compressed file svmm32.exe within
C:\Documents and Settings\my company name\Local Settings\Temporary Internet Files\Content.IE5\3CYZ77DW\mmviewer_ic13[1]
_cab.vir is a Adware threat.

The Temp and Temporary Internet Files folders are two different things.

If you effectively DELETE the C:\Documents and Settings\my company name\Local Settings\Temporary Internet Files folder the way I described, a new folder will created later, and that svmm32.exe file will be gone.

I suggest you gibe it another try.

[TonyKlein]

... or have a look here:

Safely Delete the Temporary Internet Files

There's a link to CCleaner in there as well; it will delete the contents of the TIF folder including the index.dat too.