[edsutton]

"The service you entered is system critical! It can't be deleted." Is that bad? That was for SymWSC

anyway, in the services, I found a few more symantec items:



Symantec Passowrd Validation
Symantec Core LC
Symantec Event manager
Symantec Settings manager

however, I didn't have to stop the process, it wasn't started.

[Advertisements]

Go ahead and reboot into Safe Mode to delete the Symantec Shared folder - keep track of the file names (and the folder they are in) if you can't delete them. We should be able to delete the services after the files are gone.

These are the display name for the services. I need you to give me the service names for each one so we can delete them:

Symantec Passowrd Validation
Symantec Core LC
Symantec Event manager
Symantec Settings manager

You can get the service name by double-clicking on each one and under the General tab it will say "Service Name".

[Michelle]

Go ahead and reboot into Safe Mode to delete the Symantec Shared folder - keep track of the file names (and the folder they are in) if you can't delete them. We should be able to delete the services after the files are gone.

These are the display name for the services. I need you to give me the service names for each one so we can delete them:

Symantec Passowrd Validation
Symantec Core LC
Symantec Event manager
Symantec Settings manager

You can get the service name by double-clicking on each one and under the General tab it will say "Service Name".

[Michelle]

Nevermind about getting the service names. I know what they are

[edsutton]

SymWSC
ccSetMgr
ccPwdSvc
ccEvtMgr

and
Symantec Core LC is the service name on that one.

brb, gonna restart and delete the folder

[edsutton]

ok, lol

[edsutton]

It let me delete the folder no problem and the service no longer shows up on my hjt log. Any additional steps required?

[Michelle]

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

SymWSC

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click NO.

Follow the above instructions for these as well:

ccSetMgr
ccPwdSvc
ccEvtMgr
Symantec Core LC

Click OK, after the last one is entered click YES to the reboot now question.

Post one last HiJackThis log!

Edited by bananafanafo, 12 June 2005 - 03:25 AM.

[edsutton]

I think you've done it!

Thank you very much, I know what a pain it must be helping ppl all the time, but I'm sure it's also rewarding.

I thank you again. Let me know if there's something else I should do besides SP2

Here's the final log for ya, hopefully final

Logfile of HijackThis v1.99.1
Scan saved at 4:42:36 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\DIS\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114106765202
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[Michelle]

I looks good! And solved in just a few hours is great

Congratulations your log is clean! Nice job on getting rid of Aurora, by the way!

I recommend Service Pack 2 now!!

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

Other necessary Programs:

• Firewall<= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm. *NOTE* Service Pack 2 comes with a built-in firewall. If you decide you would rather use one of these, you need to disable Windows Firewall!

[Michelle]

You're very welcome! I'm glad I was able to help

[Michelle]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.