fncomputer Posted August 25, 2008
Hi there... I noticed my computer acting kinda funny over the past few days and today it did something pretty bizarre; it started to shut windows down by itself. So I ran a virus scan which showed Infostealer.Gampass and Hacktool.Rootkit were on my computer. I went to the Symantec site and followed their removal directions very precisely. The problem I am having now is that I cannot connect to LiveUpdate to update my virus definitions; in fact I cannot access any part of the Symantec website at all. Also I have noticed that when I google "blocked from symantec website" I am denied access to several of the websites that would contain info that may be able to help me. It seems that I have been blocked from some antivirus and tech support websites. Any thoughts on what has happened to my computer? I have checked %systemroot%\system32\drivers\etc\hosts in Notepad and everything appears normal - nothing involving Symantec is there.
Just in case it may be of use, here is a copy of my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:53 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\lphc3oaj0ep8v.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [lphc3oaj0ep8v] C:\WINDOWS\system32\lphc3oaj0ep8v.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139026325265
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9197 bytes

Can anyone point me in the right direction here? Thanks
ɹəuəllıʍ ʇɐb Posted August 25, 2008
Welcome to the Windows Forum. Unfortunately we no longer have the ability to process HJT log files. But of course we will give you the best possible advice for your problem. Can you run an online scan at http://housecall.trendmicro.com/ (v6.6) and see if it finds anything?
andsome Posted August 25, 2008
You can also post your log here: http://www.security-forums.com/
Boris Posted August 25, 2008
I am not a HJT expert but Pat's advice is good. Your Java is two versions out of date. You also have this entry:
O4 - HKLM\..\Run: [lphc3oaj0ep8v] C:\WINDOWS\system32\lphc3oaj0ep8v.exe
- which I do not think is good! Post your HJT log where andsome suggests. Good luck.
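An added example, not from this thread or from HijackThis itself: a small Python parser for the O4 Run entries in a log like the one posted above, which flags autorun executables whose file name looks machine-generated, the pattern Boris picked out. The sample lines are constructed from the log in this thread; the "looks random" heuristic and its thresholds are my own assumptions, not a HijackThis rule.

```python
import math
import re
from collections import Counter

# Constructed sample: O4 lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lphc3oaj0ep8v] C:\WINDOWS\system32\lphc3oaj0ep8v.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Shape of an O4 line: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# The command may be quoted and followed by arguments; keep only the .exe path.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)

def parse_o4(log_text):
    """Return (hive, value name, executable path) for every O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group('cmd'))
        if exe:
            entries.append((m.group('hive'), m.group('name'), exe.group('path')))
    return entries

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(stem):
    """Heuristic (assumption): generated names switch between letters and digits
    several times and/or have high per-character entropy; product names rarely do."""
    classes = ['d' if ch.isdigit() else 'a' for ch in stem if ch.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 3 or shannon_entropy(stem.lower()) >= 3.4

def suspicious_autoruns(log_text):
    """Flag O4 entries whose executable file name looks machine-generated."""
    flagged = []
    for hive, name, path in parse_o4(log_text):
        stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        if looks_random(stem):
            flagged.append((hive, name, path))
    return flagged

if __name__ == '__main__':
    for hive, name, path in suspicious_autoruns(SAMPLE_LOG):
        print(f'suspicious autorun: {hive} [{name}] -> {path}')
```

A flag from this heuristic is a reason to look the file up, not a verdict; legitimate vendors do occasionally ship oddly named binaries.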
fncomputer Posted August 26, 2008
Thanks for all of the help so far. I was able to update my anti-virus by getting the update on my jump drive from another computer. I performed a full scan in safe mode and found 3 new threats: Packed.Generic.111, Trojan.Blusod (which explains some of the strange happenings like my desktop background being replaced with a phony spyware alert) and Trojan Horse. I got to symantec.com from another computer and printed all of the removal instructions, following them very carefully. At present Packed.Generic.111 keeps popping up on my virus scan. I can't seem to get rid of it, although symantec.com's removal instructions were pretty simple. I will run the HouseCall as you advised and let you know what comes up. As far as my Java being updated, I noticed something funny when I tried to update my Java a few nights ago... it wouldn't update?? I don't know what the deal is with that. Once again, thanks for the directions and advice.
I am a bit hesitant to run HouseCall as it required me to connect to the internet with my laptop (which is when it has been going apesh*t!) so I posted the HJT log at security-forums.com and they are helping me get things fixed. Thanks again for the help!
Dencandy Posted August 26, 2008
If I've understood this post correctly, this appears to show yet another example of an infection getting past a Norton/Symantec product. fncomputer, when you've sorted all this out you might want to consider installing a more reliable anti-virus product as well as other security products. If so, you could browse the forum's Internet & Security board for more advice.
ɹəuəllıʍ ʇɐb Posted August 26, 2008
Also, in addition to Dencandy's post, isn't it a bit strange that you must manually remove infections with Symantec? Every other AV I know of will automatically remove infections.
andsome Posted August 26, 2008
It gave me a lot of bother, and took several e-mails to and fro between me and their technical department, involving multiple removal tools, to finally get rid of their program. NEVER AGAIN.