Panda found and disinfected Blaster

Discussion in 'adware, spyware & hijack cleaning' started by lilliebet65, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. lilliebet65 Registered Member

    Hi, I've been having trouble installing an AV, and consequently Panda ActiveScan has just found and disinfected Blaster. Can someone please check my log and advise whether anything else needs removing? Thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:34:02, on 29/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\navap32.exe
    E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    E:\WINDOWS\System32\ctfmon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\blueyonder IST\bin\mpbtn.exe
    E:\WINDOWS\System32\ZoneLabs\vsmon.exe
    E:\WINDOWS\System32\wuauclt.exe
    F:\Tools\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = E:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.4467361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  2. Pieter_Arntz Spyware Veteran

    Hi lilliebet65,

    You look great. :)

    Errmm. And so does your log.
    Did you try to install another AV along with Norton?
    Or is Norton the one giving you problems?

    Regards,

    Pieter
  3. lilliebet65 Registered Member

    Hi Pieter

    errrr haven't we met before somewhere? ;)

    I tried to install AVG, then Nod32, but I don't know where Norton came from. Honestly, is it possible to be hijacked by an AV? lol
  4. Pieter_Arntz Spyware Veteran

  5. lilliebet65 Registered Member

    Sorry for being stupid but what am I looking for in this link?
  6. dvk01 Global Moderator

    It's telling you how to remove the backdoor sdbot that pretends to be a Norton file, navap32.exe.

    Run HijackThis, tick these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked":
    O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe

    O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe

    Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Delete E:\WINDOWS\System32\navap32.exe

    Hopefully that will then allow you to install NOD.

    Any more problems installing NOD, come back to the NOD forum.
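A small triage script, added here as an example and not part of this thread or of HijackThis, that applies dvk01's reasoning to the log above: it parses the O4 autostart entries and the "Running processes" list (the sample log is constructed from lines in this thread) and flags entries given as a bare file name whose process is running from the Windows directory, which is exactly how navap32.exe shows up. The function names and the heuristic are my own.

```python
import re

# Constructed sample: the relevant lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
E:\WINDOWS\System32\navap32.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(text):
    """Return (registry key, display name, command) for every O4 autostart line."""
    hits = [O4_RE.match(line.strip()) for line in text.splitlines()]
    return [(m["key"], m["name"], m["cmd"]) for m in hits if m]

def running_paths(text):
    """Full paths listed under 'Running processes:' (up to the first blank line)."""
    lines = [ln.strip() for ln in text.splitlines()]
    block = lines[lines.index("Running processes:") + 1:]
    return block[:block.index("")] if "" in block else block

def first_token(cmd):
    """Executable part of a command line: the quoted path or the first bare word."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def suspicious_o4(text):
    """Flag O4 entries written as a bare file name (resolved via PATH, usually System32)
    whose process runs from the Windows directory instead of a vendor install tree.
    Heuristic for the pattern in this thread; inspect the file before deleting it."""
    procs = {p.rsplit("\\", 1)[-1].lower(): p for p in running_paths(text)}
    flagged = []
    for key, name, cmd in parse_o4(text):
        exe = first_token(cmd)
        if "\\" in exe:
            continue  # a full path was given; not the pattern we are after
        path = procs.get(exe.lower(), "")
        if "\\windows\\" in path.lower():
            flagged.append((key, name, path))
    return flagged
```

Running `suspicious_o4(SAMPLE_LOG)` returns only the two Norton-named entries, both resolving to E:\WINDOWS\System32\navap32.exe, while the Zone Labs and Messenger entries with full install paths are left alone.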
  7. lilliebet65 Registered Member

    Thanks, my German's not so good

    What about the other O4 entry that points to navap32?
  8. dvk01 Global Moderator

    I edited my post; I just realised I missed the O4 Run as well as the RunServices. I must get some new glasses soon.
  9. lilliebet65 Registered Member

    OK Thanks, Derek - wish me luck!
  10. lilliebet65 Registered Member

    Hello again!

    All fixed, super dooper. Also just downloaded AVG successfully (will look at a better alternative when my blood pressure has gone back to normal).

    Thanks to you both for your patience and guidance, see you soon I'm sure ;)
  11. dvk01 Global Moderator

    Very pleased we could help.

    Come back anytime.