Norton Internet Security/Internet problem (HJT log)

[Vape]

back from holidays. Info is down a few posts.

 

 

 

 

 

 

 

http://forum.tip.it/viewtopic.php?p=2251938#2251938

 

 

 

 

 

 

 

----Old----

 

 

 

Last night I was on the phone for several hours trying to get our home pc fixed up as it seemed my brother had installed some viruses on it. Aftter quizzing him it seemed he'd clicked on a link in msn from someone asking if a link containing his email was him. Well guess what, tonight I get a message from someone with just such a link. Surprise surprise. Searched around the net, seems it's a fairly new thing, could only find references to it in the last few days. Once your computer has been infected, your msn then automatically sends the links to everyone else on your contacts list. I don't have any other details, but my brother said that on our pc at home he can't run any antivirus software and the internet doesn't work. I found a reference on a forum to one person having to reinstall windows to get rid of it.

 

 

 

 

 

 

 

We had the latest Norton Internet Security which auto-updates, but it's no substitute for common sense. Visiting the link in Firefox I simply get asked to download an exe file, but it's possible that if you're using an old version of windows/IE then just clicking the link itself might be enough to check your pc in to the emergency ward.

 

 

 

 

 

 

 

So yeah, if someone says this to you:

 

 

 

 

 

 

 

Infected_User says:

 

 

 

Heh, is this really you? www-messengertools.org/msn.php?session=y8670&[email protected]

 

 

 

 

 

 

 

DO NOT CLICK TEH LINK!

[Mercifull]

pffft

[Mercifull]

pfft

[Mercifull]

About having to reinstall windows to fix. You cant really take this as being the only solution to fix. People panic when they get a virus and something goes horribly wrong and novice users dont really know what to do so they reformat. Ive had to try and fix computers absolutely riddled with crap in the past and have always managed to clean up without the need for reinstalling windows.

 

 

 

 

 

 

 

MSN virus are spread because people click links and accept files from their friends regardless of how suspect it looks. Always make sure to check with your friend that he/she is meaning to send you something.

[Vape]

What sort of newb do you take me for merc? :P

 

 

 

Clarification: I am on holidays, I was assisting my brother in fixing the pc. We were, however, unsuccesful. I guess it'll have to wait until I get home.

 

 

 

 

 

 

 

As for the comment about reinstalling windows, that was mostly just to increase the fear factor :P

[Mercifull]

After investigation of that site it apears it tries to get you to download an exe file. This should also send alarm bells ringing.

 

 

 

This virus is so obvious i dont understand how someone with up to date Windows and Anti-virus can be fooled.

 

 

 

 

 

 

 

The site also appears to be run by a spammer who is probably more interested in your surfing habits to serve spyware than infect your computer with an irrepeairable virus.

 

 

 

 

 

 

 

Up to date Anti virus software should also be able to remove it easily, it is only a variant of an already existing virus.

 

 

 

 

 

 

 

It drops a file called "svshost" into a hidden directory in the system32 folder and blocks the task manager and regedit which is what scares people. Of course theres more than one way into the registry to you can clean it in safe mode or with HJT

[coltm4carbine]

lol 1 thing for sure and that is i ain't gonna click on the links unless i know which virus it is.

 

 

 

 

 

 

 

lol reinstalling...

[Vape]

My brother was telling me it was blocking hijackthis in regular mode, but the hijackthis log didn't seem to show anything evil in safe mode. Might ring him again tonight.

[coltm4carbine]

you will need an older version of hjt but out of all the logs i have seen only a few infections stop hjt from working.

[Vape]

Just got back from holiday, jumped on pc and it's rooted. Did a quick hjt scan but nothing stands out in the log, could someone have a look at it please and I'll go grab myself some beauty sleep and see what I can do tomorrow. Thanks :)

 

 

 

 

 

 

 

Symptoms I've observed atm (Ignore what I said in my previous posts, that was secondhand info from my brother.)

 

 

 

No internet in regular windows mode.

 

 

 

Norton Internet Security doesn't automatically start in regular windows mode

 

 

 

If you attempt to start NIS through start -> all programs etc., you get the microsoft error message "Symantec Integrator has encountered a problem and needs to close. We are sorry for the inconvenience." Please tell microsoft about this problem etc.

