Virus, trojans, worms, Need Help

Sue

I have Ad-Aware Plus, MS Beta Antispyware, and NAV, all updated with current definitions. I
ran Trend, Stinger, and Symantec online scans.
All scans (excluding NAV) come up clean, because of the crap below that
got on my computer, again, just from going to websites/forums.

My questions are as follows:
1. How can any of this happen when I have a new Gateway computer, a firewall,
NAV, Ad-Aware Plus, and Antispyware? I just don't get it. I have my settings
properly configured according to the Help files. I have "scan compressed
files" checked.
2. Those I have listed below that say "Ignored": are those still on my
system? If so, why do the scans not catch them?
3. The main question is that there are 3 infections that still show up in the NAV scan,
and it will not let me delete them. All other scan programs come up clean.
- compressed file: C:\Program Files\CashBack\bin\cashback.exe within
C:\windows\system32\psis80.ex.ax
- C:\windows\system32\mscb.dll within
C:\windows\system32\psis80.ex.ax
- C:\Program Files\CashBack\bin\cb.exe within
C:\windows\system32\psis80.ex.ax
4. If I restore my system to an earlier date, would this get rid of all the
infected files, assuming there are some infected?
Thank you; help would be much appreciated on these matters.

This was the result of the scans, MS Beta:

It took several scans to get rid of the eXact Downloader.

eXact Downloader is a Trojan used by eXact Bargain Buddy and Cash Back to
download and install additional components.
Status: Removed
Infected files detected
c:\windows\system32\vx3x.nls
Bubba WinTools' purpose is currently unknown. Bubba.WinTools installs an
Internet Explorer browser helper object, a URL search hook, and downloads
several files in Common files\WinTools\. Bubba.WinTools runs at startup
Status: Removed
eXact.BullseyeNetwork Adware more information...
Details: Bullseye displays pop-up advertisements.
Status: Removed
Details: Network Essentials adds hundreds of Internet Explorer favorite site
links to your Favorites folder and desktop.
Status: Removed
Superlogy.com is an Internet Explorer browser helper object that changes Web
browser settings. It can update itself and start programs on your computer.
Status: Removed
Details: Cydoor downloads advertisements from a remote server and displays
them on your computer.
Status: Removed
WebSearch Toolbar Under Investigation more information...
Details: WebSearch Toolbar is an Internet Explorer search redirector.
Status: Quarantined

WinTools Trojan more information...
Details: Bubba WinTools' purpose is currently unknown. Bubba.WinTools
installs an Internet Explorer browser helper object, a URL search hook, and
downloads several files in Common files\WinTools\. Bubba.WinTools runs at
startup
Status: Ignored

eXact.ISEXEng Trojan more information...
Details: eXact.ISEXEng is a Trojan Windows service installed by BargainBuddy
and CashBack.
Status: Removed
Network Essentials Browser Modifier more information...
Details: Network Essentials adds hundreds of Internet Explorer favorite site
links to your Favorites folder and desktop.
Status: Ignored
WebSearch Toolbar Browser Plug-in more information...
Details: WebSearch Toolbar is an Internet Explorer search redirector.
Status: Ignored
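Sue's question 2 (whether the entries marked "Ignored" are still on the system) can be answered from the report itself: anything not marked Removed has not been cleaned. Ignored entries were skipped, and Quarantined ones were moved aside rather than deleted. The following is an added example, not code from the thread, that parses a pasted Microsoft AntiSpyware report of this shape and lists the leftovers. The sample report is constructed from the entries above, and the layout rules it relies on (an entry ends at its "Status:" line, a header line ends in "more information...", an "Infected files detected" list belongs to the entry it follows) are assumptions about the pasted text, not a documented file format.

```python
# Added example, not part of the original post: parse a Microsoft
# AntiSpyware (beta) scan report of the kind pasted in the thread and list
# what the scanner did NOT remove.  SAMPLE_REPORT is constructed from the
# entries in the post.  The parsing rules below are assumptions about the
# pasted layout, not a documented file format.
import re

SAMPLE_REPORT = r"""
eXact Downloader is a Trojan used by eXact Bargain Buddy and Cash Back to
download and install additional components.
Status: Removed
Infected files detected
c:\windows\system32\vx3x.nls
Bubba WinTools' purpose is currently unknown. Bubba.WinTools installs an
Internet Explorer browser helper object, a URL search hook, and downloads
several files in Common files\WinTools\. Bubba.WinTools runs at startup
Status: Removed
eXact.BullseyeNetwork Adware more information...
Details: Bullseye displays pop-up advertisements.
Status: Removed
Details: Network Essentials adds hundreds of Internet Explorer favorite site
links to your Favorites folder and desktop.
Status: Removed
Superlogy.com is an Internet Explorer browser helper object that changes Web
browser settings. It can update itself and start programs on your computer.
Status: Removed
Details: Cydoor downloads advertisements from a remote server and displays
them on your computer.
Status: Removed
WebSearch Toolbar Under Investigation more information...
Details: WebSearch Toolbar is an Internet Explorer search redirector.
Status: Quarantined

WinTools Trojan more information...
Details: Bubba WinTools' purpose is currently unknown. Bubba.WinTools
installs an Internet Explorer browser helper object, a URL search hook, and
downloads several files in Common files\WinTools\. Bubba.WinTools runs at
startup
Status: Ignored

eXact.ISEXEng Trojan more information...
Details: eXact.ISEXEng is a Trojan Windows service installed by BargainBuddy
and CashBack.
Status: Removed
Network Essentials Browser Modifier more information...
Details: Network Essentials adds hundreds of Internet Explorer favorite site
links to your Favorites folder and desktop.
Status: Ignored
WebSearch Toolbar Browser Plug-in more information...
Details: WebSearch Toolbar is an Internet Explorer search redirector.
Status: Ignored
"""

STATUS_RE = re.compile(r"^Status:\s*(\S.*?)\s*$")
HEADER_RE = re.compile(r"^(.+?)\s+more information\.\.\.$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a Windows drive path


def _new_entry():
    return {"header": None, "description": [], "status": None, "files": []}


def parse_report(text):
    """Split the pasted report into entries; each ends at its Status line."""
    entries = []
    current = None       # entry being described, no Status line seen yet
    last = None          # most recently completed entry
    file_target = None   # entry an "Infected files detected" list belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if file_target is not None and PATH_RE.match(line):
            file_target["files"].append(line)
            continue
        file_target = None
        if line == "Infected files detected":
            # In the pasted layout this list follows the entry's Status line.
            file_target = current if current is not None else last
            continue
        m = STATUS_RE.match(line)
        if m:
            if current is None:
                current = _new_entry()
            current["status"] = m.group(1)
            entries.append(current)
            last, current = current, None
            continue
        if current is None:
            current = _new_entry()
        m = HEADER_RE.match(line)
        if m and current["header"] is None and not current["description"]:
            current["header"] = m.group(1)
        else:
            current["description"].append(re.sub(r"^Details:\s*", "", line))
    if current is not None:          # trailing entry with no Status line
        entries.append(current)
    return entries


def label(entry):
    """Header text if the report gave one, else the first sentence."""
    if entry["header"]:
        return entry["header"]
    return " ".join(entry["description"]).split(". ")[0]


def not_removed(entries):
    """Everything the scanner left in place (Ignored, Quarantined, ...)."""
    return [(label(e), e["status"]) for e in entries if e["status"] != "Removed"]


if __name__ == "__main__":
    for name, status in not_removed(parse_report(SAMPLE_REPORT)):
        print("%-40s %s" % (name, status))
```

Run against Sue's report this lists the quarantined WebSearch Toolbar and the three Ignored items (WinTools, Network Essentials, the WebSearch plug-in), which is the set that a fresh Internet session can reactivate.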
 
Carey Frisch [MVP]

There is a very helpful virus removal newsgroup you may wish to post to:
news://msnews.microsoft.com/microsoft.public.security.virus

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

3 Simple Steps to Insure the Security of Your PC
http://www.microsoft.com/athome/security/protect/default.mspx

Antivirus software: Frequently asked questions
http://www.microsoft.com/athome/security/protect/antivirus.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

 
Guest

I don't use Microsoft AntiSpyware, so this is a guess, but are you sure there
is no way to decrease its tolerance level and make it more rigorous
somewhere in Options?

I would suggest, if possible, turning off the quarantine option and
decreasing the tolerance level. Also, Kaspersky's Antivirus Pro from
Kaspersky Labs is a very high-quality all-around security option. It
protects all routes of malicious data entering your computer; it even actively
scans the web pages you're using (if using Microsoft IE5 or up), not limited
to viruses but also trojans, spyware and adware.

I don't work for Kaspersky; I simply use it and am very satisfied. It mostly
eliminated the need for any other anti-spyware or anti-virus solution.
 
David H. Lipman

Sue, this wasn't the *best* newsgroup either; the following are...

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

I *strongly* suggest you cross-post your question to the following two newsgroups...

alt.comp.anti-virus and microsoft.public.security.virus

My immediate answer is that all the software in the world will not make up for your actions if
you don't follow Safe Hex practices.

--
Dave




 
Sue

Thank you I did post as requested.

Now for the Safe Hex practice, Dave: I assume you are saying that I don't
follow it. I'm not sure what you meant by that, but let me assure you, I know what Safe Hex
practice is, and I have practiced everything according to the Hex list. Now,
any more ideas as to why I would go to a website and then get an intrusion such
as I have? No, it is not porn or anything similar; they are women's health
sites.
 
Ken Gardner

David said:
My immediate answer is all the software in the world will not make up for your actions if
you don't follow Safe Hex practices.

Words to live by.

Ken
 
Vagabond Software

Sue said:
I have adware Plus, MS Beta Antispyware, NAV, all updated/definitions, I
ran trend, stinger, and Symantec online scans
All Scans, (excluding NAV) come up clean, because of the below crap that
got on my computer, again, just from going to Websites/Forums.

There must be something a user is doing to install this stuff on the
computer. Are there any Internet games being downloaded and installed? Are
special "viewers" or "download managers" being installed? Are you
installing any special "desktop updaters" for news, weather,
sports, or other purposes? Are you running any "swapping" applications like
Kazaa? Is anyone downloading illegal music, movies, or software?

Are you installing/re-installing applications from old eMachine media or
something else of that nature?

Otherwise, I would recommend switching to the Firefox browser. It's a
little slower, but it may not have the same problems, at least for a while.

carl
 
CWatters

C\windows\system32\psis80.ex.ax

see second reply by Ron Kinner (dated Jan 4, 2005 23:41:30) on this
thread...

http://forums1.itrc.hp.com/service/...493758+1108924266897+28353475&threadId=776298

Reproduced in part below....

Ron Kinner Jan 4, 2005 23:41:30 GMT 7 pts

<snip>

Let's look at your Norton log. Essentially it is telling you that there are
still some nasties on your system. First there are three compressed files in
your C:\WINNT\System32 folder:

C:\WINDOWS\system32\psis80ex.ax
C:\WINDOWS\system32\netut80ex.vxd
C:\WINDOWS\system32\mac80ex.idf

These are like zip files and contain nasty files with the full path where it
wants them to be installed. Let's try to delete them (| = then press or type
the following, <Enter> = press the Enter key):

Start | Run | cmd <Enter>

(This should bring up a new DOS style window which you can also get to by
pressing Start then Programs then Accessories then Command Prompt)

c: <Enter>
cd \windows\system32 <Enter>

(You should now be in the System32 folder.)

attrib -s -h -r psis80ex.ax <Enter>

attrib -s -h -r netut80ex.vxd <Enter>

attrib -s -h -r mac80ex.idf <Enter>

erase psis80ex.ax <Enter>
erase netut80ex.vxd <Enter>
erase mac80ex.idf <Enter>

(If it works it will just return the prompt. If it can't find the file or
can't delete it then it will tell you.)

(Now do)

cd \Documents and Settings\Curtis Jenkins\Local Settings\ <Enter>

cd Temp <Enter>

attrib -h -s -r istsvc.exe <Enter>
erase istsvc.exe <Enter>

cd ..\Temporary Internet Files\Content.IE5\PDN7J93U\ <Enter>

attrib -r -h -s istsvc.exe <Enter>
erase istsvc.exe <Enter>

cd \Documents and Settings\All Users\Application Data\SecTaskMan\ <Enter>

attrib -r -h -s mhepq.exe.q_2CF1800_q <Enter>
erase mhepq.exe.q_2CF1800_q <Enter>


(That should take care of all of the Norton log entries unless I missed one.
The attrib line just removes the system, hidden and read-only attributes
from a file so that we can delete it. You can use all small letters if you
want - you don't need to worry about the capitalization.)
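The commands above are the manual form of one loop: clear the system, hidden and read-only bits, delete, and confirm the file is gone. Here is that loop as an added example in Python (not code from the thread or from Ron Kinner's post), so it can be run over a list of paths and report a result per file. The file names are the ones from the post; the scratch-directory demo at the bottom uses constructed empty files, not real malware; and on Windows the attribute bits are cleared through the Win32 SetFileAttributesW call, which is this example's substitute for attrib.

```python
# Added example, not from the thread: the sequence Ron Kinner's commands
# perform (attrib -s -h -r, then erase, then confirm), done programmatically
# with a per-file result.  On Windows the attribute bits are cleared with the
# documented Win32 call SetFileAttributesW; other platforms only have the
# read-only mode bit, so the demo runs there too.  The file names are the
# ones from the post; the temp-directory demo uses constructed empty files.
import ctypes
import os
import shutil
import stat
import tempfile

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80

DROPPER_FILES = ["psis80ex.ax", "netut80ex.vxd", "mac80ex.idf"]


def set_protected(path):
    """Give a file the system+hidden+read-only bits the droppers carry."""
    if os.name == "nt":
        flags = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if not ctypes.windll.kernel32.SetFileAttributesW(path, flags):
            raise ctypes.WinError()
    else:
        os.chmod(path, stat.S_IRUSR)            # read-only is all POSIX has


def clear_attributes(path):
    """Equivalent of `attrib -s -h -r path`."""
    if os.name == "nt":
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise ctypes.WinError()
    else:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def remove_dropper(path):
    """attrib -s -h -r, erase, then the check the post leaves to the reader.
    Returns 'missing', 'deleted' or 'failed: <reason>'."""
    if not os.path.lexists(path):
        return "missing"
    try:
        clear_attributes(path)
        os.remove(path)
    except OSError as exc:
        # On Windows a file held open by a running process (for example a
        # service that is still installed) fails here; rerun from Safe Mode.
        return "failed: %s" % (exc.strerror or exc)
    return "deleted" if not os.path.lexists(path) else "failed: still present"


def clean(paths):
    """Run remove_dropper over every path; returns {path: result}."""
    return {p: remove_dropper(p) for p in paths}


def demo_in_tempdir():
    """Constructed demo: create the three dropper names as protected empty
    files in a scratch directory, add one name that was never created, and
    clean them all.  Returns results keyed by file name."""
    scratch = tempfile.mkdtemp(prefix="cleanup_demo_")
    try:
        targets = []
        for name in DROPPER_FILES:
            p = os.path.join(scratch, name)
            with open(p, "wb") as fh:
                fh.write(b"")
            set_protected(p)
            targets.append(p)
        targets.append(os.path.join(scratch, "istsvc.exe"))   # never created
        return {os.path.basename(p): r for p, r in clean(targets).items()}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo_in_tempdir().items():
        print("%-16s %s" % (name, result))
```

On the affected machine, run it from an Administrator account and pass the real C:\WINDOWS\system32 paths to clean(). A "failed" result for a file NAV still flags usually means a running process holds it open (the eXact.ISEXEng entry in Sue's report is a Windows service), so stop that service or boot into Safe Mode and run again. Deleting the container files does nothing about the browser helper object, URL search hook and service registrations the report describes; those are what a HijackThis log is for.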
 
JerryMouse

Sue said:
Thank you I did post as requested.

Now for the safe hex practice, Dave, assuming you are saying that I
don't, not sure what you meant by that, but let me assure you, I know
what safe hex practice is, and I have practiced every thing according
to the Hex list. Now any more ideas as to why I would go to a website
then get an intrusion such as I have? No, it is not porn, or anything
similar, they are women's health sites.

Sue, the stuff didn't miracle itself onto your machine.
 
Sue

And I understand that. What I am after here is how I can have all the anti-malware
programs and still get infected. I have spoken to Symantec's tech and Gateway
tech support to ensure I have all the settings proper; I paid both to
get this information. I have read and read and read, so I must be missing
something here, hence why I am asking this group. I do not open attachments,
nor do I send them; I do not go to any website that is questionable. If I
did, I wouldn't be inquiring in here.
I am perhaps overly anal about a clean computer, and in being so, I have
missed something.
 
Sue

Well, thank you for giving me examples; that helps more than you know. I am
running the Napster free trial, but it came installed on this computer. I have
not downloaded any music. I have recently installed Lavasoft Plus from
their web page. I had the free version before.
I am the only user of this computer. Again, I thank you for your help, as I
am at a loss. Like I said, this is a brand new computer,
so I am doing something wrong, obviously.
I am downloading the free scans from Stinger, Trend and Symantec from
their websites.
I have been watching Dave's posts, because he seems to know a lot, and doing
what he has been telling others to do in similar situations. And a few
others on here; I can't recall their names, but I always use the find feature
first and read what others have done and who helped them.
Thanks to those who have helped.
 
Sue

WOW, thank you . You are truly someone that wants to help.
Now, let's see if I can do this. Will keep you posted.
 
Gerry Cornell

Your answer is in the link I posted. Perhaps you did not read it!

Transmission
This adware program must be manually installed. However, there are
several known programs that have Adware.BargainBuddy within them, and
that can install it when the program itself is installed.

Also read here:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.abebot.html

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.



~~~~~~~~~~~~~~~~~~~~~~~~
 
Malke

Sue said:
WOW, thank you . You are truly someone that wants to help.
Now, let's see if I can do this. Will keep you posted.
I answered this question that you posted in the other newsgroup. Please
don't multipost like this; crosspost judiciously if you must with a
followup set to one newsgroup.

As I said in the other newsgroup, you got more cr*p on your computer
because your computer still had malware on it. If you hadn't done all
your scans in Safe Mode and used HijackThis, etc. you still had
BargainBuddy and as soon as you went on the Internet, BB was activated
and downloaded more garbage.

Malke
 
David H. Lipman

Malke:

She originally posted in IE/OE and then here and realized it was not a good News Group to
post her problem.

I then asked her to re-post in Security/Virus and alt.comp.anti-virus so she would get the
*best* advice. ;-)

--
Dave




| Sue wrote:
|
| > WOW, thank you . You are truly someone that wants to help.
| > Now, let's see if I can do this. Will keep you posted.
| >
| >
| I answered this question that you posted in the other newsgroup. Please
| don't multipost like this; crosspost judiciously if you must with a
| followup set to one newsgroup.
|
| As I said in the other newsgroup, you got more cr*p on your computer
| because your computer still had malware on it. If you hadn't done all
| your scans in Safe Mode and used HijackThis, etc. you still had
| BargainBuddy and as soon as you went on the Internet, BB was activated
| and downloaded more garbage.
|
| Malke
| --
| MS MVP - Windows Shell/User
| Elephant Boy Computers
| www.elephantboycomputers.com
| "Don't Panic!"
 
Sue

I posted this originally on this site, when I was told by others who
responded to post it again on the security.virus newsgroup. But all the
replies have come to this one. They said this was not the forum; I said OK
and reposted where they told me to.
What do you mean by multipost? I am just replying to whoever responds. Is this
against the rules? Thank you for your help.
 
Malke

Sue said:
I posted this originally on this site, when I was told by others who
responded to post it again on the security.virus newsgroup. But all the
replies have come to this one. They said this was not the forum; I
said OK and reposted where they told me to.
What do you mean by multipost? I am just replying to whoever responds. Is
this against the rules? Thank you for your help.

Basically, I saw that you had posted in two separate newsgroups; David
says you also posted in a third. This is called "multiposting" and is
bad because you've now got three completely separate places where
people are answering you, no one knows what anyone else has said, and
there is a lot of wasted time and effort. When you think your problem
is pertinent to two, maybe three different newsgroups, you can
"crosspost", which is when you post one message on one newsgroup with
copies of it appearing on the other groups. You set a followup so that
all answers go to one place. It isn't a question of "against the
rules"; it's a netiquette issue, but even more than just that - people
get annoyed when they reply to a post and then find the same question
all over the place. After all, your end goal is to get answers and you
want to optimize your search for them. Here are some links about using
newsgroups:

http://www.dts-l.org/goodpost.htm

http://www.blakjak.demon.co.uk/mul_crss.htm - multi- & cross-posting
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address

So, back to your original issue - this has been answered. You didn't
have a clean computer, even though you thought you did. Find all your
other posts and read the many responses you got.

Good luck,

Malke
 
CWatters

Sue said:
WOW, thank you . You are truly someone that wants to help.
Now, let's see if I can do this. Will keep you posted.

If that doesn't work, the best advice is to run HijackThis and post the
results to their forum. With HijackThis it takes an expert eye to spot what
is a real problem and what is a false alarm.
 
