Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Trojan.dloader/lx, Syspool.exe, And Probably Much More


  • This topic is locked This topic is locked
14 replies to this topic

#1 stepsinsc

stepsinsc

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 11 March 2007 - 11:11 AM

My girlfriend's laptop is kind of a mess. The main problem is the trojan.Dloader wyrm. It randomly opens up a website that tells me I've been infected with that wyrm and directs me to purchase Spyware Knight. I was also having problems with syspool.exe, but followed some advice in an old thread on what to remove to get rid of it, and the problem appears to be solved with regards to syspool.exe. Thanks.

See below for log:

Edited by stepsinsc, 11 March 2007 - 05:02 PM.


BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:28 PM

Posted 11 March 2007 - 04:26 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Please post a new HijackThis log and in Notepad be sure to click on Format
and place a check mark beside "word wrap" so the log will be easier to read.

#3 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 11 March 2007 - 04:58 PM

Hi David, apologies for the format of my ealier post. Here's my most recent log.

Logfile of HijackThis v1.99.1
Scan saved at 4:50:47 PM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\lindsay hoylman\Desktop\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ASGP32.ASGP - {82B07A2B-F0AF-45FC-BE44-18D83B01EAD9} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\lindsay hoylman\Desktop\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:28 PM

Posted 12 March 2007 - 11:25 AM

Hello there, thanks for posting the log in its new format.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

I would recommend that you uninstall SpyNoMore; it's a rouge antispyware.
You can uninstall it from add/remove in the control panel if you wish.
You can also read more infomation on the following link, where it is listed:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ASGP32.ASGP - {82B07A2B-F0AF-45FC-BE44-18D83B01EAD9} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Program Files\SpyNoMore
C:\WINDOWS\System32\asgp32.dll

Then, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

Edited by D-Trojanator, 12 March 2007 - 11:26 AM.


#5 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 12 March 2007 - 11:46 PM

Hi David, thank you for your help.

I followed your advice that was applicable (the recommended files for deletion were not present).

I had previously tried to run SmitFraudFix but had a problem which also occurred when I tried again after your advice. When I open the cmd file, an alert pops up stating that:

Symantec Script Blocking has prevented a script action that could be harmful to you.
Application: cscript.exe
Source file: \\| \nologo GetPaths.vbs

Object: FileSystem Object
Method: Create Text file


Thereafter, I can try to run the cleaning option of SFF but it does not go through all the steps that it apparently should. I've been a bit perplexed by this as there are no Symantec security programs running or even installed as far as I can tell.

Here's my most recent HJT log in case it's helpful:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:51 PM, on 3/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\dwwin.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\MsgSys.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=011
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\lindsay hoylman\Desktop\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by stepsinsc, 12 March 2007 - 11:49 PM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:28 PM

Posted 13 March 2007 - 11:25 AM

I can see from the log that you actually do have Norton installed, and this is what is stopping the smitfraudfix from running; there is a Norton service that prevents scripts like smitfraudfix running as a security measure, but it will also stop legitimate programs sometimes. If you do go ahead and uninstall Norton, you will not have an antivirus installed, which as you can probably imagine isn't a good idea at all. Here is my suggestion; we'll stop the script blocking service, run smitfraudfix and clean up the PC. At the end we can decide what to do regarding AVs.

There are two ways of doing this, try the first instructions to start with.

To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services.
Find ScriptBlocking services, Right-click the service, and then click and then click Properties. On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.
Now reboot the PC and see if you can run smitfraudfix with the previous instructions.

If you still get the error, start Norton Antivirus if you can locate it.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK. Then reboot and see if you can run the fix.

If you can't get either of the above to work, let me know.
There is a tool we can use to completely remove all Norton traces from the PC.
If you do get smitfraudfix to work, please post back with the log that it creates.

#7 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 13 March 2007 - 04:44 PM

Thank you for your help.

I tried the first option but had no luck. I also had no luck with the second option, but only because I could not find any way to turn scriptblocking off via any Norton program. The only Norton installed on this computer with an executable program is the AV Corporate Edition. I've never used this version before, but the program is so extremely bare-boned that when I run it there are no options. It basically looks like this image but with none of the options on the side except for "Configure" and "Look for Help". Under the Configure menu there are two options underneath it; however, clicking on either of these options does absolutely nothing other than open up a blank screen in the right-hand frame of the program that simply repeats the title from the left-hand expandable menu... Thus, I could find no means to do anything in this program, yet alone turn off scriptblocking.

