Trojans/virus on my system?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

spiritcenter

Thread Starter
Joined
Aug 31, 2004
Messages
6
Hi there, thank heavens for forums like this one!

I am a complete newbie to computer stuff and am having problems. I had my C drive reformatted because I had a virus that was connected to my Symantec settings, and every time I removed it the system would reboot and reinstall it. As far as I could ascertain, it wasn't letting me update my nortons security.

I am running Zone Alarm Pro and noticed today that it appears I have two copies of some dll's in my nortons folders.

---------

These are:

defaltert.dll - Norton AntiVirus DefAlter c:/program files/norton system works/Norton AntiVirus/DEFALTERT.DLL

same again but in capitals.

APWUTIL.DLL - c:/program files/norton system works/Norton AntiVirus/DEFALTERT.DLL

same again but in capitals

CCEmlPxy.dll c:/program files/common files/Symantec Shared/ccEmlPxy.dll

same again but in capitals

Common Client Error Display

ccErrDsp.ll c:/program files/common files/Symantec Shared/ccErrDsp.dll

same again but in capitals

ccEvt.dll c:/program files/common files/Symantec Shared/ccEvt.dll

same again but file path in capitals.

CCIMSCAN.DLL C:/Program Files/Norton SystemWorks/Norton Anti-Virus/CCIMSCAN.DLL

same again but in caps

comctl132.dll C:/WINDOWS/System32/comctl32.dll

same again:

C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.10.0_X-WW_F7FB5805

DEFALTERT.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

DJSMAR00.dll C:\PROGRAM FILES\NORTON SYSTEMWORKS

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

N32EXCLU.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

NAVAPW32.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

NAVENG32.DLL - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040825.021

AND

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\VIRUSDEFS\20040825.021

NAVEX32A.DLL C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040825.021

AND

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\VIRUSDEFS\20040825.021

NAVLUCBK.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

S32NAVO.DLL C:\Program Files\Norton SystemWorks\Norton AntiVirus

AND

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

Other Weird Files

PATCH321.DLL in C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS

rtcimsp.dll C:\Program Files\Messenger

and

C:\PROGRAM FILES\MESSENGER

-----------

However when viewing through windows explorer these files do not appear to show.

--

I have also been running the netstat command and have some ports 'listening' from ports known to have something to do with dodgy components according to http://www.grc.org

I also have Security Task Manager and HijackThis.

Any help would be vastly appreciated - this is seriously making me consider going offline as it's just too much of a worry.

TY in advance :)
 
Joined
Oct 13, 2003
Messages
2,367
Please go to this site and download HiJackThis by Merijn Bellekom:

***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

HiJackThis download link

Alternate download links:

http://www.spychecker.com/program/hijackthis.html

http://www.majorgeeks.com/download3155.html



Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.
 

spiritcenter

Thread Starter
Joined
Aug 31, 2004
Messages
6
Logfile of HijackThis v1.97.7
Scan saved at 2:28:23 p.m., on 1/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\Mandy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3

--------

TY for your prompt reply! You guys are fast :)
 

spiritcenter

Thread Starter
Joined
Aug 31, 2004
Messages
6
I downloaded HijackThis from spychecker this week so I presume it's the most current copy. That's what I used to provide the log in my last post before this :)
 

spiritcenter

Thread Starter
Joined
Aug 31, 2004
Messages
6
Here tis:

Logfile of HijackThis v1.98.2
Scan saved at 2:50:10 p.m., on 1/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mandy\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
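
Added example, not part of the original thread and not HijackThis code: one way to compare two HijackThis logs from the same machine, such as the v1.97.7 and v1.98.2 logs posted above. It keys browser-object entries on their CLSID, so a changed display name is reported separately from an item that appeared or disappeared; the function names are illustrative and the log excerpts are copied from the posts above.

```python
import re

# Excerpts of the two logs in this thread (v1.97.7 first, then v1.98.2).
LOG_OLD = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
"""
LOG_NEW = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/advanced_search?hl=en
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{33F34322-8A8B-4D38-A475-A51B66F97D6D}: NameServer = 202.27.158.40 202.27.184.3
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "O4 - ..." lines, not process paths
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
CLSID_SECTIONS = {"O2", "O3", "O16"}             # sections whose GUID names a COM object

def parse(log):
    """Return {(section, identity): entry text} for every entry line in a log."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        guid = GUID.search(body)
        # In O17 the GUID is a network interface, shared by the CCS and CS1
        # lines, so only the COM sections are keyed on it.
        if guid and section in CLSID_SECTIONS:
            identity = guid.group(0).upper()
        else:
            identity = body.lower()
        entries[(section, identity)] = body
    return entries

def diff(old_log, new_log):
    """Split the changes between two logs into removed, added and relabelled."""
    old, new = parse(old_log), parse(new_log)
    return {
        "removed": sorted(old[k] for k in old.keys() - new.keys()),
        "added": sorted(new[k] for k in new.keys() - old.keys()),
        "relabelled": sorted(new[k] for k in old.keys() & new.keys() if old[k] != new[k]),
    }
```
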
 

spiritcenter

Thread Starter
Joined
Aug 31, 2004
Messages
6
Yes I did do a reformat :) It was the possibility of having winhole that concerned me but I ran a removal script and it said it wasn't on my system.

What do you think of the two copies of the dll's in my nortons folders? (according to zone alarm program components screen)

Ty for your help - I am relieved there is nothing dodgy in there. Paranoia is not pleasant lol
 
Joined
Oct 13, 2003
Messages
2,367
lol...a dose of paranoia's healthy. I can't say about the double dll's. If you're able to update your anti-virus and your firewall's running, I wouldn't worry about it. (y)
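
Added example, not part of the original thread: a check for the "two copies" listing from the first post. On Windows' default case-insensitive file system, two listings that differ only in letter case or slash direction name the same file, while the System32 and WinSxS entries for comctl32.dll are separate files. The sample entries are constructed from paths quoted in that post, and the function names are illustrative.

```python
import ntpath
from collections import defaultdict

# Constructed sample: (module, folder) pairs taken from the listing in the
# first post of this thread.
ENTRIES = [
    ("NAVAPW32.DLL", r"C:\Program Files\Norton SystemWorks\Norton AntiVirus"),
    ("NAVAPW32.DLL", r"C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS"),
    ("ccEvt.dll", "c:/program files/common files/Symantec Shared"),
    ("CCEVT.DLL", "C:/PROGRAM FILES/COMMON FILES/SYMANTEC SHARED"),
    ("comctl32.dll", r"C:\WINDOWS\System32"),
    ("comctl32.dll", r"C:\WINDOWS\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.10.0_X-WW_F7FB5805"),
]

def canonical(folder, module):
    """Fold letter case and slash direction, as default Win32 path lookup does.

    Not handled here: 8.3 short names (PROGRA~1), links and junctions.
    """
    return ntpath.normcase(ntpath.normpath(ntpath.join(folder, module)))

def classify(entries):
    """Return {module: (verdict, [canonical paths])} for each listed module."""
    seen = defaultdict(set)
    for module, folder in entries:
        seen[module.lower()].add(canonical(folder, module))
    return {
        name: ("same file" if len(paths) == 1 else "distinct copies", sorted(paths))
        for name, paths in seen.items()
    }

if __name__ == "__main__":
    for name, (verdict, paths) in classify(ENTRIES).items():
        print(f"{name}: {verdict}")
        for p in paths:
            print("   ", p)
```
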
 