Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HijackThis! Log

Started by david.sorenson , Jan 01 2007 07:13 PM

  • Please log in to reply

#1
david.sorenson
Posted 01 January 2007 - 07:13 PM

david.sorenson

    Member

  • Member
  • PipPip
  • 13 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:00:31 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace.i...ech.edu/qp2.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://www.drd.dyndn...hecker_6110.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://msfm.interwis...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123334050296
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137956252187
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by david.sorenson, 01 January 2007 - 07:14 PM.

  • 0

Advertisements

#2
miekiemoes
Posted 02 January 2007 - 06:56 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

I can't see anything suspicious in your log.
Can you tell me what EXACT problem you are having? I see you mentioning something about system restore and installed programs.. but this is somewhat unclear for me.
Do you get any error when opening add/remove programs? Does system restore display a blank page?
  • 0

#3
david.sorenson
Posted 02 January 2007 - 07:29 AM

david.sorenson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
When I try to go to System Restore, the computer freezes. I ALWAYS have to reboot. The icon for it also is "blank"; as if it's not installed. Is there a .dll or the .exe file missing? I attempted to run chkdsk in the Command Prompt, but it says the (C:\) drive is in use and will run next when the computer is restarted.

When opening add/remove programs under Control Panel the PC just hangs (for several minutes) and the installed programs never display. This happens in administrator mode and all other account types.

When a user first logs in through the welcome screen it takes up to 10 minutes for their profile to load. During this time, the desktop is displayed but the user cannot choose any programs or icons from the desktop or systray. There is also a spike in networking traffic from that tab/screen in Task Manager, and the CPU usage is 100%. There are times when a user also selects an application and there is no response for up to 5 minutes. Once the user has been on the PC for a while the "issue" seems to improve.

I am absolutely confounded. Could it be the hard drive? Would it be easier to just purchase a new computer?

Please help!

David
  • 0

#4
miekiemoes
Posted 02 January 2007 - 08:34 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I can't see anything suspicious in your log though.
Since when did this issue start?

This could be indeed a hardware issue, but can be caused by software as well.
But first we have to make sure that nothing malware related is present.

The freezing system restore and add/remove programs may be caused by some dlls not registered properly as well, or some dlls missing.

Do next first..

Go to start > run and copy and paste next command in the field:

sfc /scannow

This will check for missing or corrupted files and will ask for your cd to restore them.

then, copy and paste next commands one by one in the field in run > start and hit enter.

regsvr32 %Windir%\System32\Mshtml.dll

regsvr32 %Windir%\System32\Jscript.dll

regsvr32 %Windir%\System32\Msi.dll

regsvr32 %windir%\system32\webvw.dll

regsvr32 %Windir%\System32\Mshtmled.dll

You should get a message saying "DllRegisterServer ... succeeded" afterwards after copying and pasting every line and clicking enter.

Then,

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CLASSES_ROOT\.htc]
"Content Type"="text/x-component"

[HKEY_CLASSES_ROOT\.hta]
@="htafile"
"Content Type"="application/hta"

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot. Important!

To check for malware..

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
I need that log later.

Then, * Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv. I need that log later.
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with the blacklight log and drWeb CureIt log.

As a sidenote - the fact you are mentioning that windows starts up very slowly, but once loaded, everything is ok again and you can open the programs again. This *may be caused by Norton as well though, because Norton can still cause a huge boot delay and you can only open programs when Norton is properly started.
Actually, Norton can be the cause of many problems with your computer - an incompatibility issue with other software installed.

To find out, I also want you to restart your computer in safe mode and look if you are having the same problems there (including the crashing system restore and add/remove programs)
The reason why safe mode is needed to test is because Norton isn't active in safe mode.

Extra note.. I see you are logged in with several users at the same time as well. Please only log in under one user and see if the problems are still the same when only one useraccount is active.
  • 0

#5
miekiemoes
Posted 02 January 2007 - 09:35 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi david.sorenson,

I just did some google searches to find similar issues and in 90% of the cases where users were having the same issues was indeed caused by Norton, including the System restore freezings, add/remove programs freezing and the delayed startup.

That's why, I want you to temporary uninstall Norton. That's the way to figure out if it's indeed Norton causing this or not.
You can always reinstall it afterwards again if norton is not the cause here.

To fully remove Norton AntiVirus, you should go here and download the files and print the instructions for removal, and follow them:
How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

Also read this article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton:
http://basconotw.mvps.org/SymRem.htm

Reboot afterwards!! Really important!!

