Norton or Rootkit


This topic is locked
4 replies to this topic

#1 fancache (Members, 12 posts)

Posted 15 February 2011 - 08:18 AM

Hello,

Thank you in advance for your time and support.

I run Windows 7 Ultimate, Norton AV 2010, and Norton Ghost 15 for regular backups. Recently I noticed the computer seems like it runs a little bogged down. When running resource monitor I see that ccsvchst.exe runs routinely at around 85-95% cpu usage. Now I know Norton has a history of eating up cpu cycles and a good portion of what I read will tell you to switch to something else. I am looking into what to switch to.

However, before I switch I wanted to make sure I am pointing the finger in the right direction. In other words, I wanted to make sure there wasn't an underlying cause like a trojan, virus, rootkit, etc running on my machine.

So I was hoping someone might look through my log files and point me in the right direction. Also, if you have suggestions on an antivirus product that doesn't consume CPU cycles as Norton does, that would be appreciated also.

Here are my log files, and thank you again.


DDS (Ver_10-10-21.02) - NTFSx86  
Run by main at  7:47:54.45 on Tue 02/15/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.3317.1533 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\main\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Norton Ghost 15.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
LSP: c:\program files\vmware\vmware server\vsocklib.dll
Trusted Zone: upstairs
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://vpn.kkm.com/NELX.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\main\appdata\roaming\mozilla\firefox\profiles\plq0qk6p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys [2011-1-30 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys [2011-1-30 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-14 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys [2011-1-30 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110214.001\IDSvix86.sys [2011-2-14 353912]
R1 nm3;Microsoft Network Monitor 3 Driver;c:\windows\system32\drivers\nm3.sys [2010-6-9 39736]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys [2011-1-30 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1108000.005\symtdiv.sys [2011-1-30 339504]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2011-1-30 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-10 102448]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 46192]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1571336]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2009-7-13 7168]
S3 VMwareHostd;VMware Host Agent;c:\program files\vmware\vmware server\vmware-hostd.exe [2009-10-20 322096]
S3 VMwareServerWebAccess;VMware Server Web Access;c:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2009-10-20 57344]
S3 vmwriter;VMware VSS Writer;c:\program files\vmware\vmware server\vmVssWriter.exe [2009-10-20 22528]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-2 1343400]

=============== Created Last 30 ================

2011-02-12 15:30:44	--------	d-sh--w-	c:\progra~2\System Restore
2011-02-11 15:26:37	--------	d-----w-	c:\program files\iTunes
2011-02-11 15:26:37	--------	d-----w-	c:\program files\iPod
2011-02-11 15:26:37	--------	d-----w-	c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-02-11 15:24:52	--------	d-----w-	c:\program files\Bonjour
2011-02-11 00:04:59	801792	----a-w-	c:\windows\system32\FntCache.dll
2011-01-30 19:57:00	103864	----a-w-	c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 19:57:00	103864	----a-w-	c:\program files\internet explorer\plugins\nppdf32.dll
2011-01-30 05:15:28	339504	----a-w-	c:\windows\system32\drivers\nav\1108000.005\symtdiv.sys
2011-01-30 05:15:28	173104	----a-w-	c:\windows\system32\drivers\nav\1108000.005\symefa.sys
2011-01-30 05:15:27	501888	----a-w-	c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys
2011-01-30 05:15:27	43696	----a-w-	c:\windows\system32\drivers\nav\1108000.005\srtspx.sys
2011-01-30 05:15:27	328752	----a-r-	c:\windows\system32\drivers\nav\1108000.005\symds.sys
2011-01-30 05:15:27	325680	----a-w-	c:\windows\system32\drivers\nav\1108000.005\srtsp.sys
2011-01-30 05:15:27	116784	----a-w-	c:\windows\system32\drivers\nav\1108000.005\ironx86.sys
2011-01-30 05:14:42	--------	d-----w-	c:\windows\system32\drivers\nav\1108000.005
2011-01-30 02:14:05	124976	----a-w-	c:\windows\system32\drivers\SYMEVENT.SYS
2011-01-30 02:13:47	--------	d-----w-	c:\windows\system32\drivers\NAV
2011-01-30 02:13:46	--------	d-----w-	c:\program files\Norton AntiVirus
2011-01-30 02:12:42	--------	d-----w-	c:\program files\NortonInstaller

==================== Find3M  ====================

2011-01-07 07:27:11	34304	----a-w-	c:\windows\system32\atmlib.dll
2011-01-07 05:33:11	294400	----a-w-	c:\windows\system32\atmfd.dll
2011-01-05 05:37:33	428032	----a-w-	c:\windows\system32\vbscript.dll
2011-01-05 03:37:38	2329088	----a-w-	c:\windows\system32\win32k.sys
2010-12-21 05:38:24	73728	----a-w-	c:\windows\system32\wscsvc.dll
2010-12-21 05:38:24	51200	----a-w-	c:\windows\system32\wscapi.dll
2010-12-21 05:38:22	981504	----a-w-	c:\windows\system32\wininet.dll
2010-12-21 05:38:22	350720	----a-w-	c:\windows\system32\winhttp.dll
2010-12-21 05:38:21	204800	----a-w-	c:\windows\system32\WebClnt.dll
2010-12-21 05:38:19	204288	----a-w-	c:\windows\system32\upnp.dll
2010-12-21 05:38:16	14336	----a-w-	c:\windows\system32\slwga.dll
2010-12-21 05:36:17	1389568	----a-w-	c:\windows\system32\msxml6.dll
2010-12-21 05:36:16	1236992	----a-w-	c:\windows\system32\msxml3.dll
2010-12-21 05:34:12	80384	----a-w-	c:\windows\system32\davclnt.dll
2010-12-18 05:29:40	44544	----a-w-	c:\windows\system32\licmgr10.dll
2010-12-18 05:29:31	541184	----a-w-	c:\windows\system32\kerberos.dll
2010-12-18 04:20:55	386048	----a-w-	c:\windows\system32\html.iec
2010-12-18 03:47:59	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2010-12-14 23:51:20	4184352	----a-w-	c:\windows\system32\usbaaplrc.dll
2010-11-29 22:38:30	94208	----a-w-	c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30	69632	----a-w-	c:\windows\system32\QuickTime.qts

============= FINISH:  7:49:47.64 ===============


Thank you to all. :thumbsup:


#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 20 February 2011 - 11:05 AM

Hello,

I don't see anything malicious here. :) Do you still need help with this?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
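What "looking through the log" amounts to in practice, as an added example that is not part of this thread or of BleepingComputer's own tooling: a Python triage pass over DDS-style output (Running Processes, uRun/mRun autoruns, services and drivers) that flags the things a malware-response helper scans for by eye. The rule names, the allow-lists and the sample log are my own; the sample reuses lines from the log above plus one constructed entry (a svchost.exe under AppData, labelled as such) so that the "system binary outside System32" rule has something to fire on. A hit is a review item, not a verdict: Realtek's RtHDVCpl.exe in C:\Windows and dds.scr running from the Desktop both trip rules here and both are benign, while ccSvcHst.exe from its Norton install directory trips nothing.

```python
"""Heuristic triage of a DDS-style log.  Added example, not a BleepingComputer
tool.  It mimics the first pass a helper does by eye over the log's sections:
binaries executing from user-writable locations, core system binaries running
outside System32, autorun entries that rely on the search path, binaries dropped
straight into C:\\Windows, and services whose image is only a host process."""
import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== Running Processes ====="
PATH_RE = re.compile(r'[a-z]:\\.+?\.(?:exe|dll|sys|scr|cpl|com|lnk)(?=[\s"/]|$)', re.I)
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[[^\]]*\]\s*(?P<cmd>.*)$", re.I)

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "wininit.exe", "services.exe", "lsm.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe"}  # short allow-list, an assumption
HOST_PROCESSES = {"dllhost.exe", "svchost.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    section: str
    line: str


def iter_lines(text):
    """Yield (section name, stripped line) for every non-blank line, tracking the ==== headers."""
    section = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        yield section, line


def check_path(path, section, line, out):
    """Apply the path-based rules to one lower-cased image path found on a log line."""
    base = path.rsplit("\\", 1)[-1]
    if any(tok in path for tok in USER_WRITABLE):
        out.append(Finding("user-writable-location", section, line))
    if base in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        out.append(Finding("system-binary-outside-system32", section, line))
    if re.fullmatch(r"c:\\windows\\[^\\]+", path) and base not in WINDOWS_ROOT_OK:
        out.append(Finding("binary-in-windows-root", section, line))
    if section.startswith("SERVICES") and base in HOST_PROCESSES:
        # The image is a generic host: the real code is a DLL/COM object not shown on this line.
        out.append(Finding("service-image-is-host-process", section, line))


def triage(text):
    """Return the list of Findings for a DDS-style log; every hit is a review item, not a verdict."""
    out = []
    for section, line in iter_lines(text):
        paths = [p.lower() for p in PATH_RE.findall(line)]
        for path in paths:
            check_path(path, section, line, out)
        # An autorun value with no full path is resolved through the search path at logon.
        if section.startswith("PSEUDO HJT") and RUN_RE.match(line) and not paths:
            out.append(Finding("autorun-without-full-path", section, line))
    return out


def summarize(findings):
    """Count findings per rule."""
    return Counter(f.rule for f in findings)


# Sample log: lines taken from the poster's DDS output above, plus one constructed
# entry (the svchost.exe under AppData) that is NOT in the poster's log.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\Explorer.EXE
C:\Users\main\Desktop\dds.scr
c:\users\main\appdata\roaming\updater\svchost.exe

============== Pseudo HJT Report ===============

mRun: [Norton Ghost 15.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot

============= SERVICES / DRIVERS ===============

R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2011-1-30 126392]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2009-7-13 7168]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} [{f.section}] {f.line}")
```

Run it against a real DDS log by reading the file into `triage()`. The rules are deliberately cheap: they do not verify Authenticode signatures or hashes, so an unsigned binary in a respectable-looking `c:\program files\` path passes untouched, and a legitimate file in an odd place (the webcam utility vsnpstd.exe in C:\Windows, the DDS scanner itself on the Desktop) is flagged for a human to look at.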

#3 fancache (Topic Starter)

Posted 20 February 2011 - 05:54 PM

If it looks clean then no...I should be all set in that regard. However, do you have a recommendation on an antivirus application to use in place of Norton?

I've heard good things about Avast, ESET NOD32, Avira...

I'm looking for one that is not such a resource hog but provides adequate protection.

Any feedback would be greatly appreciated.

Thanks again.

#4 teacup61 (Malware Response Team)

Posted 21 February 2011 - 05:14 PM

Hello there,

Glad all is well. :)

My personal favorite (and I've used them all) is Avira. It's comparatively light, and very effective.....and free. Can't beat that. :lol: http://www.free-av.com/

Please feel free to ask if you have any further questions. Otherwise........

Take care!
tea

#5 teacup61 (Malware Response Team)

Posted 21 March 2011 - 05:21 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



