Help us please....my husband's computer recently slowed down to a crawl....we ran Stinger and Swat-It and found and removed some stuff--one that swat it found was a back door trojan that showed up as net.exe and cmd.exe...I think (?!) it's gone. But then we noticed that it is still very slow and seems to be running ccApp, save.exe, internat.exe, explorer.exe and fax monitor in the background....Looking on your message board I saw info about this problem, went and got Hijack This and this is the result of that scan...I'm scared to delete anything because--let's face it--I don't really know what I'm doing....I'll receive your answer at my e-mail address, because my computer is--yes! virus free!! Thank you, SIgned: I want-my-life back 'cause all I am doing is trying to solve this problem- Thelma Logfile of HijackThis v1.97.3 Scan saved at 12:41:30 PM, on 10/12/2003 Platform: Windows 2000 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\explorer.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\webHancer\Programs\whAgent.exe C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe C:\WINNT\System32\gesfm32.exe C:\WINNT\System32\MSWin32bck.exe C:\WINNT\System32\scvhost.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINNT\System32\internat.exe C:\Program Files\Microsoft Home Publishing\Mhprmind.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\WinZip\winzip32.exe C:\unzipped\hijackthis\HijackThis.exe C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ITG O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe O4 - HKLM\..\RunServices: [MS Config Loader] MSWin32bck.exe O4 - HKLM\..\RunServices: [Config Loader] scvhost.exe O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.exe O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.41-deleon/GoogleNav.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{92C70925-A1FB-445D-91F1-2E894CF64597}: NameServer = 66.81.7.158 66.81.0.252

Hi Thelma, You are not virus free..Yet. You are infected with the following: Backdoor.Dvldr W32.HLLW.Gaobot.AE W32.Randex.C First, Open Control Panel > Add/Remove Programs and uninstall WebHancer. Then Run HijackThis again and check the following items, close any open browser windows and click 'fix checked'. O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe O4 - HKLM\..\RunServices: [MS Config Loader] MSWin32bck.exe O4 - HKLM\..\RunServices: [Config Loader] scvhost.exe Reboot and delete the following files: C:\WINNT\Fonts\rundll32.exe C:\WINNT\Fonts\explorer.exe C:\WINNT\System32\gesfm32.exe C:\WINNT\System32\MSWin32bck.exe *C:\WINNT\System32\scvhost.exe * notice the spelling!! Finally go here and run an online virus scan, if anything is found copy the report and paste it in a reply along with a new Hijack log. RAV

We LOVE you guys. I followed all the steps and eventually got them all done (access denied sometimes on deleting those files because they were in use) and bingo, the CPU use fell from 100% to 3% or something! WHat a relief! I got Norton back up and going and then when to ravati and will post the result from that and the Hijack THis below. BTW, Norton came on during and after the ravanti scan and said it detected and removed W32.Randex.C, Backdoor.Dvldr, W32 Tzet.Worm, IRC Backdoor.Tojan How can we thank you enough. We were already thinking of what/how new computer to buy, now we don't have to! (I also made my hubby promise to go get his patches from Microsoft up to date. Scan started at 10/13/2003 8:42:52 AM Scanning memory... Scanning boot sectors... Scanning files... C:\WINNT\system32\winupdate\msnq32.exe->(ASPack 2.12) - Tool:HideWindows -> Infected Scanned ============================ Objects: 13396 Directories: 842 Archives: 385 Size(Kb): 1458287 Infected files: 1 Found ============================ Viruses found: 1 Suspicious files: 0 Disinfected files: 0 Mail files: 87 Logfile of HijackThis v1.97.3 Scan saved at 9:09:46 AM, on 10/13/2003 Platform: Windows 2000 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\explorer.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\NETRAT~1\Premeter\prmt.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINNT\System32\internat.exe C:\Program Files\Microsoft Home Publishing\Mhprmind.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\WinZip\winzip32.exe C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ITG O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.exe O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.41-deleon/GoogleNav.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hi Thelma, Just delete that file listed by Rav.. Also uninstall NetRatings, it's spyware by Premeter.

Thank you Tom41 -- I did these things and was able to download critical updates from Microsoft now. However, ccApp is apparently still running in the background--I see from some of the postings that this is connected to a hacking thing or something. ANyway, I don't know how to separate it from legimate Symantic files....or fix it. Norton or RAV didn't see it. Here's a copy of just ran Hijack This, if that info helps. Thank you for your wonderful help. Logfile of HijackThis v1.97.3 Scan saved at 10:54:12 AM, on 10/13/2003 Platform: Windows 2000 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\explorer.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINNT\System32\internat.exe C:\Program Files\Microsoft Home Publishing\Mhprmind.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\WinZip\winzip32.exe C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/access/allinone.asp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ITG R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.exe O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html O8 - Extra context menu item: Translate Page - res://c:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.41-deleon/GoogleNav.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37907.2240162037 O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hi Thelma, Don't worry about ccApp.. Program Name: CcApp Executable Name: ccApp.exe Required: Yes Comments: Part of Norton AntiVirus 2003. Auto-protect and E-mail check will not function without this

OK! Great. Thanks a million.