[Fixed] heres yet another hijackthis log

genie3251 · 06-21-2006

hey everybody heres another log

okay i'll explain the situation one minute my internet is fine and the next it is running slow i ran ewido found nothing spybot found nothing and have cleaned my temp files with atf cleaner

thanks guys
genie

ladygreenwitch · 06-21-2006

Hey Genie,

Download Spy Sweeper from my signature, make sure that you run a full system scan on all your HDDs. Check the option to scan for Rootkits as well. Post the log back here.

What I am seeing in your log is an ActiveX controller (016 entry) that didn't show up anywhere except in infected logs. The company is listed in multiple places as containing ad and spyware, that's why I am including it to remove. You also do not appear to be running with a firewall, and while I don't see any Symantec programs on your computer, you still have a service running. If you used to have Symantec, Norton, and uninstalled it, we need to get this service to stop running.

Right click on My Computer, select Manage, click on Services. Locate Symantec Network Drivers Service, right click on it and choose Properties. Under Start Up Type change that to Disabled. Find and delete the following C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe. Next in HijackThis, click on Config., Misc. Tools, Delete an NT Service. In the Dialog box type SNDSrvc, then click on OK. (Because this is a Symantec service, HJT may not be able to delete it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (if this item still exists.)

Read the article in my signature PCHF Protect Your PC for more information about free firewalls.

Looking forward to your reply,

TTFN

LGW

genie3251 · 06-21-2006

hey lgw i ran spyseeper and to my suprise it actually found some nastys on the pc. as for the symamtec i tried what u told me to do i disabled it but couldn't delete as nt service it says that it is a system critical file

p.s my pc is in pieces right now i need to get a new psu as my old one let go on me i'm using my sisters

ladygreenwitch · 06-21-2006

Hey Genie,

In order to remove the Symantec Service from your PC you are going to have to do some editing of your registry. BTW, looking at these instructions, I remember why I don't use Symantec any more.

.

Go back into Services as before and look for these
ccApp.exe
NMain.exe
VPC32.exe
VP Tray.exe
ISSVC.exe
Stop any of them that you find. Pull up Task Manager and see if Network Drivers Service is listed, if you find it, right click it and click End Process.

Click on Start Run, type REGEDIT, hit enter. The following is mandatory before performing any changes to your registry; Click on File, Export, choose an identifiable location such as your desktop, name the registry backup today's date, click on Save.

Now you will need to navigate through the registry, when the instructions specify an HKEY location, you can simply find the address, if the instructions tell you to find all instances of an entry, make sure that you have highlighted the the area that you want to search, hit Ctrl+F, and type in the entry you are looking for, hit Enter. For each instance, you will need to close the Find box, delete the entry, then hit Ctrl+F, Enter, to locate the next occurrence. Continue until the response comes back that the entire registry has been checked. Some of these entries may not be in your registry.

In the Windows registry editor, in the left pane, go to the following key:

HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers

In the left pane, right-click LDVPMenu, and then click Delete.

Expand the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall

This key contains many <Package Code> keys.

Use the Ctrl+F instructions above to locate references to Symantec Client Security listed in the right pane.
If you see any references to Symantec Client Security in the right pane, then delete the entire <Package Code> key.

Go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec

Delete the following keys:
CCPD

IDS

PatchInst

SecurePort

SPBBC

Symantec AntiVirus

SymNetDrv

Go to and delete the following registry keys:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\E761730C4 08BDBC4D825D7A248EB45F3

HKEY_CLASSES_ROOT\Installer\Features\7403AF9E51B09 1E458ECEEF76C6EF099

HKEY_CLASSES_ROOT\Installer\Products\7403AF9E51B09 1E458ECEEF76C6EF099

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Upgr adeCodes\E761730C408BDBC4D825D7A248EB45F3

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Feat ures\7403AF9E51B091E458ECEEF76C6EF099

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Prod ucts\7403AF9E51B091E458ECEEF76C6EF099

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\DllUsage\VP6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\App Management\ARPCache\{E9FA3047-0B15-4E19-85CE-EE7FC6E60F99}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Installer\UpgradeCodes\E761730C408BDBC4 D825D7A248EB45F3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Installer\UserData\S-1-5-18\Products\7403AF9E51B091E458ECEEF76C6EF099