After reboot, install a free Antivirus and Firewall instead (so you'll be still protected).
A good free Antivirus is Avira and a good free Firewall is Kerio. Look in my signature under Antivirus and Firewalls for their downloadlocations or other free alternatives.
  • 0

#6
david.sorenson
Posted 03 January 2007 - 08:12 AM

david.sorenson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Notes:

1.) System Restore and add/remove programs still behaved the same in Safe Mode.
2.) During the RegSvr32 process, the following errors were encountered:
a. C:\WINDOWS\System32\Mshtml.dll was loaded, but the DllRegisterServer entry point was not found. This file can not be loaded.
b. DllRegisterServer in C:\WINDOWS\System32\webvw.dll failed. Return code was: 0x80004005.

Blacklight Log:

01/02/07 18:59:06 [Info]: BlackLight Engine 1.0.55 initialized
01/02/07 18:59:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/07 18:59:07 [Note]: 7019 4
01/02/07 18:59:07 [Note]: 7005 0
01/02/07 18:59:19 [Note]: 7006 0
01/02/07 18:59:19 [Note]: 7011 388
01/02/07 18:59:19 [Note]: 7026 0
01/02/07 18:59:19 [Note]: 7026 0
01/02/07 18:59:37 [Note]: FSRAW library version 1.7.1021
01/02/07 19:07:46 [Note]: 4027 2793 183042048
01/02/07 19:07:46 [Note]: 4020 90 5898240
01/02/07 19:07:46 [Note]: 4018 90 5898240
01/02/07 19:20:09 [Note]: 7007 0

DrWeb.csv Log was empty - no viruses found
Files scanned: 560444
Run time: 2:23:24

ComboFix.txt Log:

David - 07-01-03 6:59:24.21 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\David\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))


2007-01-02 19:20 <DIR> d-------- C:\Documents and Settings\David\DoctorWeb
2006-12-22 04:08 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-22 04:07 <DIR> d-------- C:\Program Files\Grisoft
2006-12-19 16:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2006-12-19 15:29 <DIR> d--h----- C:\Documents and Settings\David\Application Data\GTek
2006-12-19 15:28 6,977 --a------ C:\WINDOWS\SYSTEM32\DDMI2.sys
2006-12-19 15:28 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
2006-12-19 15:28 29,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\goprot51.sys
2006-12-19 15:28 135,168 --a------ C:\WINDOWS\SYSTEM32\GoProto.dll
2006-12-19 15:28 1,851,546 --a------ C:\WINDOWS\SYSTEM32\gdql_lsa.dll
2006-12-19 15:28 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2006-12-19 15:28 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2006-12-13 09:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2006-12-13 08:30 <DIR> d-------- C:\Program Files\1 Click PC Fix 2007
2006-12-12 21:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2006-12-12 21:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-12 21:59 <DIR> d-------- C:\Documents and Settings\David\Application Data\SUPERAntiSpyware.com
2006-12-10 11:44 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-02 20:38 -------- d-------- C:\Documents and Settings\David\Application Data\MailWasherPro
2007-01-01 19:00 -------- d-------- C:\Program Files\HiJackThis
2006-12-22 10:48 -------- d-------- C:\Program Files\Norton AntiVirus
2006-12-22 10:48 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-22 10:46 48776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-12-22 10:46 115000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-12-22 10:46 -------- d-------- C:\Program Files\Symantec
2006-12-22 03:50 -------- d-------- C:\Documents and Settings\David\Application Data\OpenOffice.org2
2006-12-19 18:31 28672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-12-18 17:04 -------- d-------- C:\Documents and Settings\David\Application Data\Google
2006-12-18 17:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-18 17:03 -------- d-------- C:\Program Files\Google
2006-12-16 17:38 -------- d-------- C:\Program Files\Outlook Express
2006-12-16 17:38 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 12:47 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-13 10:38 -------- d-------- C:\Program Files\WinZip
2006-12-13 10:36 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-13 10:10 -------- d-------- C:\Program Files\iTunes
2006-12-13 10:10 -------- d-------- C:\Program Files\Internet Explorer
2006-12-13 10:05 -------- d-------- C:\Program Files\Common Files\Zinio
2006-12-13 09:14 -------- d-------- C:\Documents and Settings\David\Application Data\Symantec
2006-12-13 09:09 -------- d-------- C:\Program Files\Messenger
2006-12-12 21:59 -------- d-------- C:\Program Files\Common Files
2006-12-10 11:44 -------- d-------- C:\Program Files\Trend Micro
2006-12-07 00:40 2362184 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-11-29 12:48 -------- d-------- C:\Program Files\eclipse
2006-11-25 09:12 -------- d---s---- C:\Documents and Settings\David\Application Data\Microsoft
2006-11-25 09:11 -------- d-------- C:\Program Files\OpenOffice.org 2.0
2006-11-25 08:07 -------- d-------- C:\Program Files\Java
2006-11-24 17:50 -------- d-------- C:\Program Files\TrojanHunter 4.2
2006-11-24 17:50 -------- d-------- C:\Program Files\TESTOUT
2006-11-24 17:49 -------- d-------- C:\Program Files\eGames
2006-11-15 16:18 -------- d-------- C:\Program Files\QuickTime
2006-11-07 23:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-19 07:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\SYSTEM32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NAV CfgWiz"="\"C:\\Program Files\\Norton AntiVirus\\CfgWiz.exe\" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE \"REBOOT\""
"MMTray"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe\""
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="c:\\progra~1\\common~1\\instal~1\\update~1\\isuspm.exe -startup"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Regular Scan - David.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - David.job

