Auto Dial-out on startup & shutdown

Name: ottawa066
Date: November 4, 2003 at 20:15:25 Pacific
OS: Windows ME 4.90.3000
CPU/Ram: Pentium III 128.0MB ram
Comment:

Upon startup of the computer, the system attempts to dial-out (prior to the Norton Anti-Virus Auto-Protect icon appearing in the System Tray). I can cancel the dial-out in process, and the boot-up completes. When I shut down, the system tries to dial out again.

I ran HiJackThis using both the "Scan" feature and the "StartUpList" feature. Here are the logs.

I would appreciate any advice you can provide.

Logfile of HijackThis v1.97.3
Scan saved at 10:49:27 PM, on 04/11/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\ESSD.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.exe
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.exe
C:\WINDOWS\SYSTEM\S3TRAYHP.exe
C:\WINDOWS\SYSTEM\PRPCUI.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.exe
C:\TEMP\HIJACKTHIS\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magma.ca/~legaultp/paul.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://fastmail.ca/
F1 - win.ini: load=essspk.exe
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - User Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.3481597222
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


StartupList report, 04/11/2003, 10:58:39 PM
StartupList version: 1.52
Started from : C:\TEMP\HIJACKTHIS\HIJACKTHIS.exe
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\ESSD.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.exe
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.exe
C:\WINDOWS\SYSTEM\S3TRAYHP.exe
C:\WINDOWS\SYSTEM\PRPCUI.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.exe
C:\WINDOWS\NOTEPAD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\TEMP\HIJACKTHIS\HIJACKTHIS.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\Windows Stuff\StartUp]
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

User shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\Windows Stuff\StartUp]
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.exe
ESS Daemon = C:\WINDOWS\ESSD.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
CP32NOT = C:\PROGRA~1\ONE-TO~1\CP32NBTN.exe
S3TRAYHP = S3trayhp.exe
PRPCMonitor = PRPCUI.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Dcfssvc = C:\WINDOWS\System32\Drivers\dcfssvc.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.exe

---------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=essspk.exe
run=hpfsched

---------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 4/11/2003, 22:3:30)

[Rename]
NUL=c:\windows\cookies\default@ehg-idg.hitbox[2].txt
NUL=c:\windows\cookies\default@hitbox[1].txt
NUL=c:\windows\cookies\default@atdmt[1].txt
NUL=c:\windows\cookies\default@fastclick[2].txt
NUL=c:\windows\cookies\default@tribalfusion[1].txt

---------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET CLASSPATH="C:\WINDOWS\SYSTEM\QTJava.zip"
SET QTJAVA="C:\WINDOWS\SYSTEM\QTJava.zip"

---------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

---------------------


Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

---------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

---------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37877.3481597222

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

---------------------
End of report, 6,390 bytes
Report generated in 0.123 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Response Number 1
Name: wawadave
Date: November 5, 2003 at 11:28:06 Pacific
Reply:

Hello
d/l Spybot Search and Destroy, update it, run it. d/l Ad-aware, do the same.
d/l Spybot here.
http://security.kolla.de/index.php?lang=en&page=download


0

Response Number 2
Name: ottawa066
Date: November 6, 2003 at 15:26:40 Pacific
Reply:

Thanks for the input.
I downloaded both ad-aware and Spybot, updated them, and ran them. Fixed what they found.
I have re-booted my computer several times, however, and the dial-up attempts still occur when I start the computer, and when I shut down.
(FYI, my Windows Update is not set for auto update verifications, and the problem occurs even if I turn off the auto-update for Norton Anti-Virus).
If you have other suggestions, I'd appreciate them.
Thank you in advance.


0

Response Number 3
Name: crazyspider
Date: November 7, 2003 at 21:41:22 Pacific
Reply:

It's probably Microsoft phoning home.
Download free firewall ZoneAlert from Zonelabs.com. It will display which program is dialing out and ask you if you want to allow that program to have internet access.
If it shows "Distributed COM Services" that is Microsoft.



0

Response Number 4
Name: ottawa066
Date: November 12, 2003 at 04:09:47 Pacific
Reply:

Thank you for your input.

I downloaded ZoneAlarm from Zonelabs, and installed it.
The information for the program that dials out is indicated below. The "More Info" button tells me that this is a Symantec application, but it could also be a Trojan virus disguised as CCAPP. Not sure how to proceed...

Application that attempts to dial out:
Common Client CCApp
Destination IP: 206.191.0.140:DNS
Application: CCAPP.exe
Version: 1.0.9.002


0
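
Added example (not part of any poster's reply, and not code from HijackThis or Symantec): Response 4 asks whether the CCAPP.exe flagged by the firewall is the Symantec file or something using its name. One check that can be made from the HijackThis log format posted above is whether every running copy of an image sits at the full path its autostart entry registers. The sample log and the function names `parse` and `check_image` are constructed for illustration.

```python
import re
from ntpath import basename, normcase  # Windows path rules on any OS

# Constructed sample in the format of the HijackThis log posted in this thread.
# The C:\WINDOWS\TEMP\CCAPP.exe line is invented to show a mismatch; it is not
# in the poster's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\ESSD.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\WINDOWS\TEMP\CCAPP.exe

F1 - win.ini: load=essspk.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
"""

PROC = re.compile(r"^[A-Za-z]:\\")
# F1/O4 lines: "<code> - <location>: [name] command" or "... key=command"
AUTO = re.compile(r"^(?:O4|F1) - [^:]+: (?:\[[^\]]*\] |[^=]*= ?)(.+)$")
EXE = re.compile(r'"?(.+?\.(?:exe|com|bat|dll))\b', re.I)

def parse(log):
    """Return (running process paths, autostart executables) from a log."""
    running, autostart, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and (not line or PROC.match(line)):
            if line:
                running.append(line)
            continue
        in_procs = False  # first non-path line ends the process list
        m = AUTO.match(line)
        if m:  # drop quotes and arguments, keep the executable
            exe = EXE.match(m.group(1))
            autostart.append(exe.group(1) if exe else m.group(1).split()[0])
    return running, autostart

def check_image(log, image):
    """Compare running copies of `image` with its registered autostart paths."""
    running, autostart = parse(log)
    want = image.lower()
    run = {normcase(p) for p in running if basename(p).lower() == want}
    auto = {normcase(p) for p in autostart if basename(p).lower() == want}
    registered = {p for p in auto if "\\" in p}  # bare names cannot be compared
    return {"running": sorted(run), "autostart": sorted(auto),
            "unexplained": sorted(run - registered)}
```

A path match only shows the process was started from the registered location, not that the file there is genuine. Autostart entries written with 8.3 short names such as PROGRA~1 will not match their long form in this comparison.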

Response Number 5
Name: Bob
Date: December 14, 2003 at 09:04:08 Pacific
Reply:

See http://service1.symantec.com/Support/nav.nsf/docid/2002012513283206

ccApp.exe is causing the dialing. Apparently it's trying to verify a security certificate. The solution is to go to Internet Explorer Tools-->Internet Options-->Advanced Options and disable the checks for Publisher Certificate revocation and Server Certificate Revocation.

Bob


0
