NORTON SYSTEM WORKS WORM?

Discussion in 'other anti-virus software' started by ruemonkee, Nov 26, 2004.

Thread Status:
Not open for further replies.
  1. ruemonkee

    ruemonkee Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    3
    I am new to this... I keep getting a bug with Norton SystemWorks 2004, and so far the only solution has been to reformat the hard drive (4X so far).
    SYMPTOMS
    1. First noticed that the Intrusion Detection and Security windows both indicate they are switched off. All attempts to switch them on using the Configure button are ignored.
    2. Nothing shows up using the Norton virus check.
    3. Nothing shows up using the Norton online virus check.
    4. Nothing shows up using the F8 boot virus check straight from the Norton disk.
    5. In desperation I downloaded AVG, only to find that it refused to download its update files.
    6. On attempting to remove Norton via Windows Add/Remove Programs I was informed that I was not authorised to do so. Only I am the authorised administrator, and I was in my own user area. I removed all other spyware programs including Spybot and Ad-Aware prior to making these attempts, so no conflict problems. Norton replied to my enquiry with a letter telling me not to duplicate anti-virus software.

    I include Spybot's bug report from after the recent reformatting. Please tell me if the bug is still present?

    You may have noticed that I have disabled the following file, as Spybot tells me it is a CoolWebSearch parasite hijacking to slawsearch: HK_CU:Run, ctfmon.exe
    --- Search result list ---

    --- Spybot - Search && Destroy version: 1.3 ---
    2004-08-11 Includes\Cookies.sbi
    2004-11-17 Includes\Dialer.sbi
    2004-11-17 Includes\Hijackers.sbi
    2004-11-17 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-11-17 Includes\Malware.sbi
    2004-10-05 Includes\Revision.sbi
    2004-10-25 Includes\Security.sbi
    2004-11-17 Includes\Spybots.sbi
    2004-10-21 Includes\Tracks.uti
    2004-11-17 Includes\Trojans.sbi


    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / Windows XP / SP2: Windows XP Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB885884


    --- Startup entries list ---
    Located: HK_LM:Run, AWMON
    command: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    file: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    size: 538112
    MD5: ed7f4140bc9f05781355c2a36d0ad37c

    Located: HK_LM:Run, ccApp
    command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    size: 70776
    MD5: 45e61d76c7f00d5feeae854ef27b576d

    Located: HK_LM:Run, SpeedTouch USB Diagnostics
    command: "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    file: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    size: 866816
    MD5: d40191aa225638ab20e59524cdd74030

    Located: HK_LM:Run, Symantec NetDriver Monitor
    command: C:\PROGRA~1\SYMNET~1\SNDMon.exe
    file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
    size: 95456
    MD5: 46462b246bcb76450178a7260617cebd

    Located: HK_LM:Run, URLLSTCK.exe
    command: C:\Program Files\Norton Internet Security\UrlLstCk.exe
    file: C:\Program Files\Norton Internet Security\UrlLstCk.exe
    size: 70800
    MD5: 82ad82d69906784633f51dd7ca2248d8

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1667584
    MD5: b53343fe60a33ee765c2476d50d27b26

    Located: HK_CU:Run, SpybotSD TeaTimer
    command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    size: 1038336
    MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

    Located: HK_CU:Run, STManager
    command: "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    file: C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    size: 118784
    MD5: ba4825a014f996d5ba19652e03671277

    Located: HK_CU:Run, ctfmon.exe (DISABLED)
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a



    --- Browser helper object list ---
    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 12/05/2004 01:03:00
    Date (last access): 26/11/2004 17:13:28
    Date (last write): 12/05/2004 01:03:00
    Filesize: 744960
    Attributes: archive
    MD5: ABF5BA518C6A5ED104496FF42D19AD88
    CRC32: 5587736E
    Version: 0.1.0.3

    {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Web assistant)
    BHO name: Web assistant
    CLSID name: CNisExtBho Class
    Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
    Long name: NISShExt.dll
    Short name:
    Date (created): 11/12/2003 19:31:12
    Date (last access): 26/11/2004 17:13:28
    Date (last write): 11/12/2003 19:31:12
    Filesize: 126976
    Attributes: archive
    MD5: 390169C6946418C6679DDA6342776224
    CRC32: 764140FC
    Version: 0.7.0.0

    {BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
    BHO name: NAV Helper
    CLSID name: CNavExtBho Class
    description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
    info link: http://www.symantec.com/nav/nav_9xnt/
    info source: TonyKlein
    Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
    Long name: NAVShExt.dll
    Short name:
    Date (created): 24/11/2003 15:46:38
    Date (last access): 26/11/2004 17:13:28
    Date (last write): 24/11/2003 15:46:38
    Filesize: 103368
    Attributes: archive
    MD5: 65C8A602DFA9D5860F1E328CB8575317
    CRC32: 929FB7E0
    Version: 0.10.0.0



    --- ActiveX list ---
    DirectAnimation Java Classes (DirectAnimation Java Classes)
    DPF name: DirectAnimation Java Classes
    CLSID name:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\dajava.cab
    info link:
    info source: Patrick M. Kolla

    Microsoft XML Parser for Java (Microsoft XML Parser for Java)
    DPF name: Microsoft XML Parser for Java
    CLSID name:
    description:
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
    info link:
    info source: Patrick M. Kolla

    {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
    DPF name:
    CLSID name: ActiveDataInfo Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: SymAData.dll
    Short name:
    Date (created): 17/05/2004 10:05:58
    Date (last access): 26/11/2004 09:51:12
    Date (last write): 17/05/2004 10:05:58
    Filesize: 156792
    Attributes: archive
    MD5: B7A28CBD0022210FD0D877C9951694F1
    CRC32: C44DD1D5
    Version: 0.2.0.0

    {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class)
    DPF name:
    CLSID name: ActiveDataObj Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: ActiveData.dll
    Short name: ACTIVE~1.DLL
    Date (created): 12/06/2002 13:16:22
    Date (last access): 26/11/2004 09:52:22
    Date (last write): 12/06/2002 13:16:22
    Filesize: 112312
    Attributes: archive
    MD5: C0A5720A581109543B113A8BEAE7868C
    CRC32: 1B08DE36
    Version: 0.1.0.0



    --- Process list ---
    Spybot - Search && Destroy process list report, 26/11/2004 18:04:07

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 404 ( 4) \SystemRoot\System32\smss.exe
    PID: 460 ( 404) csrss.exe
    PID: 484 ( 404) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 528 ( 484) C:\WINDOWS\system32\services.exe
    PID: 540 ( 484) C:\WINDOWS\system32\lsass.exe
    PID: 688 ( 528) C:\WINDOWS\system32\svchost.exe
    PID: 744 ( 528) svchost.exe
    PID: 784 ( 528) C:\WINDOWS\System32\svchost.exe
    PID: 812 ( 436) C:\WINDOWS\Explorer.EXE
    PID: 844 ( 528) svchost.exe
    PID: 908 ( 528) svchost.exe
    PID: 960 ( 528) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PID: 976 ( 528) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    PID: 1012 ( 528) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PID: 1188 ( 528) C:\WINDOWS\system32\spoolsv.exe
    PID: 1288 ( 528) C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    PID: 1332 ( 528) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    PID: 1384 ( 528) C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    PID: 1420 ( 528) C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    PID: 1504 ( 528) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    PID: 1540 ( 528) wdfmgr.exe
    PID: 1628 ( 528) C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    PID: 1884 ( 528) alg.exe
    PID: 2008 ( 812) C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    PID: 2020 ( 812) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PID: 2052 ( 812) C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    PID: 2076 ( 812) C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    PID: 2092 ( 812) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PID: 2104 ( 812) C:\WINDOWS\system32\ctfmon.exe
    PID: 2320 ( 812) C:\WINDOWS\system32\devldr32.exe
    PID: 2608 ( 812) C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
    PID: 2824 ( 812) C:\Program Files\Outlook Express\msimn.exe
    PID: 2892 ( 812) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PID: 3028 ( 812) C:\Program Files\Internet Explorer\iexplore.exe
    PID: 3612 ( 812) C:\Program Files\Internet Explorer\iexplore.exe


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 26/11/2004 18:04:07

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
    http://www.wanadoo.co.uk/iesearch/default.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.bbc.co.uk/
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.wanadoo.co.uk
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


     
  2. nod32_9

    nod32_9 Guest

    See if you can remove other components of SystemWorks, like LiveUpdate and LiveReg, before deleting SystemWorks. Also try these tasks under SAFE MODE.

    Encountered a similar problem with NAV 2003 on the neighbor's PC. Took me almost 1/2 a day to remove this crap.

    You may want to repair/reload SystemWorks on top of your current installation. Often, the best option is to reformat the HD. And stay away from Norton!
     
  3. ruemonkee

    ruemonkee Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    3
    Thank you Nod :D. Although it was too late to put your advice into practice, as I lost my patience with Norton and junked it. I completely reformatted the HD and destroyed my previous backup in case that was the source of the infection, and now use AVG Free, which seems to do the same job without slowing my PC down.

    In conjunction with AVG anti-virus I am testing PREVX2.0 in combination with Spybot/SpywareBlaster, and using ZoneAlarm Free as my firewall. So far I am very happy. PREVX has a brilliantly simple advantage of allowing you to view other people's approaches to dealing with occurrences/warnings - this herd approach is better than nothing and really helps, as I haven't a clue as to what some of the file names mentioned in warnings do.
     
  4. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    AVG Free is a good free antivirus that runs smoothly and doesn't make trouble; it offers real-time antivirus protection without noticeable slowdown, or even without unacceptable slowdown on a slow machine. AVG Free doesn't have a lot of features, but it does the job that it should do. The main drawback is that it has no complete auto-update, so you should check it yourself regularly for sure.

    I use AVG Free + Prevx Home; this is an excellent combination for a freebie. It can protect against zero-day attacks or unknown malware that try to hit you on-the-fly, in real-world real-time, without slowing down a machine. I've used it for a while and I don't use any apps to protect IE, but there are no unknown adware/downloader/BHO/trojans/worms (in my live-malware collection, warez sites, porn sites) that can pass AVG Free + Prevx Home if you don't allow them to install on your machine. :D
     