TechSpot

Strange events indicate problem?

By captainrob
Apr 12, 2008
  1. Hello,
    Any thoughts/ideas on Norton Internet Security 2008?

    I'm suspicious it may have let something through, and wondering if I need supplemental protection.

    CaptRob
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're going to have to be more specific. If you just want an opinion on Norton, I can give you one- I prefer other products over Norton.

    Now, what is your problem?
     
  3. captainrob

    captainrob TS Rookie Topic Starter

    Bobbye,
    Thanks for the reply. I had typed out a very detailed account of the problem, but since I'm new to TechSpot, I have to post 5 times before I can paste a link! The HiJackThis log is of links, so I'll have to post later.

    I just returned home from work, so I'll post my other 3 or 4 responses, then I'll be able to give you the details.

    Annoying, but I understand TechSpot has to protect itself against becoming abused for marketing ...
    CaptRob
     
  4. captainrob

    captainrob TS Rookie Topic Starter

    The reason I'm asking about Norton... I've read some remarks that it is not as good as its marketing.

    I'm wondering if there is a higher level of protection afforded via supplementing Norton with other software.

    CaptRob
     
  5. captainrob

    captainrob TS Rookie Topic Starter

    Here's the first part of the story:

    Good morning,
    Several recent red flags are suspicious. First, some background.

    I bought new HP pc Dec'07 & installed Norton Internet Security 2008. The pc is for home/family use, and I set high levels of parental controls for the kids and wife (you can imagine how the wife likes that!). I switched to Firefox Beta 3 about a month ago.

    Last night, Firefox blocked my daughter from Wunderground. When I tried to give permission via the pop-up, Firefox began opening tabs in rapid succession. When I finally was able to stop it, more than 80 tabs had to be deleted when Firefox closed.

    I logged on & checked Norton; it did not indicate a problem. I commanded a Live Update, then a full system scan. I left it running & went to bed. When I awoke this am, I woke up the pc, but it locked up in the "Logging Off" mode. I eventually had to do a hard shutdown by powering off.

    I powered up, then did a normal shut down. After the successful shutdown, I turned pc on & checked the Norton Log. Apparently last night's Full System Scan didn't complete; there was no record in the Log. I noticed a "Launcher.exe" made 105 changes to Windows Startup Settings this morning.
     
  6. captainrob

    captainrob TS Rookie Topic Starter

    the rest of the story:
    I googled launcher.exe and discovered Techspot. I am impressed by the technical proficiency of members, and took the advice to use HiJackThis. Here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:01:54 AM, on 4/12/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16643)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\schtasks.exe
    C:\Windows\ehome\ehmsas.exe
    C:\hp\kbd\kbd.exe
    C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O13 - Gopher Prefix:
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8382 bytes



    I have two questions:
    1. Anything suspicious in the HJT log?
    2. Any suggestions regarding supplemental security software in addition to Norton?

    Thanks very much,
    CaptRob
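A first-pass triage of a HijackThis log like the one posted above, as an added example (not code from the thread's participants or from HijackThis). The three review rules are assumptions of this example; a match only queues an entry for a closer look and says nothing about whether it is harmful. The sample lines are copied from the log in this thread.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")

# Review rules (assumptions of this example, not HijackThis verdicts).
RULES = [
    ("O4", re.compile(r"\\RunOnce:", re.I), "one-shot autostart entry"),
    ("O10", re.compile(r"^Unknown file in Winsock LSP", re.I),
     "LSP file HijackThis does not recognise"),
    ("O23", re.compile(r" - Unknown owner - ", re.I),
     "service whose owner HijackThis could not determine"),
]

def parse_entries(text):
    """Return (section, detail) pairs for every 'Xn - ...' line; skip the rest."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def review_queue(text):
    """Collapse repeated entries and return those matching a review rule."""
    counts = Counter(parse_entries(text))  # keeps first-seen order
    queue = []
    for (section, detail), n in counts.items():
        for rule_section, pattern, reason in RULES:
            if section == rule_section and pattern.search(detail):
                queue.append({"section": section, "detail": detail,
                              "count": n, "reason": reason})
    return queue

if __name__ == "__main__":
    for item in review_queue(SAMPLE_LOG):
        print(f'{item["section"]} x{item["count"]}: {item["detail"]}'
              f'  <- {item["reason"]}')
```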
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I follow you here. About Norton, I twice got the free version with 2 new Dell systems. Replaced NIS on laptop as quickly as possible. My personal choice is for separate, free-standing programs, rather than a security suite- from anyone. If there is a problem and you have a suite, it is often difficult to find the part that is causing it.

    Many "loyal" Norton users have given it up in favor of other security software. I think it was about 2 years ago that those users realized what a 'resource hog' the Norton programs are. It was that and difficulties getting the Live Updates in a timely manner and without problems.

    I have been using Firefox for 3 years- I have the latest full release, v2.0.0.13. I don't get beta versions- why ask for trouble?! I opened the Wunderground site in Firefox with no problems or warnings. But I did use the Adblock extension so I checked it. There are a ton of icon ads on the site and Adblock blocked 7 of them. I did not get any notice of a blocked pop-up so think it must be a beta 'thing'.

    Go back to the current full release of Firefox. Use the Adblock extension and its companion Filterset updater:
    For Adblock:
    https://addons.update.mozilla.org/en-US/firefox/addon/10?id=10&application=firefox

    For Adblock Filterset G:
    https://addons.mozilla.org/en-US/firefox/addon/1136

    I went to a router for added security. I also have AVG AV (paid), 2 spyware/adware programs and use the Windows Firewall. That has kept me safe, along with safe surfing habits. I don't have to use the Content section.

    Re: Launcher.exe: launcher.exe is an executable belonging to many applications including Webshots- a Windows desktop downloader, Uinterface Mouselaunch- a file and application initiator, and also a hardware interface for Samsung products. Note: launcher.exe is an advertising program by Intercort Systems. (From Uniblue Process Library)

    This smacks of spyware. I suggest you get Spybot & Destroy on board:
    http://www.safer-networking.org/en/index.html

    And SpywareBlaster:
    http://www.javacoolsoftware.com/spywareblaster.html
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  9. captainrob

    captainrob TS Rookie Topic Starter

    Bobbye,
    Thanks a bunch! I appreciate your advice, and I guess I should have the hjt log reviewed further. Any suggestions where I should send it?
    CaptRob
     
  10. captainrob

    captainrob TS Rookie Topic Starter

    Hey Bobbye, I guess I am ignorant regarding the Firefox Beta... I had Beta 2 until recently upgraded to Beta 3. I didn't know there was a difference...
    CaptRob
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    http://www.techspot.com/vb/showthread.php?p=605184#post605184

    Go to the reference site I left for the malware cleaning process. Follow the directions for scanning and posting the logs as attachments. You won't have to go through all you posted except what I have quoted above. The URL above references this thread.

    As for Firefox, v2 has been out of beta for a long time. You should have been getting notice of updates, some of which were for security and updating to the most current version of v2.0.0.13. Please go back and reload that version and make sure the following setting is checked:

    Tools> options> Advanced> Update tab> 'when there is an update' section> check 'automatically download and install the update'. You will then get notice, but the update won't be installed until you close, then reopen Firefox. If you only had the beta v2, you were at a security risk.

    Wait for v3 to come out in full release.
     
  12. captainrob

    captainrob TS Rookie Topic Starter

    Thanks Bobbye,
    I guess "Beta" means an "experimental" version still in the process of R&D???
    Thanks again,
    CaptRob
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, it does. I also equate 'beta' with the term 'bugs'- Betas are testing versions of software, better used by those who are 'testers' and they are specifically put out to work out as many 'bugs' as possible before the Final Release to the public.
     
  14. captainrob

    captainrob TS Rookie Topic Starter

    Bobbye,
    Thanks; live & learn... or as Homer Simpson eloquently states: "Doh!!"
    Thanks again for all your help.
    CaptRob
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Please go ahead with the malware cleaning. There are some entries you need to deal with.
     
Topic Status:
Not open for further replies.
