
Adaware & Symantec Virus Scan??

Discussion in 'Virus & Other Malware Removal' started by aggie85, Sep 14, 2004.

Thread Status:
Not open for further replies.
  1. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    I have Ad-Aware. Every time my Symantec Internet Security does the virus scan, it comes up with these 7 "at risk files". I am NOT an expert, but it appears these are just Ad-Aware files. Here is what the NAV report says & a link to the site describing each risk. Can someone tell me if these are truly at-risk files? THX!!!!!!!!!!!

    BTW, when I try to delete these 7 files, they keep coming back.

    Here is what the NAV scan finds:

    The file C:\ESB.exe is a Adware threat.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.addestroyer.html

    The file C:\Program Files\IncrediFind\BHO\IncFindBHO.dll is a Adware threat.

    http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26490

    The file C:\WINNT\system32\pcs\init.dll is a Adware threat.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

    The file C:\WINNT\system32\pcs\pcsvc.dll is a Adware threat.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

    The file C:\Program Files\Common Files\updmgr\rvupdmgr.exe is a Adware threat.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.addestroyer.html

    The file C:\WINNT\system32\silent.exe is a Adware threat.

    http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461

    The file C:\Program Files\Common Files\updmgr\simgr.exe is a Adware threat.

    http://securityresponse.symantec.com/avcenter/venc/data/adware.keenval.html
     
  2. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Are you running Ad-Aware SE build 1.04 with the most recent definitions file installed?
     
  3. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    I am running the Ad-Aware Personal (not the SE). I ran another today after getting the latest update that was released yesterday. The same thing happened, with the 7 files popping up after a NAV scan.

    1) Should I get the SE version of Ad-Aware?

    2) If I need to get the SE version, should I uninstall the Personal version of Ad-Aware first?

    3) When I run Ad-Aware, should I disable NAV?

    4) I always reboot after running Ad-aware, reboot, then run Spy Bot, reboot & then NAV. Is this right?

    5) Also, I tried to find HijackThis to install & the site I went to said it was down. Can you tell me where to go for this?

    THX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
  4. Fidelista

    Fidelista

    Joined:
    Jan 17, 2004
    Messages:
    9,600
    Hello Aggie
    1. Load the new version SE 1.04
    2. I prefer to uninstall previous versions.
    3. You shouldn't have to disable AV, but no harm done if you do.
    4. I always reboot after a removal {habit}; you are doing nothing wrong.
    5. HJT download sites are often down.
    Here is a link that should work for downloading both AdAware {newest version} and HijackThis. >>>>>>>>> Do not fix anything with HJT without expert advice.
    http://www.majorgeeks.com/downloads31.html
    Hope this helps you.>f
     
  5. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Ditto on all five ...

    The internal updater within HJT points to a site that is down ... I'd suggest you install a fresh copy (current version is 1.98.2).
     
  6. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    I have an old version of HJT. It is still on my hard drive in my "download" file. The way I used to run it was to click on the .exe file using WinZip. Should I remove this old version from my Download file before downloading the new version of HJT? Do you always run HJT from the executable file, or should it be permanently installed on my PC?

    Also, I removed the old version of Ad-Aware from my PC & ran a system scan using NAV, & those 7 files were still there. I guess I should run a new HJT before tackling those 7 files, right?

    thx!!!!!!!!!!!!
     
  7. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Well personally I would trust your NAV scan results and allow NAV to fix/delete/quarantine the at-risk files, according to what options it offers you. NAV is not known for false positives so I don't see any reason to worry about it working on those baddies! :)

    If it can't fix the suspect files then boot to safe mode and re-run the scan, sometimes AVs can fix things in safe mode that can't be got at in normal mode.

    Download and install AdAware SE 1.04; it will offer you the option to uninstall your previous version during the install process, so select yes to uninstall. Update it with the latest definitions and run that in safe mode also.

    Delete your old HijackThis version and then download version 1.98.2 from here - http://www.aumha.org/downloads/hijackthis.exe

    Create a new folder named "HJT" and move the hijackthis.exe file into the folder, run it from there and post the scan results in this thread, wait for expert advice before fixing anything.

    hth (y)
     
  8. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    Okay. I have several questions.

    I installed the Ad-aware SE. I am now down to 2 things that pop up after scanning with NAV...Ad-aware comes up clean.

    1) I have "StatBlaster". Here is the info about this one: http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461

    2) I also have DelFin. Here is the info about this one:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

    When I go to my registry I do NOT have what they say I should have with StatBlaster & DelFin.

    3) I tried to uninstall my old version of HJT (version 1.97.7) before installing the new version, 1.98, by clicking on the icon for HijackThis on my C drive. Then under "Config", "Misc Tools", I clicked on Remove & Exit. Then nothing looked like it happened. I rebooted & it is still there. So should I just right click on it & delete it? There has got to be a better way, right?

    I want to delete the old version of HJT before I install the new version, right?

    Thx!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
  9. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Yes, just right click and delete the older HijackThis version. Actually you can install and run the new version without any problems even if the old version is still there, because HijackThis doesn't install itself as such so you don't need to uninstall it. Just that removing the old version will help you to avoid confusion over which version to run - well that's the case for disorganised folks like me anyway :D

    Does NAV offer you the option to fix/quarantine/delete StatBlaster and DelFin? - if so then go ahead and fix them. I don't know why exactly the registry entries don't correspond to the information in the write-ups, but just as a guess I think that often a named malware has many variants that are detected by an AV under the same name, and the write-ups may not include every possible variant.

    Anyhow, go ahead and post your log and I'm sure one of the experts will be able to cast an eye over it for you :)
     
  10. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    Logfile of HijackThis v1.98.2
    Scan saved at 8:03:22 PM, on 9/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINNT\System32\cqginsts.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\starter.exe
    C:\WINNT\system32\mobsync.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Download\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
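The cross-check a helper would do by hand on the log above, written here as an added Python example (not code from the thread, from HijackThis or from NAV): parse the process list and the R/O entries, parse NAV's "The file ... is a Adware threat." lines, and report where each flagged file shows up. The log and NAV lines inside the block are constructed excerpts; the silent.exe process and the [updmgr] autorun line are made up to exercise the check and are not in the posted log.

```python
import re

# Constructed excerpts in the shape of the HijackThis v1.98.2 log above and of the NAV report quoted
# earlier; the silent.exe process and [updmgr] autorun line are made up and are NOT in the real log.
HJT_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\silent.exe
C:\Download\hijackthis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common Files\updmgr\rvupdmgr.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

NAV_REPORT = r"""The file C:\ESB.exe is a Adware threat.
The file C:\WINNT\system32\silent.exe is a Adware threat.
The file C:\Program Files\Common Files\updmgr\rvupdmgr.exe is a Adware threat.
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")                # "O4 - HKLM\..\Run: ..."
NAV_RE = re.compile(r"^The file (.+?) is an? \w+ threat\.$")  # "The file X is a Adware threat."

def parse_hjt(text):
    """Split a HijackThis log into its process list and its typed R/F/N/O entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False                # a blank line ends the process block
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}

def parse_nav(text):
    """Return the file paths NAV flagged, in report order."""
    return [m.group(1) for m in map(NAV_RE.match, text.splitlines()) if m]

def cross_reference(hjt, nav_paths):
    """Where the HJT log shows each flagged path: 'running process' means it is loaded
    now; an R/O section name means an autorun or hook can restore it after a reboot."""
    hits = {}
    for path in nav_paths:
        needle = path.lower()
        where = ["running process"] if any(p.lower() == needle for p in hjt["processes"]) else []
        hits[path] = where + [sec for sec, rest in hjt["entries"] if needle in rest.lower()]
    return hits
```

Run against the actual log posted above, none of the seven NAV-flagged paths appear in the process list or in any R/O entry, so that log alone does not show what keeps restoring them.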
     
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Run HJT again, put a checkmark next to this item, and press "Fix Checked":

    R3 - Default URLSearchHook is missing

    What is the status of your original problem?
     
  12. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    After running NAV it says I still have these 2 Adware programs & for some reason, even though it says to check them to delete them, it does not work & they will not go away.

    1) I have "StatBlaster". Here is the info about this one: http://securityresponse.symantec.co...o.cgi?vid=26461

    2) I also have DelFin. Here is the info about this one:
    http://securityresponse.symantec.co...are.delfin.html

    When I go to my registry I do NOT have what they say I should have with StatBlaster & DelFin.

    Also, under Change/Remove Programs it says I have "PGAte Basic". When I click to remove it, screens pop up that tell me to download this to remove PGate from my PC, but I am too scared to try that!

    I ran SpyBot before, should I do it again?

    Any suggestions??

    Thx!
     
  13. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Can you tell us the filenames and paths for all the files detected as StatBlaster and DelFin by NAV?

    I saw some indications that AdAware might be able to remove PGate - and I noticed that there's a new version 1.05 of AdAware SW just out, so I guess you should upgrade to 1.05 and get the latest definitions, run in Safe Mode and see what it finds. Also run Spybot 1.3 with its latest definitions in Safe Mode.

    As a general rule it's worth running both AdAware and Spybot regularly, whether you think you have malware issues or not, maybe once a week at minimum. The same of course goes for anti-virus full system scans, only even more vital! (y)
     
  14. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    aggie85:

    Neither of those Norton links work ... you must have copy/pasted truncated links.

    Seeing the filepaths as KrashedKris suggested would be useful.
     
  15. aggie85

    aggie85 Thread Starter

    Joined:
    Apr 29, 2004
    Messages:
    37
    Hi Guys!

    Here is what my activity log from NAV says about those 2 files. Also, below each one is a link to the Symantec site about the file... I checked it twice to see if the link would work.

    I will run the Ad-aware & SpyBot later this evening...have to go right now


    1)
    Source: C:\WINNT\system32\silent.exe
    Description: The file C:\WINNT\system32\silent.exe is a Adware threat.
    Click for more information about this threat : Adware.StatBlaster

    http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461


    2)
    Source: C:\WINNT\system32\pcs\init.dll
    Description: The file C:\WINNT\system32\pcs\init.dll is a Adware threat.
    Click for more information about this threat : Adware.DelFin

    http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html
     
Short URL to this thread: https://techguy.org/274094