Hacktool.Rootkit PROBLEMS


Jenni3587

:confused: I sent a message to RealBlackStuff (?) asking for support with this. It was only afterwards that I saw he had written in one of his posts specifically asking not to do this and to post on the forums so that everyone can benefit.

I have Norton, which detected it but could not delete it. I also have Webroot Spy Sweeper, which had come up and asked me if I wanted to keep the files I had just downloaded. I clicked to delete them and they were gone. I haven't gotten any popups from Norton since, but I read up on this virus and it seems that it gets itself into your computer sneakylike. I scanned my computer with online scans and Norton and the Spy Sweeper and they all say clean, but I read that this virus can change the infected file names to names that will not be detected in the scans. So I want to just make sure.

I downloaded the hijack program and I have the list right here, but unfortunately it's all GIBBERISH to me. Maybe someone could teach me to read it? Maybe someone could guide me through the rest of this painful process.

Well, anyone who can help, please do!

Logfile of HijackThis v1.99.1
 
As I mentioned in the other thread you posted this in, the biggest problem that pops out at me is this entry:

O23 - Service: GDQH - ??????????????????????????????????? - C:\DOCUME~1\Owner\LOCALS~1\Temp\GDQH.exe


Press ctrl-alt-del on the keyboard and go into Task Manager. Click the Processes tab and CLOSE the GDQH.exe process. Keep a sharp eye on the process list; it may come right back. And then again another process just like it may pop up with a similar but different name.

If HJT can't remove it, you'll have to delete the service manually from Safe Mode. But we'll cross that bridge when we get there.

If you can manage to delete the process, run the program called CrapCleaner. Get it from http://www.ccleaner.com/
All the default settings are fine, just click clean. Do this when the process is gone. CC will clean out those temps where it resides.
Then check HJT again. If it's good, restart and hope it doesn't come back.

You have to close the process with Task Manager before HJT can remove the service, because the nasty will likely just recreate the service. But if you hit it with the 3-punch (process, HJT, CC), it may just be gone for good.
 
OK, so I haven't done what you said yet, but I just wanted to let you know that I think you're the coolest person ever for responding so quickly. I was getting nervous because I thought that I would have to wait a couple days for a response.

OK, going to do what you said now.

So yeah, you're cool. Thank you so much.
 
OK well, I did the whole Ctrl+Alt+Del and I didn't see any GDQH.exe process running at all.

What now? :eek: ..... and hey, how did you know to pick that ONE file out of that whole big list?!
 
Please do NOT double-post and/or do NOT post your new thread in someone else's!

Next time, see How to post your Hijackthis log-files as an attachment.

C:\Documents and Settings\Owner\Desktop\HijackThis.exe
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
lockx.exe
GDQH.exe

Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Next, click Start/Run and type services.msc and click OK. Look for the service (if there):
GDQH.exe
PRISMXL.SYS
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\lockx.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\GDQH.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp020...t=done&action=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: GDQH - ??????????????????????????????????? - C:\DOCUME~1\Owner\LOCALS~1\Temp\GDQH.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
 
You've got a common type of virus or spyware in there. It is quite EASY to tell when there is a bad entry, because for the most part you won't know what it is. For example, you can see by the path if it's part of your system, or AOL or something else. But you NEVER want something running from a TEMP folder.

Secondly, the file name is completely random; it makes no sense. And the reason you didn't see it is likely because it hadn't started yet, or you already deleted it with Crap Cleaner. Or it changed its name to something else.

When you look at 100 HJT logs a week, you begin to see the bad ones pop out pretty easily.

Read this page for a decent guide on reading HJT logs and what to remove: http://aumha.org/a/hjttutor.php

Thanks for your comment. I just happened to be on late last night, and I just happened to respond to your same post in the other thread a minute before. Welcome to TS!
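Vigilante's rules of thumb above (nothing should auto-start from a Temp folder; a random-looking service name or an unreadable company field is a red flag) can be turned into a small checker for the O4 and O23 lines of an HJT log. This Python script is an added example, not code from the thread or from HijackThis; the regexes for the line shapes, the Temp-folder markers and the vowel-less-name heuristic are my own assumptions, and the sample log is constructed from entries quoted in this thread plus one made-up Run entry.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not code from the thread or from HijackThis. It applies the
# rules of thumb given above to the O4 (Run key) and O23 (service) lines of an
# HJT log and reports why a line was flagged. Regexes and heuristics are
# assumptions made for this example.

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

# Locations nothing legitimate should be auto-starting from (lower-cased substrings).
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    kind: str            # "O4" or "O23"
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def exe_path(raw: str) -> str:
    """Strip quotes and trailing arguments from an O4 command line."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)]
    # Unquoted: cut at the first argument that starts with / or -
    return re.split(r"\s+[/-]", raw, maxsplit=1)[0]


def looks_random(name: str) -> bool:
    """Heuristic: a short, vowel-less alphabetic stem like GDQH reads as machine-generated."""
    stem = re.sub(r"\.\w+$", "", name).strip()
    return 3 <= len(stem) <= 8 and stem.isalpha() and not re.search(r"[aeiou]", stem, re.I)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding with its reasons, or None when the line raises no flag."""
    m = O23_RE.match(line)
    if m:
        f = Finding("O23", m["name"], m["path"].strip())
        company = m["company"].strip()
        if not company or set(company) <= {"?"}:
            f.reasons.append("unreadable/missing company field")
        if looks_random(f.name):
            f.reasons.append("random-looking service name")
    else:
        m = O4_RE.match(line)
        if not m:
            return None
        f = Finding("O4", m["name"], exe_path(m["path"]))
    lower = f.path.lower()
    if any(marker in lower for marker in TEMP_MARKERS):
        f.reasons.append("runs from a Temp folder")
    return f if f.reasons else None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line (stripped) to its list of reasons."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        f = check_line(line.strip())
        if f:
            out[line.strip()] = f.reasons
    return out


# Constructed sample: the GDQH and PrismXL lines and two Run entries quoted in
# this thread, plus one made-up Run entry placed in Temp to exercise the O4 check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\updater.exe /silent
O23 - Service: GDQH - ??????????????????????????????????? - C:\DOCUME~1\Owner\LOCALS~1\Temp\GDQH.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for flagged, reasons in triage(SAMPLE_LOG).items():
        print(f"{flagged}\n    -> {', '.join(reasons)}")
```

The heuristics only narrow the list; an entry such as PrismXL passes them and still needs a human (or a vendor lookup) to decide, as happens later in this thread.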
 
If not Norton, then what?

I want to delete Norton Antivirus off my computer, but don't have the cash right now to go out and buy a different one. What do you all suggest? Maybe I can download something? Any ideas? I do have something called Webroot Spy Sweeper which I like so far; it doesn't seem to give me any problems. And I just downloaded Ewido Security Suite. Should I get anything else to scan with if and when I delete Norton?
 
OK, well, I hate to sound like a big *****, but I got really confused with everything last night. I started over. I downloaded Spybot and deleted a bunch of spyware that was apparently on my comp. I also downloaded Ewido and there were like 150-somewhat infected files. I was very surprised. But here is my HijackThis log again..... I'm kinda confused. So please, if you guys could totally bear with me, if I'm being slow, I'm sorry.
 
My HJT Log, anyone get this?

Hey, I posted this in my last thread too, but I'm afraid that no one will notice it there, and I'm a bit antsy anyway. Take a look. I read a tutorial on how to read those logs and made a few assumptions of my own. I checked some that I thought were "bad" but did not fix anything because I figured I should get advice from someone who knows what they are looking at and for. Please help, and let me know. Thank you all so much. This site is truly amazing.
 
Jenni3587 said:
OK, well, I hate to sound like a big *****, but I got really confused with everything last night. I started over. I downloaded Spybot and deleted a bunch of spyware that was apparently on my comp. I also downloaded Ewido and there were like 150-somewhat infected files. I was very surprised. But here is my HijackThis log again..... I'm kinda confused. So please, if you guys could totally bear with me, if I'm being slow, I'm sorry.
It looks better than before, but you still have the Prism thing running.

Put a check next to these and fix them:

---------------------------------------------------------
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp020...sc=&kc=ppacobqi^^^^q^eqmfk`&act=done&action=1
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--------------------------------------------------------

Not all those are bad per se, but just not needed or not required. I see you have Webroot Spy Sweeper as well. I only half-heartedly care for that program. But it wouldn't hurt to update it and run it as well.
Your system isn't too dirty from the looks of things. Just run the usual cleaners such as:

Adaware
Spybot
CrapCleaner
Ewido
HJT
CWShredder

And do your Windows critical updates.

Go in Control Panel to Add/Remove Programs. Look through that list and uninstall anything you don't want or don't need anymore, such as duplicate IE toolbars (Google and AOL?) or any system cleaners you found to be less than adequate. Don't uninstall anything if you don't know what it is. Search for it on Google.

If your Windows has multiple user accounts, you'll have to clean EACH account with these programs. As each account can have their own share of junk.

I see you're already using Firefox, continue to do so. Make sure your Norton suite is up to date and all functions working.

You'll be fine!
 
LOL! I was sending you a message while you were viewing my HJT log, asking you to view it! Oh man! I just had a good laugh! THANK YOU btw!
 
OH hey, another question. Heh, at this point I don't know if I will ever leave you alone. I love asking questions. I downloaded Adaware like you suggested and ran the scan. I got back a file that is said to be dangerous, but it's from my registry. Should I delete it?

Friends always told me "Jen, don't f*ck with your registry", so I don't know what to do. Everything else was tracking cookies, so I think it's safe to discard those.

Whatcha think?
 
I also ran CrapCleaner and deleted a bunch of cookies. I never knew how much junk there was in here. Norton and Spy Sweeper never caught all of this stuff?

Oh, question! Why is it that I'll download Spybot and run a scan and it will find 150 infected files, I will delete them, and then when I download CCleaner and run a scan with *that* it finds MORE? Shouldn't it be clean once I scanned it with another program?

Also! Now that I scanned with CCleaner, I used the button called Issues and I have a bunch of registry things, but it won't let me copy it or save it to anything, so I don't know how to show it to you, and I definitely do not want to start deleting things without consulting.

???
 
ANOTHER VIRUS- Backdoor.greybird!

What do I look like to these things?! I restarted my computer because I was cleaning out my programs to make space on my computer. My Add/Remove Programs froze, so I restarted my comp.

When it started up again, my Norton came up saying that I was at high risk because it was not on, which makes no sense because I fixed the settings so that it would always be on when I first installed it.

Then right afterwards, I got a popup saying I had this virus and Norton was automatically enabled again. Don't know what to do. I'm running scans again.

Seems like I have been doing nothing but running scans and I keep finding more cookies and spyware and all that crap. But now this. I don't know how to deal with it. HELP
 
AND ANOTHER Backdoor.sdbot

What the hell do I do? I'm so fed up. I am actually holding back the tears; I feel like I'm getting nowhere. Please, someone help me.
 
Jenni3587

This is a SERIOUS warning!

Do NOT open up a new thread for every question you have!
When given advice, you don't even follow it!

I suggest you read some posts from people with similar problems, and/or do a Search on the forum with your questions.

Annoying ME is detrimental to your computer's health, I can guarantee you!

PS: I merged all those other new posts into this one, (in case anyone wonders).
 
WHOA, don't panic!

Have peace in the fact that you are joining the millions of other PC users world-wide with the same problems. You've got nothing new!

Lemme see if I can clear up some more of yer questions before bed.

1) As for Adaware, it only searches for specific problems that are known bad. In other words, it doesn't find "good" stuff that you have to be careful about removing. Whatever Adaware finds, remove it!

2) I have not used Crap Cleaner's registry scanner, so I don't fully trust it. I would not do any cleaning of the registry with it. Use it strictly to clean temps with the Clean button. Nothing more.

3) You stumbled upon the very essence of running 3 or 4 programs for cleaning. Adaware, Spybot, Spysweeper, Microsoft Antispyware Beta; they all find spyware, but they also find things that the others don't. You almost ALWAYS have to run 2 cleaners to get 95% of the junk gone.

4) There are major differences between the programs you are using, and what they find.
Adaware, Spybot, and Spysweeper will find software categorized as "spyware" and "adware", meaning programs that send you ads and popups, and "spy" on you to see where you go online and mine personal data from you, such as e-mail addresses, user names and passwords.
Crap Cleaner does not search for ANY "junkware". It simply deletes everything in Windows temp file locations, which those other programs don't deal with. Temp files are just that: temporary files that nearly every program you use creates to hold data as it works. Some temp files are perfectly okay, like most cookies, Windows' own temp files, and files created by your antivirus program. Or temp locations are used as buffers for when you download things from the Internet or do Windows updates. Crap Cleaner deletes all the old temps past, I think, 48 hours old or something like that.

Your Norton, of course, scans only for viruses. So it will neither clean temps, or fix spyware. Unless Norton categorizes a certain spyware program as a virus. Which it does sometimes.

Ewido Security Suite scans for a very specific type of virus/spyware called a "Trojan", which was a term used only for viruses. But now even some adware and spyware apps are treated as such. Trojans use specific functions of Windows to get in and do their thing. Because the number of them is growing so much, they created this program specifically to find them, and do a better job than antivirus and antispyware programs can. Which is why it also finds additional "stuff". And Trojans are sometimes called "Backdoor" viruses, as your Norton calls them, because that kind of describes how they work: using those "backdoor" functions of Windows to slip around and you don't even know it.


Okay. Now about your current issues.
Read this page all about your Backdoor.sdbot. http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html
Read the whole page and follow any new instruction you haven't done. Especially turning off System Restore.

And this page about your Backdoor.greybird.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.greybird.l.html

It's alright that Norton finds these things, that is its job. Perhaps Norton wasn't even working until you cleaned everything up? Then it turned on and found these? No telling, but I think this stuff is jumping at you because it sees its doom approaching!

If I might make a suggestion. Open all your new tools, be SURE to check updates on all them. But don't run them yet.

Turn off System Restore. Right-Click My Computer and click Properties to find the tab.

Restart into Safe Mode. Do this by restarting Windows, and continue to hit F8 on the keyboard BEFORE you ever see the Windows logo. Just keep pressing F8 until you get the menu with Safe Mode option.

Once in Safe Mode, things will look a lot different, that's normal.
Now run all your tools. Adaware, Spybot, Spysweeper, CrapCleaner, Ewido, HJT. Clean everything the spyware tools find.
If you choose Safe Mode with Networking, you can still go online, even to this forum. If so, post your HJT log after everything is done. I would suggest to NOT go back in to Normal Mode (i.e. restart) until we know FOR SURE that you are clean. If you restart and still have one piece of junk left, it will return itself to full working order.
Also, while in Safe Mode with Networking, run a virus scan by going to the web page "housecall.trendmicro.com".

If you want a couple new tools. Download one called BHO Captor from http://www.snapfiles.com/get/bho.html
And download the Microsoft Antispyware Beta. There is a link to it right on their home page in the middle: www.microsoft.com. It only works on XP, but will find yet more (different) files than the other 3 of yours. Plus it runs in the background, which will help keep you from getting reinfected.

If you want to, before doing any of that. UPDATE your Norton, make sure it's working, and run a FULL scan of your system. Being sure to DELETE anything it finds. It should have deleted the two it found already. Make sure it did! Whatever the file is that is infected, delete it!

Good luck, pretty soon you'll be a pro. These bleeping people who write this stuff don't deserve your tears. Hit 'em hard!
 
Oh, posted mine before I saw yours, RBS. Yes Jenni, you don't want to annoy RBS! He is a tough old fart who squashes people with his digitized fingers if they don't do what he says! lol
 
Thank you so much Vigilante, I'm glad you posted even though RealBlackStuff already had. You broke everything down for me piece by piece and that was the best. I wrote everything down so I can do it all. I am going to update my Norton now and run a scan, in normal mode, I guess. And then when I get home I'll do all the rest in safe mode. I am going back home from college in a couple of hours for a wedding, so I am afraid that if I start all this now, when I simply close my laptop it will restart and get out of safe mode, which you specifically said not to do.

As for RealBlackStuff, I did not know that you were not supposed to make new threads for new and different viruses. I thought that you actually wanted us to, so that if people have the same concern as maybe I did, they can find the specific thread for their problem easier. I may not be as quick to understand as many others here, but don't get so angry at me. I won't do anything to upset you intentionally, I can promise you that. So if something comes up and you realize that I did something wrong, keep in mind that I am not trying to annoy you. I didn't follow your original advice because it confused me. I tried, but I ended up getting all twisted. I just needed someone to really break it down for me because I was having a hard time. I didn't ignore your help, I just got very confused very fast, sorry.

I will get back to you guys with the HJT asap. Thanks again, you guys are awesome.
 
Here is the HJT log. I tried to download that Microsoft thing you told me to download, Vigilante, but it said that my installer won't work because it's in safe mode, so I can't install it. I ran everything I have and so far they only found 8 spyware thingies. I haven't run Norton yet, though. I don't know how I am going to get rid of these two backdoors because I don't seem to be finding much. And now all of a sudden I'm getting popups every time I turn on the computer that say that Norton is not compatible with repair? Or something like that?

But anyway, yeah, I am getting those popups from Norton saying that I have those two backdoors. I don't really know what I'm looking for; I don't know what it looks like, so how am I supposed to know when it's gone and I have actually deleted it?

Anyway, here is the HJT log. Thank you again!

Tell me what you think. I will stay in safe mode till I hear back from you guys.

I know that you prefer that I have the HJT log as an attachment, but I don't know why it won't let me. I keep clicking on the Attach button and nothing happens. So I will post it after this post. Sorry.
 
Logfile of HijackThis v1.99.1
Scan saved at 4:23:07 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\High Jack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Your HJT log looks clean! As you can see, most of it is full of Norton stuff. Though I don't know why you have this running: "C:\WINDOWS\system32\sessmgr.exe". That is from Remote Help, or Remote Desktop, which you wouldn't be using in Safe Mode. Just to be on the safe side, right-click My Computer and choose Properties. Then Remote tab, and UNcheck the remote options.

Look back at my last post, I posted two links from Symantec about your two viruses. It should have plenty of info on how to remove them. But doesn't Norton give any kind of option to remove or repair or quarantine these viruses? Does it just say they exist and then that's it? No option to fix?
If that is the case, find out what the file names of the viruses actually are, and go delete them yourself in Safe Mode. If Norton finds a virus, it WILL tell you where it is and what it's called. You may have to read the log or view a report, but you can get the path and file name of the virus, which will likely be in a temp folder, or in the Windows or system32 folder.

Yes, you can't install Microsoft Beta in Safe Mode. But can you run another Norton virus scan? Will it let you? If not, go to the web site I mentioned, "housecall.trendmicro.com" and do their online virus scan. Write down the names of any found viruses, and make sure they are deleted.

Your Norton popup about "norton is not compatible with repair" is odd. I don't know what they mean, but if you could post the exact error message, we could look it up. Perhaps it isn't compatible to "repair" the virus it found? Or some other program perhaps. In any case, those oddities are why you won't find many, if any, people on this forum to recommend Norton products.
With them finding viruses and not removing them or giving you options, sending cryptic errors with no details, forcing you to call their tech support lines at goodness knows how much per minute. And you can see in your HJT log how much "stuff" they put in your system. What is there, like 7 or 8 items? Where most AVs will have maybe 3. With all that junk Norton put on there, they can't even clean 2 little backdoor viruses? So I would suggest, when this is cleared up, get another product to protect you, like Panda or AVG or Kaspersky.

So again, run Housecall, delete the infected files Norton told you about, and you'll probably be safe to go back into Normal mode, where you can scan again with Norton if needed, and install Microsoft Beta, update, and run it.

Lastly I might mention, if you are using Firefox on this forum, that's fine, but the attachment thing uses a popup, which usually is fine as well. Only you may have to turn off FF's popup blocker to do an attachment, or use IE.

Good luck
 