Looks like Smitfraudfix did its job.
Give me a new HJT scan and log.
Current HJT log in normal mode:
Logfile of HijackThis v1.99.1
Scan saved at 21:23:19, on 15/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Documents and Settings\Administrator\Desktop\Hjtscan.exe
O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\xxxuuu.dll",realset
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R 2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O4 - Global Startup: 3Com Wireless 11g PC Card.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless Utility\3Com Wireless 11g PC Card\Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://bicfs/
O15 - Trusted Zone: milestone.cognisco.com (HKLM)
O15 - Trusted Zone: milestone400.cognisco.com (HKLM)
O15 - Trusted Zone: *.cognisco.com (HKLM)
O15 - Trusted Zone: *.passport.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.cognisco.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.cognisco.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
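As an added example (not from this thread and not part of HijackThis), a small Python triage script that applies, to O-lines like the ones above, the checks a helper does by eye: a binary launching from a Temp folder, a file name one or two letters off a core Windows process name, a BHO with no friendly name, and an entry whose file is missing. The system-name list, the edit-distance threshold and the sample lines are assumptions; the output is a list of candidates for review, not verdicts.

```python
import ntpath
import re
# Constructed sample: a few O-lines in the shape of the log above (not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\ldhje783.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\system32\ldhje783.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
""".strip()
# Core Windows process names that malware often imitates (assumed list, not exhaustive).
SYSTEM_NAMES = sorted({"svchost", "lsass", "winlogon", "csrss", "smss", "services", "spoolsv"})
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # first drive path ending in .exe/.dll

def edit_distance(a, b):  # plain Levenshtein distance, used to catch near-miss names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_entry(line):
    """Return the review reasons for one HJT line; an empty list means nothing stood out."""
    reasons = []
    if line.endswith("(file missing)"):
        reasons.append("references a file that no longer exists")
    for path in PATH_RE.findall(line):
        low = path.lower()
        stem = ntpath.basename(low).rsplit(".", 1)[0]  # file name without extension
        if "\\temp\\" in low:
            reasons.append(f"runs from a temp directory: {path}")
        if stem in SYSTEM_NAMES and not low.startswith(r"c:\windows\system32"):
            reasons.append(f"system process name outside system32: {path}")
        elif stem not in SYSTEM_NAMES and len(stem) >= 4:
            for name in SYSTEM_NAMES:
                if edit_distance(stem, name) <= 2:  # threshold is an assumption
                    reasons.append(f"lookalike of {name}.exe: {path}")
    if line.startswith("O2 - BHO: "):
        parts = line.split(" - ")  # O2, "BHO: <name>", {CLSID}, <path>
        if len(parts) == 4 and parts[1][5:].lower() == parts[3].lower():
            reasons.append("BHO has no friendly name, only its own path")
    return reasons

def triage(log_text):  # map each flagged line to its reasons; clean lines are left out
    return {l: r for l in log_text.splitlines() if (r := check_entry(l))}
```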
Can I ask you why you feel the Norton Anti-virus program is corrupted?
Whenever I do anything to do with a file (e.g. just right clicking to get a context menu is enough) I get the following dialog box:
'Please wait while Windows configures Symantec Antivirus - gathering required information'
Then
'The feature you are trying to use is on a network resource that is unavailable
Try again or enter an alternate path'
It's looking for the Symantec Antivirus .msi file and the suggested location is in the C:\temp\ folder, which sounds a bit suspicious to me.
Cancelling out of these dialog boxes gives the following message:
'Error 1706: No valid source for product'
I'm guessing this is the file system auto-protect element of the software, but there doesn't seem to be any way to fix it as I don't have the original installer for it.
I think it may be time to finally uninstall Symantec AV - contrary to what I had thought it does appear in Add/Remove Programs - I had been frustrated before as I was not able to change any settings despite being logged in as administrator.
On a separate note, it looks like there are a couple of items that could be cleaned up from the HJT log - what should I do with these?
Thanks a lot for the ongoing help, it's much appreciated!
Yes, there are several things showing in the HJT log...some trojans for one thing, which, if you could use the AVG Anti-spy would probably be removed.
Is your Webroot Spysweeper current?
Your BSOD errors generally indicate a driver problem. Have you updated all your drivers lately?
It's back
I tried re-installing Spysweeper from the original installer and as part of the installation it re-booted; now I'm back to instant crashing during the boot sequence.
Now I can't boot into either normal or safe mode.
Is there anything I can do other than going back to the system restore point and starting again?
No, I haven't updated drivers for a long time.
The BSOD messages only appeared after the original virus/trojan appeared. The first sign of the problem starting was that Firefox crashed then corrupted. IE then wouldn't start, so I downloaded updates for Norton and spybot, ran scans then re-started. It was from that point on that I wasn't able to boot back into normal mode.
If it helps, the BSODs I get when trying to boot are the generic
'Windows has encountered an unknown error' without a file reference lower down the page.
When I switch on the machine I get the recovery startup options of safe mode, system restore or normal. Selecting either safe or normal results in an almost instant BSOD which flashes up for a second before the computer restarts.