
Thread: Norton Antivirus 2004 Auto Being Disabled; Win XP.

  1. #11
    Originally posted by bawa@Klite_user@3 August 2004 - 17:10
    Originally posted by gregster007@3 August 2004 - 21:01
    Originally posted by bawa@Klite_user@3 August 2004 - 16:06
    1) if u have NAV2004 pro then u didnt crack it well or used crack on different version
    or
    2) uve efficted with those kinda of viruses that shutdown's NAV

    1/ Cracked it fine and has been working fine for over 2 months until suddenly this started happening.

    2/ I agree i have a virus but i have scanned and scanned and haven't found anything on my machine.
    u cant find it i think so, it efficts a NAV file and it just looks like the original file.
    tell me do u get any error when u try to enable auto protect.
    try to disconnect from internet then run NAV, maybe its NAV Anti Fake key scams which used to bug every1 before perfect cracks were released.
    If I let the command screen run and let it disable NAV when i try to re-enable autoprotect nothing happens; it's like clicking on the button to re-enable is just dud.

    I have tried re-enabling while not on internet to no avail, also have even re-installed NAV (making sure all files have been deleted before installing) and getting same problem.


    I'm not really sure what is happening i will do some more surfing and see if i can come up with anything.

  2. Software & Hardware   -   #12
    iMartin's Avatar ♥Home Grown♥ BT Rep: +9BT Rep +9
    Join Date
    Mar 2003
    Location
    BFE
    Posts
    1,827
    Uninstall Norton, and get Kaspersky.



  3. Software & Hardware   -   #13
    Poster
    Join Date
    Jun 2003
    Posts
    126
    was the virus scan able to clean it? if it was, please reboot and post a new hijack this log.

    edit: I would not recommend installing an antivirus program on an already infected machine. but once he gets clean, i tend to agree with you.

  4. Software & Hardware   -   #14
    Originally posted by dopey@3 August 2004 - 17:48
    was the virus scan able to clean it? if it was, please reboot and post a new hijack this log.

    edit: I would not recommend installing an antivirus program on an already infected machine. but once he gets clean, i tend to agree with you.
    I ran an online virus scan successfully but it did not find any virus on my machine, so it was clean.

    Even if i install a new AV software this still won't change the fact that i still have both of these problems upon startup.

    New Hijack this log below, don't know if this will help though.

    Logfile of HijackThis v1.97.7
    Scan saved at 18:58:01, on 03/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\winnt\system32\drivers\etc\csrss.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    c:\winnt\system32\drivers\etc\lsass.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Temp\Greg\Programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\planetscott.ca\PopupBlock\PBHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
    O4 - HKLM\..\Run: [windows update] iexplore.exe
    O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
    O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
    O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
    O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [windows update] iexplore.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [windows update] iexplore.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.1.28/f...l-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38201.177974537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

  5. Software & Hardware   -   #15
    CornerPocket's Avatar Retired
    Join Date
    Jul 2002
    Location
    aTx, USA
    Posts
    1,576
    Many variants that can cause this (if indeed virii related) Nachi worm, Gaobot.A.; Gaobot.B, and some others cannot remember.

    Gaobot (or some variation of this) can cause the antivirus (norton) to be disabled as soon as boot up time.

    Try this:

    1. Detach machine from Lan/internet
    2. use any other antivirus (other than norton) or use the free tool "stinger" from network associates
    3. Clean the machine using the above tool
    4. Install a firewall (sygate personal is free)
    5. Install your antivirus
    6. connect to lan/internet and download all security patches for ms xp.


    If you indeed have a variant of this type, try using one of these to track it down:

    STINGER
    http://vil.nai.com/vil/stinger/

    PANDA QUICK REMOVER:
    http://www.pandasoftware.com/download/utilities/





    *note* some of these viruses are pretty nasty with some replacing files such as svchost for SCVHOST (NOTICE THE SWITCHED V AND C). For some of the variants you might have to go to the registry and delete some entries manually.

    Good luck!
    "8-ball Corner Pocket"

  6. Software & Hardware   -   #16
    Snee's Avatar Error xɐʇuʎs BT Rep: +1
    Join Date
    Sep 2003
    Location
    on something.
    Age
    44
    Posts
    17,985
    I was browsing around lately when I had a wee infection on an unprotected system, and I found this board very useful. They have ppl who know what to look for in a hijackthis-log better than me, at least. So if all else fails it might be worth a try.

  7. Software & Hardware   -   #17
    Poster
    Join Date
    Jun 2003
    Posts
    126
    make a folder for hijack this, the program makes backups and your program files folder will get very cluttered.

    rescan and check the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver

    O4 - HKLM\..\Run: [windows update] iexplore.exe
    O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
    O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
    O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
    O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
    O4 - HKLM\..\RunServices: [windows update] iexplore.exe
    O4 - HKCU\..\Run: [windows update] iexplore.exe

    this one is optional but really not needed:
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    close all browser windows and hit fix checked.
    make sure hidden files are showing
    Code:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    reboot into safe mode (hit f8 during startup) and delete this file:

    C:\WINDOWS\System32\iexplore.exe <--- (only the one in the system32 folder)


    these files are very suspicious. can you navigate to the location and see if there's any info in the properties? (version, date created, etc)

    C:\winnt\system32\drivers\etc\csrss.exe
    c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
    c:\winnt\system32\drivers\etc\check.bat
    c:\winnt\system32\drivers\etc\secure.exe

    reboot into normal mode and post a new log, and whatever info you could find.

  8. Software & Hardware   -   #18
    Chewie's Avatar Chew E. Bakke
    Join Date
    Feb 2004
    Posts
    4,008
    Originally posted by dopey@3 August 2004 - 19:57
    these files are very suspicious. can you navigate to the location and see if there's any info in the properties? (version, date created, etc)

    C:\winnt\system32\drivers\etc\csrss.exe
    c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
    c:\winnt\system32\drivers\etc\check.bat
    c:\winnt\system32\drivers\etc\secure.exe

    reboot into normal mode and post a new log, and whatever info you could find.
    Yes, they're malicious alright.
    Notice they're in C:\WINNT\? A little odd given that the rest of the system is on C:\WINDOWS\!

    I'd say get a second opinion online scan - Trend? There's a pinned topic somewhere (softwareworld?) that links to several online scanners.

    In fact, after looking around a little... HERE'S a user with a very similar problem.
    There isn't a bargepole long enough for me to work on [a Sony Viao] - clocker 2008
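
The checks made by hand in the posts above (a second `system32` tree under `C:\winnt`, system image names running from the wrong folder, and a Run value that names `iexplore.exe` with no path) can be applied to a HijackThis log mechanically. This is an added example, not part of any post in the thread; the sample log is constructed in the layout quoted above, and the table of expected locations assumes a default Windows XP install.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the HijackThis v1.97.7 layout quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\iexplore.exe
C:\winnt\system32\drivers\etc\csrss.exe
c:\winnt\system32\drivers\etc\lsass.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Assumption: default Windows XP homes of images that malware commonly imitates.
EXPECTED_DIR = {
    "smss.exe": r"{root}\system32",
    "csrss.exe": r"{root}\system32",
    "winlogon.exe": r"{root}\system32",
    "services.exe": r"{root}\system32",
    "lsass.exe": r"{root}\system32",
    "svchost.exe": r"{root}\system32",
    "explorer.exe": r"{root}",
    "iexplore.exe": r"{drive}\program files\internet explorer",
}

O4_RE = re.compile(r'^O4 - (\S+): \[(.+?)\] (.+)$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|bat|cmd|com|scr|dll)\b', re.I)
SYS32_RE = re.compile(r'([a-z]:\\[^\\]+)\\system32\\')


def parse_log(text):
    """Return (process_paths, autoruns); autoruns is [(key, name, command)]."""
    processes, autoruns, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                autoruns.append(m.groups())
    return processes, autoruns


def infer_system_root(paths):
    """Majority vote over the '<root>\\system32' prefixes of running processes."""
    roots = Counter()
    for p in paths:
        m = SYS32_RE.match(p.lower())
        if m:
            roots[m.group(1)] += 1
    return roots.most_common(1)[0][0] if roots else None


def check_path(path, root):
    """Return the reasons (possibly none) why this image path looks out of place."""
    p = ntpath.normpath(path.strip('"')).lower()
    directory, image = ntpath.split(p)
    if not directory:
        return ["no directory given; resolved through the search path"]
    reasons = []
    m = SYS32_RE.match(p)
    if m and m.group(1) != root:
        reasons.append("system32 tree outside " + root)
    expected = EXPECTED_DIR.get(image)
    if expected:
        expected = expected.format(root=root, drive=root[:2])
        if directory != expected:
            reasons.append("%s normally runs from %s" % (image, expected))
    return reasons


def triage(text):
    """Return [(source, path, reasons)] for every suspicious process or autorun."""
    processes, autoruns = parse_log(text)
    root = infer_system_root(processes)
    if root is None:
        raise ValueError("no system32 process found; cannot infer the system root")
    findings = [("process", p, check_path(p, root)) for p in processes]
    for _key, name, command in autoruns:
        # A Run value may carry several paths or a bare file name.
        for target in PATH_RE.findall(command) or [command.split()[0]]:
            findings.append(("autorun [%s]" % name, target, check_path(target, root)))
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    for source, path, reasons in triage(SAMPLE_LOG):
        print("%-24s %s\n    %s" % (source, path, "; ".join(reasons)))
```
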

  9. Software & Hardware   -   #19
    Mïcrösöül°V³'s Avatar Hammer Smashed Face
    Join Date
    Jun 2003
    Location
    who me?
    Age
    51
    Posts
    1,613
    I have always found that the best thing to do, is either PAY for your anti-virus software (seeing as how it's pretty much your ONLY defense), or using some of the free stuff that is out there. I will be the first to use cracked software of any kind EXCEPT for anti-virus or Firewall. Now, I had an issue similar to this one, and although i never got it figured out, I noticed that the problem was caused by something changing my system clock (when i would mouse over my clock, it would say "may 10, 9999" for example). I just reformatted and chalked it up to a badly cracked program (which i have many of) so, narrowing it down was almost impossible, cuz I'm impatient. :helpsmile:

  10. Software & Hardware   -   #20
    I have fixed the main problem (thanks to dopey and Chewie UK) with NAV not loading because of some bogus command prompt.
    It was to do with files within the c:\winnt subfolders; I just renamed and moved the folder to a temp location and all is ok now because it's not running the bogus exe file as you can see below:

    ***********

    Directory of C:\Temp\winnt.old\system32

    31/07/2004 13:59 <DIR> .
    31/07/2004 13:59 <DIR> ..
    31/07/2004 13:59 <DIR> drivers
    02/08/2004 12:05 <DIR> wins
    0 File(s) 0 bytes

    Directory of C:\Temp\winnt.old\system32\drivers

    31/07/2004 13:59 <DIR> .
    31/07/2004 13:59 <DIR> ..
    04/08/2004 09:34 <DIR> etc
    0 File(s) 0 bytes

    Directory of C:\Temp\winnt.old\system32\drivers\etc

    04/08/2004 09:34 <DIR> .
    04/08/2004 09:34 <DIR> ..
    03/07/2003 20:41 32,842 BugSlayerUtil.dll
    20/07/2004 00:25 1,139 check.bat
    06/04/2004 11:23 6,656 cygcrypt-0.dll
    06/07/2003 21:46 68,016 cygregex.dll
    20/07/2004 00:29 1,168 DCCINST.reg
    29/08/2002 16:55 29,696 hidden32.exe
    02/08/2004 12:06 1,400 ir.dll
    31/07/2004 13:59 0 lhost.lm
    31/07/2004 13:59 <DIR> logs
    13/02/2004 17:11 226,276 lsass.exe
    14/04/2003 20:11 44 reg1.bat
    04/08/2004 09:34 1,969 ServUDaemon.ini
    04/08/2004 09:34 529 ServUStartUpLog.txt
    02/08/2004 12:06 5 shost.ls
    20/07/2004 00:22 237 startme.bat
    28/06/2003 17:47 227 sys.txt
    29/07/2004 23:39 40,491 wingen.EXE
    29/07/2004 23:33 1,203 wm.txt
    17 File(s) 411,898 bytes

    Directory of C:\Temp\winnt.old\system32\drivers\etc\logs

    31/07/2004 13:59 <DIR> .
    31/07/2004 13:59 <DIR> ..
    0 File(s) 0 bytes

    Directory of C:\Temp\winnt.old\system32\wins

    02/08/2004 12:05 <DIR> .
    02/08/2004 12:05 <DIR> ..
    29/08/2002 16:55 22,016 KILL.EXE
    29/07/2004 23:41 2,026,450 nsane.exe *******I noticed this file in c:\ and deleted it initially before the post and forgot to mention******
    25/07/2004 17:40 1,187 start.bat
    3 File(s) 2,049,653 bytes

    Total Files Listed:
    20 File(s) 2,461,551 bytes
    14 Dir(s) 3,780,800,512 bytes free

    C:\Temp\winnt.old\system32>

    *********

    Contents of the start.bat file is as follows:

    @echo off

    cd C:\winnt\system32\wins\
    net stop anti-trojan
    net stop antivirus

    C:\WINNT\SYSTEM32\wins\kill.exe nvsvc32.exe
    C:\WINNT\SYSTEM32\wins\kill.exe anti-trojan
    C:\WINNT\SYSTEM32\wins\kill.exe antivirus
    C:\WINNT\SYSTEM32\wins\kill.exe vrmonsvc.exe
    C:\WINNT\SYSTEM32\wins\kill.exe killprocesssetup161.exe
    C:\WINNT\SYSTEM32\wins\kill.exe vrmonNT.exe
    C:\WINNT\SYSTEM32\wins\kill.exe monsvcNT.exe
    C:\WINNT\SYSTEM32\wins\kill.exe navsched.exe
    C:\WINNT\SYSTEM32\wins\kill.exe fxsvc.exe
    C:\WINNT\SYSTEM32\wins\kill.exe clisvc.exe
    C:\WINNT\SYSTEM32\wins\kill.exe mcshield.exe
    C:\WINNT\SYSTEM32\wins\kill.exe mspmspsv.exe
    C:\WINNT\SYSTEM32\wins\kill.exe norton_internet_secu_3.0_407.exe
    C:\WINNT\SYSTEM32\wins\kill.exe ccap.exe
    C:\WINNT\SYSTEM32\wins\kill.exe nprotect.exe
    C:\WINNT\SYSTEM32\wins\kill.exe McVSEscn.exe
    C:\WINNT\SYSTEM32\wins\kill.exe mcagent.exe
    C:\WINNT\SYSTEM32\wins\kill.exe mcvsftsn.exe
    C:\WINNT\SYSTEM32\wins\kill.exe CCAPP.exe
    C:\WINNT\SYSTEM32\wins\kill.exe rmtcfg.exe
    C:\WINNT\SYSTEM32\wins\kill.exe PCCPFW.exe
    C:\WINNT\SYSTEM32\wins\kill.exe PCClient.exe
    C:\WINNT\SYSTEM32\wins\kill.exe pccguide.exe
    C:\WINNT\SYSTEM32\wins\nsane.exe

    As you can see this was the bugger causing the problems; i suggest you all keep an eye out for this as it's new to me and looks like it was doing a lot of mischief!!

    Could someone advise if it's ok to delete the whole of the above folder (bogus winnt folder) as I am not sure if there are some files that windows may require (windows booted up fine with no errors though, but haven’t tried all my apps).








    The problem with the iexplore.exe image is still happening, I tried what you said dopey but couldn’t find the file:
    C:\WINDOWS\System32\iexplore.exe
    to delete. Any further help would be much appreciated but not as urgent as it doesn’t actually affect my machine at all.

    Thanks a lot all.


    NB Below is another HiJack this log if anyone would like a look:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:19, on 04/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\iexplore.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Temp\Greg\Programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
    O1 - Hosts: 66.159.20.52 www1.ndhosting.com
    O1 - Hosts: 66.159.20.52 www3.ndhosting.com
    O1 - Hosts: 66.159.20.52 www2.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.ndhosting.com
    O1 - Hosts: 66.159.20.52 www.kinghost.com
    O1 - Hosts: 66.159.20.52 kinghost.com
    O1 - Hosts: 66.159.20.52 www1.kinghost.com
    O1 - Hosts: 66.159.20.52 www2.kinghost.com
    O1 - Hosts: 66.159.20.52 www3.kinghost.com
    O1 - Hosts: 66.159.20.52 www4.kinghost.com
    O1 - Hosts: 66.159.20.52 www5.kinghost.com
    O1 - Hosts: 66.159.20.52 www6.kinghost.com
    O1 - Hosts: 66.159.20.52 www7.kinghost.com
    O1 - Hosts: 66.159.20.52 www8.kinghost.com
    O1 - Hosts: 66.159.20.52 www9.kinghost.com
    O1 - Hosts: 66.159.20.52 www10.kinghost.com
    O1 - Hosts: 66.159.20.52 www.smutserver.com
    O1 - Hosts: 66.159.20.52 smutserver.com
    O1 - Hosts: 66.159.20.52 www1.smutserver.com
    O1 - Hosts: 66.159.20.52 www2.smutserver.com
    O1 - Hosts: 66.159.20.52 www16.smutserver.com
    O1 - Hosts: 66.159.20.52 www3.smutserver.com
    O1 - Hosts: 66.159.20.52 www4.smutserver.com
    O1 - Hosts: 66.159.20.52 www5.smutserver.com
    O1 - Hosts: 66.159.20.52 www6.smutserver.com
    O1 - Hosts: 66.159.20.52 www7.smutserver.com
    O1 - Hosts: 66.159.20.52 www8.smutserver.com
    O1 - Hosts: 66.159.20.52 www9.smutserver.com
    O1 - Hosts: 66.159.20.52 www10.smutserver.com
    O1 - Hosts: 66.159.20.52 www11.smutserver.com
    O1 - Hosts: 66.159.20.52 www12.smutserver
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\planetscott.ca\PopupBlock\PBHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
    O4 - HKLM\..\Run: [windows update] iexplore.exe
    O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
    O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
    O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
    O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [windows update] iexplore.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [windows update] iexplore.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.1.28/f...l-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38201.177974537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
