 Norton Antivirus shows spyware infection, Cannot remove spyware shown during scan |
Forum Rules
Greetings,
Before you post in this forum,please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
  |
 Dec 17 2005, 08:22 PM
Post
#1
|
|
|
New Member  Group: Member Posts: 2 Joined: 17-December 05 Member No.: 17222  |
Hello,
I am a newbie to all of this. I have run Adaware SE, Spybot, Norton, etc... Norton is showing that I have spyware described as follows: C:\RECYCLER\S-1-5-21-1123561945-682003330-307799911-1007\Dc7.exe I tried following the advice in this forums stickies... Ran Panda online scan.. showed the same thing and showed Save.now in windows registry. Ran HiJack This - Here is the log. Would appreciate any help to figure this out. Logfile of HijackThis v1.99.1 Scan saved at 2:16:42 PM, on 12/17/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Pop Blocker\updatedl.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HiJackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Updated.Toolbar - {9F6A22E6-1682-4F82-9B72-6314794CB253} - C:\Program Files\Pop Blocker\Updated.dll O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109129736046 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1122693310765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F96AFD80-BC9A-4298-B712-C2B7F1B016B0}: NameServer = 207.179.200.2,207.179.200.10 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
 |
|
|
Dec 17 2005, 09:45 PM
Post
#2
|
|
|
Most Respected SuperExpert Group: Member Posts: 4576 Joined: 9-June 04 Member No.: 8164 |
The files is in the Recycle bin.
Empty the Recycle bin. If the file still there? If so, go to Start >Run and type regedit. Press enter. Go to this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1123561945-682003330-307799911-1007 Highlight S-1-5-21-1123561945-682003330-307799911-1007 in the left pane and look in the right pane for this value: ProfileImagePath That will give you the User name for that account. Sign in as that User and delete the contents of the recycle bin. |
|
|
|
|
Dec 17 2005, 10:29 PM
Post
#3
|
|
|
New Member Group: Member Posts: 2 Joined: 17-December 05 Member No.: 17222 |
That did the trick! Learn something new every day>
Thank you very much. 
|
|
|
|
|
Dec 17 2005, 10:42 PM
Post
#4
|
|
|
Most Respected SuperExpert Group: Member Posts: 4576 Joined: 9-June 04 Member No.: 8164 |
You're welcome. I am not sure what infection was cleaned out so let's be safe.
Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today. After something like this it is a good idea to Flush the Restore Points and start fresh. To flush the XP system Restore Points. Go to Start>Run and type msconfig Press enter. When msconfig opens, click the Launch System Restore Button. On the next page, click the System Restore Settings Link on the left. Check the box labeled Turn off System restore. Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created. ---------------------------- Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future. http://www.computercops.biz/postt7736.html |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 21st November 2009 - 11:35 PM |
