Hijackthis! Logs (Security & Safety forums)
06-21-2006
Elite Member
Join Date: May 2006
Location: New Brunswick,Canada
Posts: 631
[Fixed] here's yet another hijackthis log
Hey everybody, here's another log.
Okay, I'll explain the situation: one minute my internet is fine and the next it is running slow. I ran Ewido and found nothing, Spybot found nothing, and I have cleaned my temp files with ATF Cleaner.
Thanks guys,
genie
06-21-2006
Elite Member
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,642
Hey Genie,
Download Spy Sweeper from my signature, make sure that you run a full system scan on all your HDDs. Check the option to scan for Rootkits as well. Post the log back here.
What I am seeing in your log is an ActiveX controller (O16 entry) that didn't show up anywhere except in infected logs. The company is listed in multiple places as containing ad and spyware, that's why I am including it to remove. You also do not appear to be running with a firewall, and while I don't see any Symantec programs on your computer, you still have a service running. If you used to have Symantec, Norton, and uninstalled it, we need to get this service to stop running.
Right click on My Computer, select Manage, click on Services. Locate Symantec Network Drivers Service, right click on it and choose Properties. Under Start Up Type change that to Disabled. Find and delete the following: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe. Next in HijackThis, click on Config., Misc. Tools, Delete an NT Service. In the Dialog box type SNDSrvc, then click on OK. (Because this is a Symantec service, HJT may not be able to delete it.)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (if this item still exists.)
Read the article in my signature PCHF Protect Your PC for more information about free firewalls.
Looking forward to your reply,
TTFN
LGW
06-21-2006
Elite Member
Join Date: May 2006
Location: New Brunswick,Canada
Posts: 631
Hey LGW, I ran Spy Sweeper and to my surprise it actually found some nasties on the PC. As for the Symantec, I tried what you told me to do. I disabled it but couldn't delete it as an NT service; it says that it is a system critical file.
P.S. My PC is in pieces right now. I need to get a new PSU as my old one let go on me; I'm using my sister's.
06-21-2006
Elite Member
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,642
Hey Genie,
In order to remove the Symantec Service from your PC you are going to have to do some editing of your registry. BTW, looking at these instructions, I remember why I don't use Symantec any more.
Go back into Services as before and look for these
ccApp.exe
NMain.exe
VPC32.exe
VP Tray.exe
ISSVC.exe
Stop any of them that you find. Pull up Task Manager and see if Network Drivers Service is listed, if you find it, right click it and click End Process.
Click on Start > Run, type REGEDIT, hit Enter. The following is mandatory before performing any changes to your registry: click on File, Export, choose an identifiable location such as your desktop, name the registry backup today's date, click on Save.
Now you will need to navigate through the registry. When the instructions specify an HKEY location, you can simply find the address. If the instructions tell you to find all instances of an entry, make sure that you have highlighted the area that you want to search, hit Ctrl+F, type in the entry you are looking for, and hit Enter. For each instance, you will need to close the Find box, delete the entry, then hit Ctrl+F, Enter, to locate the next occurrence. Continue until the response comes back that the entire registry has been checked. Some of these entries may not be in your registry.
- In the Windows registry editor, in the left pane, go to the following key:
HKEY_CLASSES_ROOT\*\Shellex\ContextMenuHandlers
- In the left pane, right-click LDVPMenu, and then click Delete.
- Expand the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
This key contains many <Package Code> keys.
- Use the Ctrl+F instructions above to locate references to Symantec Client Security listed in the right pane.
If you see any references to Symantec Client Security in the right pane, then delete the entire <Package Code> key.
- Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
- Delete the following keys:
- CCPD
- IDS
- PatchInst
- SecurePort
- SPBBC
- Symantec AntiVirus
- SymNetDrv
- Go to and delete the following registry keys:
- HKEY_CLASSES_ROOT\Installer\UpgradeCodes\E761730C408BDBC4D825D7A248EB45F3
- HKEY_CLASSES_ROOT\Installer\Features\7403AF9E51B091E458ECEEF76C6EF099
- HKEY_CLASSES_ROOT\Installer\Products\7403AF9E51B091E458ECEEF76C6EF099
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E761730C408BDBC4D825D7A248EB45F3
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\7403AF9E51B091E458ECEEF76C6EF099
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7403AF9E51B091E458ECEEF76C6EF099
- HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\DllUsage\VP6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{E9FA3047-0B15-4E19-85CE-EE7FC6E60F99}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\E761730C408BDBC4D825D7A248EB45F3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7403AF9E51B091E458ECEEF76C6EF099
- Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps
- In the right pane, delete the following entries:
- AVENGEDEFS
- Common Client
- Common Client Data
- Common Client Decomposers
- NAVNT
- SCS Install Directory
- SAVCE
- SPBBC
- SymNetDrv
- VP6ClientInstalled
- VP6UsageCount
- AdBlocking
- ConfigWizard
- Go to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- Delete the following keys:
- ccEvtMgr
- ccSetMgr
- ccPwdSvc
- ccProxy
- DefWatch
- NAVENG
- NAVEX15
- SAVRoam
- SCSRT
- SAVRTPEL
- SNDSrvc
- SPBBCDrv
- SPBBCSvc
- Symantec AntiVirus
- SYMREDRV
- SYMTDI
- Under HKEY_LOCAL_MACHINE\System, use the Ctrl+F instructions to search for and delete any occurrence of the following:
- ccEvtMgr
- ccSetMgr
- ccPwdSvc
- ccProxy
- DefWatch
- NAVENG
- NAVEX15
- SAVRoam
- SCSRT
- SAVRTPEL
- SNDSrvc
- SPBBCDrv
- SPBBCSvc
- Symantec AntiVirus
- SYMREDRV
- SYMTDI
- Go to the following key in the left pane:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
- Delete the following entries:
- ccEvtMgr
- ccProxy
- ccPwdSvc
- ccSetMgr
- Defwatch
- LiveUpdate
- SAVRoam
- SNDSrvc
- SPBBCSvc
- Symantec AntiVirus
- Go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System, and delete the SAVRT key.
- Go to any existing "ControlSet*"\Services\EventLog\Application and "ControlSet*"\Services\EventLog\System keys and delete the same entries as in the previous three steps.
- In the left pane, click My Computer. On the Edit menu, click Find. Search for VirusProtect6. Delete all keys and values that contain this string.
- In the left pane, click My Computer. On the Edit menu, click Find. Search for E761730C408BDBC4D825D7A248EB45F3. Delete all keys and values that contain this string.
WARNING: Follow the next seven steps only if the conditions described in the steps are met. These instructions affect registry entries that are used by other Symantec products. If you delete a key or value that is used by another Symantec product, that product must be removed and installed again.
- If no other Symantec applications that use virus definitions are installed, go to the HKEY_LOCAL_MACHINE\Software\Symantec key. In the right pane, delete the SharedDefs value.
- If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec and delete the following keys: Common Client, SymEvent
- If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps and delete the following values:
- AMSUsage
- Symantec Shared Directory
- SymcData-scfidsdefs
- Internet Security
- Internet Security Data
- Shared Options
- If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the ccApp value.
- If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the vptray value.
- If Symantec Client Security is the only Symantec program installed, go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, and delete the following keys:
- SymEvent
- SymIDS
- SymIDSCo
- SymnDIS
- Symantec Secure Port
- Under HKEY_LOCAL_MACHINE\System, go to any existing ControlSet*\Services keys and delete the same entries as under CurrentControlSet\Services above.
Restart the computer.
Symantec Client Security is now disabled, even though traces of it remain in the registry. These traces have little impact on how your computer operates. It is not necessary to remove them.
Remove Symantec Client Security from the Start menu and the hard drive
After Symantec Client Security is disabled, all that remains is to remove leftover files and shortcuts to the program.
To remove Symantec Client Security from the Start menu
- Right-click Start, and then click Open All Users.
- Double-click Programs.
- Right-click Symantec Client Security, and then click Delete.
To remove Symantec Client Security from the hard drive
- Click Start > Programs > Windows Explorer.
- Go to the Program Files folder.
- Right-click Symantec Client Security, and then click Delete.
WARNING: Follow the next five steps only if the conditions described in the steps are met. These instructions affect files and folders that are used by other Symantec products. If you delete a file or folder that is used by another Symantec product, that product must be removed and installed again.
- If Symantec Client Security is the only Symantec product on your computer, delete the Symantec folder.
- Go to the Program Files\Common Files\Symantec Shared folder.
- If Symantec Client Security is the only Symantec product on your computer, delete the following folders:
- AdBlocking
- Decomposers
- Help
- IDS
- Options
- SPBBC
- SPManifests
- SSC
- SymcData
- VirusDefs
- Go to the folder C:\Documents and Settings\All Users\Application Data\Symantec\.
- Delete the Symantec AntiVirus Corporate Edition folder.
Close Windows Explorer.
Last edited by ladygreenwitch; 06-21-2006 at 09:05 PM.
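As an added example that is not part of the thread (not LGW's or Symantec's instructions), a read-only PowerShell audit of the service keys listed in the post above: it exports the Services key first, as the post insists, then reports each listed service in every ControlSet with its ImagePath and whether the binary is still on disk, so orphans like the SNDSrvc entry stand out before anything is deleted by hand. The service names are the post's; the backup file name and the ImagePath normalisation are my own assumptions.

```powershell
# Added example, not from the thread: read-only audit of the leftover Symantec
# service keys listed by LGW. It backs up and reports; it does not delete.
$ServiceNames = @(
    'ccEvtMgr','ccSetMgr','ccPwdSvc','ccProxy','DefWatch','NAVENG','NAVEX15',
    'SAVRoam','SCSRT','SAVRTPEL','SNDSrvc','SPBBCDrv','SPBBCSvc',
    'Symantec AntiVirus','SYMREDRV','SYMTDI'
)

# Turn a service ImagePath into the file it points at. Drivers use forms such as
# \SystemRoot\System32\Drivers\x.sys or system32\drivers\x.sys; user-mode
# services may be quoted and carry arguments. (Assumed normalisation rules.)
function Resolve-ImagePath([string]$ImagePath) {
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Same precaution the post insists on: export the key before any change.
# Backup file name is an assumption of this example.
$backup = Join-Path $env:USERPROFILE ("Desktop\Services-{0}.reg" -f (Get-Date -Format 'yyyy-MM-dd'))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $backup /y | Out-Null

# Check every ControlSet*, not only CurrentControlSet, as the post's last step says.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
$report = foreach ($cs in $controlSets) {
    foreach ($name in $ServiceNames) {
        $key = Join-Path $cs.PSPath "Services\$name"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props  = Get-ItemProperty -LiteralPath $key
        $exe    = Resolve-ImagePath $props.ImagePath
        $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        [pscustomobject]@{
            ControlSet   = $cs.PSChildName
            Service      = $name
            StartType    = $props.Start      # 4 = Disabled, 2 = Automatic
            ImagePath    = $props.ImagePath
            BinaryExists = $exists           # $false = the orphan the O23 line describes
        }
    }
}
$report | Sort-Object ControlSet, Service | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a row with BinaryExists = False is a service registration whose executable is already gone, which is the state SNDSrvc is in once the file under Symantec Shared has been deleted.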
06-21-2006
Elite Member
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,642
Sorry about the extensive instructions on getting rid of that Symantec service Genie, they are a bear to get rid of, maybe if we are lucky one of the other guys will have a utility or something to automate it.
Let us know when your PC is back up and running.
Looking forward to your reply,
TTFN
LGW
06-21-2006
Elite Member
Join Date: May 2006
Location: New Brunswick,Canada
Posts: 631
Hey LGW,
I'm in the registry right now and am in HKEY_LOCAL_MACHINE\SOFTWARE\Symantec. I have found some of the items that you listed, and I found some other ones too, like InstalledApps, Shared Usage and SymEvent.
Should I delete those as well?