Go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps

In the right pane, delete the following entries:
AVENGEDEFS

Common Client

Common Client Data

Common Client Decomposers

NAVNT

SCS Install Directory

SAVCE

SPBBC

SymNetDrv

VP6ClientInstalled

VP6UsageCount

AdBlocking

ConfigWizard

Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es

Delete the following keys:
ccEvtMgr

ccSetMgr

ccPwdSvc

ccProxy

DefWatch

NAVENG

NAVEX15

SAVRoam

SCSRT

SAVRTPEL

SNDSrvc

SPBBCDrv

SPBBCSvc

Symantec AntiVirus

SYMREDRV

SYMTDI

Under HKEY_LOCAL_MACHINE\System, use the Ctrl+F instructions search for and delete any occurance of the following;
ccEvtMgr

ccSetMgr

ccPwdSvc

ccProxy

DefWatch

NAVENG

NAVEX15

SAVRoam

SCSRT

SAVRTPEL

SNDSrvc

SPBBCDrv

SPBBCSvc

Symantec AntiVirus

SYMREDRV

SYMTDI

Go to the following key in the left pane:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\EventLog\Application

Delete the following entries:

ccEvtMgr

ccProxy

ccPwdSvc

ccSetMgr

Defwatch

LiveUpdate

SAVRoam

SNDSrvc

SPBBCSvc

Symantec AntiVirus

Go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Eventlog\System, and delete the SAVRT key.

Go to any existing "ControlSet*"\Services\EventLog\Application and "ControlSet*"\Services\EventLog\System keys and delete the same entries as in the previous three steps.

In the left pane, click My Computer. On the Edit menu, click Find. Search for VirusProtect6. Delete all keys and values that contain this string.

In the left pane, click My Computer. On the Edit menu, click Find. Search for E761730C408BDBC4D825D7A248EB45F3. Delete all keys and values that contain this string.

WARNING: Follow the next seven steps only if the conditions described in the steps are met. These instructions affect registry entries that are used by other Symantec products. If you delete a key or value that is used by another Symantec product, that product must be removed and installed again.
If no other Symantec applications that use virus definitions are installed, go to the HKEY_LOCAL_MACHINE\Software\Symantec key. In the right pane, delete the SharedDefs value.

If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec and delete the following keys: Common Client, SymEvent

If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete the following values:
AMSUsage

Symantec Shared Directory

SymcData-scfidsdefs

Internet Security

Internet Security Data

Shared Options

If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run and delete the ccApp value.

If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run and delete the vptray value.

If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es, and delete the following keys:
SymEvent

SymIDS

SymIDSCo

SymnDIS

Symantec Secure Port

Under HKEY_LOCAL_MACHINE\System, go to any existing ControlSet*\Services keys and delete the same entries as under CurrentControlSet\Services above.

Restart the computer.

Symantec Client Security is now disabled, even though traces of it remain in the registry. These traces have little impact on how your computer operates. It is not necessary to remove them.

Remove Symantec Client Security from the Start menu and the hard drive
After Symantec Client Security is disabled, all that remains is to remove leftover files and shortcuts to the program.

To remove Symantec Client Security from the Start menu
Right-click Start, and then click Open All Users.

Double-click Programs.

Right-click Symantec Client Security, and then click Delete.

To remove Symantec Client Security from the hard drive
Click Start > Programs > Windows Explorer.

Go to the Program Files folder.

Right-click Symantec Client Security, and then click Delete.

WARNING: Follow the next five steps only if the conditions described in the steps are met. These instructions affect files and folders that are used by other Symantec products. If you delete a file or folder that is used by another Symantec product, that product must be removed and installed again.
If Symantec Client Security is the only Symantec product on your computer, delete the Symantec folder.

Go to the Program Files\Common Files\Symantec Shared folder.

If Symantec Client Security is the only Symantec product on your computer, delete the following folders:
AdBlocking

Decomposers

Help

IDS

Options

SPBBC

SPManifests

SSC

SymcData

VirusDefs

Go to the folder C:\Documents and Settings\All Users\Application Data\Symantec\.

Delete the Symantec AntiVirus Corporate Edition folder.

Close Windows Explorer.

ladygreenwitch · 06-21-2006

Sorry about the extensive instructions on getting rid of that Symantec service Genie, they are a bear to get rid of, maybe if we are lucky one of the other guys will have a utility or something to automate it.

Let us know when your PC is back up and running.

Looking forward to your reply,

TTFN

LGW

genie3251 · 06-21-2006

hey lgw

i'm in registry right now and am in HKEY_LOCAL_MACHINE\SOFTWARE\Symantec and have found some of the items that u listed and i found some other ones too like installed apps, shared usage and symevent

should i delete those aswell

ladygreenwitch · 06-22-2006

Hey Genie,

The several times that I had to remove Symantec problems from my registry, I deleted those without incident. However, if you are uncomfortable, stick with only the suggested entries by Symantec.

