Panda found and disinfected Blaster

Discussion in 'adware, spyware & hijack cleaning' started by lilliebet65, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    Hi, I've been having trouble installing an AV and consequently Panda ActiveScan has just found and disinfected Blaster. Can someone please check my log and advise whether anything else needs removing? Thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:34:02, on 29/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\navap32.exe
    E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    E:\WINDOWS\System32\ctfmon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\blueyonder IST\bin\mpbtn.exe
    E:\WINDOWS\System32\ZoneLabs\vsmon.exe
    E:\WINDOWS\System32\wuauclt.exe
    F:\Tools\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = E:\Program Files\blueyonder IST\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38044.4467361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi lilliebet65,

    You look great. :)

    Errmm. And so does your log.
    Did you try to install another AV along with Norton?
    Or is Norton the one giving you problems?

    Regards,

    Pieter
     
  3. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    Hi Pieter

    errrr haven't we met before somewhere? ;)

    I tried to install AVG, then Nod32 but I don't know where Norton came from, honestly, is it possible to be hijacked by an AV? lol
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  5. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    Sorry for being stupid but what am I looking for in this link?
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It's telling you how to remove the backdoor sdbot that pretends to be a Norton file navap32.exe

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked
    O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe

    O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
    Click "Apply" then "OK"

    delete E:\WINDOWS\System32\navap32.exe


    Hopefully that will then allow you to install NOD

    any more problems installing nod come back to the nod forum
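
    A triage sketch for the O4 entries discussed above, added here as an example and not part of the original posts. It parses lines taken from the log in the first post, flags autorun entries whose command has no path or that are registered under more than one autorun key, and reports where the matching process is running from. Both heuristics and all function names are assumptions for illustration; a flag is a reason to look closer, not proof of infection.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname

# Sample input: lines copied from the HijackThis log in the first post.
LOG = r"""
E:\WINDOWS\System32\navap32.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Norton AntiVirus Auto Protection] navap32.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Norton AntiVirus Auto Protection] navap32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r'^O4 - (\S+): \[(.+?)\] (.+)$')          # key, label, command
PROC_RE = re.compile(r'^[A-Za-z]:\\.+\.exe$', re.IGNORECASE)  # running process path

def executable(command):
    """Return the program part of an autorun command, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command

def triage(log):
    """Group O4 entries by program and flag the ones that need a closer look."""
    procs, entries = {}, defaultdict(list)
    for line in map(str.strip, log.splitlines()):
        m = O4_RE.match(line)
        if m:
            entries[executable(m.group(3)).lower()].append((m.group(1), m.group(2)))
        elif PROC_RE.match(line):
            procs[basename(line).lower()] = line
    findings = []
    for exe, hits in entries.items():
        keys = sorted({key for key, _ in hits})
        reasons = []
        if not dirname(exe):            # heuristic 1 (assumption): bare file name
            reasons.append("no path in autorun command")
        if len(keys) > 1:               # heuristic 2 (assumption): several autorun keys
            reasons.append("registered under " + " and ".join(keys))
        if reasons:
            findings.append({"file": exe, "label": hits[0][1], "reasons": reasons,
                             "running_from": procs.get(basename(exe).lower())})
    return findings
```
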
     
  7. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    Thanks, my German's not so good

    What about the other 04 entry that points to navap32?
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I edited my post, I just realised I missed the O4 run as well as the run services, I must get some new glasses soon
     
  9. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    OK Thanks, Derek - wish me luck!
     
  10. lilliebet65

    lilliebet65 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    15
    Location:
    UK
    Hello again!

    All fixed, super dooper. Also just downloaded AVG successfully (will look at a better alternative when my blood pressure has gone back to normal)

    Thanks to you both for your patience and guidance, see you soon I'm sure ;)
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Very pleased we could help

    come back anytime
     