Solved: Norton blocking many intrusion attempts

black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
25-Nov-2007, 11:40 PM #1
Solved: Norton blocking many intrusion attempts
My Norton antivirus is going nuts blocking intrusion attempts (5 in less than a minute). I have run Ad-Aware & spybot scans. Can someone check this Hijack This scan for problems?

Thanks Bob

P.S. I may have posted this in the wrong forum. Can it be moved to the malware & hijack this forum?

Thanks Bob

Logfile of HijackThis v1.99.1
Scan saved at 10:38:52 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Symantec Shared\SecurityHistory\mcui32.exe
C:\Documents and Settings\Administrator\My Documents\old computer\Hijack This V1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172173733312
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A5E88A67-4F93-44BB-A30F-772F7FE31D38} (Colonies.com Photo Upload Tool Control) - http://colonies.com/pages/PhotoUploadTool.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A3CCB12-EBDB-43BC-80E4-F8BD9A92D35E}: NameServer = 199.166.6.2 209.239.11.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Last edited by black99gm; 26-Nov-2007 at 12:08 AM..
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
27-Nov-2007, 04:25 PM #2
Can you give some examples of what Norton is blocking?
Michael Bennett's Avatar
Account Disabled with 104 posts.
 
Join Date: Nov 2007
Location: England, United Kingdom
Experience: A-Level in Level 2 Diploma for IT Practitioners
27-Nov-2007, 04:28 PM #3
The log doesn't look good (but I'm not an expert)!

If you disconnect from the internet do the intrusion attempts keep happening?

Michael.
black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
27-Nov-2007, 11:54 PM #4
Thanks for the replies; to answer the questions, the alerts stop as soon as the internet is disconnected. The following is the Norton log file.

Category: Security risks
Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/26/2007 10:08:48 AM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MXBWTWZ6\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/25/2007 9:47:21 PM,Auto-Protect,ExpertAntiVirus,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4RF7EKLT\install247[1].cab,Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Blocked"
11/25/2007 9:47:07 PM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPEVOL6Z\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/25/2007 9:10:17 PM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\03JNQCX5\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/24/2007 4:39:56 AM,Virus scanner,Downloader,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\tc0nx5c1\8[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,SpyShredder,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: [webinst[1].cab] inside of [c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\d8c35lo5\webinst[1].cab],Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,USER-D93275BC9F,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Action taken: Fully removed"
Michael Bennett's Avatar
Account Disabled with 104 posts.
 
Join Date: Nov 2007
Location: England, United Kingdom
Experience: A-Level in Level 2 Diploma for IT Practitioners
28-Nov-2007, 03:33 AM #5
Definitely looks bad.

Post your HJT! log in the Malware Removal forum and someone will get to you as soon as possible.

Last edited by Michael Bennett; 28-Nov-2007 at 12:26 PM..
Nesjemannen's Avatar
Member with 230 posts.
 
Join Date: Nov 2007
Location: Norway!
Experience: Advanced
28-Nov-2007, 10:59 AM #6
Also: Update your Hijackthis!

Download
Michael Bennett's Avatar
Account Disabled with 104 posts.
 
Join Date: Nov 2007
Location: England, United Kingdom
Experience: A-Level in Level 2 Diploma for IT Practitioners
28-Nov-2007, 12:26 PM #7
The bigwigs will sort him out, Nes.
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
28-Nov-2007, 02:46 PM #8
Well, in addition to posting a new HijackThis log in the correct forum, you can empty the contents of your C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ folder, as I see several pieces of malware attempting to 'call home' reside there.

I see you are surfing with your Administrator account; don't do that. Create a limited user account and surf with that one, so any attempts of intrusion will not affect the entire system.
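
The reading of the Norton log in the reply above can be reproduced mechanically. The following is an added example, not part of any poster's reply and not Symantec code: it parses the CSV layout quoted in post #4 and reports how many detections sit in the browser cache and under which Windows profile. The sample rows are constructed (computer name and cache folder names are placeholders), and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows in the column layout of the Norton log quoted in this
# thread; the computer name and cache sub-folder names are placeholders.
SAMPLE_LOG = r'''Date Time,Feature,Risk Name,Result,Item Type,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/26/2007 10:08:48 AM,Auto-Protect,Downloader,Blocked,File,N/A,14.0.4.1,SYSTEM,EXAMPLE-PC,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AAAA0001\land[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Blocked"
11/25/2007 9:47:21 PM,Auto-Protect,ExpertAntiVirus,Blocked,File,N/A,14.0.4.1,SYSTEM,EXAMPLE-PC,"Source: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AAAA0002\install247[1].cab,Risk category: Security risk,Overall Risk Impact: Medium,Action taken: Blocked"
11/24/2007 4:39:56 AM,Virus scanner,Downloader,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,EXAMPLE-PC,"Source: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\aaaa0003\8[1].htm,Risk category: Virus,Overall Risk Impact: High,Action taken: Fully removed"
11/24/2007 4:39:56 AM,Virus scanner,Tracking Cookie,Fully removed,File,2007.11.22.022,14.0.4.1,SYSTEM,EXAMPLE-PC,"Source: ,Risk category: Cookie,Overall Risk Impact: Low,Action taken: Fully removed"
'''

PROFILE_RE = re.compile(r"\\documents and settings\\([^\\]+)\\", re.I)
CACHE_MARKER = "\\temporary internet files\\"
DETAIL_SPLIT = r",(?=(?:Risk category|Overall Risk Impact|Action taken): )"

def parse_details(details):
    """Split 'Source: ...,Risk category: ...,...' into a dict of its labelled parts."""
    fields = {}
    for part in re.split(DETAIL_SPLIT, details):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def summarize(log_text):
    """Count detections per risk name, browser-cache hits, and affected profiles."""
    by_risk, profiles, cache_hits = Counter(), Counter(), 0
    for row in csv.DictReader(io.StringIO(log_text)):
        source = parse_details(row["Details"]).get("Source", "")
        by_risk[row["Risk Name"]] += 1
        if CACHE_MARKER in source.lower():
            cache_hits += 1
        # The "User Name" column is SYSTEM (the scanner), so the browsing
        # account has to be read from the profile folder in the source path.
        match = PROFILE_RE.search(source)
        if match:
            profiles[match.group(1).lower()] += 1
    return {"by_risk": dict(by_risk), "browser_cache_hits": cache_hits,
            "profiles": dict(profiles),
            "admin_browsing": "administrator" in profiles}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
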
black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
29-Nov-2007, 10:59 PM #9
How do I create a limited user account? My girls use this computer as well for homework and course messenger & facebook. I don't have much experience.

Thanks
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
30-Nov-2007, 08:10 PM #10
In XP:
Control Panel / User Accounts / Create A New Account /
Enter account name / Next / Choose 'Limited' radio button
Click 'Create new Account' button
black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
02-Dec-2007, 10:32 AM #11
Thanks for the reply; I created a new user but the problem is it is now the administrator user and I have lost the original administrator and can't find it! There also is another account called "ASP.net machine A..." I don't know where it came from.

Bob
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
02-Dec-2007, 04:21 PM #12
Press CTRL-ALT-DEL twice at the login screen and you will be given a field to enter the user name.

I think the ASP.NET user account is installed by MS's Dot Net Framework. Somebody correct me if I'm wrong.
black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
02-Dec-2007, 10:26 PM #13
Thanks wk2000, that worked. I have looked at the user accounts to change the Family user account to limited but the radio button won't change. It has a message: "you must assign another user on this computer with a computer administrator before you can change this user's account type". The user accounts page shows both as computer administrators. The only options with the administrator account are "create a password", "change my picture" & "change my .net passport". Any ideas?
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
04-Dec-2007, 02:23 PM #14
Yes, in addition to the built in Administrator account, there must be one more account which is an admin. So there are two accounts with admin rights. Create a fourth account which is limited then.

Last edited by lunarlander; 04-Dec-2007 at 02:44 PM..
black99gm's Avatar
Member with 43 posts.
 
Join Date: Nov 2004
Location: Ontario, Canada
Experience: Beginner
06-Dec-2007, 08:37 PM #15
OK I have done the 4th account and called it "Family users" the second administrator account I have named "Adm 2". The original Administrator account does not show when I am at the log in screen, the only time I can get to it is by doing the CNTL-ALT-DEL twice. Is this normal? I would also like to get my e-mail and my documents (pics & music) from the original Administrator to Family users.

Thanks for taking the time with a novice!!!