I looked under the add/remove list on the control panel and noticed that Norton AntiVirus 2004 is listed as an installed program. However, I've looked and run a search but I could find no actual Norton AV 2004 program to run. Further, when I tried to uninstall Norton AV 2004 it says that it found Corporate Edition and I must remove that first. But the Corporate Edition likewise cannot be removed; it says only that there was a "fatal error during installation."

Edited by stepsinsc, 13 March 2007 - 06:01 PM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:28 PM

Posted 14 March 2007 - 01:57 PM

I've had quite a few users with problems removing Norton/Symantec.
Luckily a removal tool can uninstall the program completely.

Please download and save SymNRT.exe to your desktop:
ftp://ftp.symantec.com/public/english_us_...sgen/SymNRT.exe

Close all programs and double click on the tool.
Follow the on-screen instructions.
Restart the computer if asked.
Then delete the SymNRT.exe tool from your desktop.
Open the Program Files folder on your local disk ( normally C: )
Find and delete any folders with Norton/Symantec in it.

Now reboot the PC and try and run smitfraudfix again.

#9 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 18 March 2007 - 03:27 PM

I downloaded SymNRT.exe and tried to run it but it says that the version of Norton Removal Tool I'm using has expired. The version you linked to was 2.01.9. I found the newest version on Norton's website and tried to download and run it, but it told me that I first had to remove the version of Norton AV Corporate Edition that I'm running. However, as I mentioned earlier, I am unable to remove Norton AV Corporate edition from the computer b/c it always pops up that there was an error during installation.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:28 PM

Posted 03 April 2007 - 06:45 AM

Sorry, this thread slipped through the net.

If you are still having problems, please let me know, and I'll do my best to help.

#11 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 03 April 2007 - 06:28 PM

Sorry, this thread slipped through the net.

If you are still having problems, please let me know, and I'll do my best to help.


That's alright. I'm still having the same problem as before: the trojan.Dloader wyrm that hijacks internet browsers and forwards them automatically to a page that has ads to remove it.

My status is basically the same as the last post; I've been unable to run smitfraudfix because I am unable to fully remove all Norton products for the reasons I mentioned above (next post above this).

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:28 PM

Posted 05 April 2007 - 03:48 AM

Hello stepsinsc.
I'll be dealing with your log from now on, David has gone away on holiday for a while.
Before we continue with the fix, I have a few questions for you that can hopefully aid us in the future. Firstly, are you the Administrator on this computer, or is it a corperate PC? I'd also like to know if you're sure you'd like to get rid of Norton? You may have paid for this program, and removing it could mean that you have wasted some of your money on it. There is another program we can run instead of SmitFraudFix if you do not want to get rid of it.
Please answer these questions, and then we'll carry on with getting you cleaned up.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#13 stepsinsc

stepsinsc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 05 April 2007 - 10:21 AM

Hi rookie, thanks for the reply.

I have admin on it; it's a personal laptop. Secondly, it's my girlfriend's computer that she's had for several years without a reformat (she still doesn't want to reformat due to complications of getting an actual copy of windows from the manufacturer, HP). The Norton that was on it was never used; it wasn't even really installed. It seems like there were just partial installations of Norton as it never ran and it was seemingly never functional. I don't know what happened to it over the years, but it seems like it was a crappy install or some files were deleted. Therefore, I have no problem removing it alltogether. She has access to new copies of Norton (and the licenses) through her school anyways, so obtaining a new version is not a problem.

Thanks.

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:28 PM

Posted 05 April 2007 - 02:49 PM

Thanks for clearing that up for me. We'll begin trying to get rid of Norton, trying the easy methods first, and if they fail, we'll go for something a little stronger.
Can you first try uninstalling Norton manually from Safe Mode - if you are unsure how to do that, please follow David's previous instructions. Next, run the SymNRT removal tool again.
Let me know if this removes it.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image


#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:03:28 PM

Posted 27 April 2007 - 10:03 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users