
NAV viruses not showing, now have one

Discussion in 'Security and Privacy' started by twichell, 2004/05/25.

Thread Status:
Not open for further replies.
  1. 2004/06/06
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    The system processes to allow out:

    Generic Host Process for Win32 Services
    NT Kernel & System

    Next, to close ports:

    Double click the Sygate tray icon > click the Applications button, highlight each app and go into the Advanced option for the application. There, uncheck Act as Server.

    Afterwards, go here to test the firewall: https://grc.com/x/ne.dll?bh0bkyd2

    http://forums.sygate.com/vb/ Sygate forum.

    Regards - Charles
     
  2. 2004/06/06
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Laura,

    Forgot to add that you seem to have a lot of "no name" BHO's.

    This program http://www.definitivesolutions.com/bhodemon.htm - BHODemon will give you more detail on them and also has the ability to disable/re-enable them to see what the effects are if not running. Then a decision can be made as to whether to delete them w/HJT.

    Regards - Charles
     
    Last edited: 2004/06/06


  4. 2004/06/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Log looks clean to me. BHO's are OK. They say no name at the beginning, but are identified after the CLSID. :)
     
  5. 2004/06/07
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Closed the ports for 'Generic and NT Kernel'.

    Other advice please. Should I use Norton's ActiveX CleanUp, PlugIn CleanUp and SmartSweep CleanUp? I'm now concerned that anything I do with Norton will offset all the work that we have done.

    I cannot thank all of you enough. You have really impressed me.

    BTW...Carpet people just called...installation tomorrow. Too bad we'll have to move all the furniture in nearly 90 degree heat!!

    Laura
     
  6. 2004/06/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let them move it! LOL :D

    No comment on the Norton utilities. I don't (won't) use them. :rolleyes:
     
  7. 2004/06/07
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Laura,

    Go thru that process of unchecking "act as server" with ALL the applications - not just for those two MS processes. The only exception may be MSN's msmsgs - but try it unchecked first, always can allow the "act as server" again.

    I use just Norton's AV - quite enough, thank you :) - so I'll let someone who does offer advice on those.

    Regards - Charles
     
  8. 2004/06/09
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Charles:
    I responded yesterday, but it didn't appear. Anyway, unchecked 'act as server' for all apps.
    Got a 3rd error in WinDoctor stating an invalid startup command in relationship to the unwanted 'alchem'. SO, given all 3 errors are listed as invalid keys, being things we got rid of, I just said repair, which they say will delete the invalid key.

    Read in another forum by accident that 'lserv.exe' is a worm, which I have in System32. Opinion?

    Am I just about healed? Thought about trying to send one of you, by e-mail, a picture of my applications page in Sygate. Help any??

    Later...Laura
     
  9. 2004/06/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yep. Strange that the run keys were never present in your logs. :confused: Delete the file and check the registry for any entries.
    Do you have a printscreen app. such as Gadwin or Hoversnap?
     
  10. 2004/06/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Laura,

    Another way w/o 3rd party software:

    Hold down the <Alt> key and hit the <Print Screen> key. Bring up Wordpad or Word and paste. The image will be the top window.

    Handy way to save settings to a folder as well.

    Regards - Charles
     
  11. 2004/06/10
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Noah: I'm somewhat confused about this alchem.exe
    It was listed on a HJT log a few days ago & was told to get rid of it. Now it no longer is in the HJT log, BUT remains in my System 32 folder..which also means there is a registry key, right? SO?? Manually delete file (also a few listed in the TEMP folder) and then go into the registry..right again?

    Asked about the print screen because I didn't know if I should use it to send you more info. Besides the PS on the keyboard I have PrintScreen32, but am unable to get the whole screen (Applications in Sygate). Would have to send 2 halves, which has to be wrong (I think). Program recommendation?

    Back on June 4th, Johanna said, "wipe out your previous Restore Points and make a new one." I don't have a clue what she is talking about.

    Need me to send anything else?

    Laura
     
  12. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    No, nothing wrong with that. Paste both halves to WordPad or Word - then you have a single page. Any other software wouldn't do any more in this instance - the problem is Sygate's control panel, which can't be expanded beyond a certain size.

    The reason for this is because System Restore "backs up" the operating system and the malware, if present, along with it. Those backed up OS "states" can be "restored" if there is a major problem with the system. Because you've had various malware problems, those would re-infect your system if restored. Type System Restore into the Help and Support applet on the control panel for what it is and how it's used.

    To get rid of those infected restore points: right click on My Computer > properties > system restore tab > uncheck Monitor Drive > reboot > go back into the System Restore tab and re-enable SR. You will now have an initial clean restore point.

    Regards - Charles
     
    Last edited: 2004/06/10
  13. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Close! :) Check the box to turn off system restore, reboot and then uncheck. No need to even do a printscreen. You can export the log to a text file and attach the file to an email. Just open Sygate to the log you want to view, click File on the menu, Export. Then save it as traffic.txt (or security.txt or whichever log it is), with type at the bottom as All files (*.*).

    If I understand correctly, alchem.exe is no longer running in task manager yet it will not let you delete it, even in safe mode? No problem. Install Move-on-Boot. You will have a new right click option for files. Delete on next boot. Right click the alchem file and select it. Then reboot. Just run Regseeker to clean up. Just for good measure, since it's been a while, post a new HJT log too.

    You can't attach files to BBS emails, so a PM to anyone you'd like to send it to requesting an address will be necessary. I'm more than happy to. :)
     
  14. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I think MS got that a**s backwards :) I always do that, especially when I'm not on XP, which was the case when I posted.

    BTW, I think what Laura wants to show us Sygate's application panel.

    Regards - Charles
     
  15. 2004/06/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ahhh, yes it is. Forget what I said about the logs Laura. :rolleyes:
     
  16. 2004/06/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Dave, Sent her a PM about how to do that.

    Regards - Charles
     
  17. 2004/06/11
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Hi: I've wiped out the Restore Points. 2 of us couldn't figure out how to copy/paste a printscreen to send to you, as the forum doesn't support regular e-mail, sooo...I

    Went to REGEDIT, found 'lserve and alchem' and deleted them.

    Spybot doesn't really take care of 'DSO Exploits'. In fact, had to run it 4-5 times in order to get rid of the 7 other listed items.

    Here is the latest HJT log. One strange thing...upon first opening it today I discovered MANY of the items I had gotten rid of earlier. I'm curious to see what tomorrow brings.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:46:39 PM, on 6/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SygateFirewall\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Scan & Fix\Pop-Up Stopper Free Edition\PSFree.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Scan & Fix\RegSeeker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Applications\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.scoresandodds.com./ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE~1\smc.exe -startgui
    O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Any pop-up stopper recommendation?

    Have a good weekend!

    Laura
     
  18. 2004/06/11
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    This is coming up a lot lately :) Exclude those items from the SSD scan.

    For an explanation on DSO: http://forums.net-integration.net/i...showtopic=15308

    This thread is at SSD's forum hosting site.

    Regards - Charles
     
  19. 2004/06/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    ??? Log looks good. What is back that you didn't want?
    The Google toolbar seems to work well.
     
  20. 2004/06/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I'm still curious about this. Looks like twichell has installed programs into the start menu?
    http://www.windowsbbs.com/showpost.php?p=161225&postcount=23
    Don't install programs to the start menu, nor put exe's in there. The start menu is only for shortcuts to them :)
    Not necessary, once the file is deleted, there's usually no need to delete mention of it in the registry, in fact it's not worth the risk, there will always be some leftovers (best to let RegSeeker do that)
     
  21. 2004/06/12
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Noah: This partial log was June 4th, AFTER making many deletions. Deleted items again, and they stayed deleted now.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

    Looney: When installing, I usually put the exe in an 'applications' folder.
    And install the rest in 'program files'. Can I correct the Start Menu by dragging/dropping in Windows Explorer, and making a shortcut to that program in the Start Menu?? Have noticed some programs put the uninstall in the Start Menu, others do not. Personally, I like it there, or is that a no-no too (and should be a shortcut)? Per your response, I'll find some time to fix, what looks to be, a mess!

    Laura
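An added example, not code from the thread or from the HijackThis project: a small Python parser for the HJT 1.97 log format quoted in the posts above. It pulls out the R0/R1 browser settings, O2 BHOs and O4 Run entries, flags R-lines whose target host is not on a trusted list (the drsnsrch.com search-page hijack from the June 4th log) and lists the "(no name)" BHOs by CLSID and DLL path, which is what identifies them. The sample lines are constructed from the logs in the thread and the trusted-host set is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines in the HijackThis 1.97 format seen in the thread
# (a search-page hijack, a normal R1 line, an empty R0 line, two BHOs, one Run entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

R_LINE = re.compile(r"^(R[01]) - (.+?) =\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")


def parse_hjt(text):
    """Turn HJT log lines into dicts; lines of other sections are kept raw."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := R_LINE.match(line):
            entries.append({"sec": m[1], "key": m[2], "value": m[3].strip()})
        elif m := O2_LINE.match(line):
            entries.append({"sec": "O2", "name": m[1], "clsid": m[2], "path": m[3]})
        elif m := O4_LINE.match(line):
            entries.append({"sec": "O4", "hive": m[1], "name": m[2], "cmd": m[3]})
        else:
            entries.append({"sec": line.split(" ", 1)[0], "raw": line})
    return entries


def search_hijacks(entries, trusted_hosts):
    """R0/R1 IE start/search settings whose target host is not on the allowlist."""
    hits = []
    for e in entries:
        if e["sec"] not in ("R0", "R1") or not e.get("value"):
            continue  # empty values (e.g. Local Page =) are normal
        url = e["value"] if "://" in e["value"] else "http://" + e["value"]
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            hits.append((e["key"], host, e["value"]))
    return hits


def unnamed_bhos(entries):
    """'(no name)' BHOs: the CLSID and DLL path are what identify them."""
    return [(e["clsid"], e["path"]) for e in entries
            if e["sec"] == "O2" and e["name"] == "(no name)"]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for key, host, _ in search_hijacks(ents, {"www.dell.com"}):  # assumed trusted host
        print(f"untrusted start/search setting: {key} -> {host}")
    for clsid, path in unnamed_bhos(ents):
        print(f"look up BHO {clsid}: {path}")
```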
     