
Removing Norton


14 replies to this topic

#1 Baurge (Members, 28 posts; Location: Florida, USA)

Posted 18 April 2006 - 09:55 PM

Okay... having read the how-to-post-a-problem thread, I believe I am fully prepared... to post a... problem.

I used to have Norton installed on my computer because it came pre-installed, but then my free subscription ran out so I was without an antivirus... Therefore I quickly scrambled to get an anti-virus and tried a few (Panda and NOD32) before finally arriving at ZoneAlarm Pro, and I'm quite pleased.

Anyway, I knew Norton was difficult to remove, so I went to their website and used their removal procedures. Then I ran regedit and deleted some of the Symantec files and Norton files, but some I wasn't clear on what was connected to it.

Then upon examining Windows XP Home, it states I have "one or more" running anti-virus programs. I believe it may be Norton still lurking around because the other two removed quite easily. Can anyone suggest any further steps to assist with my problem?

~Thanks

Edited by Baurge, 18 April 2006 - 09:56 PM.

Everything no matter how great will come to an end.....


#2 acklan (Bleepin' cat's meow; Members, 8,529 posts; Location: Baton Rouge, La.)

Posted 18 April 2006 - 10:36 PM

Okay... having read the how-to-post-a-problem thread, I believe I am fully prepared... to post a... problem.

I used to have Norton installed on my computer because it came pre-installed, but then my free subscription ran out so I was without an antivirus... Therefore I quickly scrambled to get an anti-virus and tried a few (Panda and NOD32) before finally arriving at ZoneAlarm Pro, and I'm quite pleased.

Anyway, I knew Norton was difficult to remove, so I went to their website and used their removal procedures. Then I ran regedit and deleted some of the Symantec files and Norton files, but some I wasn't clear on what was connected to it.

Then upon examining Windows XP Home, it states I have "one or more" running anti-virus programs. I believe it may be Norton still lurking around because the other two removed quite easily. Can anyone suggest any further steps to assist with my problem?

~Thanks

It may be parts of the other Antivirus programs you tried.
"2007 & 2008 Windows Shell/User Award"

#3 Baurge (Topic Starter; Members, 28 posts; Location: Florida, USA)

Posted 19 April 2006 - 08:09 AM

Sorry, I forgot to state that before: when I was without an anti-virus, Windows was still registering Norton as installed and running (and up-to-date to boot); that's why I'm pretty convinced it's still Norton.

#4 tg1911 (Lord Spam Magnet; Members, 19,274 posts; Location: SW Louisiana)

Posted 19 April 2006 - 12:43 PM

What version of Norton were you using?

Then I ran regedit and deleted some of the Symantec files and Norton files, but some I wasn't clear on what was connected to it.

These ones you weren't sure about, did you remove them, or leave them?

.... so I went to their website and used their removal procedures.

Do you have a link to the Norton instructions you used?
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#5 Baurge (Topic Starter; Members, 28 posts; Location: Florida, USA)

Posted 19 April 2006 - 02:16 PM

I was running NIS 2006.

Okay, about regedit: the ones that I was unsure about I left (didn't want to delete anything I might need).

I removed it using SymNRT (sorry, couldn't find the link to the one I used; they seem to have updated their site, so even the link I had to it in my favorites doesn't work), but after using SymNRT it had two other things you were supposed to open: one was to edit the registry and I'm sorry but I can't recall what the other one was.

#6 tg1911 (Lord Spam Magnet; Members, 19,274 posts; Location: SW Louisiana)

Posted 19 April 2006 - 09:49 PM

I can't find anything at the Symantec site on how to uninstall NIS 2006.
The only thing I can find on SymNRT is a page in a language I don't understand:
Fjerne Norton-programmet med SymNRT (Norwegian: "Removing the Norton program with SymNRT")

You should remove anything Symantec says to remove.
Anything left behind, can cause problems.
Norton can be a real pain, if it isn't removed properly.

Don't forget to backup the Registry before making any changes.
Instructions, on how to do that, can be found here:
How to back up, edit, and restore the registry

#7 acklan (Bleepin' cat's meow; Members, 8,529 posts; Location: Baton Rouge, La.)

Posted 19 April 2006 - 10:54 PM

tg1911 did you see this page?

http://service1.symantec.com/SUPPORT/tsgen...005033108162039

#8 tg1911 (Lord Spam Magnet; Members, 19,274 posts; Location: SW Louisiana)

Posted 19 April 2006 - 11:44 PM

Thanks for the link, acklan.
Thought I had it bookmarked, but I couldn't find it.

That looks like your best option, Baurge.
Just skip Step 3.

If that doesn't work, you can try the Manual file download method:
Using the Norton uninstall tool: Manual file download
Skip Step 4.

#9 acklan (Bleepin' cat's meow; Members, 8,529 posts; Location: Baton Rouge, La.)

Posted 19 April 2006 - 11:46 PM

Glad to help.

#10 Baurge (Topic Starter; Members, 28 posts; Location: Florida, USA)

Posted 20 April 2006 - 10:13 PM

Yeah, those are the steps I did before (manual version). I tried both of them; they didn't work again. Maybe Norton is here to stay.....

#11 boopme (To Insanity and Beyond; Global Moderator, 72,239 posts; Location: NJ USA)

Posted 20 April 2006 - 10:34 PM

Hi folks, is this "SymNRT" the same as in D-Trojanator's tutorial? If not, it may help.

http://www.bleepingcomputer.com/forums/top...tml#entry270573

Edited by boopme, 20 April 2006 - 10:35 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#12 Papakid (Guru at being a Newbie; Malware Response Team, 6,522 posts)

Posted 21 April 2006 - 10:56 AM

Yeah, boopme, that should be the same tool.

Baurge, let's not give up yet. :thumbsup: I have a hunch about what might be going on and a way to fix it but I want to see what may be left of Norton on your system. No guarantees, as removing Norton is about like removing malware and in some cases even worse.

Please do the following:

Download Silentrunners from this page:

http://www.silentrunners.org/sr_scriptuse.html

Read over the instructions on that page.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#13 Baurge (Topic Starter; Members, 28 posts; Location: Florida, USA)

Posted 21 April 2006 - 08:25 PM

Got ya a long one... Thanks for all the help, guys. Btw, you were right about my anti-virus.. hehe, didn't like it much... Well, here goes:

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"ForBash" = "C:\DOCUME~1\Raymond\APPLIC~1\RULEWA~1\dart five bin.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"hpWirelessAssistant" = "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" ["Hewlett-Packard Company"]
"BigDogPath" = "C:\WINDOWS\VM_STI.EXE USB PC Camera 301P" ["VM."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"VC BOOK SOAP EXTRA" = "C:\Documents and Settings\All Users\Application Data\amok user vc book\Grey Ref.exe" [null data]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1138324450\ee\AOLSoftware.exe" ["America Online, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IDMIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Internet Download Manager\IDMIECC.dll" ["Internet Download Manager Corp., Tonec Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}" = "Record ISO Image to CD"
-> {HKLM...CLSID} = "CISORecorderContextMenu Object"
\InProcServer32\(Default) = "C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "PAVWAIT.DLL" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * stera" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Create ISO Image from directory\(Default) = "{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}"
-> {HKLM...CLSID} = "CISORecorderContextMenu Object"
\InProcServer32\(Default) = "C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Raymond" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Raymond\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "LimeWire On Startup.lnk.disabled" [null data]
"Microsoft Office OneNote 2003 Quick Launch" -> shortcut to: "C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Enabled Scheduled Tasks:
------------------------

"AE14913A93BF01EA" -> launches: "c:\docume~1\raymond\applic~1\rulewa~1\Curb open owns.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\idmmbc.dll [null data], 01 - 06, 12
%SystemRoot%\system32\mswsock.dll [MS], 07 - 09, 13 - 46
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Research"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
HP WMI Interface, hpqwmi, "C:\Program Files\HPQ\shared\hpqwmi.exe" ["Hewlett-Packard Development Company, L.P."]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
MATLAB Server, matlabserver, "C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe" [null data]
SAP Agent, NwSapAgent, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 46 seconds, including 18 seconds for message boxes)

#14 Papakid (Guru at being a Newbie; Malware Response Team, 6,522 posts)

Posted 22 April 2006 - 12:22 AM

Well, apparently SymNRT worked for you as I see no signs of Norton. However, you've got a piece of Panda still hanging around.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "PAVWAIT.DLL" [file not found]


Dang it, can't bash Norton on this one. Really, most AVs are like tunnel rats: they have to go deep underground to where the enemy is, and all can be hard to remove.

I also have to tell you that you also have some pretty nasty malware--LOP, hotoffers and such that should be removed too. Since the AppInit_DLLs part of the registry is pretty tricky to deal with, I would suggest you post a HijackThis log and we can fix it with that program and deal with the malware too. Kill two birds with one stone. :thumbsup:

Follow the instructions in this thread that apply to you: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ Be sure to post in the HJT logs forum. I would have you post here, but since we're dealing mostly with the registry some one could give inaccurate and thus dangerous advice--the logs forum is closed to that. Just post back here with a link to your log thread and I'll help you with your log since I know about you wanting to get rid of "the other" AV.

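
Papakid's reading of the report can be mechanised for the helper who has to triage many such logs. The Python below is an added example written for this page; it is not part of the thread and is not Silent Runners' own code. It assumes the revision 44 text layout visible in the log (a section heading underlined with dashes, then a registry key or folder line, then one entry per line ending in a `[...]` trailer such as `[MS]`, `["Vendor"]`, `[null data]` or `[file not found]`) and runs over a constructed sample made of a few lines copied from the report. It sorts launch points into the three buckets the post keys on: entries whose target is `[file not found]` (the orphaned PAVWAIT.DLL AppInit_DLLs value and the dead scheduled task), entries that carry INFECTION WARNING! but point at a present, vendor-attributed file, and entries with no vendor information at all.

```python
"""Triage helper for a Silent Runners report (revision 44 text layout assumed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the report posted above,
# trimmed to the sections that matter for this triage.
SAMPLE_REPORT = r"""Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ForBash" = "C:\DOCUME~1\Raymond\APPLIC~1\RULEWA~1\dart five bin.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "PAVWAIT.DLL" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * stera" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]


Enabled Scheduled Tasks:
------------------------

"AE14913A93BF01EA" -> launches: "c:\docume~1\raymond\applic~1\rulewa~1\Curb open owns.exe" [file not found]
"""

WARNING_PREFIX = "INFECTION WARNING!"
# A location line is a registry key or a folder path that the following entries live under.
LOCATION_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|[A-Za-z]:\\)")
# The launch target: the first quoted value after '=', '-> launches:' or '-> shortcut to:'.
TARGET_RE = re.compile(r'(?:=|-> launches:|-> shortcut to:)\s*"+(.*?)"+\s*\[')
# The last [...] trailer carries the vendor name, [MS], or a status such as [file not found].
TRAILER_RE = re.compile(r"\[([^\]]*)\]\s*$")


@dataclass
class Entry:
    section: str           # report section, e.g. "Startup items buried in registry"
    location: str          # registry key or startup folder the entry sits under
    raw: str               # the entry line without the warning prefix
    target: str            # file or command the entry launches
    vendor: Optional[str]  # company name from the trailer, None if absent or unknown
    warned: bool           # Silent Runners printed INFECTION WARNING! for it
    missing: bool          # the trailer says [file not found]


def _vendor(raw: str) -> Optional[str]:
    m = TRAILER_RE.search(raw)
    if not m:
        return None
    tag = m.group(1).strip().strip('"')
    if tag == "MS":
        return "Microsoft"
    if tag in ("null data", "empty string", "file not found"):
        return None
    return tag


def parse_silent_runners(text: str) -> List[Entry]:
    lines = text.splitlines()
    entries: List[Entry] = []
    section, location = "(none)", "(none)"
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped == "-" * len(stripped):
            continue  # blank line or a dashed underline
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and nxt == "-" * len(nxt):
            section, location = stripped.rstrip(":"), "(none)"  # heading underlined with dashes
            continue
        if LOCATION_RE.match(stripped) and "[" not in stripped:
            location = stripped.replace(" {++}", "")
            continue
        warned = stripped.startswith(WARNING_PREFIX)
        raw = stripped[len(WARNING_PREFIX):].strip() if warned else stripped
        m = TARGET_RE.search(raw)
        if not m:
            continue  # sub-header or CLSID cross-reference line, not a launch point
        entries.append(Entry(section, location, raw, m.group(1), _vendor(raw),
                             warned, "[file not found]" in raw))
    return entries


def triage(entries: List[Entry]) -> Tuple[List[Entry], List[Entry], List[Entry]]:
    """Split entries into: launch points whose file is gone (orphaned leftovers such
    as the PAVWAIT.DLL AppInit_DLLs value), entries Silent Runners warns about but
    whose file is present and attributed to a vendor, and entries with no vendor
    information at all. The last group is only a lead: legitimate software also
    shows up as [null data]."""
    orphaned = [e for e in entries if e.missing]
    warned_present = [e for e in entries if e.warned and not e.missing and e.vendor]
    unattributed = [e for e in entries if not e.missing and e.vendor is None]
    return orphaned, warned_present, unattributed


if __name__ == "__main__":
    for label, group in zip(("ORPHANED", "WARNED BUT PRESENT", "NO VENDOR INFO"),
                            triage(parse_silent_runners(SAMPLE_REPORT))):
        print(f"== {label} ==")
        for e in group:
            print(f"  [{e.section}] {e.location} -> {e.target}")
```

The third bucket is a lead rather than a verdict: the full report above shows WinRAR's rarext.dll and the MATLAB server with [null data] too, so an unattributed entry needs its file inspected, not deleted. The PAVWAIT.DLL line lands in the first bucket because the registry value survived while the DLL is gone, which is exactly the kind of leftover the post points at, and the same check catches the dead scheduled task further down the report.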


#15 Baurge (Topic Starter; Members, 28 posts; Location: Florida, USA)

Posted 22 April 2006 - 06:15 PM

I had already run a HijackThis report, but no one's responded to it yet. I was just about to post in the "not responded to in 5 days" topic, but then I saw your post. So here's the link to my post with an updated HijackThis report: http://www.bleepingcomputer.com/forums/ind...75&#entry273075 I hope that someone can help me; I really would like to clean my computer up as much as possible....