TTFN

LGW

06-21-2006	#2
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Hey Genie, Download Spy Sweeper from my signature, make sure that you run a full system scan on all your HDDs. Check the option to scan for Rootkits as well. Post the log back here. What I am seeing in your log is an ActiveX controller (016 entry) that didn't show up anywhere except in infected logs. The company is listed in multiple places as containing ad and spyware, that's why I am including it to remove. You also do not appear to be running with a firewall, and while I don't see any Symantec programs on your computer, you still have a service running. If you used to have Symantec, Norton, and uninstalled it, we need to get this service to stop running. Right click on My Computer, select Manage, click on Services. Locate Symantec Network Drivers Service, right click on it and choose Properties. Under Start Up Type change that to Disabled. Find and delete the following C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe. Next in HijackThis, click on Config., Misc. Tools, Delete an NT Service. In the Dialog box type SNDSrvc, then click on OK. (Because this is a Symantec service, HJT may not be able to delete it. R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (if this item still exists.) Read the article in my signature PCHF Protect Your PC for more information about free firewalls. Looking forward to your reply, TTFN LGW __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC

06-21-2006	#4
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Hey Genie, In order to remove the Symantec Service from your PC you are going to have to do some editing of your registry. BTW, looking at these instructions, I remember why I don't use Symantec any more. . Go back into Services as before and look for these ccApp.exe NMain.exe VPC32.exe VP Tray.exe ISSVC.exe Stop any of them that you find. Pull up Task Manager and see if Network Drivers Service is listed, if you find it, right click it and click End Process. Click on Start Run, type REGEDIT, hit enter. The following is mandatory before performing any changes to your registry; Click on File, Export, choose an identifiable location such as your desktop, name the registry backup today's date, click on Save. Now you will need to navigate through the registry, when the instructions specify an HKEY location, you can simply find the address, if the instructions tell you to find all instances of an entry, make sure that you have highlighted the the area that you want to search, hit Ctrl+F, and type in the entry you are looking for, hit Enter. For each instance, you will need to close the Find box, delete the entry, then hit Ctrl+F, Enter, to locate the next occurrence. Continue until the response comes back that the entire registry has been checked. Some of these entries may not be in your registry. In the Windows registry editor, in the left pane, go to the following key: HKEY_CLASSES_ROOT\\Shellex\ContextMenuHandlers In the left pane, right-click LDVPMenu, and then click Delete. Expand the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall This key contains many <Package Code> keys. Use the Ctrl+F instructions above to locate references to Symantec Client Security listed in the right pane. If you see any references to Symantec Client Security in the right pane, then delete the entire <Package Code> key. Go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec Delete the following keys: CCPD IDS PatchInst SecurePort SPBBC Symantec AntiVirus SymNetDrv Go to and delete the following registry keys: HKEY_CLASSES_ROOT\Installer\UpgradeCodes\E761730C4 08BDBC4D825D7A248EB45F3 HKEY_CLASSES_ROOT\Installer\Features\7403AF9E51B09 1E458ECEEF76C6EF099 HKEY_CLASSES_ROOT\Installer\Products\7403AF9E51B09 1E458ECEEF76C6EF099 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Upgr adeCodes\E761730C408BDBC4D825D7A248EB45F3 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Feat ures\7403AF9E51B091E458ECEEF76C6EF099 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Prod ucts\7403AF9E51B091E458ECEEF76C6EF099 HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\DllUsage\VP6 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\App Management\ARPCache\{E9FA3047-0B15-4E19-85CE-EE7FC6E60F99} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Installer\UpgradeCodes\E761730C408BDBC4 D825D7A248EB45F3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Installer\UserData\S-1-5-18\Products\7403AF9E51B091E458ECEEF76C6EF099 Go to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps In the right pane, delete the following entries: AVENGEDEFS Common Client Common Client Data Common Client Decomposers NAVNT SCS Install Directory SAVCE SPBBC SymNetDrv VP6ClientInstalled VP6UsageCount AdBlocking ConfigWizard Go to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es Delete the following keys: ccEvtMgr ccSetMgr ccPwdSvc ccProxy DefWatch NAVENG NAVEX15 SAVRoam SCSRT SAVRTPEL SNDSrvc SPBBCDrv SPBBCSvc Symantec AntiVirus SYMREDRV SYMTDI Under HKEY_LOCAL_MACHINE\System, use the Ctrl+F instructions search for and delete any occurance of the following; ccEvtMgr ccSetMgr ccPwdSvc ccProxy DefWatch NAVENG NAVEX15 SAVRoam SCSRT SAVRTPEL SNDSrvc SPBBCDrv SPBBCSvc Symantec AntiVirus SYMREDRV SYMTDI Go to the following key in the left pane: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\EventLog\Application Delete the following entries: ccEvtMgr ccProxy ccPwdSvc ccSetMgr Defwatch LiveUpdate SAVRoam SNDSrvc SPBBCSvc Symantec AntiVirus Go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Eventlog\System, and delete the SAVRT key. Go to any existing "ControlSet"\Services\EventLog\Application and "ControlSet"\Services\EventLog\System keys and delete the same entries as in the previous three steps. In the left pane, click My Computer. On the Edit menu, click Find. Search for VirusProtect6. Delete all keys and values that contain this string. In the left pane, click My Computer. On the Edit menu, click Find. Search for E761730C408BDBC4D825D7A248EB45F3. Delete all keys and values that contain this string. WARNING:* Follow the next seven steps only if the conditions described in the steps are met. These instructions affect registry entries that are used by other Symantec products. If you delete a key or value that is used by another Symantec product, that product must be removed and installed again. If no other Symantec applications that use virus definitions are installed, go to the HKEY_LOCAL_MACHINE\Software\Symantec key. In the right pane, delete the SharedDefs value. If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec and delete the following keys: Common Client, SymEvent If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete the following values: AMSUsage Symantec Shared Directory SymcData-scfidsdefs Internet Security Internet Security Data Shared Options If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run and delete the ccApp value. If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run and delete the vptray value. If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es, and delete the following keys: SymEvent SymIDS SymIDSCo SymnDIS Symantec Secure Port Under HKEY_LOCAL_MACHINE\System, go to any existing ControlSet\Services keys and delete the same entries as under CurrentControlSet\Services above. Restart the computer. Symantec Client Security is now disabled, even though traces of it remain in the registry. These traces have little impact on how your computer operates. It is not necessary to remove them. Remove Symantec Client Security from the Start menu and the hard drive* After Symantec Client Security is disabled, all that remains is to remove leftover files and shortcuts to the program. To remove Symantec Client Security from the Start menu Right-click Start, and then click Open All Users. Double-click Programs. Right-click Symantec Client Security, and then click Delete. To remove Symantec Client Security from the hard drive Click Start > Programs > Windows Explorer. Go to the Program Files folder. Right-click Symantec Client Security, and then click Delete. WARNING: Follow the next five steps only if the conditions described in the steps are met. These instructions affect files and folders that are used by other Symantec products. If you delete a file or folder that is used by another Symantec product, that product must be removed and installed again. If Symantec Client Security is the only Symantec product on your computer, delete the Symantec folder. Go to the Program Files\Common Files\Symantec Shared folder. If Symantec Client Security is the only Symantec product on your computer, delete the following folders: AdBlocking Decomposers Help IDS Options SPBBC SPManifests SSC SymcData VirusDefs Go to the folder C:\Documents and Settings\All Users\Application Data\Symantec\. Delete the Symantec AntiVirus Corporate Edition folder. Close Windows Explorer. __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC Last edited by ladygreenwitch; 06-21-2006 at 09:05 PM.

