12-11-2004, 05:17 PM   #1
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76
Long Post-but needed

Hi all,
I have run Norton Internet Security and it identifies the following files:

"The file C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP19\A0007757.dll is a Adware threat."

"The file C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP22\A0008672.exe is a Adware threat"

but Norton is unable to delete them. Therefore I have tried to manually delete them, but to no avail. I have Ad-Aware, Spybot, Pest Control and a few lesser-known ones and have run them, but can't seem to get rid of the below files because they still appear in Norton.

Can anyone offer me any advice on what to do to get rid of these files? I have run HijackThis and below is the report (maybe I could delete it from there, but I don't recognize the files in the report).

"Logfile of HijackThis v1.98.2
Scan saved at 21:20:12, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\SSMS.EXE
C:\WINDOWS\system32\LSSAS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\netdaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Anisah\Desktop\SyAdFdTune Up\hijackthis.[+dll].1.98.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0. dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: Local Spool Net support DLL - {E0000D50-8DE9-4FCB-9284-22EC06851B37} - C:\WINDOWS\system32\localsplnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0. dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [netdaemon] C:\WINDOWS\system32\netdaemon /v
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...AData.cab"

12-12-2004, 01:24 AM   #2
skunx710 (In Runtime)
Join Date: Nov 2004
Posts: 289
Re: Long Post-but needed

Get rid of the following..
Also you can download a program called killbox that will delete the files.
http://www.bleepingcomputer.com/files/killbox.php



C:\WINDOWS\system32\Ati2evxx.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\system32\SSMS.EXE
C:\WINDOWS\system32\LSSAS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\netdaemon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0. dll
O2 - BHO: Local Spool Net support DLL - {E0000D50-8DE9-4FCB-9284-22EC06851B37} - C:\WINDOWS\system32\localsplnet.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0. dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll



It also looks like you have, or had at one time, the Sasser worm. Have you done a full system scan lately?
skunx710 is offline   Reply With Quote
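
Added example, not part of any post in this thread: the log above lists `SSMS.EXE` and `LSSAS.EXE` alongside the genuine Windows processes `smss.exe` and `lsass.exe`, and this Python sketch flags such near-miss names in the "Running processes" section of a HijackThis log. The `KNOWN_SYSTEM` baseline and the distance threshold are assumptions; a hit is a lead to investigate, not a verdict.

```python
import ntpath

# Assumed baseline of core Windows system process names (not taken from the thread).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Excerpt of the log posted in #1, shortened to a few of its process lines.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\system32\SSMS.EXE
C:\WINDOWS\system32\LSSAS.EXE
C:\WINDOWS\system32\slserv.exe

R3 - Default URLSearchHook is missing
"""

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    lines = [line.strip() for line in log_text.splitlines()] + [""]
    start = lines.index("Running processes:") + 1
    return lines[start:lines.index("", start)]

def lookalikes(log_text, max_distance=1):
    """Processes whose file name is close to, but not equal to, a system name."""
    hits = []
    for path in running_processes(log_text):
        name = ntpath.basename(path).lower()
        if name not in KNOWN_SYSTEM:
            hits += [(path, real) for real in sorted(KNOWN_SYSTEM)
                     if osa_distance(name, real) <= max_distance]
    return hits
```

On the excerpt, `lookalikes(SAMPLE_LOG)` returns the `SSMS.EXE` and `LSSAS.EXE` paths paired with `smss.exe` and `lsass.exe`; the other entries are not flagged.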

12-12-2004, 01:40 PM   #3
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76

Thanks

Yeah, I have run a full system scan.

N.B. When I re-run the scan the same file comes up but in different locations. Is there any way I could just delete the file regardless of the number of locations it is in?

12-12-2004, 08:55 PM   #4
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76
Re: Long Post-but needed

see modified post

12-12-2004, 09:07 PM   #5
skunx710 (In Runtime)
Join Date: Nov 2004
Posts: 289
Re: Long Post-but needed

Yeah, you should just remove it in all locations. If it's real bad I'd back up and format.

12-13-2004, 04:51 PM   #6
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76

Thanks,

but when I went to delete the files using killbox it says it can't delete it. Is there any other program I could use to delete them?

12-13-2004, 07:25 PM   #7
skunx710 (In Runtime)
Join Date: Nov 2004
Posts: 289
Re: Long Post-but needed

Did you boot to safe mode and then try it? Also, you need to use the option "delete on reboot".

12-13-2004, 07:28 PM   #8
xxcobraxx
Join Date: Oct 2004
Location: England
Posts: 6,224
Re: Long Post-but needed

Why is it noobs these days come on here, ask a question, then bog off and try it, then don't even say YER IT DID WORK THNX FFS

12-13-2004, 09:19 PM   #9
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76
Re: Long Post-but needed

Quote:
Originally Posted by xx cobra xx
Why is it noobs these days come on here, ask a question, then bog off and try it, then don't even say YER IT DID WORK THNX FFS

GIVE ME A CHANCE. YOU MAY FIND IF YOU LOOKED AT MY POSTS I HAVE ALWAYS APPRECIATED THE HELP, AS A NOOB OF COURSE!

12-13-2004, 09:21 PM   #10
anisah123 (Baseband Member)
Join Date: Sep 2004
Posts: 76
Re: Long Post-but needed

Quote:
Originally Posted by skunx710
Did you boot to safe mode and then try it? Also, you need to use the option "delete on reboot".

YES thanks, it worked, but when I ran Norton again the same two pieces of adware came up again in Norton

("The file C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP19\A0007757.dll is a Adware threat."

"The file C:\System Volume Information\_restore{1450A557-4027-4F57-AFFC-65B5F7AFB22A}\RP22\A0008672.exe is a Adware threat")

Thanks