Re: SPYWARE
From: Judy (Judy_at_discussions.microsoft.com)
Date: 01/22/05
- Next message: Tony Su: "Re: Services snap in & Security"
- Previous message: Karl Levinson [x y] mvp: "Re: [Updates] Re: More Before-The-Fact-Isms II"
- In reply to: Judy: "Re: SPYWARE"
- Next in thread: Bigbruva: "Re: SPYWARE"
- Reply: Bigbruva: "Re: SPYWARE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Jan 2005 19:49:01 -0800
I did a search in regedit and found the file (tbpssvc.exe). If I right-click
on it, it gives me the option to delete it. Would it be OK to delete it?
After that I'd run another Symantec scan and see if it is gone.
"Judy" wrote:
> Here is the HijackThis log. I think I can remove some things; could you
> please review it and let me know? Thank you!
> Judy
> logfile of HijackThis v1.98.2
> Scan saved at 9:04:27 PM, on 1/21/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
> C:\Program Files\Norton Internet Security\ISSVC.exe
> C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
> C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\System32\CTsvcCDA.EXE
> C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
> C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINDOWS\system32\devldr32.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
> C:\WINDOWS\system32\ltmsg.exe
> C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
> C:\Program Files\Greetings Workshop\GWREMIND.EXE
> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
> C:\Documents and Settings\Judy\My Documents\hijackthis\HijackThis.exe
> C:\Program Files\Messenger\msmsgs.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
> O2 - BHO: MyTotalSearch Search Assistant BHO -
> {00BD2861-C654-4694-A44A-98642D73247D} - C:\Program
> Files\MyTotalSearch\SrchAstt\1.bin\MTSSRCAS.DLL (file missing)
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: mtsBar BHO - {094176F1-BF35-4bcb-B68A-108DFB8C3825} - C:\Program
> Files\MyTotalSearch\bar\1.bin\MTSBAR.DLL (file missing)
> O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} -
> C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
> - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
> Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
> O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -
> C:\Program Files\AIM Toolbar\AIMBar.dll
> O3 - Toolbar: (no name) - {094176F9-BF35-4bcb-B68A-108DFB8C3825} - (no file)
> O3 - Toolbar: Norton Internet Security -
> {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
> Files\Symantec Shared\AdBlocking\NISShExt.dll
> O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
> C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
> O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative
> Diagnostics 2.0\DIAGENT.EXE startup
> O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
> O4 - HKLM\..\Run: [AHQInit] C:\Program
> Files\Creative\SBLive\Program\AHQInit.exe
> O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
> O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD
> Creator 5\DirectCD\DirectCD.exe"
> O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
> O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
> Works\WksSb.exe /AllUsers
> O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
> Files\Microsoft Shared\Works Shared\WkUFind.exe
> O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink
> Monitor\InkMonitor.exe
> O4 - HKLM\..\Run: [gdqazpiglkniy] C:\WINDOWS\System32\iixnnkh.exe
> O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
> O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
> Files\Real\Update_OB\realsched.exe" -osboot
> O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd
> Service\DeskAdServ.exe
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
> O4 - HKLM\..\Run: [lch] C:\WINDOWS\lch.exe
> O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings
> Workshop\GWREMIND.EXE
> O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
> Files\Adobe\Calibration\Adobe Gamma Loader.exe
> O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
> C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
> O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
> O8 - Extra context menu item: &Search -
> http://bar.mytotalsearch.com/menusearch.html?p=VSXXXXXX46US
> O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
> Files\AIM\aim.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O12 - Plugin for .mid: C:\Program Files\Internet
> Explorer\PLUGINS\npqtplugin2.dll
> O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
> http://fdl.msn.com/public/investor/v13/invinstl.exe
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> http://software-dl.real.com/03f5174f279c76c0ad20/netzip/RdxIE601.cab
> O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
> http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
> O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
> http://cabs.roings.com/cabs/mmed.cab
> O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
> http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
>
>
>
>
> "Judy" wrote:
>
> > The strange thing is that I am not getting any of the symptoms described with
> > this item. Symantec found it. I was able to run Spybot and Ad-Aware in safe
> > mode. I did not try to run Symantec in safe mode again, because I was able
> > to remove all of the other pests. Another question for you: do you know any
> > more on the Spybot DSO exploit issue? I've read that it is nothing to worry
> > about and will be addressed in an update. Is this true? Thank you!
> > Judy
> >
> > "Bigbruva" wrote:
> >
> > > Judy, did you ever get Symantec to run in Safe Mode? If not, did you get any
> > > other AV app to run that way?
> > >
> > > BB
> > >
> > > "Judy" <Judy@discussions.microsoft.com> wrote in message
> > > news:ACA41E50-FDAD-4CD2-BD8B-8A89FC0321A4@microsoft.com...
> > > > I've been having some issues. Running XP Home with SP2, Symantec Internet
> > > > Security (virus defs all up to date), Ad-Aware and Spybot.
> > > > I got the system clean except for one file. It is TBPSSvc.exe. I ran a
> > > > HijackThis scan and it appeared as if it did not pick it up. I did not
> > > > remove anything from the list, because I know that can be very dangerous.
> > > > Any suggestions?
> > > > Judy
> > > >
> > >
> > >
> > >