06-21-2006	#5
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Sorry about the extensive instructions on getting rid of that Symantec service Genie, they are a bear to get rid of, maybe if we are lucky one of the other guys will have a utility or something to automate it. Let us know when your PC is back up and running. Looking forward to your reply, TTFN LGW __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC

06-21-2006	#6
genie3251 Elite Member Join Date: May 2006 Location: New Brunswick,Canada Posts: 625	hey lgw i'm in registry right now and am in HKEY_LOCAL_MACHINE\SOFTWARE\Symantec and have found some of the items that u listed and i found some other ones too like installed apps, shared usage and symevent should i delete those aswell __________________ //Prework\\ PCHF Rules Blue Screen of Death - Beginners Guide formatting and installing windows xp

06-22-2006	#7
ladygreenwitch Elite Member Join Date: Jul 2005 Location: Bay Area California Posts: 6,625 PC Experience: Very Experienced	Hey Genie, The several times that I had to remove Symantec problems from my registry, I deleted those without incident. However, if you are uncomfortable, stick with only the suggested entries by Symantec. TTFN LGW __________________ PreWork/ AfterWork/ CCleaner/Spybot S&D/ Spyware Blaster/ Adaware SE/ Memtest86/ Shoot the Messenger/ Housecall/ Belarc/ Registry Cleaner/ Bootdisk.com/ XP Install/PCHF Protect Your PC

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode