Unsolved
This post is more than 5 years old
21 Posts
0
4512
P E Bugbear.B.O Virus ?
I have had Nav 2004 sitting on my desk for two weeks. Unfortunately, I have not installed it.
Last week I received three emails (in my Outlook Express mailbox), which I opened. I think I may have gotten a virus or Trojan horse because I keep getting the same emails over and over again. I checked my computer using the Nav CD ROM but it came up with "No Viruses Found". I then used Housecall.tredmicro (the free online scan) and it came up with the same virus twice, "P E BUGBEAR.B-O" in C:\-Restore\Archive\fs47.C... (I think the C stands for CAB file). When I tried to delete the infected file(s) the system will not let me do it, instead stating that the files are in use. Since the computer is infected I am unable to install Nav. Please advise me on how to handle this problem.
Thank you.
ChrisRLG
3.9K Posts
0
December 16th, 2003 06:00
If that does not work try the malware route. (Go straight to the hijackthis instructions below).
Use these to remove Malware (Spyware and Adware).
Spybot S&D
Ad-Aware
Cwshredder
With all of these download them, install (after unzip if required), download the latest signature/update file, run, delete all that they find.
Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
Download, run, scan, save log, then in notepad copy the FULL log by copy and paste to a post in one of these specialist spyware removal forums:-
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi
http://boards.cexx.org/index.php
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I am in all those sites as ChrisRLG. You might get me, but any of the more problematic ones are handled by the experts. If you get a 'advanced member' like me, we have other ways of asking for advice from the experts, to pass on to you.
You could post your log here in this thread (if in the Virus Information and Removal Board - if not post in that board not in this thread), and I will have a go at giving advice, but if you go to one of the more specalist forums more experts will be able to help.
Josbet
21 Posts
0
December 17th, 2003 02:00
Thanks CrisRLG.
I run nav2004, Spybot S&D and Ad-aware6.0. Now this is my HijackThis list:
Logfile of HijackThis v1.97.7
Scan saved at 6:05:53 PM, on 12/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TBCTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SpeedKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM\TBCTRAY.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
ChrisRLG
3.9K Posts
0
December 17th, 2003 11:00
Your system looks clean, have you tried deleting all your restore points from system restore, which Is where you seen to have the malware.
I could not find the ME instructions for you but here is a link to the XP version which should not be too different.
http://support.dell.com/us/en/kb/document.asp?dn=1055856
You need to delete all the restore point that it currently hasm, you should be able to do this by turning the system restore off, rebooting and then starting it again.
Then do a AV scan to prove it is all clear.
Josbet
21 Posts
0
December 23rd, 2003 22:00
Thanks ChrisRLG for all your help. I followed your directions and returned my computer to an earlier restore point. This stopped all the mass mailings that were filling my Outlook ex inbox.
Merry X-Mas.
Joe.