 

 

 

Internet works in safe mode with networking.

 

 

 

Can't start NIS in safe mode either, if you send an error report, the more info link from MS doesn't give you any useful info.

 

 

 

Going to run a Norton Antivirus scan in safe mode while I'm sleeping.

 

 

 

I suspect NIS may just be corrupted in some way and all that is required may be a reinstall... I might try that tomorrow.

 

 

 

 

 

 

 

 

 

 

 

Hijackthis log from regular windows mode:

 

 

 

 

 

 

 

Logfile of HijackThis v1.99.1

 

 

 

Scan saved at 11:00:49 PM, on 02/11/05

 

 

 

Platform: Windows XP SP2 (WinNT 5.01.2600)

 

 

 

MSIE: Unable to get Internet Explorer version!

 

 

 

 

 

 

 

Running processes:

 

 

 

C:\WINDOWS\System32\smss[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\services[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\lsass[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\System32\svchost[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\Explorer[Caution: ExecutableFile]

 

 

 

C:\Program Files\MessengerPlus! 3\MsgPlus[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\mHotkey[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\SOUNDMAN[Caution: ExecutableFile]

 

 

 

C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]

 

 

 

C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]

 

 

 

C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]

 

 

 

C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]

 

 

 

C:\Program Files\Folding@Home\FAH502-Console[Caution: ExecutableFile]

 

 

 

C:\Program Files\Symantec\LiveUpdate\AUpdate[Caution: ExecutableFile]

 

 

 

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32[Caution: ExecutableFile]

 

 

 

C:\Program Files\Folding@Home\FahCore_82[Caution: ExecutableFile]

 

 

 

C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile]

 

 

 

C:\Program Files\HijackThis\HijackThis[Caution: ExecutableFile]

 

 

 

 

 

 

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

 

 

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

 

 

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

 

 

 

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

 

 

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

 

 

 

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

 

 

 

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

 

 

 

O4 - HKLM\..\Run: [PRONoMgr[Caution: ExecutableFile]] C:\Program Files\Intel\NCS\PROSet\PRONoMgr[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [CHotkey] mHotkey[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [soundMan] SOUNDMAN[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]

 

 

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

 

 

O4 - HKLM\..\Run: [nwiz] nwiz[Caution: ExecutableFile] /install

 

 

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime

 

 

 

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]"

 

 

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

 

 

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]" /background

 

 

 

O4 - Startup: FAH502-Console[Caution: ExecutableFile].lnk = C:\Program Files\Folding@Home\FAH502-Console[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Adobe Gamma Loader[Caution: ExecutableFile].lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl[Caution: ExecutableFile]

 

 

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA[Caution: ExecutableFile]

 

 

 

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

 

 

 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

 

 

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]

 

 

 

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]

 

 

 

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab

 

 

 

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

 

 

 

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab

 

 

 

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab

 

 

 

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

 

 

 

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3582809406

 

 

 

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab

 

 

 

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3370516062

 

 

 

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab

 

 

 

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b30149.cab

 

 

 

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab

 

 

 

O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

 

 

 

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab

 

 

 

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

 

 

 

O20 - AppInit_DLLs: MsgPlusLoader.dll

 

 

 

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: ExecutableFile]

 

 

 

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]

 

 

 

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc[Caution: ExecutableFile]

 

 

 

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]

 

 

 

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile]

[ale_jrb]

I'm not great with HiJack this, so I can't answer your problem, but if you are willing to spend money and are worried, the best really is ZoneAlarm (not the free version - most of the others).

 

 

 

 

 

 

 

It will auto-start when windows runs and is very hard to stop unless the user absolutely agrees. It can detect programs attempting to do things like block the task manager, run other programs, change the registry, duplicate itself, close programs, set itself to auto-run and much more.

 

 

 

 

 

 

 

It will then pop-up a confirmation dialouge where you can choose whether you want to allow it. If you choose no, I can almost guaratee it will stop whatever is causing the problem. Its great.

[Vape]

I don't need software reccomendations ale_jrb, shoo off outta my topic.