NORTON SYSTEM WORKS WORM?

I am new to this... I keep getting a bug with Norton System works 2004 and so far the only solution has been to reformat the hard drive (4X so far).
SYMPTOMS
1. 1st Notice that Intrusion detection and security window indicate both switched off. All attempts to switch on using configure button ignored.
2. Nothing shows up using Norton virus check
3. Nothing shows up using Norton on-line virus check
4. Nothing shows up using f8 boot virus check straight from Norton disk
5. In desperation downloaded AVG only to find that that refused to download its update files
6. on attempting to remove Norton via windows add remove programs was informed that I was not authorised to do so only. I am the authorised administrator and was in my own user area. I removed all other spyware programs including spybot and adaware prior to making these attempts so no conflict problems. Norton reply to my enquiry with letter telling me not too duplicate anti virus software.

I include spybots bugreport for after recent reformating Please tell me if the bug is still present?

You may have noticed that i have disabled the following file as spybot tells me it is a coolwebsearch parasite hijacking to slawsearch HK_CU:Run, ctfmon.exe
--- Search result list ---

--- Spybot - Search && Destroy version: 1.3 ---
2004-08-11 Includes\Cookies.sbi
2004-11-17 Includes\Dialer.sbi
2004-11-17 Includes\Hijackers.sbi
2004-11-17 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-11-17 Includes\Malware.sbi
2004-10-05 Includes\Revision.sbi
2004-10-25 Includes\Security.sbi
2004-11-17 Includes\Spybots.sbi
2004-10-21 Includes\Tracks.uti
2004-11-17 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB885884


--- Startup entries list ---
Located: HK_LM:Run, AWMON
command: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
file: C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
size: 538112
MD5: ed7f4140bc9f05781355c2a36d0ad37c

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 70776
MD5: 45e61d76c7f00d5feeae854ef27b576d

Located: HK_LM:Run, SpeedTouch USB Diagnostics
command: "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
file: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
size: 866816
MD5: d40191aa225638ab20e59524cdd74030

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe
file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
size: 95456
MD5: 46462b246bcb76450178a7260617cebd

Located: HK_LM:Run, URLLSTCK.exe
command: C:\Program Files\Norton Internet Security\UrlLstCk.exe
file: C:\Program Files\Norton Internet Security\UrlLstCk.exe
size: 70800
MD5: 82ad82d69906784633f51dd7ca2248d8

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: b53343fe60a33ee765c2476d50d27b26

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: HK_CU:Run, STManager
command: "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
file: C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
size: 118784
MD5: ba4825a014f996d5ba19652e03671277

Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 12/05/2004 01:03:00
Date (last access): 26/11/2004 17:13:28
Date (last write): 12/05/2004 01:03:00
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3

{9ECB9560-04F9-4bbc-943D-298DDF1699E1} (Web assistant)
BHO name: Web assistant
CLSID name: CNisExtBho Class
Path: C:\Program Files\Common Files\Symantec Shared\AdBlocking\
Long name: NISShExt.dll
Short name:
Date (created): 11/12/2003 19:31:12
Date (last access): 26/11/2004 17:13:28
Date (last write): 11/12/2003 19:31:12
Filesize: 126976
Attributes: archive
MD5: 390169C6946418C6679DDA6342776224
CRC32: 764140FC
Version: 0.7.0.0

{BDF3E430-B101-42AD-A544-FADC6B084872} (NAV Helper)
BHO name: NAV Helper
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/
info source: TonyKlein
Path: C:\Program Files\Norton Internet Security\Norton AntiVirus\
Long name: NAVShExt.dll
Short name:
Date (created): 24/11/2003 15:46:38
Date (last access): 26/11/2004 17:13:28
Date (last write): 24/11/2003 15:46:38
Filesize: 103368
Attributes: archive
MD5: 65C8A602DFA9D5860F1E328CB8575317
CRC32: 929FB7E0
Version: 0.10.0.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class)
DPF name:
CLSID name: ActiveDataInfo Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SymAData.dll
Short name:
Date (created): 17/05/2004 10:05:58
Date (last access): 26/11/2004 09:51:12
Date (last write): 17/05/2004 10:05:58
Filesize: 156792
Attributes: archive
MD5: B7A28CBD0022210FD0D877C9951694F1
CRC32: C44DD1D5
Version: 0.2.0.0

