Norton's still identifying issues


3 replies to this topic

#1 jkzml (New Member, 2 posts)

Posted 05 June 2004 - 02:12 AM

I have a machine that has become over-populated with spyware. A few days ago, the machine would shut itself down after working to open a web page. Pop up ads would clutter the screen and the machine would freeze.

Ad-Aware and Spybot have both been run on this machine. All entries found on those scans have been removed. A Norton's scan is still finding several files that are considered threats. The machine is running much better, but there is a real lag on start-up. I counted 80 items in the startup list.

Here is the HijackThis log file.

Logfile of HijackThis v1.97.7
Scan saved at 11:29:34 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\JY\Desktop\spybot\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [yzirip] C:\WINDOWS\yzirip.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [judyd] C:\WINDOWS\judyd.exe
O4 - HKLM\..\Run: [uzmlkzqf] C:\WINDOWS\uzmlkzqf.exe
O4 - HKLM\..\Run: [wlqfof] C:\WINDOWS\wlqfof.exe
O4 - HKLM\..\Run: [mpgnyr] C:\WINDOWS\mpgnyr.exe
O4 - HKLM\..\Run: [tizwnix] C:\WINDOWS\tizwnix.exe
O4 - HKLM\..\Run: [sfknov] C:\WINDOWS\sfknov.exe
O4 - HKLM\..\Run: [vqxuf] C:\WINDOWS\vqxuf.exe
O4 - HKLM\..\Run: [wrsjqdwn] C:\WINDOWS\wrsjqdwn.exe
O4 - HKLM\..\Run: [qryxef] C:\WINDOWS\qryxef.exe
O4 - HKLM\..\Run: [bib] C:\WINDOWS\bib.exe
O4 - HKLM\..\Run: [zyn] C:\WINDOWS\zyn.exe
O4 - HKLM\..\Run: [pyfkv] C:\WINDOWS\pyfkv.exe
O4 - HKLM\..\Run: [gbozyx] C:\WINDOWS\gbozyx.exe
O4 - HKLM\..\Run: [rsdodgh] C:\WINDOWS\rsdodgh.exe
O4 - HKLM\..\Run: [ydibwfer] C:\WINDOWS\ydibwfer.exe
O4 - HKLM\..\Run: [lebit] C:\WINDOWS\lebit.exe
O4 - HKLM\..\Run: [cpkdkx] C:\WINDOWS\cpkdkx.exe
O4 - HKLM\..\Run: [spudcp] C:\WINDOWS\spudcp.exe
O4 - HKLM\..\Run: [qxcnwf] C:\WINDOWS\qxcnwf.exe
O4 - HKLM\..\Run: [tkfafad] C:\WINDOWS\tkfafad.exe
O4 - HKLM\..\Run: [faxapcl] C:\WINDOWS\faxapcl.exe
O4 - HKLM\..\Run: [jmtuxgp] C:\WINDOWS\jmtuxgp.exe
O4 - HKLM\..\Run: [uzkfyfun] C:\WINDOWS\uzkfyfun.exe
O4 - HKLM\..\Run: [stktwjyr] C:\WINDOWS\stktwjyr.exe
O4 - HKLM\..\Run: [lwh] C:\WINDOWS\lwh.exe
O4 - HKLM\..\Run: [rqrkp] C:\WINDOWS\rqrkp.exe
O4 - HKLM\..\Run: [knct] C:\WINDOWS\knct.exe
O4 - HKLM\..\Run: [qvyt] C:\WINDOWS\qvyt.exe
O4 - HKLM\..\Run: [adwtibun] C:\WINDOWS\adwtibun.exe
O4 - HKLM\..\Run: [mdqd] C:\WINDOWS\mdqd.exe
O4 - HKLM\..\Run: [qxadehgh] C:\WINDOWS\qxadehgh.exe
O4 - HKLM\..\Run: [arexwrah] C:\WINDOWS\arexwrah.exe
O4 - HKLM\..\Run: [lqd] C:\WINDOWS\lqd.exe
O4 - HKLM\..\Run: [wbmj] C:\WINDOWS\wbmj.exe
O4 - HKLM\..\Run: [tehob] C:\WINDOWS\tehob.exe
O4 - HKLM\..\Run: [fir] C:\WINDOWS\fir.exe
O4 - HKLM\..\Run: [iryn] C:\WINDOWS\iryn.exe
O4 - HKLM\..\Run: [lepgvet] C:\WINDOWS\lepgvet.exe
O4 - HKLM\..\Run: [ivcnclid] C:\WINDOWS\ivcnclid.exe
O4 - HKLM\..\Run: [jmlsn] C:\WINDOWS\jmlsn.exe
O4 - HKLM\..\Run: [yxovwxgv] C:\WINDOWS\yxovwxgv.exe
O4 - HKLM\..\Run: [evwfsdqp] C:\WINDOWS\evwfsdqp.exe
O4 - HKLM\..\Run: [befcn] C:\WINDOWS\befcn.exe
O4 - HKLM\..\Run: [upazyv] C:\WINDOWS\upazyv.exe
O4 - HKLM\..\Run: [rmxkt] C:\WINDOWS\rmxkt.exe
O4 - HKLM\..\Run: [dov] C:\WINDOWS\dov.exe
O4 - HKLM\..\Run: [vatqpqx] C:\WINDOWS\vatqpqx.exe
O4 - HKLM\..\Run: [sdijknoh] C:\WINDOWS\sdijknoh.exe
O4 - HKLM\..\Run: [utmhixal] C:\WINDOWS\utmhixal.exe
O4 - HKLM\..\Run: [hmvojuf] C:\WINDOWS\hmvojuf.exe
O4 - HKLM\..\Run: [qbmzgrwv] C:\WINDOWS\qbmzgrwv.exe
O4 - HKLM\..\Run: [japql] C:\WINDOWS\japql.exe
O4 - HKLM\..\Run: [ubon] C:\WINDOWS\ubon.exe
O4 - HKLM\..\Run: [dgvgfsn] C:\WINDOWS\dgvgfsn.exe
O4 - HKLM\..\Run: [erinsjkn] C:\WINDOWS\erinsjkn.exe
O4 - HKLM\..\Run: [ctetot] C:\WINDOWS\ctetot.exe
O4 - HKLM\..\Run: [qtwdon] C:\WINDOWS\qtwdon.exe
O4 - HKLM\..\Run: [ixgrez] C:\WINDOWS\ixgrez.exe
O4 - HKLM\..\Run: [hsx] C:\WINDOWS\hsx.exe
O4 - HKLM\..\Run: [mrahcpoh] C:\WINDOWS\mrahcpoh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


Thanks in advance.

#2 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 05 June 2004 - 06:19 AM

Make sure that you have no browser windows open, as this could prevent the fix from working properly. Open HijackThis, scan, and when complete remove the following entries by checking the box to the left and clicking 'Fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [yzirip] C:\WINDOWS\yzirip.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [judyd] C:\WINDOWS\judyd.exe
O4 - HKLM\..\Run: [uzmlkzqf] C:\WINDOWS\uzmlkzqf.exe
O4 - HKLM\..\Run: [wlqfof] C:\WINDOWS\wlqfof.exe
O4 - HKLM\..\Run: [mpgnyr] C:\WINDOWS\mpgnyr.exe
O4 - HKLM\..\Run: [tizwnix] C:\WINDOWS\tizwnix.exe
O4 - HKLM\..\Run: [sfknov] C:\WINDOWS\sfknov.exe
O4 - HKLM\..\Run: [vqxuf] C:\WINDOWS\vqxuf.exe
O4 - HKLM\..\Run: [wrsjqdwn] C:\WINDOWS\wrsjqdwn.exe
O4 - HKLM\..\Run: [qryxef] C:\WINDOWS\qryxef.exe
O4 - HKLM\..\Run: [bib] C:\WINDOWS\bib.exe
O4 - HKLM\..\Run: [zyn] C:\WINDOWS\zyn.exe
O4 - HKLM\..\Run: [pyfkv] C:\WINDOWS\pyfkv.exe
O4 - HKLM\..\Run: [gbozyx] C:\WINDOWS\gbozyx.exe
O4 - HKLM\..\Run: [rsdodgh] C:\WINDOWS\rsdodgh.exe
O4 - HKLM\..\Run: [ydibwfer] C:\WINDOWS\ydibwfer.exe
O4 - HKLM\..\Run: [lebit] C:\WINDOWS\lebit.exe
O4 - HKLM\..\Run: [cpkdkx] C:\WINDOWS\cpkdkx.exe
O4 - HKLM\..\Run: [spudcp] C:\WINDOWS\spudcp.exe
O4 - HKLM\..\Run: [qxcnwf] C:\WINDOWS\qxcnwf.exe
O4 - HKLM\..\Run: [tkfafad] C:\WINDOWS\tkfafad.exe
O4 - HKLM\..\Run: [faxapcl] C:\WINDOWS\faxapcl.exe
O4 - HKLM\..\Run: [jmtuxgp] C:\WINDOWS\jmtuxgp.exe
O4 - HKLM\..\Run: [uzkfyfun] C:\WINDOWS\uzkfyfun.exe
O4 - HKLM\..\Run: [stktwjyr] C:\WINDOWS\stktwjyr.exe
O4 - HKLM\..\Run: [lwh] C:\WINDOWS\lwh.exe
O4 - HKLM\..\Run: [rqrkp] C:\WINDOWS\rqrkp.exe
O4 - HKLM\..\Run: [knct] C:\WINDOWS\knct.exe
O4 - HKLM\..\Run: [qvyt] C:\WINDOWS\qvyt.exe
O4 - HKLM\..\Run: [adwtibun] C:\WINDOWS\adwtibun.exe
O4 - HKLM\..\Run: [mdqd] C:\WINDOWS\mdqd.exe
O4 - HKLM\..\Run: [qxadehgh] C:\WINDOWS\qxadehgh.exe
O4 - HKLM\..\Run: [arexwrah] C:\WINDOWS\arexwrah.exe
O4 - HKLM\..\Run: [lqd] C:\WINDOWS\lqd.exe
O4 - HKLM\..\Run: [wbmj] C:\WINDOWS\wbmj.exe
O4 - HKLM\..\Run: [tehob] C:\WINDOWS\tehob.exe
O4 - HKLM\..\Run: [fir] C:\WINDOWS\fir.exe
O4 - HKLM\..\Run: [iryn] C:\WINDOWS\iryn.exe
O4 - HKLM\..\Run: [lepgvet] C:\WINDOWS\lepgvet.exe
O4 - HKLM\..\Run: [ivcnclid] C:\WINDOWS\ivcnclid.exe
O4 - HKLM\..\Run: [jmlsn] C:\WINDOWS\jmlsn.exe
O4 - HKLM\..\Run: [yxovwxgv] C:\WINDOWS\yxovwxgv.exe
O4 - HKLM\..\Run: [evwfsdqp] C:\WINDOWS\evwfsdqp.exe
O4 - HKLM\..\Run: [befcn] C:\WINDOWS\befcn.exe
O4 - HKLM\..\Run: [upazyv] C:\WINDOWS\upazyv.exe
O4 - HKLM\..\Run: [rmxkt] C:\WINDOWS\rmxkt.exe
O4 - HKLM\..\Run: [dov] C:\WINDOWS\dov.exe
O4 - HKLM\..\Run: [vatqpqx] C:\WINDOWS\vatqpqx.exe
O4 - HKLM\..\Run: [sdijknoh] C:\WINDOWS\sdijknoh.exe
O4 - HKLM\..\Run: [utmhixal] C:\WINDOWS\utmhixal.exe
O4 - HKLM\..\Run: [hmvojuf] C:\WINDOWS\hmvojuf.exe
O4 - HKLM\..\Run: [qbmzgrwv] C:\WINDOWS\qbmzgrwv.exe
O4 - HKLM\..\Run: [japql] C:\WINDOWS\japql.exe
O4 - HKLM\..\Run: [ubon] C:\WINDOWS\ubon.exe
O4 - HKLM\..\Run: [dgvgfsn] C:\WINDOWS\dgvgfsn.exe
O4 - HKLM\..\Run: [erinsjkn] C:\WINDOWS\erinsjkn.exe
O4 - HKLM\..\Run: [ctetot] C:\WINDOWS\ctetot.exe
O4 - HKLM\..\Run: [qtwdon] C:\WINDOWS\qtwdon.exe
O4 - HKLM\..\Run: [ixgrez] C:\WINDOWS\ixgrez.exe
O4 - HKLM\..\Run: [hsx] C:\WINDOWS\hsx.exe
O4 - HKLM\..\Run: [mrahcpoh] C:\WINDOWS\mrahcpoh.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

Reboot when done, rescan with HJT and post a new log here for a final check over.
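As an added example (not code from the thread, from HijackThis or from the helper above), the following Python script applies the two patterns the removal list rests on to constructed log lines in the same format: entries whose component is gone, marked "(no file)", and HKLM/HKCU Run values whose executable sits directly in C:\WINDOWS under a name matching the value. The sample log, the rule names and the `triage` function are all assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the shape of the HijackThis 1.97 log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [yzirip] C:\WINDOWS\yzirip.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# HijackThis O4 line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def run_entry_path(cmd: str) -> str:
    """Executable path from an O4 command string, quoted or bare."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.*?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd

def triage(log: str) -> list:
    """Return (reason, line) pairs for entries that deserve a second look."""
    hits = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        # The registry still points at a component whose file is gone.
        if line.endswith("(no file)"):
            hits.append(("orphan", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group(2), m.group(3)
        p = PureWindowsPath(run_entry_path(cmd))
        # Heuristic taken from this thread: every auto-start the helper removed
        # from C:\WINDOWS was an exe dropped directly there (not System32) whose
        # Run value name equals the file stem. Legitimate software can live
        # there too, so treat this as a triage flag, not a verdict.
        if str(p.parent).lower() == r"c:\windows" and p.stem.lower() == name.lower():
            hits.append(("windir-autostart", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:16} {line}")
```

Entries such as the TV Media path or the O16 download domain need a reputation list, which this script does not carry.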

#3 jkzml (New Member, 2 posts)

Posted 05 June 2004 - 11:02 AM

Daemon,
Thank you for the direction. I had only one item that was still present after running the fix. I rebooted to safe mode and ran the utility one more time. The log is clear of all of the items.

Once again, thanks for the help.

Until we meet again...

#4 Daemon (Security Expert, Emeritus, 3,350 posts)

Posted 05 June 2004 - 11:15 AM

You're welcome - glad to help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
