Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unknown infection(s)... started with Pokapoka and Trojan.Elitebar. Ple


  • Please log in to reply

#31
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great. How is the computer running now?

Post a new Hijack log too.

Thanks
  • 0

Advertisements


#32
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hi loophole!

Ooooh :) The computer seems to be working better! So far, no popups. I also signed on to AIM and the weird mouse thing is not happening! So great, thank you!!! :tazz:
Question... should I turn on the System Restore function?

The following things are still happening tho... any ideas?
- upon sign-on, get the balloon saying "Your system may be at risk. Symantec has been disabled. "
- 4 or 5 balloons pop up consecutively saying the same thing: (paraphrased) "Norton Antivirus Speed Disk Drivers have been disabled to keep your system working properly"
Are these things normal? Fixable?



Here's the HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:42:24 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerberos\leash32.exe
C:\Program Files\Kerberos\krbcc32s.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wisc.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Leash Kerberos Ticket Manager.lnk = C:\Program Files\Kerberos\leash32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103167582532
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Administrator\My Documents\My Downloads\cwshredder-1.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#33
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Firstly (i know you may have tried this) Can you reenable Norton and reboot and tell me if the problem is fixed . If not we will see what we can do :tazz:
  • 0

#34
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
hey :tazz:

to reenable norton, i usually would right-click on the icon on the lower right of my screen, and click "Enable". but in this case, the only things I see are "Open Symantec Antivirus" and "Enable Auto-protect"... and the Auto-protect does have a checkmark next to it already....


so what do i do? i'm probably just not looking in the right place.


(i'll be gone until about 7pm but I'll check this site again when I get back to see if you've posted anything. thanks again!)
  • 0

#35
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Lets find out if your anti virus is actually working..Reboot the computer and let it run for a couple of minutesand clear all the warning balloons out. The following is only a standardized test and not a virus

Click this link

Let me know if it is working
  • 0

#36
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
hey :tazz:

i clicked the link but it just opened up text. did i do it wrong?
  • 0

#37
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
No, your antivirus should have caught it. Make sure enable auto protection is checked and try it one more time
  • 0

#38
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
okay. :tazz:

yup it's enabled.

when i click the link it takes me to this website:
http://www.eicar.org...d/eicar.com.txt

and here is the text i see:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


am i supposed to see text or is it supposed to do something?
  • 0

#39
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Your supposed to get a virus warning. It works for me everytime and I have norton :tazz: . Did your Norton come on disk or was it a download. How long do you have on the subscription?
  • 0

#40
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
this may be a really dumb question... but is "Symantec" the same thing as Norton? because I have Symantec.... I downloaded it from our school website where the school computer people told me I should DL it.

if i right-click and disable the auto-protect, the balloon pops up saying my system might be at risk. but if i rigkt-click then again and enable it, it goes away. i turned on System Restore and restarted and it seemed to start in the Enabled state and not the Disabled state finally, so maybe that was it?

but now I'm wondering why the virus test doesn't work... lemme know waht you think. thanks so much!
  • 0

Advertisements


#41
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Nope not a dumb questionat all. Actually your right it is now Symantec.... I'm used to calling it Norton because everybody I reply to says nortonTry this link and let me know if you get a virus warning link If you dont then your Symantec has probably been compromised. We can fix it but I will have to do some digging to find the right registry key to fix or you can uninstall it and get a different program.
  • 0

#42
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
thanks for explaining! :tazz: oooh okay the link works this time...

am i supposed to click Run or Save?
  • 0

#43
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Neither this is a test. You click the link and Symantec should pop up and say it is a virus. If it doesn't then theres a problem somewhere
  • 0

#44
newe03

newe03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
hmmm okay.

well when i click the link, a window pops up that says:

File Download-Security Warning
Do you want to Run or Save this file?
(And then I just clicked cancel)


But I don't get anything from Symantec. Does that mean my Symantec is not working?
  • 0

#45
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I would guess so??? I'm guessing this is free since you got it through school. We can uninstall it then reinstall. We can uninstall then Install a free antivirus like AVG which is good. Or I can try to figure out what registry keys we need to fix.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP