Norton virus definitions have disappeared

KAF · 14th June 2006

Tonight I found I've unexpectedly used up a lot of download. Then I got a Norton message that my worm protection was disabled and my virus definitions hadn't been updated since 28 May, though I know I've done many updates since then including this morning. I turned on the worm protection, rebooted and ran liveupdate and Norton quick scan and an Adaware quick scan. In both cases I had to run them twice because they froze. They didn't report anything and there's nothing new in my list of programs but I feel very nervous about this. I have been attacked 3 times in the last year and had to get all my programmes reinstalled the first 2 times. Last time I fixed it using Smitfraud fix after reading things on this site. I was very grateful for the help, though I didn't actually post anything. I will run some full system scans now. My earlier problems seemed to get worse with time so I am posting this now, hoping someone can help me before things deteriorate. Maybe I'm just panicking unecessarily and it's just Norton going weird on me again?

**charlesvar** · 14th June 2006

Hello KAF and welcome,

Post a HJT scan, we'll have a look. This may well be a NAV glitch, maybe not.

Download and run HijackThis:

Download from here http://radiosplace.com/ latest version 1.99

Download it to it's own folder, for example create a folder C:\HijackThis

Unzip (double click on zipped folder)

Click on the execute

Click scan button, scan in safe mode as well

Click save log and save to the folder you just created

Copy resultant .txt file and paste into your next post

Regards - Charles

KAF · 14th June 2006

Thanks for replying. I think I have done what you said. However, I right clicked on the hijackthis text file in my program files, and clicked copy, but when I try to right click and copy into this space "copy" is greyed out. Any suggestions?

Thanks

Kerry

**charlesvar** · 14th June 2006

Quote:

Originally Posted by KAF

but when I try to right click and copy into this space "copy" is greyed out.

Hi KAF,

Click "paste".

Regards - Charles

KAF · 14th June 2006

Sorry that was dumb of me. I meant "paste" is greyed out. Cut, copy, and paste are all grey.

Thanks again

Kerry

**TeMerc** · 14th June 2006

Quote:

Originally Posted by KAF

Thanks for replying. I think I have done what you said. However, I right clicked on the hijackthis text file in my program files, and clicked copy, but when I try to right click and copy into this space "copy" is greyed out. Any suggestions?

Thanks

Kerry

I'm stepping in for Charlesvar, he needed to be away from the PC for a time.

The logfile should not have been saved into your program files, run annother scan, and save the log file to your desktop.

If when you right-click it again, the options are greyed out, try using Ctrl + C to copy and Ctrl + V to paste.

**Whiskeyman** · 14th June 2006

Did you highlight the content within the .txt file or go to Edit > Select all before trying to copy & paste?

KAF · 14th June 2006

Thanks Whiskeyman, that was the problem. This is it.

Logfile of HijackThis v1.99.1
Scan saved at 2:08:54 AM, on 15/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus1.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX430 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CP.EXE /P31 "EPSON Stylus Photo RX430 Series" /O6 "USB001" /M "Stylus Photo RX430"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: MediaKey.lnk = C:\Program Files\MediaKey\Versato.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

KAF · 14th June 2006

It's 3.20am here. If you reply to me and don't get an answer too soon, it's because I've gone to bed. Thanks all for the help so far.

**TeMerc** · 14th June 2006

If Norton found something and deleted it, then you're ok. Can you tell us specifically what it was?

I don't see anything odd in your log file, but that doesn't mean there cannot be anything there.

Other than the Norton findings are there any other odd activities going on with your machine?

I also notice you have zero anti-spyware protection, just the Norton av. Nor do I see any firewall. Those two exclusions on your system can account for you getting infected.

XP SP2 fw is not worthy unless you're an advanced user and know where not to go, and based on the statement that this is the third time you have gotten infected, you do not qualify as an advanced user.

I suggest you install some of the following, if not all to keep you more secure.

Spybot Search & Destroy v1.4
Ad-Aware SE Free v1.06r

With AdAware and Spybot: DL, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next.

SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With Spyware Blaster, just DL, check for updates, enable Internet Explorer protection, and your done! I don't recommend using 'Restricted Sites' protection, you can get far greater coverage with IE-SPYADs, listed below.

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will provide another layer of protection.

And to prevent unknown applications from being installed on your machine install WinPatrolv9.8.1.0.

Let me know about the other items I asked about.

KAF · 15th June 2006

Thanks TeMerc.

Norton didn't say it had found or deleted anything. Just the alert re worm protection and virus definitions. When I have found the worm protection switched off before I have been attacked though it's never said the virus definitions were so much older than they were b4. It has happened b4 that it's wrongly given yesterday's date for virus defns, so I thought maybe Norton just didn't load properly and rebooting has fixed it. This time rebooting didn't fix it. When I then ran liveupdate it said it "installed defns 1 of 1 - 652.3 KB". I ran a quick scan then, but it showed nothing.

The only other unusual thing I noticed was that the computer completely froze during the scans. The Norton scan wouldn't start - program not responding, but worked when I had another go (ie restarted the computer and tried again). The first AdAware scan I did totally froze when it got to the very last section before results. But then it worked ok when I tried again after rebooting. The internet has been working ok.

I was really surprised at the amount of download used recently, but I can't swear we didn't use it ourselves.

The 1st 2 times I got infected I was running Norton Internet Security 2005, including a firewall, and the technician I saw said he thought the firewall caused problems for everyday users like me, so I when I got new software I limited myself to Norton AV on his advice. I have been using AdAware SE Personal which I downloaded in January and have kept up to date. The AdAware quick scan I did showed only negligible threat items. Is this different to AdAware SE Free?

I agree I am not an advanced user plus my son also uses this computer.

I didn't complete the full system scan last night because I had to turn it off to run HJT and I forgot to restart b4 bed. I will now download the other things you suggest and then run a full system scan.

Last time I tried to download SpyBot it seemed to clash with something else on my computer - like it was suspicious of me and wouldn't give me the updates. Also I have been warned SpyBot might cause other problems - deleting files I need while it's removing problems. If I can download it, is there any precaution I should take when running it?

When I was trying to clean up the computer last time I deleted Limewire. My son was extremely upset and says all his friends use it and they never have these problems, and probably we have these problems because the motherboard is so old and not big enough. After a couple of weeks, he downloaded Limewire again, and I left it on. He was really distraught about losing it, though he says he doesn't download much from it, and I don't want to stop him having it unnecessarily. Do you have any reason to think it's likely to cause problems?

I am really appreciative of your help. This site is amazing. I saw something about donations - can that be done without using a credit card on the net?

Thanks again
Kerry

KAF · 15th June 2006

TeMerc

I found this information in my Norton Log Viewer in Internet> System. I don't know whether it is just routine or not, so I copied and pasted in case it is of any relevance. I didn't actually know this stuff was there before now. I just found it because I was wondering if there was a record of Norton delecting something without me noticing. It hasn't.

For some reason the dates did not come across with this. Aside from the ones that just say user logged in or no user logged in, the top 2 were from today about an hour ago, the next couple were from last night about the time I got the message from Norton, the bunch before that were from yesterday morning. The earliest are in April, so maybe they are all just routine?

Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.22.210).
IP address HOME-5K2ILI644Q(58.104.22.210) has disappeared and is no longer being protected.
User logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
No user is logged in.
No user is logged in.
Internet Worm Protection setting "Internet Activity Scanner Enable" changed.
Old Value: 9.
New Value: 1.
Internet Worm Protection setting "Port Block Allow NetBIOS" changed.
Old Value: 1.
New Value: 0.
Internet Worm Protection has been turned on.
User logged in.
User logged in.
User logged in.
Startup Mode has been set to Automatic.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
User logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.221.145).
IP address 58.105.221.145 has disappeared and is no longer being protected.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.126.192).
IP address 58.104.124.224 has disappeared and is no longer being protected.
No user is logged in.
No user is logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.124.224).
IP address 10.1.1.3 has disappeared and is no longer being protected.
IP address 169.254.52.182 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 10.1.1.3).
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 169.254.52.182).
IP address 220.238.185.114 has disappeared and is no longer being protected.
User logged in.
Internet Worm Protection setting "Internet Activity Scanner Enable" changed.
Old Value: 9.
New Value: 1.
User logged in.
No user is logged in.
User logged in.
SYMFW failed to load (0xc000026c).
No user is logged in.
No user is logged in.
No user is logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.185.114).
IP address 220.238.185.114 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.185.114).
IP address 220.238.185.114 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.185.114).
IP address 220.238.185.114 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.185.114).
IP address 58.104.76.193 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.76.193).
IP address 58.104.76.193 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.76.193).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 220.238.167.153 has disappeared and is no longer being protected.
User logged in.
User logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 10.1.1.3 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 10.1.1.3).
IP address 220.238.167.153 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.167.153).
IP address 58.105.222.107 has disappeared and is no longer being protected.
User logged in.
User logged in.
User logged in.
No user is logged in.
No user is logged in.
User logged in.
Internet Worm Protection setting "Internet Activity Scanner Enable" changed.
Old Value: 9.
New Value: 1.
Internet Worm Protection has been turned on.
Internet Worm Protection setting "Port Block Allow NetBIOS" changed.
Old Value: 1.
New Value: 0.
Startup Mode has been set to Automatic.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 58.108.2.20 has disappeared and is no longer being protected.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.108.2.20).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.105.208.174 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.105.208.174 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.104.35.10 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.35.10).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.104.35.10 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.104.35.10).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.105.208.174 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 220.238.206.49 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.206.49).
IP address 58.105.208.174 has disappeared and is no longer being protected.
User logged in.
No user is logged in.
User logged in.
User logged in.
No user is logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 58.105.208.174 has disappeared and is no longer being protected.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
No user is logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 10.1.1.3 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 10.1.1.3).
User logged in.
IP address 58.105.208.174 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 10.1.1.3 has disappeared and is no longer being protected.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 10.1.1.3).
User logged in.
No user is logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
IP address 58.105.208.174 has disappeared and is no longer being protected.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
No user is logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 58.105.208.174).
IP address 220.238.82.28 has disappeared and is no longer being protected.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
Internet Worm Protection setting "Internet Activity Scanner Enable" changed.
Old Value: 9.
New Value: 1.
Internet Worm Protection has been turned on.
Internet Worm Protection setting "Port Block Allow NetBIOS" changed.
Old Value: 1.
New Value: 0.
User logged in.
Startup Mode has been set to Automatic.
No user is logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.225.83).
IP address 220.238.225.83 has disappeared and is no longer being protected.
No user is logged in.
User logged in.
User logged in.
Protecting your connection to a newly detected network on adapter "Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport" (IP address: 220.238.225.83).
IP address 220.238.225.83 has disappeared and is no longer being protected.
User logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
No user is logged in.
No user is logged in.
User logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.
User logged in.
User logged in.
User logged in.
No user is logged in.
User logged in.
No user is logged in.

**TeMerc** · 15th June 2006

Quote:

Originally Posted by KAF

Thanks TeMerc.

I was really surprised at the amount of download used recently, but I can't swear we didn't use it ourselves.

The 1st 2 times I got infected I was running Norton Internet Security 2005, including a firewall, and the technician I saw said he thought the firewall caused problems for everyday users like me, so I when I got new software I limited myself to Norton AV on his advice. I have been using AdAware SE Personal which I downloaded in January and have kept up to date. The AdAware quick scan I did showed only negligible threat items. Is this different to AdAware SE Free?

I agree I am not an advanced user plus my son also uses this computer.

I didn't complete the full system scan last night because I had to turn it off to run HJT and I forgot to restart b4 bed. I will now download the other things you suggest and then run a full system scan.

Last time I tried to download SpyBot it seemed to clash with something else on my computer - like it was suspicious of me and wouldn't give me the updates. Also I have been warned SpyBot might cause other problems - deleting files I need while it's removing problems. If I can download it, is there any precaution I should take when running it?

When I was trying to clean up the computer last time I deleted Limewire. My son was extremely upset and says all his friends use it and they never have these problems, and probably we have these problems because the motherboard is so old and not big enough. After a couple of weeks, he downloaded Limewire again, and I left it on. He was really distraught about losing it, though he says he doesn't download much from it, and I don't want to stop him having it unnecessarily. Do you have any reason to think it's likely to cause problems?

I am really appreciative of your help. This site is amazing. I saw something about donations - can that be done without using a credit card on the net?

Thanks again
Kerry

OK, I'm not gonna say that Norton apps are not a lil bit buggy, but this also depends alot on your system. I have had it on mine with no troubles for about 6 years, others have lots of problems an hate it.

Anyone who tells the average user that a firewall would impede rather than enhance your expedience online is more or less foolish. With someone who is not that experienced, such as yourself, best to be with it than without. What kind of problems were you having with the firewall that made him suggest it was too troublesome to bother? I'd be interested in knowing his thoughts and ideas on why.

Running a 'quick' scan with Adware is not really recommended. Best to do a full system scan. You shouldn't have any problems, worse case, run it in safe mode, after updating.

In so far as Spybot, yes files can be removed erroneously, but it is very rare. Even if you do, there is a recovery process which puts back what you removed exactly from where it took it from, so thats not a real issue. Seems to me your just getting bad advice from people who don't know any better.

Limewire and any P2P file sharing application can be dangerous. Not so much the simple use of the service, but the problem lies in the unknown. you have no way of knowing if someone else has dropped an infected file for others to share. Most P2P users routinely get infected.

If you must use them, always DL the file to your desktop and either have your resident av scan it, or have the file scanned at one of the online file scanners. In this manner you reduce the chance of getting an infected file installed.

Everything in the Norton logs is routine stuff, I have tons of that activity also, just different programs.

You say your system is old, just how old and what type, if any maintenance do you do for it? Meaning any registry cleaning, temp file cleaning those kinds of things. There are also a few Windows file checking operations which would benefit the systems overall stability.

In so far as donations, I'm new to this site, so I don't know how that works here. I'll look around or ask one of the other forum admins\mods and see what I can find out.

KAF · 15th June 2006

TeMerc

He said that he found people in general had trouble with it, I think because it asks you to make choices you might not know enough to make properly, and he thought they were better with just Norton Antivirus. He didn't say other firewalls were a problem, but recommended just NAV and AdAware. I didn't exactly have problems with it. My problems were that I was getting attacked and he was wiping and reinstalling my programs. He works on the computers of local schools here, we know the same people through our kids schooling and his community involvement and I trust that he would have my best interests at heart. However, maybe he didn't really know what I need. I don't want to call him unless I have no other choice because though he is kind, it's expensive to keep getting his help and he takes the computer away for 1-2 weeks etc.

I have installed Spyware Blaster and SpyBot, and run some scans. I haven't dealt with MVPS HostFile and IESPYADS yet because they looked pretty complicated and I thought I'd better do the other things first. If I add them as well, will that mean I have a firewall? There is a Windows one on here but it was disabled. I think that's because Norton suggested it, but I don't know. However maybe that's the thing you thought would be too hard for me to use properly (ie XP SP2 fw).

I just used quick scan earlier because I was a bit panicked and trying to move quickly. Now that I've done the AdAware full scan it's found a bunch of stuff including Zlob and SpyFalcon and now says they're fixed. I have had these before and they didn't necessarily stay fixed. SpyBot found PestTrap which it says is a version of SpySherif (which I've also had before). All these things appeared about the same time as each other last time I had probs. Last time I also had Securityuptodate at the same time.

SpyBot also found AvenueA, DoubleClick, MediaPlex, StarWare (which I've had before but I don't know how harmful it is), and a message that the WindowsSecurityCentre antivirus and firewall were disabled. I just let SpyBot do what it wanted with all that. I know I disabled the Windows antivirus myself, and probably the firewall too. I figured I could redisable the WindowsSecurityCentre stuff again later if need be.

I guess I should run Smitfraudfix. Do you think I need to redownload it, or just use what I downloaded a month or two back?

I tried to listen to a podcast yesterday. Is that also some kind of P2P sharing?

The operating system is Celeron. Celeron303 I think. We have had it for about 8 years. Everything else that's using it is much newer - the programs and tower and memory(?) and so on.

It always looks like it's got lots of space on here. Right now it says the CDrive has 37.2 GB with 26.6GB free. It looks like the Norton Scan is the only regular task I have scheduled right now. I will try to get on to the maintenance, I know the sort of thing you mean. However I don't know what the "Windows file checking operations" are that you mention .

Thanks again
Kerry

**TeMerc** · 15th June 2006

Quote:

He said that he found people in general had trouble with it, I think because it asks you to make choices you might not know enough to make properly, and he thought they were better with just Norton Antivirus. He didn't say other firewalls were a problem, but recommended just NAV and AdAware. I didn't exactly have problems with it. My problems were that I was getting attacked and he was wiping and reinstalling my programs. He works on the computers of local schools here, we know the same people through our kids schooling and his community involvement and I trust that he would have my best interests at heart. However, maybe he didn't really know what I need. I don't want to call him unless I have no other choice because though he is kind, it's expensive to keep getting his help and he takes the computer away for 1-2 weeks etc.

Ok, most of this advice is typical for people who are only slightly acquainted with malware, and I'm sure he had your best interests in mind.

I have not found that users in general get too many alerts from Norton fw. Him working on local school PCs tho, he may have other things they do at the server level which give him the ideas of not running a firewall.

No need to call anyone for help, if you have some patience, we can help you out here just fine, for free!!

Quote:

I have installed Spyware Blaster and SpyBot, and run some scans. I haven't dealt with MVPS Host File and IE SPYADS yet because they looked pretty complicated and I thought I'd better do the other things first. If I add them as well, will that mean I have a firewall? There is a Windows one on here but it was disabled. I think that's because Norton suggested it, but I don't know. However maybe that's the thing you thought would be too hard for me to use properly (IE XP SP2 fw).

SpywareBlaster & Spybot are fine, just need to make sure that whenever you update either one, you check your protections they don conflict if you use the 'Restricted Sites' in SpywareBlaster along with the 'Immunize' feature in Spybot.

IE-SPYADs and Hosts file are simple to use and update, once you have done them once or twice. They both offer a resource free way of protection of known bad sites.

And those are not firewalls either.

Quote:

I just used quick scan earlier because I was a bit panicked and trying to move quickly. Now that I've done the AdAware full scan it's found a bunch of stuff including Zlob and SpyFalcon and now says they're fixed. I have had these before and they didn't necessarily stay fixed. SpyBot found PestTrap which it says is a version of SpySherif (which I've also had before). All these things appeared about the same time as each other last time I had probs. Last time I also had Securityuptodate at the same time.

SpyBot also found Avenue, DoubleClick, MediaPlex, StarWare (which I've had before but I don't know how harmful it is), and a message that the WindowsSecurityCentre antivirus and firewall were disabled. I just let SpyBot do what it wanted with all that. I know I disabled the Windows antivirus myself, and probably the firewall too. I figured I could redisable the WindowsSecurityCentre stuff again later if need be.

I guess I should run Smitfraudfix. Do you think I need to redownload it, or just use what I downloaded a month or two back?

OK, SpyFalcon and PestTrap are indeed versions of SmithFraud. Download a new tool and run the first part of the fix:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Quote:

I tried to listen to a podcast yesterday. Is that also some kind of P2P sharing?

Pod casts are not really P2P and so far are not being targeted by malware authors, but give them time, if they thing they can use it to infect users, they will figure out a way.

Quote:

The operating system is Celeron. Celeron303 I think. We have had it for about 8 years. Everything else that's using it is much newer - the programs and tower and memory(?) and so on.

It always looks like it's got lots of space on here. Right now it says the CDrive has 37.2 GB with 26.6GB free. It looks like the Norton Scan is the only regular task I have scheduled right now. I will try to get on to the maintenance, I know the sort of thing you mean. However I don't know what the "Windows file checking operations" are that you mention .

Yeah, that's an old processor for sure, but if you (or your son) don't do much gaming or run any big applications, it should work fine for you with the OS.

Space won't affect much aside from adding software, and you have plenty there.

The OS tools I was referring to were things like chkdsk and scannow.

Doing both will make your system noticeably smoother and more stable.

Lets get the SmithFraud fix going first.