
looks like a hijack..log posted..help please..

Discussion in 'Security and Privacy' started by genex, 2004/06/15.

Thread Status:
Not open for further replies.
  1. 2004/06/17
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Delay on L.I.R.R.....will report tomorrow...thanks, gene
     
  2. 2004/06/18
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Dave...when I try to run RAV...what do I put in the browse box?
    HouseCall (for Netscape) installation
    It appears that the required components for HouseCall are not currently installed on your computer.

    To install HouseCall, do the following steps:

    1. download this program ;
    2. run it;
    3. restart your Netscape browser.
    Can't seem to get this to run.
    I did run the c/a scan and nothing came up.
    thanks, gene
     
  4. 2004/06/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    On RAV, just click the 'scan my PC' button. Easiest to just use Internet Explorer, rather than Netscape, on both scans. IE only needs an ActiveX plugin, which you may or may not get prompted for, and installs in seconds.
     
  5. 2004/06/18
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Will Advise Tonite....gene
     
  6. 2004/06/18
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Running RAV again...IE6 crashed as I was submitting the first scan...running on Netscape...
    Scan started at 6/18/2004 9:56:56 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP11\A0001048.exe - TrojanDropper:Win32/Small.GU -> Suspicious
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001095.exe - TrojanDropper:Win32/Small.GU -> Suspicious
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0002095.exe - TrojanDropper:Win32/Small.GU -> Suspicious
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP13\A0002275.sys - Backdoor:Win32/Haxdoor.T -> Infected
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP13\A0002279.exe - TrojanDropper:Win32/Small.GU -> Suspicious
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000598.exe - TrojanDropper:Win32/Small.GU -> Suspicious
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP7\A0000835.exe - TrojanDropper:Win32/Small.GU -> Suspicious

    Scanned
    ============================
    Objects: 70104
    Directories: 4569
    Archives: 3798
    Size(Kb): -2042513
    Infected files: 1

    Found
    ============================
    Viruses found: 1
    Suspicious files: 6
    Disinfected files: 0
    Mail files: 999
     
  7. 2004/06/18
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Those files are in your System Restore folder: disable System Restore, reboot, then enable it, and reboot.
    Did you find out anything about the registry keys, per noahdfear's post?
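As an added example (not code from the thread or from any of the tools it mentions), a small Python parser for the RAV scan output format quoted above. It separates hits that live inside System Restore's `_restore{...}\RPnn` folders, which the restore-point purge markp62 describes takes care of, from hits on live files that still need manual removal. The sample log is constructed: two lines are taken from the posted log, and the `Debugg.dll` detection line is invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the RAV online scan output quoted in the
# thread: two lines copied from the posted log plus one invented "live file" hit.
SAMPLE_RAV_LOG = """Scan started at 6/18/2004 9:56:56 PM

Scanning files...
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP11\\A0001048.exe - TrojanDropper:Win32/Small.GU -> Suspicious
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP13\\A0002275.sys - Backdoor:Win32/Haxdoor.T -> Infected
C:\\WINDOWS\\System32\\Debugg.dll - Backdoor:Win32/Haxdoor.T -> Infected

Scanned
============================
Objects: 70104
Infected files: 2
"""

# One detection line: "<path> - <detection name> -> <verdict>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) - (?P<name>\S+) -> (?P<verdict>\w+)\s*$")
# Copies that System Restore keeps inside a restore point folder (RPnn)
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    name: str
    verdict: str
    restore_point: Optional[int]  # RP number if the hit is a restore-point copy, else None


def parse_rav_log(text: str) -> List[Detection]:
    """Extract detection lines; status and summary lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_POINT_RE.search(m.group("path"))
        found.append(Detection(m.group("path"), m.group("name"), m.group("verdict"),
                               int(rp.group("rp")) if rp else None))
    return found


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Restore-point copies go away when restore points are purged; live files
    are the ones that still need to be removed by hand."""
    return {
        "restore_point": [d for d in detections if d.restore_point is not None],
        "live": [d for d in detections if d.restore_point is None],
    }
```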
     
  8. 2004/06/18
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    debugg.dll file did not delete.
     
  9. 2004/06/18
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    How to disable System Restore in XP Pro?
     
  10. 2004/06/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Detailed directions Here.
     
  11. 2004/06/19
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Did the System Restore...something goes on..??? gene
    HouseCall said uncleanable...could post HouseCall..would not copy
    thanks, gene
     
  12. 2004/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Mornin' gene :)

    Debugg.dll is definitely a bug. From your PV Zip log.
    Notice the files above and below the debugg entry both have a version number, which I put in bold, and debugg has none? That is how it is identified as bad. Possibly what is causing IE to crash on the RAV scan. You need to follow the steps outlined in the links on the Google hit I provided to remove the file(s) and registry entries. If you are uncomfortable doing the regedits, you could see if Trojan Hunter or Stinger can find and clean it. If no luck with those, I could probably put together a .reg file for you to run for the registry cleanup and then you would just need to delete the file(s).
    System restore will have to be disabled when the file is deleted, disk cleanup run afterward and PC rebooted before turning restore back on.

    Disk Cleanup
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
     
  13. 2004/06/19
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Trojan Hunter found none....Stinger found nothing...what should I try next?
    thanks, gene
     
  14. 2004/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Are you comfortable with the registry?
     
  15. 2004/06/19
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    yes....
     
  16. 2004/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please wait for other members to respond in case they have something to add, see something I may have missed, or feel it should be done differently.

    You may want to print this out, or save it to text where you can access it in safe mode.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Don't allow to restart yet!

    Please download TheKillbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder. Open the Killbox folder then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\Debugg.dll

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path above should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Reboot when prompted.


    Don't be concerned if some/any of these are not present.
    Open regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and delete the key debugg.
    Then to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root and delete the key LEGACY_SDMAPI.
    Then HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services and delete the keys boot32 and sdmapi.
    Also HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and the key LEGACY_SDMAPI.
    And finally to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and the keys boot32 and sdmapi.
    Close regedit.

    You will need to show hidden files and folders

    Open C:\Windows\System32 and delete all of the following if present.

    w32_ss.exe
    Boot32.sys
    C3.dll
    C3.sys
    C4.sys
    Sdmapi.sys
    P2.ini


    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore. Again, open the pv folder. Double click on the runme.bat. A DOS window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter. Post its log.

    The link below will show the files I have noted, as well as all the registry entries listed.
    http://www.symantec.com.br/avcenter/venc/data/backdoor.haxdoor.b.html
     
  17. 2004/06/20
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    "Open the pv folder."
    How do I do that?
    thanks, gene
     
  18. 2004/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  19. 2004/06/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    From post #14 - Download this zip. http://tools.zerosrealm.com/pv.zip Please unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, open the pv folder. Double click on the runme.bat

    Assuming you did place it on the desktop, just double-click it open.
     
  20. 2004/06/21
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    Thanks...will Do Tonite...gene
     
  21. 2004/06/22
    genex

    genex Inactive Thread Starter

    Joined:
    2004/06/09
    Messages:
    36
    Likes Received:
    0
    OK...REMOVED ALL I COULD IN REGISTRY...RE-SET SYSTEM RESTORE IN SAFE MODE..FINGERS CROSSED...LOOKS GOOD THIS IS H.J.LOG ON SECOND REBOOT...
    Logfile of HijackThis v1.97.7
    Scan saved at 5:34:38 AM, on 6/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\TrojanHunter 3.9\TrojanHunter.exe
    C:\DOCUME~1\EUGENE~1\LOCALS~1\Temp\set3F.tmp
    C:\Documents and Settings\eugene berkery\Desktop\HijackThis.exe

    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://my.yahoo.com/ "); (C:\Documents and Settings\eugene berkery\Application Data\Mozilla\Profiles\default\q9l5854o.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\eugene berkery\Application Data\Mozilla\Profiles\default\q9l5854o.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe "
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe "
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
    LOOKS GOOD????
    THANKS AGAIN, GENE
     