{E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class)
DPF name:
CLSID name: ActiveDataObj Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ActiveData.dll
Short name: ACTIVE~1.DLL
Date (created): 12/06/2002 13:16:22
Date (last access): 26/11/2004 09:52:22
Date (last write): 12/06/2002 13:16:22
Filesize: 112312
Attributes: archive
MD5: C0A5720A581109543B113A8BEAE7868C
CRC32: 1B08DE36
Version: 0.1.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 26/11/2004 18:04:07

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 404 ( 4) \SystemRoot\System32\smss.exe
PID: 460 ( 404) csrss.exe
PID: 484 ( 404) \??\C:\WINDOWS\system32\winlogon.exe
PID: 528 ( 484) C:\WINDOWS\system32\services.exe
PID: 540 ( 484) C:\WINDOWS\system32\lsass.exe
PID: 688 ( 52 C:\WINDOWS\system32\svchost.exe
PID: 744 ( 52 svchost.exe
PID: 784 ( 52 C:\WINDOWS\System32\svchost.exe
PID: 812 ( 436) C:\WINDOWS\Explorer.EXE
PID: 844 ( 52 svchost.exe
PID: 908 ( 52 svchost.exe
PID: 960 ( 52 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 976 ( 52 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PID: 1012 ( 52 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1188 ( 52 C:\WINDOWS\system32\spoolsv.exe
PID: 1288 ( 52 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PID: 1332 ( 52 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1384 ( 52 C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PID: 1420 ( 52 C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
PID: 1504 ( 52 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PID: 1540 ( 52 wdfmgr.exe
PID: 1628 ( 52 C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PID: 1884 ( 52 alg.exe
PID: 2008 ( 812) C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
PID: 2020 ( 812) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 2052 ( 812) C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
PID: 2076 ( 812) C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
PID: 2092 ( 812) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 2104 ( 812) C:\WINDOWS\system32\ctfmon.exe
PID: 2320 ( 812) C:\WINDOWS\system32\devldr32.exe
PID: 2608 ( 812) C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
PID: 2824 ( 812) C:\Program Files\Outlook Express\msimn.exe
PID: 2892 ( 812) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3028 ( 812) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3612 ( 812) C:\Program Files\Internet Explorer\iexplore.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 26/11/2004 18:04:07

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.wanadoo.co.uk/iesearch/default.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.bbc.co.uk/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.wanadoo.co.uk
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61586B1C-CABC-4BED-97AD-B127CD2007FE}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61586B1C-CABC-4BED-97AD-B127CD2007FE}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{03A80A2C-9C15-4C27-86A4-0DB98A760DAE}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{03A80A2C-9C15-4C27-86A4-0DB98A760DAE}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BE4FBB1-B7C5-4306-ACF4-4B86E157130C}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5BE4FBB1-B7C5-4306-ACF4-4B86E157130C}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{632CFBD9-1D72-4B26-9B26-B2797E4D950C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{632CFBD9-1D72-4B26-9B26-B2797E4D950C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

 

See if you can remove other components of SystemWorks like LiveUpdate, LiveReg before deleting SystemWorks. Also try these tasks under SAFE MODE.

Encountered a similar problem with NAV 2003 on the neighbor's PC. Took me almost 1/2 a day to remove this crap.

You may want to repair/reload Systemworks on top of your current installation. Often, the best option is to reformat the HD. And stay away from Norton!

 

Thank you Nod . Although it was too late to put your advice into practice as I lost my patience with Norton and junked it. I completely reformatted the HD and destroyed my previous back up in case that was the source of the infection and now use AVG Free which seems to do the same job without slowing my pc down.

In conjunction with AVG anti virus I am testing PREVX2.0 in combination with spybot/spyware blaster and using Zone Alarm Free as my firewall. So far I am very happy. PREVX has a brilliantly simple advantage of allowing you to view other peoples approaches to dealing with occurrences/warnings - this herd approach is better than nothing and really helps as I hav'nt a clue as to what some of the file names mentioned in warnings do.

 

AVG Free is a good free antivirus that run smoothly and don't make trouble, it offers real-time antivirus protection without noticeable slowdown or even without unacceptable slowdown on slow machine. AVG Free has no lot of features but it does the job that it should do but the main drawback is that it has no complete auto update you should check it yourself regularly for sure.

I use AVG Free+Prevx Home this is excellent combination for freebie it can protect zero-day attack or unknown malware that try to hit you on-the-fly in real-world-real-time without slowdown a machine. I've used it for a while and I don't use any apps to protect IE but there're no unknown adware/downloader/BHO/trojans/worms (in my live-malware collection, warez sites, porn sites) can pass AVG Free+Prevx Home if you don't allow them to install on you machine.