Re: Still Hi-Jacked by Anti-Virus Gold
"Terry Smythe" <smythe@xxxxxxx> wrote in message
news:gfn0b1l2c9k8gsf6fgl1rmsacbqpd5niuj@xxxxxxxxxx
> Some weeks back, my desktop was hi-jacked by Anti-Virus Gold. Tried
> everything to get rid of it. MSAS seems to know about it, tries to
> remove it, but fails. It also seems to be the culprit that is
> blocking an MSAS report, even in safe mode. Can't send it in.
>
> The offending file is "desktop.html", residing in c:\windows. Remove
> it, but it comes back on reboot. This is a particularly nasty
> parasite; basically it is imposing extortion - "Buy it, and I'll
> remove it!"
>
> I cannot imagine that anybody would buy this product after what it
> does to your computer. I'm filled with rage at this parasite and
> the tactic.
>

This is not the best place to post a HijackThis log. You have to boot to
safe mode, log on as each user in turn, including Administrator, and run
MSAntispyware and the latest versions of Spybot and Adaware. Make sure they
are all set to scan all files, not a quick scan. Then repeat the process in
normal mode. You may have to repeat this procedure more than once. Yes, it
is tedious. Yes, it will get rid of it. Be prepared to spend most of a day.

Kerry


> Here's my report from HiJack This:
>
> ++++++++++++++
>
> Logfile of HijackThis v1.99.1
> Scan saved at 11:56:36 AM, on 06/15/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\TSI32\tsircusr.exe
> C:\WINDOWS\Explorer.exe
> C:\WINDOWS\system32\CTsvcCDA.EXE
> C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
> C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
> C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\TSIRCSRV.EXE
> C:\WINDOWS\system32\MsPMSPSv.exe
> C:\Program Files\Common Files\Symantec Shared\Security
> Center\SymWSC.exe
> C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
> C:\Program Files\SMSC\Seticon.exe
> C:\WINDOWS\system32\UMonit2K.exe
> C:\Program Files\Messenger\msmsgs.exe
> C:\Program Files\Polyphony Software\Keyboard Manager\KeybdMgr.exe
> C:\Program Files\MSN Messenger\MsnMsgr.Exe
> c:\windows\system32\ewvqmoe.exe
> C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\WINDOWS\SYSTEM32\m?config.exe
> C:\Program Files\Agent\agent.exe
> C:\UTILS\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
> F2 - REG:system.ini:
> UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
> - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
> O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
> C:\WINDOWS\system32\dla\tfswshx.dll
> O2 - BHO: (no name) - {6AA4D2A4-3A1B-1398-46C5-4071740F8199} -
> C:\WINDOWS\system32\uaj.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
> C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
> {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
> O3 - Toolbar: Norton AntiVirus -
> {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
> SystemWorks\Norton AntiVirus\NavShExt.dll
> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
> O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader
> Driver v1.8e2\Disk_Monitor.exe
> O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
> Shared\ccRegVfy.exe"
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
> AntiSpyware\gcasServ.exe"
> O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
> O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
> O4 - HKLM\..\Run: [ejzuhgh] c:\windows\system32\ewvqmoe.exe r
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
> /background
> O4 - HKCU\..\Run: [KeyboardManager] "C:\Program Files\Polyphony
> Software\Keyboard Manager\KeybdMgr.exe" /s
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
> Messenger\MsnMsgr.Exe" /background
> O8 - Extra context menu item: Add to AD Black List - C:\Program
> Files\Avant Browser\AddToADBlackList.htm
> O8 - Extra context menu item: Block All Images from the Same Server -
> C:\Program Files\Avant Browser\AddAllToADBlackList.htm
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Highlight - C:\Program Files\Avant
> Browser\Highlight.htm
> O8 - Extra context menu item: Open All Links in This Page... -
> C:\Program Files\Avant Browser\OpenAllLinks.htm
> O8 - Extra context menu item: Search - C:\Program Files\Avant
> Browser\Search.htm
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
> - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
> Files\Messenger\msmsgs.exe
> O12 - Plugin for .spop: C:\Program Files\Internet
> Explorer\Plugins\NPDocBox.dll
> O16 - DPF: TruePass EPF 7,0,100,684 -
> https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
> O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
> - http://housecall60.trendmicro.com/housecall/xscan60.cab
> O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
> Advantage Validation Tool) -
> http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
> -
> http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116989928093
> O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
> Utility Class) -
> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
> O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
> -
> http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
> O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
> (MsnMessengerSetupDownloadControl Class) -
> http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
> O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
> http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
> O23 - Service: Ati HotKey Poller - Unknown owner -
> C:\WINDOWS\system32\Ati2evxx.exe (file missing)
> O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
> Corporation - C:\Program Files\Common Files\Symantec
> Shared\ccEvtMgr.exe
> O23 - Service: Symantec Password Validation Service (ccPwdSvc) -
> Symantec Corporation - C:\Program Files\Common Files\Symantec
> Shared\ccPwdSvc.exe
> O23 - Service: Creative Service for CDROM Access - Creative Technology
> Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
> O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -
> Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton
> AntiVirus\navapsvc.exe
> O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
> Corporation - C:\Program Files\Norton SystemWorks\Norton
> Utilities\NPROTECT.EXE
> O23 - Service: ScriptBlocking Service (SBService) - Symantec
> Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
> O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
> Corporation - C:\Program Files\Common Files\Symantec
> Shared\SNDSrvc.exe
> O23 - Service: Speed Disk service - Symantec Corporation -
> C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
> O23 - Service: System Startup Service (SvcProc) - Unknown owner -
> C:\WINDOWS\svcproc.exe
> O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -
> C:\Program Files\Common Files\Symantec Shared\Security
> Center\SymWSC.exe
> O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. -
> C:\WINDOWS\System32\TSIRCSRV.EXE
> O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) -
> TuneUp Software GmbH - C:\Program Files\TuneUp Utilities
> 2004\WinStylerThemeSvc.exe
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Thoughts of others?
>
> Regards,
>
> Terry Smythe
> Winnipeg, Canada
>
>

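As an added example (not part of either poster's message), a small script that reads a HijackThis log like the one quoted above and flags the persistence entries that explain why the infection returns on reboot. The rules are my own assumptions and produce items for review, not verdicts: the UserInit entry, for instance, belongs to the LapLink service listed under O23 and may well be legitimate.

```python
"""Flag HijackThis entries from the thread that deserve a closer look.

Added example, not from the original post. Rules (my assumptions): anything
chained after Shell=Explorer.exe or UserInit=userinit.exe runs at every
logon (how Nail.exe survives a reboot), BHOs registered with no name,
services with an unknown owner, and file names HijackThis printed with '?'.
"""
import re

# Constructed sample: lines copied from the log quoted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: (no name) - {6AA4D2A4-3A1B-1398-46C5-4071740F8199} - C:\WINDOWS\system32\uaj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\m?config.exe
"""


def triage(log_text):
    """Return (reason, line) pairs for every log line a rule matches."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        shell = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
        userinit = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
        if shell and shell.group(1).strip().lower() != "explorer.exe":
            findings.append(("extra program chained onto Shell=", line))
        elif userinit and len([p for p in userinit.group(1).split(",") if p.strip()]) > 1:
            findings.append(("extra program chained onto UserInit=", line))
        elif line.startswith("O2 - BHO: (no name)"):
            # A hint only: Spybot's SDHelper.dll also shows as "(no name)" in the thread's log.
            findings.append(("BHO registered without a name", line))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            findings.append(("service with unknown owner", line))
        elif "?" in line and not line.startswith("O16"):
            # O16 download URLs legitimately carry '?' query strings; file paths do not.
            findings.append(("unprintable character in file name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```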