Adaware & Symantec Virus Scan??

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
I have Adaware. Every time my Symantec Internet Security does the Virus Scan, it comes up with these 7 "at risk" files. I am NOT an expert but it appears these are just Ad aware files. Here is what the NAV report says & a link to the site describing the risk. Can someone tell me if these are truly at-risk files? THX!!!!!!!!!!!

BTW, when I try to delete these 7 files, they keep coming back.

Here is what the NAV scan finds:

The file C:\ESB.exe is a Adware threat.

http://securityresponse.symantec.com/avcenter/venc/data/adware.addestroyer.html

The file C:\Program Files\IncrediFind\BHO\IncFindBHO.dll is a Adware threat.

http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26490

The file C:\WINNT\system32\pcs\init.dll is a Adware threat.


http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html


The file C:\WINNT\system32\pcs\pcsvc.dll is a Adware threat.

http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

The file C:\Program Files\Common Files\updmgr\rvupdmgr.exe is a Adware threat.

http://securityresponse.symantec.com/avcenter/venc/data/adware.addestroyer.html

The file C:\WINNT\system32\silent.exe is a Adware threat.

http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461

The file C:\Program Files\Common Files\updmgr\simgr.exe is a Adware threat.

http://securityresponse.symantec.com/avcenter/venc/data/adware.keenval.html
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
I am running the Ad-Aware Personal (not the SE). I ran another today after getting the latest update that was released yesterday. Same thing happened with the 7 files popping up after a NAV scan.

1) Should I get the SE version of Ad-Aware?

2) If I need to get the SE version, should I uninstall the Personal version of Ad-Aware first?

3) When I run the Ad-Aware, should I disable the NAV?

4) I always reboot after running Ad-aware, reboot, then run Spy Bot, reboot & then NAV. Is this right?

5) Also, I tried to find HijackThis to install & the site I went to said it was down. Can u tell me where to go for this?

THX!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
Joined
Jan 17, 2004
Messages
9,600
Hello Aggie
1. Load the new version SE 1.04
2. I prefer to uninstall previous versions.
3. You shouldn't have to disable AV, but no harm done if you do.
4. I always reboot after a removal {habit}, you are doing nothing wrong.
5. HJT download sites are often down.
Here is a link that should work for downloading both AdAware {newest version} and Hijackthis. Do not fix anything with HJT without expert advice.
http://www.majorgeeks.com/downloads31.html
Hope this helps you.>f
 
Joined
Aug 18, 2003
Messages
2,438
Ditto on all five ...

The internal updater within HJT points to a site that is down ... I'd suggest you install a fresh copy (current version is 1.98.2).
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
I have an old version of HJT. It is still on my hard drive in my "download" file. The way I used to run it was to click on the .exe file using WinZip. Should I remove this old version from my Download file before downloading the new version of HJT? Do u always run the HJT from the executable file or should it be permanently installed on my PC?

Also I removed the old version of the Ad-Aware from my PC & ran a system scan using NAV & those 7 files were still there. I guess I should run a new HJT before tackling those 7 files, right?

thx!!!!!!!!!!!!
 
Joined
Dec 23, 2003
Messages
262
Well personally I would trust your NAV scan results and allow NAV to fix/delete/quarantine the at-risk files, according to what options it offers you. NAV is not known for false positives so I don't see any reason to worry about it working on those baddies! :)

If it can't fix the suspect files then boot to safe mode and re-run the scan, sometimes AVs can fix things in safe mode that can't be got at in normal mode.

Download and install AdAware SE 1.04, it will offer you the option to uninstall your previous version during the install process, select yes to uninstall. Update it with the latest definitions and run that in safe mode also.

Delete your old HijackThis version and then download version 1.98.2 from here - http://www.aumha.org/downloads/hijackthis.exe

Create a new folder named "HJT" and move the hijackthis.exe file into the folder, run it from there and post the scan results in this thread, wait for expert advice before fixing anything.

hth (y)
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
Okay. I have several questions.

I installed the Ad-aware SE. I am now down to 2 things that pop up after scanning with NAV...Ad-aware comes up clean.

1) I have "StatBlaster". Here is the info about this one: http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461

2) I also have DelFin. Here is the info about this one:
http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html

When I go to my registry I do NOT have what they say I should have with StatBlaster & DelFin.

3) I tried to uninstall my old version of HJT (version 1.97.7) before installing the new version of 1.98 by clicking on the icon for HijackThis in my C drive. Then under "Config", "Misc Tools", I clicked on remove & exit. Then nothing looked like it happened. I rebooted & it is still there. So should I just right click on it & delete it? There has got to be a better way, right?

I want to delete the old version of HJT before I install the new version, right?

Thx!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
Joined
Dec 23, 2003
Messages
262
Yes, just right click and delete the older HijackThis version. Actually you can install and run the new version without any problems even if the old version is still there, because HijackThis doesn't install itself as such so you don't need to uninstall it. Just that removing the old version will help you to avoid confusion over which version to run - well that's the case for disorganised folks like me anyway :D

Does NAV offer you the option to fix/quarantine/delete StatBlaster and DelFin? - if so then go ahead and fix them. I don't know why exactly the registry entries don't correspond to the information in the write-ups, but just as a guess I think that often a named malware has many variants that are detected by an AV under the same name, and the write-ups may not include every possible variant.

Anyhow, go ahead and post your log and I'm sure one of the experts will be able to cast an eye over it for you :)
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
Logfile of HijackThis v1.98.2
Scan saved at 8:03:22 PM, on 9/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\cqginsts.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\starter.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Download\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
 
Joined
Aug 18, 2003
Messages
2,438
Run HJT again, put a checkmark next to this item, and press "Fix Checked":

R3 - Default URLSearchHook is missing


What is the status of your original problem?
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
After running NAV it says I still have these 2 Adware programs & for some reason even though it says to check them to delete them, it does not work & they will not go away.

1) I have "StatBlaster". Here is the info about this one: http://securityresponse.symantec.co...o.cgi?vid=26461

2) I also have DelFin. Here is the info about this one:
http://securityresponse.symantec.co...are.delfin.html

When I go to my registry I do NOT have what they say I should have with StatBlaster & DelFin.

Also, under Change/Remove Programs it says I have "PGAte Basic". When I click to remove it, screens pop up that tell me to download this to remove PGate from my PC, but I am too scared to try that!

I ran SpyBot before, should I do it again?

Any suggestions??

Thx!
 
Joined
Dec 23, 2003
Messages
262
Can you tell us the filenames and paths for all the files detected as StatBlaster and DelFin by NAV?

I saw some indications that AdAware might be able to remove PGate - and I noticed that there's a new version 1.05 of AdAware SE just out, so I guess you should upgrade to 1.05 and get the latest definitions, run in Safe Mode and see what it finds. Also run Spybot 1.3 with its latest definitions in Safe Mode.

As a general rule it's worth running both AdAware and Spybot regularly whether you think you have malware issues or not, maybe once a week at minimum. Same of course goes for anti-virus full system scans, only even more vital! (y)
 
Joined
Aug 18, 2003
Messages
2,438
aggie85:

Neither of those Norton links works ... you must have copy/pasted truncated links.

Seeing the filepaths as KrashedKris suggested would be useful.
 

aggie85

Thread Starter
Joined
Apr 29, 2004
Messages
37
Hi Guys!

Here is what my activity Log from the NAV says about those 2 files. Also, below each one is a link to the Symantec site about the file...I checked it twice to see if the link would work.

I will run the Ad-aware & SpyBot later this evening...have to go right now


1)
Source: C:\WINNT\system32\silent.exe
Description: The file C:\WINNT\system32\silent.exe is a Adware threat.
Click for more information about this threat : Adware.StatBlaster

http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=26461


2)
Source: C:\WINNT\system32\pcs\init.dll
Description: The file C:\WINNT\system32\pcs\init.dll is a Adware threat.
Click for more information about this threat : Adware.DelFin

http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html
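
The cross-check the thread is heading toward, as an added example that is not part of any post: it parses an abridged excerpt of the HijackThis log posted above and looks for the two NAV-flagged files among the running processes and the R/O entries. The function names are illustrative assumptions; the log lines and the two paths are copied from the thread.

```python
import re
from collections import defaultdict

# Abridged excerpt of the HijackThis v1.98.2 log posted in this thread.
HJT_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\starter.exe
C:\Download\hijackthis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
"""

# The two paths NAV reported in the last post of the thread.
NAV_FLAGGED = [r"C:\WINNT\system32\silent.exe", r"C:\WINNT\system32\pcs\init.dll"]

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse_hjt(text):
    """Split a log into running-process paths and {section code: [entry bodies]}."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first R/O entry ends the process list
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def find_references(flagged, processes, entries):
    """For each flagged path, list log lines naming its file (case-insensitive)."""
    hits = {}
    for path in flagged:
        name = path.rsplit("\\", 1)[-1].lower()
        lines = [p for p in processes if p.lower().endswith("\\" + name)]
        for code, bodies in entries.items():
            lines += [f"{code} - {b}" for b in bodies if name in b.lower()]
        hits[path] = lines
    return hits

if __name__ == "__main__":
    procs, ents = parse_hjt(HJT_LOG)
    for path, lines in find_references(NAV_FLAGGED, procs, ents).items():
        print(path, "->", lines or "not referenced in log")
```

An empty result for a flagged path means the log shows no running process or autostart entry naming that file, which narrows the question to why the file reappears on disk.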
 