
Still Hi-Jacked by Anti-Virus Gold

Anonymous
June 15, 2005 9:02:49 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Some weeks back, my desktop was hi-jacked by Anti-Virus Gold. Tried
everything to get rid of it. MSAS seems to know about it, tries to
remove it, but fails. It also seems to be the culprit that is
blocking an MSAS report, even in safe mode. Can't send it in.

The offending file is "desktop.html", residing in c:\windows. Remove
it, but it comes back on reboot. This is a particularly nasty
parasite, basically it is imposing extortion - "Buy it, and I'll
remove it!"

I cannot imagine that anybody would buy this product after what it
does to your computer. I'm filled with rage at this parasite and
the tactic.

Here's my report from HiJack This:

++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 11:56:36 AM, on 06/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe
C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SMSC\Seticon.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\ewvqmoe.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\m?config.exe
C:\Program Files\Agent\agent.exe
C:\UTILS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6AA4D2A4-3A1B-1398-46C5-4071740F8199} -
C:\WINDOWS\system32\uaj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader
Driver v1.8e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [ejzuhgh] c:\windows\system32\ewvqmoe.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [KeyboardManager] "C:\Program Files\Polyphony
Software\Keyboard Manager\KeybdMgr.exe" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Program
Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server -
C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... -
C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant
Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 -
https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassap...
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x40...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
-
http://a840.g.akamai.net/7/840/537/2004061001/housecall...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDown...
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
http://download.spyspotter.com/spyspotter/SpSp29952.41o...
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) -
Symantec Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton
AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec
Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\Security
Center\SymWSC.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. -
C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) -
TuneUp Software GmbH - C:\Program Files\TuneUp Utilities
2004\WinStylerThemeSvc.exe

+++++++++++++++++++++++++++++++++++++++++++++++++++

Thoughts of others?

Regards,

Terry Smythe
Winnipeg, Canada
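A log like the one above is easier to work through with a small triage script than by eye. The Python below is an added example, not part of this thread and not HijackThis's own code. It parses a handful of lines copied from the posted log (embedded as a constructed sample, re-joined where the newsgroup wrapped them) and flags the entries a responder would compare against a clean system first: anything appended to the system.ini Shell= or UserInit= values (Winlogon starts those programs at every logon, which is exactly the kind of persistence that makes a deleted file reappear after a reboot), Run entries whose value name is a bare run of lowercase letters and whose binary sits directly in the Windows directory, services with no publisher or a missing binary, and process names HijackThis could not print. The name heuristic, the directory list and the default Winlogon values are this example's assumptions; a finding means "review this", not "malicious".

```python
"""Triage a HijackThis v1.99.1 log and list the entries to review first.
Added example, not HijackThis code; the heuristics are this example's own
assumptions and a finding means "look at this", not "malicious"."""
import ntpath
import re

# Constructed sample: lines copied from the log posted above, re-joined
# where the newsgroup wrapped them, plus a few benign lines for contrast.
SAMPLE_LOG = r"""Running processes:
c:\windows\system32\ewvqmoe.exe
C:\WINDOWS\SYSTEM32\m?config.exe
C:\UTILS\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [ejzuhgh] c:\windows\system32\ewvqmoe.exe r
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Winlogon defaults: anything else in these values is started at every logon.
SHELL_DEFAULT = "explorer.exe"
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Assumed heuristic: a Run value named by 5-9 bare lowercase letters whose
# binary sits directly in one of these directories deserves a look.
RANDOM_NAME = re.compile(r"[a-z]{5,9}")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_hjt(text):
    """Yield (section, body) pairs; process-list lines get section PROC."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = re.match(r"([RFNO]\d+) - (.*)", line)
        if m:
            in_procs = False
            yield m.group(1), m.group(2)
        elif in_procs:
            yield "PROC", line

def check_f2(body):
    """Flag programs added to the system.ini Shell= or UserInit= values."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)", body, re.I)
    if not m:
        return None
    key, value = m.group(1), m.group(2).strip()
    parts = value.split() if key.lower() == "shell" else value.split(",")
    default = SHELL_DEFAULT if key.lower() == "shell" else USERINIT_DEFAULT
    extras = [p for p in parts if p and p.lower() != default]
    return f"{key}= also starts {', '.join(extras)} at logon" if extras else None

def check_o4(body):
    """Flag Run entries with a random-looking name in a system directory."""
    m = re.match(r"HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)", body)
    if not m:
        return None
    name, cmd = m.group(1), m.group(2).strip()
    # First token of the command line, honouring a quoted path.
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        path = cmd.split()[0] if cmd else ""
    if RANDOM_NAME.fullmatch(name) and ntpath.dirname(path).lower() in SYSTEM_DIRS:
        return f"Run value '{name}' starts {ntpath.basename(path)} from the Windows directory"
    return None

def check_o23(body):
    """Flag services with no publisher or whose binary is gone."""
    m = re.match(r"Service: (.*?) - (.*?) - (.*)", body)
    if not m:
        return None
    owner, path = m.group(2), m.group(3)
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("service has no publisher")
    if "(file missing)" in path.lower():
        reasons.append("service binary missing from disk")
    return "; ".join(reasons) or None

CHECKS = {
    "F2": check_f2, "O4": check_o4, "O23": check_o23,
    # HijackThis prints '?' for a character it cannot display in a name.
    "PROC": lambda b: "process name has an unprintable character" if "?" in b else None,
}

def triage(text):
    """Return (section, reason, entry) triples in log order."""
    findings = []
    for section, body in parse_hjt(text):
        reason = CHECKS[section](body) if section in CHECKS else None
        if reason:
            findings.append((section, reason, body))
    return findings

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Run against the sample it reports six entries: the process with the unprintable name, the Shell= and UserInit= additions, the seven-letter Run value, and the two services without a publisher. Not every flag is hostile: the UserInit addition lives under TSI32 and appears to belong to the LapLink remote-control service listed under O23, so it is expected on this machine; the Shell= addition and the lowercase Run entry are the ones to check against a known-good installation first.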


Anonymous
June 15, 2005 9:02:50 PM


"Terry Smythe" <smythe@shaw.ca> wrote in message
news:gfn0b1l2c9k8gsf6fgl1rmsacbqpd5niuj@4ax.com...
> Some weeks back, my desktop was hi-jacked by Anti-Virus Gold. Tried
> everything to get rid of it. MSAS seems to know about it, tries to
> remove it, but fails. It also seems to be the culprit that is
> blocking an MSAS report, even in safe mode. Can't send it in.
>
> The offending file is "desktop.html", residing in c:\windows. Remove
> it, but it comes back on reboot. This is a particularly nasty
> parasite, basically it is imposing extortion - "Buy it, and I'll
> remove it!"
>
> I cannot imagine that anybody would buy this product after what it
> does to your computer. I'm filled with rage at this parasite and
> the tactic.
>

This is not the best place to post a HiJackThis log. You have to boot to
safe mode, logon as each user in turn, including administrator, run
MSAntispyware and the latest versions of Spybot and Adaware. Make sure they
are all set to scan all files not a quick scan. Then repeat the process in
normal mode. You may have to repeat this procedure more than once. Yes, it
is tedious. Yes, it will get rid of it. Be prepared to spend most of a day.

Kerry

Anonymous
June 15, 2005 9:02:50 PM


Hello, You can post your log file at: http://hjt.iamnotageek.com
Take Care.
beamish.

"Terry Smythe" wrote:

> Some weeks back, my desktop was hi-jacked by Anti-Virus Gold. Tried
> everything to get rid of it. MSAS seems to know about it, tries to
> remove it, but fails. It also seems to be the culprit that is
> blocking an MSAS report, even in safe mode. Can't send it in.
>
> The offending file is "desktop.html", residing in c:\windows. Remove
> it, but it comes back on reboot. This is a particularly nasty
> parasite, basically it is imposing extortion - "Buy it, and I'll
> remove it!"
>
> I cannot imagine that anybody would buy this product after what it
> does to your computer. I'm filled with rage at this parasite and
> the tactic.
>
Anonymous
June 15, 2005 10:16:57 PM


Did you know there is more than one program available for helping to get rid
of problems? A good strategy would seem to be if one doesn't work to try
another.

And XP has restore points, have you considered using them?

And don't you think whatever you did to get infected would be good
information to give to others so they can avoid problems?




"Terry Smythe" <smythe@shaw.ca> wrote in message
news:gfn0b1l2c9k8gsf6fgl1rmsacbqpd5niuj@4ax.com...
> Some weeks back, my desktop was hi-jacked by Anti-Virus Gold. Tried
> everything to get rid of it. MSAS seems to know about it, tries to
> remove it, but fails. It also seems to be the culprit that is
> blocking an MSAS report, even in safe mode. Can't send it in.
>
> The offending file is "desktop.html", residing in c:\windows. ........
>
> Thoughts of others?
>
> Regards,
>
> Terry Smythe
> Winnipeg, Canada
>
>
Anonymous
June 15, 2005 10:16:58 PM


On Wed, 15 Jun 2005 18:16:57 +0100, "Alan Smith" <alan@hidden.email>
wrote:

>Did you know there is more than one program available for helping to get rid
>of problems? A good strategy would seem to be if one doesn't work to try
>another.

Agreed, but so far nothing works to remove this parasite. I've tried
SpyBot, TuneUp, Registry First Aid, SpyCrusher, et al......

>And XP has restore points, have you considered using them?

Yes, they failed me. Each restore point I chose was blocked, for
whatever reason, "cannot be restored to chosen point".

>And don't you think whatever you did to get infected would be good
>information to give to others so they can avoid problems?

Agreed, but source unknown, just appeared one day from an unknown
source.

I would hope that the folks at Microsoft AntiSpyware are monitoring
this newsgroup. MSAS seems to recognize this parasite as something
to remove, but the removal fails. Just keeps coming back. And any
attempt to send a "SpyReport" from within MSAS is blocked, even in
Safe mode.

Regards,

Terry