
Trojans/virus on my system?

Discussion in 'Virus & Other Malware Removal' started by spiritcenter, Aug 31, 2004.

Thread Status:
Not open for further replies.
  1. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    Hi there, thank heavens for forums like this one!

    I am a complete newbie to computer stuff and am having problems. I had my C drive reformatted because I had a virus that was connected to my Symantec settings and every time I removed it the system would reboot and reinstall it. As far as I could ascertain it wasn't letting me update my Norton security.

    I am running ZoneAlarm Pro and noticed today that it appears I have two copies of some DLLs in my Norton folders.

    ---------

    These are:

    defaltert.dll - Norton AntiVirus DefAlter c:/program files/norton system works/Norton AntiVirus/DEFALTERT.DLL

    same again but in capitals.

    APWUTIL.DLL - c:/program files/norton system works/Norton AntiVirus/DEFALTERT.DLL

    same again but in capitals

    CCEmlPxy.dll c:/program files/common files/Symantec Shared/ccEmlPxy.dll

    same again but in capitals

    Common Client Error Display

    ccErrDsp.ll c:/program files/common files/Symantec Shared/ccErrDsp.dll

    same again but in capitals

    ccEvt.dll c:/program files/common files/Symantec Shared/ccEvt.dll

    same again but file path in capitals.

    CCIMSCAN.DLL C:/Program Files/Norton SystemWorks/Norton Anti-Virus/CCIMSCAN.DLL

    same again but in caps

    comctl132.dll C:/WINDOWS/System32/comctl32.dll

    same again:

    C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.10.0_X-WW_F7FB5805

    DEFALTERT.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    DJSMAR00.dll C:\PROGRAM FILES\NORTON SYSTEMWORKS

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    N32EXCLU.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    NAVAPW32.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    NAVENG32.DLL - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040825.021

    AND

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\VIRUSDEFS\20040825.021

    NAVEX32A.DLL C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040825.021

    AND

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\VIRUSDEFS\20040825.021

    NAVLUCBK.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    S32NAVO.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

    AND

    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    Other Weird Files

    PATCH321.DLL in C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

    rtcimsp.dll C:\Program Files\Messenger

    and

    C:\PROGRAM FILES\MESSENGER

    -----------

    However, when viewing through Windows Explorer these files do not appear to show.

    --

    I have also been running the netstat command and have some ports 'listening' from ports known to have something to do with dodgy components according to http://www.grc.org

    I also have Security Task Manager and HijackThis.

    Any help would be vastly appreciated - this is seriously making me consider going offline as it's just too much of a worry.

    TY in advance :)
     
  2. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Please go to this site and download HiJackThis by Merijn Bellekom:

    ***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

    HiJackThis download link

    Alternate download links:

    http://www.spychecker.com/program/hijackthis.html

    http://www.majorgeeks.com/download3155.html



    Under "Official Downloads" HiJackThis. It's the 2nd one down.

    Download and unzip to a permanent folder of your own creation.

    Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

    Save it to your permanent HiJackThis folder (or floppy disk if necessary).

    The log will open in Notepad. Click "Edit" then "Select All".

    Copy and paste the log back to this thread.
     
  3. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    Logfile of HijackThis v1.97.7
    Scan saved at 2:28:23 p.m., on 1/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\slrundll.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Security Task Manager\TaskMan.exe
    C:\WINDOWS\System32\NOTEPAD.EXE
    C:\Documents and Settings\Mandy\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3

    --------

    TY for your prompt reply! You guys are fast :)
     
  4. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Sorry about that. That's an outdated link. :( Try the one from "majorgeeks".
     
  5. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    I downloaded HijackThis from spychecker this week so I presume it's the most current copy. That's what I used to provide the log in my last post before this :)
     
  6. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    It should be version 1.98.2 ;)
     
  7. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    Oops - no it's not - I'll download the latest version - ty!
     
  8. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
  9. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    Here tis:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:50:10 p.m., on 1/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\slrundll.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mandy\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
     
  10. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    You said you did a reformat?

    There's nothing nasty in that log.
     
  11. spiritcenter

    spiritcenter Thread Starter

    Joined:
    Aug 31, 2004
    Messages:
    6
    Yes I did do a reformat :) It was the possibility of having winhole that concerned me but I ran a removal script and it said it wasn't on my system.

    What do you think of the two copies of the DLLs in my Norton folders? (according to the ZoneAlarm program components screen)

    Ty for your help - I am relieved there is nothing dodgy in there. Paranoia is not pleasant lol
     
  12. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    lol...a dose of paranoia's healthy. I can't say about the double DLLs. If you're able to update your anti-virus and your firewall's running, I wouldn't worry about it. (y)
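
On the two-copies question raised in this thread: Windows resolves file names case-insensitively by default, so two rows that differ only in letter case or slash direction name one file, while the same name in two different folders is two files. The sketch below is an added example, not part of the original posts or of ZoneAlarm; the sample paths are constructed by joining file names to the folders listed in the first post, and `canonical` and `classify` are hypothetical helper names.

```python
import ntpath
from collections import defaultdict

# Constructed sample: file names joined to the folders listed in the first post.
ENTRIES = [
    r"C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.DLL",
    r"C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.DLL",
    "c:/program files/common files/Symantec Shared/ccEvt.dll",
    r"C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVT.DLL",
    r"C:\PROGRAM FILES\NORTON SYSTEMWORKS\DJSMAR00.dll",
    r"C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\DJSMAR00.dll",
    r"C:\WINDOWS\System32\comctl32.dll",
    r"C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_"
    r"6595B64144CCF1DF_6.0.10.0_X-WW_F7FB5805\comctl32.dll",
]


def canonical(path):
    """Fold case, slash direction and redundant separators (Windows rules)."""
    return ntpath.normcase(ntpath.normpath(path))


def classify(entries):
    """Map each file name to (verdict, sorted distinct canonical paths)."""
    by_name = defaultdict(lambda: defaultdict(list))
    for raw in entries:
        canon = canonical(raw)
        by_name[ntpath.basename(canon)][canon].append(raw)

    report = {}
    for name, locations in by_name.items():
        if len(locations) > 1:
            # Same name in different folders: really separate files on disk.
            verdict = "distinct files"
        elif len(next(iter(locations.values()))) > 1:
            # One canonical path spelled several ways: one file, listed twice.
            verdict = "same file, listed more than once"
        else:
            verdict = "single entry"
        report[name] = (verdict, sorted(locations))
    return report


if __name__ == "__main__":
    for name, (verdict, paths) in sorted(classify(ENTRIES).items()):
        print(f"{name}: {verdict}")
        for p in paths:
            print(f"    {p}")
```

Entries reported as distinct files are the ones worth a closer look, for example by comparing their version information or digital signatures.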
     
Short URL to this thread: https://techguy.org/268796
