Tech Support Forum banner
Not open for further replies.
1 - 6 of 6 Posts

127 Posts
Discussion Starter · #1 ·
Hello, I haven't had to ask for help for myself from you all in quite awhile. A few days ago I experienced what I thought was a quirk with Norton System Works. For no reason, Norton reported that I need to activate my AV with symantec. I was extremely busy at the time so I didn't really think much about it and went ahead and clicked on the link to re-activate my software. As stated in the subject of the post, I may have actually picked up a virus from the supposed activation. Some of the files mentioned on the description of the W32.Gunsan worm as posted on Symantecs site are residing on my computer and causing IE to access without my knowledge.

Spybot S&D reported that Windows security and also ZoneAlarm Pro had been modified so as to disable all warnings. Can you help me?

HJT log included (KRC HJC analyzer results.txt that is)

Thanks, Keith

Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Logfile of HijackThis v1.99.0
Scan saved at 11:57:53 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /dropdisc
O4 - Startup: purem.exe.lnk = C:\Documents and Settings\Keith\My Documents\CSS\DailyReminders\purem.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O23 - Service: InCD Helper - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of KRC HijackThis Analyzer Log.

TSF Security Manager, Emeritus
52,196 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and CWShredder. If you didn't, do them now. For more information, go to

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Please download Ewido Security Suite at

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

So I need logs from:

Panda ActiveScan

127 Posts
Discussion Starter · #3 ·
Requested procedures completed. Logs included-Ewido,Panda,StartDreck

That took awhile. Below is a personal log of the procedures and below I will post the requested logs:

Utilities databases updated and ran with the following results:

Ad-aware SE Plus biuld 1.06
Results: 8 Negligible items
Action: Deleted

CWShredder v2.12
Results: "CoolWebsearch was not found on this system"
Action: Saved report

Spybot Search & Destroy v1.1.3TX
Results: Problems found - Windows Securty Center Anti-VirusDisable.Notify
Action: Selected "Fix Problem"
comment: Everytime I run Spybot S&D this same problem is reported

//Booted into Safe mode for the following scans//

Ewido Security Suite - updated 8/24-2005 / V database #1386
Results: No infections found

Cleanup v4.0
CleanUp! 4.0 recovered 1.7 MB of disk space from 36 files.
CleanUp! finished on 08/24/05 13:14:49

//After Ewido and Cleanup scans, booted the system and noticed
Desktop settings were changed from "Windows XP" to "Windows Classic"//

Normal Boot

Panda ActiveScan v5.50
Results: Found 2 Dialers
Action: Not disenfected

StartDreck build 2.1.7

Action: Saved log file

Thanks, Keith

ewido security suite - Scan report

+ Created on: 11:42:49 AM, 8/24/2005
+ Report-Checksum: 67A874E2

+ Scan result:

No infected objects found.

::Report End

Panda ActiveScan 5.50

Incident Status Location


<< ------------------------------------------------------------------>>
<< ------------------------------------------------------------------>>

StartDreck (build 2.1.7 public stable) - 2005-08-24 @ 14:51:01 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Keith at CUSTOM-SYSTEMS

»Run Keys
»Current User
*InstantTray=C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
*IW_Drop_Icon=C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /dropdisc
»Default User
»Local Machine
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
*InCD=C:\Program Files\Ahead\InCD\InCD.exe
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
*HP Component Manager="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
*HP Software Update=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
*Lexmark X83 Button Monitor=C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
*Lexmark X83 Button Manager=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
»File Associations (CR)
*batfile="%1" %*
*comfile="%1" %*
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*exefile="%1" %*
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*JSFile="C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*piffile="%1" %*
*regfile=regedit.exe "%1"
*scrfile="%1" /S
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
`InprocServer32=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
`InprocServer32=C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Page=
*Start Page=
»Default User
»Local Machine
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=
*Start Page={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
»ShellServiceObjectDelayLoad (LM)
»Special NT Values
»Current User
*Programs=com exe bat pif cmd
»Default User
*Programs=com exe bat pif cmd
»Local Machine
»Autostart Folders
»Current User
*C:\Documents and Settings\Keith\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Keith\Start Menu\Programs\Startup\purem.exe.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gwum.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»Text Files
`[boot loader]
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
`dos=high, umb
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
` localhost
»Program Files
»%PATH% Companion Files
»Running Processes
+1200=C:\Program Files\Ahead\InCD\InCDsrv.exe
+1580=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1648=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+508=C:\Program Files\ewido\security suite\ewidoctrl.exe
+552=C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
+1292=C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
+1544=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+1624=C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
+1876=C:\Program Files\UPHClean\uphclean.exe
+1368=C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
+3576=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+3632=C:\Program Files\Ahead\InCD\InCD.exe
+2144=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
+3636=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
+3344=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+2584=C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
+3740=C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
+3812=C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
+3832=C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
+4036=C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
+252=C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
+3764=C:\Documents and Settings\Keith\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

127 Posts
Discussion Starter · #4 ·
Dialer.bjp and Dialer.akd / Found during Panda ActiveScan

Additional information. I ran regedit to find the registry keys for ARCHIVIOSEX.NET and SGRUNT.BIZ...and deleted each of them. I ran Panda ActiveScan again and the scan came up clean. Below are the paths I followed to dump them:



It looked to me like there were a lot of illicit sites listed under the zonemap\domains\ key.


127 Posts
Discussion Starter · #5 ·
Cancel my request for help

I have decided to reformat my HDD. I have apps that seem to be attempting to modify files that they don't have permission to to access the internet and It's becoming very difficult to keep them sorted out by which ones are real and which ones are not.

Keith Rutherford
1 - 6 of 6 Posts
Not open for further replies.