Completion time: 07-01-03 7:04:18.68
C:\ComboFix.txt ... 07-01-03 07:04
  • 0

#7
miekiemoes
Posted 03 January 2007 - 08:29 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Don't worry about the error messages, I got those as well when reregistering those files.

I can't see anything suspicious in the logs though, and as I already said, this isn't a malware related issue, but something that got corrupted in Windows.

I see you installed or updated Symantec/Norton recently as well.. and as I already said in my previous post, Symantec may be the cause.

So, uninstall Norton/symantec, REBOOT afterwards and look if that solved the problem. In case when it didn't, then I suggest you perform a Windows repair install. http://www.michaelst...pairinstall.htm

A Repair Install will replace the system files with the files on the XP CD used for the Repair Install. It will leave your applications and settings intact, but Windows updates will need to be reapplied.


  • 0

#8
miekiemoes
Posted 03 January 2007 - 10:23 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Extra addition.

In case you decide to perform a Windows repair install, make sure you uninstall your Internet Explorer 7 first via software > add/remove programs and reboot afterwards. Then perform the Windows repair install.

Forgot the fact that you're not able to use add/remove programs to uninstall. So in this case, to uninstall Internet Explorer 7, go to start > run and copy and paste next command in the field and hit enter:

"C:\WINDOWS\ie7\spuninst\spuninst.exe"

To uninstall Norton, open your Hijackthis > config > misc tools and select the "Open Uninstall Manager" there.
You'll find in the list the Norton/symantec related entries. Don't click to delete!!!! , but select the entry and look in the right pane where it says: Uninstall command. There it will display the right uninstall command for each entry you select.

So in this case, select the Norton related entries, and copy what's present in the "Uninstall command"-field and go to start > run and paste the uninstall command there.

Edited by miekiemoes, 03 January 2007 - 10:41 AM.

  • 0

#9
david.sorenson
Posted 05 January 2007 - 11:51 PM

david.sorenson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
miekiemoes:

Just wanted to thank you for your help. The System Restore and add/remove programs under Control panel are still causing freezing and hanging respectively. I am going to perform the XP re-install this weekend and will let you know how it all goes.

Don't close out this topic/thread until you hear from me again.

:whistling:

Regards,

David
  • 0

#10
miekiemoes
Posted 06 January 2007 - 12:21 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Did you uninstall your Norton now?
The fact that it affects both system restore and Add/remove programs to freeze still makes me think that this is an issue with Mshtml.dll/jscript.dll
However, more dlls can be affected ofcourse.
Before the repair install, Can you try next as well?

* Download Dial-a-fix from here:
http://wiki.djlizard...tandard_version

Open dial-a-fix and select under the "Registration Center" part, select everything there and then click the "Go" button below.

Then reboot.

If that didn't solve the problem, do the repair install. But don't forget to uninstall IE7 before doing the repair install! This is really important!

However, If you can still remember since when this issue started, that could give us a clue where to look.
  • 0

#11
david.sorenson
Posted 06 January 2007 - 08:48 AM

david.sorenson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Norton has been unistalled. That did improve response time, but the issues with System Restore and add/remove programs still exist. I know that the system started slowing down when I was "forced" to upgrade to XP SP2 on October 18, 2006.

The other issue was an upgrade to Norton in early December (on or about the 10th).

I will try the dial-a-fix and keep you posted.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP