943,996 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > Symantec Email Proxy!!HELP!!
Ad:
You are currently viewing page 1 of this multi-page discussion thread
Permalink
Jul 13th, 2005
0

Symantec Email Proxy!!HELP!!

Expand Post »
Symantec Email Proxy Keeps Trying To Send Dozens and Dozens Of Emails, but They Fail and Bring Up Like 30 Pop Up Windows Saying The Messages Have Failed To Be Sent, and They All Have Random Email Subjects(?).....My Anti-Virus Software Scans and Comes Up Empty, Same With My Spyware Remover.....Please Help Me I Cant Find A Solution And This Is Only Place I Had Left To Ask For Help
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
RuffRyder357 is offline Offline
10 posts
since Jul 2005
Permalink
Jul 13th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Hi RuffRyder357, welcome to DaniWeb

Please follow the recommendations in these threads to help protect, and start the cleanup process, of your system:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract..._download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html

After you've completed that, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with HijackThis, and then copy and paste the log here.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213 is offline Offline
2,962 posts
since Jul 2004
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Here's My HijackThis Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:41 AM, on 7/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\WINDOWS\Explorer.EXE
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\WINDOWS\system.exe
G:\Program Files\CallWave\IAM.exe
G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
G:\WINDOWS\System32\tcpsvcs.exe
G:\WINDOWS\System32\snmp.exe
G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
G:\WINDOWS\lsass.exe
G:\Program Files\Sony\EverQuest\EverQuest.exe
G:\WINDOWS\csrss.exe
G:\WINDOWS\System32\mapi32.exe
G:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
G:\Program Files\Netscape\Netscape Browser\netscape.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Documents and Settings\Ruff Ryder\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=G:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iexplore.exe] G:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "G:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [REGSHAVE] G:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Services] G:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lov4RjGFj] rcims.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] G:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Internet Answering Machine.lnk = G:\Program Files\CallWave\IAM.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116035429728
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - G:\WINDOWS\system32\crlg32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - G:\WINDOWS\System32\mapi32.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - G:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - G:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Process Moniter - Unknown owner - G:\WINDOWS\winmon.exe
Reputation Points: 10
Solved Threads: 0
Newbie Poster
RuffRyder357 is offline Offline
10 posts
since Jul 2005
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Please follow these instructions (from the first link above):
"3.) Updates

Get the Critical Updates for Windows using Windows Update (it should be in your Start menu). If your OS is Windows XP, and you do not currently have SP2, don’t get it, at least until your system has been verified as clean. You must have a least SP1 installed, if you don’t currently have any XP updates, get SP1a. If you do not have your PC set to check for updates automatically, check manually at least weekly.

Get the Critical Updates for Internet Explorer using Windows Update (open IE, click on Tools, and then Windows Update). You need to have the latest version of Internet Explorer, which is currently version 6 (IE6). If you do not already have SP2, do not get it, at least until your system has been verified as clean. You must have a least SP1 installed; if you don’t currently have any IE updates, get SP1a."

Then follow the instructions in this thread:
http://www.daniweb.com/techtalkforums/thread24085.html

After you've moved HijackThis, close any open browser windows, scan with HJT, and post a new log please.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213 is offline Offline
2,962 posts
since Jul 2004
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Is There Anything In HJT That I Need To Fix? I Have All Necessary Security Updates Installed
Reputation Points: 10
Solved Threads: 0
Newbie Poster
RuffRyder357 is offline Offline
10 posts
since Jul 2005
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

According to your HijackThis log, you don't have any Windows Updates at all.

Yes there are things that should be fixed in your HJT log, but it needs to be in its own permanent folder first -- so that it, and the backups it will create, will not be deleted during the cleanup process.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213 is offline Offline
2,962 posts
since Jul 2004
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Ok, HJT Is In Its Own Folder Now and I Re-Installed The Windows Security Pack...Here Is New HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:29:09 AM, on 7/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\WINDOWS\System32\mapi32.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\WINDOWS\csrss.exe
G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\CallWave\IAM.exe
G:\WINDOWS\System32\tcpsvcs.exe
G:\WINDOWS\System32\snmp.exe
G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\System32\phqghu.exe
G:\WINDOWS\lsass.exe
G:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet E
xplorer\Main,Search Bar = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://G:\WINDOWS\system32\ryduf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=G:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iexplore.exe] G:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "G:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Services] G:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lov4RjGFj] rcims.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] G:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: Internet Answering Machine.lnk = G:\Program Files\CallWave\IAM.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116035429728
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - G:\WINDOWS\System32\mapi32.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - G:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - G:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Process Moniter - Unknown owner - G:\WINDOWS\winmon.exe
Reputation Points: 10
Solved Threads: 0
Newbie Poster
RuffRyder357 is offline Offline
10 posts
since Jul 2005
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Please go here to get the Critical Updates for your system:
http://update.microsoft.com/windowsu....aspx?ln=en-us

Download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract..._download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html

Then post a new HJT log to cleanup the remaining items.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213 is offline Offline
2,962 posts
since Jul 2004
Permalink
Jul 14th, 2005
0

Re: Symantec Email Proxy!!HELP!!

Have Done Everything That You've Said To Do....Here's New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:06:33 PM, on 7/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
G:\WINDOWS\System32\tcpsvcs.exe
G:\WINDOWS\System32\snmp.exe
G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\winmon.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\WINDOWS\csrss.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\Program Files\CallWave\IAM.exe
G:\Program Files\Sony\EverQuest\EverQuest.exe
G:\WINDOWS\lsass.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=G:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iexplore.exe] G:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "G:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Services] G:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lov4RjGFj] rcims.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] G:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - Global Startup: Internet Answering Machine.lnk = G:\Program Files\CallWave\IAM.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121341222278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - G:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - G:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - G:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - G:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - G:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows Process Moniter - Unknown owner - G:\WINDOWS\winmon.exe
Reputation Points: 10
Solved Threads: 0
Newbie Poster
RuffRyder357 is offline Offline
10 posts
since Jul 2005
Permalink
Jul 15th, 2005
0

Re: Symantec Email Proxy!!HELP!!

When you have the current updates, your HJT log will show entries like these:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Your log still shows that you don't have the Critical Updates you should. On an upatched system, infections are very likely to return.

Get Ewido from here:
http://www.download.com/Ewido-Securi...ml?tag=lst-0-1, but don't scan with it yet.

Reboot into Safe Mode.

Scan with Ewido, allowing it to clean whatever it finds (note: you will be posting the log from this scan in your next reply).

Still in Safe Mode, scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=G:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [Lov4RjGFj] rcims.exe
O4 - HKCU\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1121341222278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab
If the following IP addresses are not related to your ISP, have HJT fix this entry as well --
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - G:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - G:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Windows Process Moniter - Unknown owner - G:\WINDOWS\winmon.exe

Close any open windows, other then HijackThis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

G:\WINDOWS\System32\Userinit.exe
G:\WINDOWS\lsass.exe -- Caution! Do not delete the file located in the system32 folder "G:\WINDOWS\system32\lsass.exe"
G:\WINDOWS\System32\mapi32.exe
G:\WINDOWS\wkssvc.exe
G:\WINDOWS\winmon.exe

Do a search for the following files and delete any instances found:

phqghu.exe
rcims.exe

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT, and post a new log along with the Ewido log.
Team Colleague
Reputation Points: 63
Solved Threads: 213
Posting Maven
dlh6213 is offline Offline
2,962 posts
since Jul 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: ::sigh::...win32 virus
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: vermin attack need help





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC