0

Please help. I have found bling.exe and have google'd it. .... it looks a wee bit nasty.

Here is the hijackthis log;


ogfile of HijackThis v1.99.1
Scan saved at 22:15:32, on 18/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sygate Personal Firewall] bling.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] bling.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] bling.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tobiehome
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tobiehome
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tobiehome
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I have selecetd fix but it does not seem to remove this crap.


Can anyone please help. :sad:

5
Contributors
8
Replies
9
Views
12 Years
Discussion Span
Last Post by crunchie
0

Oh yes.. can anyone of you clever modrerators help in identifying any other nasties?

I think from looking at this log that there are others but I am not very technical.....

0

Please do the following:

1. Download ewido Security Suite and install it, and then open the program. If you initially receive a warning message saying "Database not found" when you first run the program, just click "OK" for this. Next- in the main screen, click "Update" and click "Start Update". After the update completes, run a full system scan and save the scan report it generates.


2. Reboot after the scan completes.


3. Run another HijackThis scan, post the new log, and also post the ewido log.

0

DMR,

As you know I am new to this site.... I just want to say in the interim (I am at work now so I will do what you suggest tonight as bling is on my home PC) that I am astonished at all the goodwill amongst IT lovers and the war against spam, spyware, malware and virusses. It is refreshing to see that you guys so unselfishly help us "poor" victims of these criminal atacks on our privacy.
Thanks ... will post my next reply tonight then.

0

Hello,

BLING is a nasty virus. You will need to use safe mode to eliminate the thing, and also edit the registry areas to successfully kill it. I also had to turn on the showing of system files in order to locate it and delete it.

Christian

0

DMR & kc0arf,

I know it has been ages since I started this thread apologies for not replying back then, but here goes.

I have tried a *&£$*$ load full of things to try and get rid of this bling entry. Here is all I did.

1. DMR:
I did what you said. I installed ewido security suite and ran it. It was a clean scan and nothing was picked up.
Let me just mention. I have the following software already on my pc;
a) Norton Internet security. Definitions are always up to date and automatic. I also run a full scan once a week but have not had any infections for ages. (which prooves at least that Norton works some way)
b) Adawre SE Plus. Latest version fully licenced. I also have ad-watch enabled and on startup a full scan always runs.
c) PC Tools Spyware Doctor and Registry Mechanic. Once again defenitions up to date & Reg Mech runs on startup + Online Guard enabled for real-time protection.
d) Spybot search & destroy - Defenitions updated and fullm scan run weekly.

e) I have all latest windows updates, service packs and hotfixes and regularly check it. At least once in 21 days.....

With all the above I run full scans at least weekly, so I know I have "near" max protection.

NOW, to carry on:

As I said, I did run ewido and it was clean and therefor nothing else was picked up other that the above already do and prevent.

I used regedit and searched for all entries of "bling". It came up in 4 keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-21-583907252-492894223-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


I then rebooted my machine and started up in safe mode.

I deleted the entries in the right pane against the above keys. I once again searched the whole registry in safe mode and found no othre entries.

I also searched the whole C:drive for any entry blin*.*, *lin*.*, bling.*
I could not find a trace.... ( I did turn on system files to view and hidden files and folders.)

I then thought that should be it. I rebooted back in normal mode


NO LUCK!

Ad-watch actually picked up and reported it in it's event log that the registry was modified on startup. The entries I deleted while in safe mode were put back. Note that it always put it back with the key name/value ="Sygate personal Firewall"

I attach a screen print of the ad-watch log. I also attach a copy of my task manager showing memory usage. Please see whether you can spot anything?


I read in a related thread that somebody suggested that the retrcictanonymous value must be changed from 1 to 0 or 0 to 2.

Well I am not so sure where to find it. Here is where I found the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WindowsNT\CurrentVersion\SeCEdit\RegValues\MACHINE
/System/CurrentControlSet/Control/Lsa/RestrictAnonymous

there were 5 Entries on left -
(default) REG_SZ (Value not set)
Display Choices REG_MULTI_SZ 0|None Rely on default permissions
1|Do not allow ennumeration of SAM accounts and shares
2|No access without explicit anonymous persmissions
Display name REG_SZ Additional restrictions for anonymous connections
DisplayType REG_DWORD 0x00000003 (3)
ValueType Reg_DWORD 0x00000004 (4)

I did not change anything though. Should I and what should I change?


Please guys, I am desperate to get rid of this thing... bling.

Incidentally, you will also note the entry in the ad-watch log shows "internat.exe" as being written back in. I deleted it while in safe mode because I am not sure what it is. Should it be there? What is it.? Why would it be written back. Is it legit?

thanx

tobes

:(

0

I have done everything as in the symantec instructions but still no luck...... Help

0

Adaware's Adwatch has probably reinstated those values. Disable it and remove those keys again. If still no luck, uninstall Adaware and try again.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.