Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Adware is back I think.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Adware is back I think.

Unread postby Perkypen » February 18th, 2005, 10:38 am

I had a problem this AM. Something has turned off my Norton Anti-virus auto protect. I can not get it back on. When I ran Norton - it seems that there is adware on it again!

Can you please just take a look and tell me what you think?

Thanks a whole bunch!!!!

Logfile of HijackThis v1.99.0
Scan saved at 9:33:41 AM, on 2/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\z9wktdj6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\z9wktdj6.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/r ... cregie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{695869E1-1A86-4E6E-86B6-ABDAF4B1F8F8}: NameServer = 10.0.0.3,64.7.11.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{695869E1-1A86-4E6E-86B6-ABDAF4B1F8F8}: NameServer = 10.0.0.3,64.7.11.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{695869E1-1A86-4E6E-86B6-ABDAF4B1F8F8}: NameServer = 10.0.0.3,64.7.11.2
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Web Jetadmin - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks a million!!!!
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC
Advertisement
Register to Remove

Unread postby ChrisRLG » February 18th, 2005, 11:00 am

the only line I cannot check fully is the )17 with this IP address - do you know the service - is it your ISP.

Server Used: [ rwhois.megapath.net ]

64.7.11.2 = [ ns3.megapath.net ] network: Class-Name: network
network: ID: NET-64711030
network: Auth-Area: 64.7.0.0/19
network: Network-Name: 64.7.0.0/19-0
network: IP-Network: 64.7.11.0/30
network: Organization;I: MegaPath Networks Inc.
network: Organization-Address;I: 6691 Owens Drive
network: Organization-Address;I: Pleasanton CA 94588
network: Admin-Contact;I: Crandall Sean
network: Admin-Contact;I: 925-201-2530
network: Created: 20050218
network: Updated: 20050218
network: Updated-By: hostmaster@megapath.net

Other than that you are clean - it must be a setting problem of some kind.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

ISP

Unread postby Perkypen » February 18th, 2005, 11:51 am

Yeah, my ISP provider is Megapath.

:?

The following items show up when I do the Norton Antivirus Scan and this is what comes up and I can't seem to delete it:

Adware.Iefeats
Adware.BargainBuddy
Adware.DealHelper
Spyware.Apropos

Got any suggestions?

Thanks,
Penny
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby ChrisRLG » February 18th, 2005, 11:56 am

Do they show the file/folder they were found in.

It may be they are a false-positives. That would be someing like norton seeing the removal setting for a malware inside say spybot.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 18th, 2005, 11:58 am

maybe inside the M$ beta anti-malware program you have installed.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Norton anti-virus

Unread postby Perkypen » February 18th, 2005, 1:47 pm

I rebooted and ran Norton again.

Here is were is says the above files are.

The File C:\Documents and Settings\AdministratorLocal Settings\Temp\1.temp is a Adware threat

The File C:\WINDOWS\SYSTEM32\mqexdlm.srg is a Adware threat

The File C:\WINDOWS\SYSTEM32\Lghbda.exe is a Adware threat

The compressed file C:\WINDOWS\System32\msexreg.exe within C:WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat

The compressed file C:\WINDOWS\System32\mqexdlm.srg within C:WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat

The compressed file C:\WINDOWS\System32\javexulm.vxd within C:WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat

The compressed file C:\WINDOWS\System32\exul.exe within C:WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat

The compressed file C:\WINDOWS\System32\exdl.exe within C:WINDOWS\SYSTEM32\netut80ex.vxd is a Adware threat


can C:\WINDOWS\SYSTEM32\netut80ex.vxd be deleted?

Penny
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby ChrisRLG » February 18th, 2005, 4:59 pm

OK

In all my searches for those files I come accross lots of people with a similar problem.

What we are seeing I believe is a leftover file - a 'packed' file that contains the malware componants.

Because your program is finding it within a compressed file, it is unable to just delete the single item so has to leave it.

What we will do - because these are not active - is just delete the files manually - the whole compressed file in most cases.

so open windows explorer - find these files and delete them - if you have a probelm come back and I have a special program that will be able to do it.

Try first to do a straight delete - or change the file permissions (right click of the file - properties) so you can delete.

C:\Documents and Settings\AdministratorLocal Settings\Temp\ (all Content - BUT not the folder itself - some created with todays date may not be able to be deleted as they will be in use)
C:\WINDOWS\SYSTEM32\mqexdlm.srg
C:\WINDOWS\SYSTEM32\Lghbda.exe
C:WINDOWS\SYSTEM32\netut80ex.vxd

Post back with a HJT log and tell me how the deletes worked - do run your program again to see if any more are found.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 27th, 2005, 7:21 pm

Due to the time delay in a reply to this topic - a new hijackthis log etc would be required, so please post a new one in a new topic should you still require assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » March 1st, 2005, 9:21 am

Topic reopened by request.

Please provide a new hijackthis log - new version now available - see download link above the forum.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » March 14th, 2005, 5:03 am

Due to the time delay in a reply to this topic - a new hijackthis log etc would be required, so please post a new one in a new topic should you still require assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 62 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware