Trojan Vundo, popups, rootkit problem, have many popups, norton 360 won't open but still enabled


  • This topic is locked
34 replies to this topic

#1 srk_fan22

  • Members
  • 59 posts
  • OFFLINE
  • Local time:08:14 PM
Posted 04 January 2009 - 03:24 PM

a few days ago, while browsing online, an error message came up saying that norton has encountered an error and the computer must restart. so i restarted the computer and then when i opened up the internet, many popups came up (popups such as antivirus 2009 and ads to buy products) and i couldn't even navigate because the website would just change. there was also an icon of the red windows shield in the icon tray on the bottom right giving off notices that "___ virus has been encountered on your computer, click here to fix it", but i did NOT click there because i suspect it to be a component of antivirus 2009. also, there was a desktop shortcut about porn, and whenever i tried dragging it into the recycle bin, it kept on coming back. eventually, after 5 tries, it finally went away.
i got help in the 'am i infected? what do i do' forum. we did many scans, but the same 5 infections keep on coming up in mbam, and mbam will not update. here's a link to the thread:

http://www.bleepingcomputer.com/forums/t/190994/trojan-vundo-popups-antivirus-2009-windows-defender/

i was advised to post a log in this forum. here it is, and i really appreciate all the help. thank you so much:

DDS (Version 1.1.0) - NTFSx86
Run by Ownder at 15:13:18.71 on Sun 01/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.257 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ownder\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: malwarebytes.org\www
TCP: {B4558F38-30B6-4D76-A8C3-DF4CA4E9206B} = 207.172.3.8,207.172.3.9
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUlliFX

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-28 99376]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-12-28 1251720]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081230.004\NAVENG.SYS [2008-12-30 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081230.004\NAVEX15.SYS [2008-12-30 876112]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-03 22:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 22:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 22:10 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 15:30 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-03 15:25 --d----- c:\windows\ERUNT
2009-01-03 14:31 --d----- C:\SDFix
2008-12-31 02:06 679,591 a--sh--- c:\windows\system32\XFillUvw.ini2
2008-12-31 02:06 679,591 a--sh--- c:\windows\system32\XFillUvw.ini
2008-12-29 00:30 --d----- c:\docume~1\ownder\applic~1\Symantec
2008-12-28 22:14 706 a------- c:\windows\system32\drivers\COH_Mon.inf
2008-12-28 22:14 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys
2008-12-28 22:14 10,537 a------- c:\windows\system32\drivers\COH_Mon.cat
2008-12-28 21:17 --d----- c:\program files\Norton 360
2008-12-28 21:17 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-28 21:17 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-28 21:16 --d----- c:\program files\Symantec
2008-12-26 23:14 --d----- C:\fsaua.data
2008-12-26 13:34 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 13:34 --d----- c:\program files\SUPERAntiSpyware
2008-12-26 13:34 --d----- c:\docume~1\ownder\applic~1\SUPERAntiSpyware.com
2008-12-26 13:16 161,792 a------- c:\windows\SWREG.exe
2008-12-26 13:16 98,816 a------- c:\windows\sed.exe
2008-12-26 12:43 --d----- C:\VundoFix Backups
2008-12-26 01:14 --d----- c:\docume~1\ownder\applic~1\Malwarebytes
2008-12-26 01:14 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-06 18:39 7,552 ac------ c:\windows\system32\dllcache\sonypvu1.sys
2008-12-06 18:39 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS

==================== Find3M ====================

2008-12-28 21:35 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-28 21:35 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-04 17:06 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-08-31 08:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 15:14:02.98 ===============
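
A small triage script for the "Pseudo HJT Report" section of a DDS log, added here as an example; it is not part of this thread and not DDS code. It runs on a constructed sample in the same line format as the log above (the sample lines and the check names are assumptions) and flags the two things a helper looks at first in a log like this one: LSA Authentication Packages beyond the Windows XP default msv1_0 (the posted log lists an extra, extension-less file under system32, a persistence location that Vundo-family malware of this era used), and BHO/toolbar registrations whose file is gone ("No File"), which are leftovers to clean up rather than evidence of infection.

```python
"""Triage helpers for the "Pseudo HJT Report" section of a DDS log.

Added example (not part of the thread, not DDS code). It parses a
constructed sample in the same line format as the log posted above and flags:
  * LSA "Authentication Packages" entries beyond the Windows XP default
    (msv1_0); an extra, extension-less file under system32 there is a
    persistence location that Vundo-family malware of this era used, and
  * BHO / toolbar registrations whose file is gone ("No File"): leftovers
    of uninstalled software, worth cleaning but not evidence of infection.
"""
from typing import Dict, List, Tuple

# Constructed sample, modelled on a handful of entries from the posted log.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: NoExplorer - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\google toolbar\\GoogleToolbar.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\wvUlliFX

============= SERVICES / DRIVERS ===============
"""

# The only authentication package on a stock Windows XP system.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

Entry = Tuple[str, str]  # (kind such as "BHO", "mRun", "LSA"; rest of line)


def hjt_section(log: str) -> List[str]:
    """Return the non-empty lines between the Pseudo HJT header and the
    next '====' section header."""
    inside = False
    lines: List[str] = []
    for line in log.splitlines():
        if line.startswith("===="):
            if inside:
                break  # reached the next section
            inside = "Pseudo HJT Report" in line
            continue
        if inside and line.strip():
            lines.append(line.rstrip())
    return lines


def parse_entry(line: str) -> Entry:
    """Split 'KIND: rest'; lines with no kind prefix (e.g. uStart Page) get ''."""
    kind, sep, rest = line.partition(": ")
    return (kind, rest) if sep else ("", line)


def extra_auth_packages(entries: List[Entry]) -> List[str]:
    """Packages listed on the LSA line beyond the default set.

    DDS prints the packages space-separated, so a path containing a space
    would be split; the path in the posted log contains none.
    """
    extras: List[str] = []
    for kind, rest in entries:
        if kind == "LSA" and rest.startswith("Authentication Packages ="):
            value = rest.split("=", 1)[1]
            extras.extend(p for p in value.split()
                          if p.lower() not in DEFAULT_AUTH_PACKAGES)
    return extras


def has_no_extension(path: str) -> bool:
    """True when the last path component carries no file extension, as with
    the randomly named loader files these infections drop in system32."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." not in name


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Registrations (BHO, TB, IE, ...) whose backing file no longer exists."""
    return [(k, r) for k, r in entries if r.endswith("- No File")]


def triage(log: str) -> Dict[str, list]:
    """Run every check over one DDS log and collect the findings."""
    entries = [parse_entry(l) for l in hjt_section(log)]
    extras = extra_auth_packages(entries)
    return {
        "extra_auth_packages": extras,
        "extensionless_auth_packages": [p for p in extras if has_no_extension(p)],
        "orphaned": orphaned_entries(entries),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_DDS).items():
        print(f"{check}: {len(findings)}")
        for item in findings:
            print("   ", item)
```

Legitimate software (some VPN and network clients) also registers authentication packages, so an extra entry is a lead to verify against the file on disk, not a verdict on its own.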

#2 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:14 PM

Posted 11 January 2009 - 01:37 PM

Hello and welcome to BC forums.

As I'm sure you have noticed, the HJT forum is super-busy. If you still have issues, please do the following. And if you have resolved the problem, please reply to advise us of that.

Has Norton 360 always been installed on this system, since day 1? And why do I think you might only have had it installed in late December? And why did I not see it listed as active?

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member srk_fan22 only. If you are a lurker, do NOT try this on your system!
If you are not srk_fan22 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1638 or later.

When done, click the Scanner tab.
Do a Quick Scan. Let it quarantine or remove tagged items. Get a copy of that log in your next reply.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop!
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: ComboFix message]


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
[image: ComboFix message]
then be sure to write it down in full, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copies of the MBAM report,
and the C:\Combofix.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 11 January 2009 - 01:50 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 srk_fan22
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 12 January 2009 - 03:54 PM

Norton has been installed since day 1. When this problem occurred, I ran some antispywares/antimalwares, etc. and it seemed like the problem had gone away, but the Norton window would not open. so i reinstalled norton and it worked fine until i restarted my computer. the problem started again, so i asked for help. I'm not sure why it isn't active because I haven't turned it off or anything...in fact, the window will not even open

so while doing these scans, a few things happened. mbam would not update...a notice kept coming up saying 'make sure you are connected to the internet'. i have definitions up to 1616 of mbam. so i ran the scan without updating. also, while running combofix, it detected that norton 360 was active and told me to disable it. since the norton symbol isn't in the icon tray and the window would not open, i could not disable it. so i clicked exit, but then a window came up saying 'do you agree to these terms.' i clicked yes and combofix started (with norton still running). then the window came up asking if i wanted to install the windows recovery console. i clicked yes, but after about half of the procedure, it said it couldn't download all the files (even though i was properly connected to the internet) and aborted. so combofix continued without the install i believe. and i have its log here.

here is the mbam log, and i did reboot after the scan:

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/12/2009 4:31:26 PM
mbam-log-2009-01-12 (16-31-26).txt

Scan type: Quick Scan
Objects scanned: 57858
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ownder\Local Settings\temp\seneka2cb8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekakmpuxfuj.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekavrowprqr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekadsxmodlv.sys (Trojan.Agent) -> Quarantined and deleted successfully.


here is the combofix log:
ComboFix 09-01-11.04 - Ownder 2009-01-12 16:46:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.156 [GMT -5:00]
Running from: c:\documents and settings\Ownder\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\XFillUvw.ini
c:\windows\system32\XFillUvw.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-07 14:58 . 2009-01-07 14:58 <DIR> d-------- c:\program files\Viewpoint
2009-01-07 14:58 . 2009-01-07 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-07 14:56 . 2009-01-07 14:58 <DIR> d-------- c:\program files\AIM6
2009-01-07 13:38 . 2009-01-07 13:38 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-03 22:11 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 22:11 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-03 22:10 . 2009-01-12 16:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 15:30 . 2009-01-03 15:30 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-03 15:25 . 2009-01-03 15:25 <DIR> d-------- c:\windows\ERUNT
2009-01-03 14:31 . 2009-01-03 15:45 <DIR> d-------- C:\SDFix
2008-12-29 00:30 . 2008-12-29 00:30 <DIR> d-------- c:\documents and settings\Ownder\Application Data\Symantec
2008-12-28 22:14 . 2008-07-30 17:42 23,888 --a------ c:\windows\system32\drivers\COH_Mon.sys
2008-12-28 22:14 . 2008-07-30 17:28 10,537 --a------ c:\windows\system32\drivers\COH_Mon.cat
2008-12-28 22:14 . 2008-07-30 17:28 706 --a------ c:\windows\system32\drivers\COH_Mon.inf
2008-12-28 21:17 . 2008-12-31 01:22 <DIR> d-------- c:\program files\Norton 360
2008-12-28 21:17 . 2008-12-28 21:35 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-28 21:17 . 2008-12-28 21:35 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-28 21:16 . 2008-12-28 21:35 <DIR> d-------- c:\program files\Symantec
2008-12-26 23:14 . 2008-12-26 23:14 <DIR> d-------- C:\fsaua.data
2008-12-26 13:34 . 2009-01-03 14:32 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-26 13:34 . 2009-01-03 14:32 <DIR> d-------- c:\documents and settings\Ownder\Application Data\SUPERAntiSpyware.com
2008-12-26 13:34 . 2008-12-26 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-26 12:43 . 2008-12-26 12:43 <DIR> d-------- C:\VundoFix Backups
2008-12-26 01:14 . 2008-12-26 01:14 <DIR> d-------- c:\documents and settings\Ownder\Application Data\Malwarebytes
2008-12-26 01:14 . 2008-12-26 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 21:52 --------- d-----w c:\documents and settings\Ownder\Application Data\uTorrent
2009-01-11 21:25 --------- d-----w c:\documents and settings\Ownder\Application Data\LimeWire
2009-01-07 19:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-07 19:57 --------- d-----w c:\program files\Common Files\AOL
2008-12-31 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-31 06:41 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-29 05:32 --------- d-----w c:\program files\Panda Security
2008-12-29 02:35 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-29 02:35 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-26 05:37 --------- d-----w c:\program files\uTorrent
2008-12-25 07:14 --------- d-----w c:\program files\Google
2008-12-22 21:55 --------- d-----w c:\program files\LimeWire
2008-12-15 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-04 22:05 --------- d-----w c:\program files\Java
2008-11-24 21:44 --------- d-----w c:\program files\DivX
2008-08-31 13:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-26_13.28.29.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 15:39:58 128,256 ----a-w c:\windows\Downloaded Program Files\as2stubie.dll
+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
- 2008-04-06 03:15:56 38,428 ----a-w c:\windows\Downloaded Program Files\unagiuninst.exe
+ 2009-01-07 19:58:19 38,428 ----a-w c:\windows\Downloaded Program Files\unagiuninst.exe
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-03 20:26:23 4,136,960 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-01-03 20:26:23 188,416 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-03 20:25:52 4,136,960 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-01-03 20:25:53 188,416 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-06 20:30:48 202,168 ----a-w c:\windows\system32\Adobe\Director\swdir.dll
+ 2009-01-06 22:14:08 202,168 ----a-w c:\windows\system32\Adobe\Director\swdir.dll
- 2008-08-06 20:31:08 67,000 ----a-w c:\windows\system32\Adobe\Director\SwDnld.exe
+ 2009-01-06 22:14:28 67,000 ----a-w c:\windows\system32\Adobe\Director\SwDnld.exe
- 2008-08-31 13:13:32 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-11 17:55:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-08-31 13:13:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-11 17:55:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-31 07:20:25 78,924 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
- 2008-08-31 13:13:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-11 17:55:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-01 03:57:12 279,088 ----a-w c:\windows\system32\drivers\srtsp.sys
+ 2007-12-01 04:57:12 279,088 ----a-w c:\windows\system32\drivers\srtsp.sys
- 2007-12-01 03:57:12 317,616 ----a-w c:\windows\system32\drivers\srtspl.sys
+ 2007-12-01 04:57:12 317,616 ----a-w c:\windows\system32\drivers\srtspl.sys
- 2007-12-01 03:57:12 43,696 ----a-w c:\windows\system32\drivers\srtspx.sys
+ 2007-12-01 04:57:12 43,696 ----a-w c:\windows\system32\drivers\srtspx.sys
- 2007-07-17 16:21:38 186,256 ----a-w c:\windows\system32\SymNPPWA.dll
+ 2007-07-17 17:21:38 186,256 ----a-w c:\windows\system32\SymNPPWA.dll
+ 2009-01-12 21:51:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_280.dat
+ 2009-01-12 21:51:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-12-29 270128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-16 245760]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 19:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-28 99376]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-01-07 24652]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: www.malwarebytes.org
TCP: {B4558F38-30B6-4D76-A8C3-DF4CA4E9206B} = 207.172.3.8,207.172.3.9
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 16:52:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-12 16:56:14 - machine was rebooted [Ownder]
ComboFix-quarantined-files.txt 2009-01-12 21:56:07
ComboFix2.txt 2008-12-26 18:29:12

Pre-Run: 28,061,384,704 bytes free
Post-Run: 27,955,060,736 bytes free

237 --- E O F --- 2008-12-18 05:53:10

Edited by srk_fan22, 12 January 2009 - 05:04 PM.


#4 Maurice Naggar
Posted 12 January 2009 - 05:02 PM

Would you kindly advise me if you have started on the steps I outlined in my prior reply?
If not, then kindly do so, so that we can get going.

Is the presence or non-presence of Norton keeping you from doing that?

As a sidenote, providing one had the setup module for Norton saved in a safe place...
then I would have de-installed Norton, rebooted one time, run Norton setup, and then rebooted again for a fresh start.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 srk_fan22
Posted 12 January 2009 - 05:22 PM

i have done the steps and posted the logs, etc. in my above post. also, those are the steps i did when i re-installed norton. should i uninstall norton again and not reinstall it?

#6 Maurice Naggar
Posted 12 January 2009 - 06:05 PM

No, do not make changes as regards your Norton.

Regarding MBAM: It is updated very frequently. I'd like for you to do one more scan with it but only after updating MBAM.
Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 1647 or later.

When done, click the Scanner tab.
Do a Quick Scan. Let it quarantine or remove tagged items, although it should find nothing new. Get a copy of that log in your next reply.

Meantime, I'll be reviewing your last logs. We are not done yet.

~~ Added note ~~
I do not recommend having peer-to-peer filesharing apps, like uTorrent & LimeWire, while we attempt to remove malware.
Using Add-or-Remove Programs in Control Panel, un-install uTorrent & LimeWire and confirm when that's done.
Torrent-filesharing is an open avenue for spreading of malware, however un-intentional on your part.

Edited by Maurice Naggar, 12 January 2009 - 06:13 PM.


#7 srk_fan22
Posted 12 January 2009 - 10:48 PM

i've uninstalled limewire and utorrent. but i can't update mbam. i click on 'check for updates' and an error message pops up saying 'update failed. please make sure you are connected to the internet and your firewall is set to allow malwarebytes' anti-malware to access the internet.' i am definitely properly connected to the internet and i even tried turning off my windows firewall for a second, but it won't update. maybe norton is stopping it from accessing the internet? but i have no idea

and thanks for all your help so far. really appreciate it

#8 Maurice Naggar
Posted 13 January 2009 - 07:13 AM

Give this a try. Start MBAM. Click on Updates Tab. Look at section titled Update mirror.
Look at the drop down list. There are 2 mirrors. Try them both to see which works, by clicking down arrow and selecting:
either Securitywonks.net
or Malwarebytes.org

and then click the Check for Updates button.

#9 srk_fan22
Posted 13 January 2009 - 04:16 PM

it won't work with either one

#10 Maurice Naggar
Posted 13 January 2009 - 05:05 PM

On the Notification area (by the system clock), do a Right Click on any unused spot (in between any icons is fine --- just a blank spot). Then select Properties. In the popup window-dialog, be sure that "Hide inactive icons" is un-checked. Click Apply/OK.

That should ensure that icons for startup programs are shown there. It makes it easier to see your AV & firewall.


You had previously gotten the DDS utility and it should be on your Desktop.

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt


Download Security Check by screen317 and save it to your Desktop.
  • Unzip SecurityCheck.zip and a folder named Security Check should appear.
  • Open the Security Check folder and double-click Security Check.bat
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log too, shortly.
Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.

In your next reply, put copies of DDS.txt, Attach.txt, & Checkup.txt
These will help us to see what's on selected areas of the system.

#11 srk_fan22
Posted 13 January 2009 - 05:35 PM

when i unchecked the box for hide inactive icons, the norton icon still doesn't show up. the icons didn't change at all.

so here's DDS.txt:

DDS (Version 1.1.0) - NTFSx86
Run by Ownder at 17:26:34.71 on Tue 01/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.209 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ownder\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: malwarebytes.org\www
TCP: {B4558F38-30B6-4D76-A8C3-DF4CA4E9206B} = 207.172.3.8,207.172.3.9
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-28 99376]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-12-28 1251720]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-7 24652]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081230.004\NAVENG.SYS [2008-12-30 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081230.004\NAVEX15.SYS [2008-12-30 876112]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-12 16:44 161,792 a------- c:\windows\SWREG.exe
2009-01-12 16:44 98,816 a------- c:\windows\sed.exe
2009-01-07 14:58 <DIR> --d----- c:\program files\Viewpoint
2009-01-07 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-01-07 14:56 <DIR> --d----- c:\program files\AIM6
2009-01-07 13:38 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-03 22:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 22:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 22:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 15:30 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-03 15:25 <DIR> --d----- c:\windows\ERUNT
2009-01-03 14:31 <DIR> --d----- C:\SDFix
2008-12-29 00:30 <DIR> --d----- c:\docume~1\ownder\applic~1\Symantec
2008-12-28 22:14 706 a------- c:\windows\system32\drivers\COH_Mon.inf
2008-12-28 22:14 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys
2008-12-28 22:14 10,537 a------- c:\windows\system32\drivers\COH_Mon.cat
2008-12-28 21:17 <DIR> --d----- c:\program files\Norton 360
2008-12-28 21:17 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-28 21:17 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-28 21:16 <DIR> --d----- c:\program files\Symantec
2008-12-26 23:14 <DIR> --d----- C:\fsaua.data
2008-12-26 13:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-26 13:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-26 13:34 <DIR> --d----- c:\docume~1\ownder\applic~1\SUPERAntiSpyware.com
2008-12-26 12:43 <DIR> --d----- C:\VundoFix Backups
2008-12-26 01:14 <DIR> --d----- c:\docume~1\ownder\applic~1\Malwarebytes
2008-12-26 01:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-28 21:35 10,671 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-28 21:35 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-04 17:06 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-08-31 08:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 17:27:03.75 ===============


Here's Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/2/2008 9:26:22 PM
System Uptime: 1/13/2009 4:11:28 PM (1 hours ago)
Processor: Intel® Pentium® M processor 1.86GHz | N/A | 1862/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 87 GiB total, 25.964 GiB free.
D: is Removable
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP33: 12/31/2008 2:06:16 AM - System Checkpoint
RP34: 12/31/2008 2:06:16 AM - System Checkpoint
RP35: 12/31/2008 2:06:17 AM - System Checkpoint
RP36: 12/31/2008 2:06:17 AM - System Checkpoint
RP37: 12/31/2008 2:06:17 AM - System Checkpoint
RP38: 12/31/2008 2:06:17 AM - System Checkpoint
RP39: 12/31/2008 2:06:17 AM - System Checkpoint
RP40: 12/31/2008 2:06:17 AM - System Checkpoint
RP41: 12/31/2008 2:06:17 AM - System Checkpoint
RP42: 12/31/2008 2:06:18 AM - Software Distribution Service 3.0
RP43: 12/31/2008 2:06:18 AM - System Checkpoint
RP44: 12/31/2008 2:06:18 AM - System Checkpoint
RP45: 12/31/2008 2:06:18 AM - System Checkpoint
RP46: 12/31/2008 2:06:18 AM - Installed MGTEK dopisp
RP47: 12/31/2008 2:06:18 AM - Software Distribution Service 3.0
RP48: 12/31/2008 2:06:18 AM - System Checkpoint
RP49: 12/31/2008 2:06:19 AM - System Checkpoint
RP50: 12/31/2008 2:06:19 AM - System Checkpoint
RP51: 12/31/2008 2:06:19 AM - System Checkpoint
RP52: 12/31/2008 2:06:19 AM - System Checkpoint
RP53: 12/31/2008 2:06:19 AM - System Checkpoint
RP54: 12/31/2008 2:06:19 AM - System Checkpoint
RP55: 12/31/2008 2:06:19 AM - Removed MGTEK dopisp
RP56: 12/31/2008 2:06:20 AM - System Checkpoint
RP57: 12/31/2008 2:06:20 AM - System Checkpoint
RP58: 12/31/2008 2:06:20 AM - System Checkpoint
RP59: 12/31/2008 2:06:20 AM - Software Distribution Service 3.0
RP60: 12/31/2008 2:06:20 AM - System Checkpoint
RP61: 12/31/2008 2:06:21 AM - System Checkpoint
RP62: 12/31/2008 2:06:21 AM - System Checkpoint
RP63: 12/31/2008 2:06:21 AM - System Checkpoint
RP64: 12/31/2008 2:06:21 AM - System Checkpoint
RP65: 12/31/2008 2:06:21 AM - System Checkpoint
RP66: 12/31/2008 2:06:22 AM - System Checkpoint
RP67: 12/31/2008 2:06:22 AM - Installed Java™ 6 Update 10
RP68: 12/31/2008 2:06:22 AM - System Checkpoint
RP69: 12/31/2008 2:06:22 AM - System Checkpoint
RP70: 12/31/2008 2:06:22 AM - Software Distribution Service 3.0
RP71: 12/31/2008 2:06:22 AM - System Checkpoint
RP72: 12/31/2008 2:06:23 AM - Software Distribution Service 3.0
RP73: 12/31/2008 2:06:23 AM - Software Distribution Service 3.0
RP74: 12/31/2008 2:06:23 AM - System Checkpoint
RP75: 12/31/2008 2:06:23 AM - Software Distribution Service 3.0
RP76: 12/31/2008 2:06:23 AM - System Checkpoint
RP77: 12/31/2008 2:06:24 AM - System Checkpoint
RP78: 12/31/2008 2:06:25 AM - System Checkpoint
RP79: 12/31/2008 2:06:25 AM - System Checkpoint
RP80: 12/31/2008 2:06:25 AM - System Checkpoint
RP81: 12/31/2008 2:06:25 AM - System Checkpoint
RP82: 12/31/2008 2:06:26 AM - ComboFix created restore point
RP83: 12/31/2008 2:06:26 AM - Installed SUPERAntiSpyware Free Edition
RP84: 12/31/2008 2:06:26 AM - System Checkpoint
RP85: 12/31/2008 2:06:26 AM - System Checkpoint
RP86: 12/31/2008 2:06:26 AM - Removed SUPERAntiSpyware Free Edition
RP87: 12/31/2008 2:06:27 AM - System Checkpoint
RP88: 1/12/2009 4:45:05 PM - ComboFix created restore point
RP89: 1/13/2009 5:00:19 PM - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Active@ ISO Burner v 1.1
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
AIM 6
AppCore
Apple Mobile Device Support
Apple Software Update
AV
Bonjour
ccCommon
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4.10
CONNECT
Defraggler (remove only)
DivX Web Player
DVgate Plus
EPSON CX 3800 Guide
EPSON Printer Software
EPSON Scan
GearDrvs
Google Toolbar for Internet Explorer
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Image Converter 2
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for VAIO
InterVideo WinDVDX
ISScript
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 10
Java™ 6 Update 7
LAN-Express AS IEEE 802.11 Wireless LAN
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Magic ISO Maker v5.4 (build 0256)
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Web Components
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft XML Parser
mMHouse
MoodLogic
Move Networks Media Player for Internet Explorer
Mozilla ActiveX Control v1.7.12
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Nero 8 Trial
neroxml
Netscape Internet Service Setup
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
OpenMG Secure Module 4.2.00
Quicken 2005
QuickTime
Realtek High Definition Audio Driver
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Setting Utility Series
SonicStage 3.2
SonicStage Mastering Studio Audio Filter Custom Preset
Sony Certificate PCH
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
SPBBC 32bit
SuppSoft
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Launcher
VAIO Light Flo Wallpaper
VAIO Long Battery Life Wallpaper
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.2
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Scene SD Wide Contents
VAIO Power Management
VAIO Registration
VAIO Support Central
VAIO Survey Standalone
VAIO TV Tuner Library 1.4
VAIO Update 2
VAIO Wireless Utility
VAIO Zone
VAIO Zone Remote Commander
VCRedistSetup
Videora iPod Converter 3.07
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Install Manager
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

1/7/2009 1:24:36 PM, error: System Error [1003] - Error code 100000d1, parameter1 e25e1000, parameter2 00000002, parameter3 00000000, parameter4 aaa41d50.
1/12/2009 4:33:26 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

==== End Of File ===========================


and here's Checkup.txt

Results of screen317's Security Check version 0.97.6.9
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Antivirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 2 seconds.
`````````End of Log```````````

#12 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:14 PM

Posted 13 January 2009 - 05:52 PM

Go to Control Panel > Security Center.
What does it show for AV & firewall status?

It should show Norton360 being on.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:14 PM

Posted 13 January 2009 - 06:37 PM

There's a malicious DLL needing removal, ffkuz.dll, which is a component of Trojan-Downloader.Win32.Murlo.
I also want to check on possible remnants of "seneka".

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\ffkuz.dll
    C:\WINDOWS\system32\drivers\seneka.sys 
    C:\WINDOWS\system32\seneka.sys
    C:\WINDOWS\pcload.exe
    C:\WINDOWS\system32\pcload.exe
    
    Folders to delete:
    C:\resycled
    D:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    h:\resycled
    i:\resycled
    
    Drivers to delete:
    Service_seneka
    seneka
    clbdriver
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found, so do not worry. Hopefully enough of them will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Make sure the system is restarted fresh, at least one time. Then, reply with a copy of C:\Avenger.txt
and then later, try the MBAM update once more, and if it succeeds, we want a FULL Scan with MBAM, plus that log.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 srk_fan22

srk_fan22
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 13 January 2009 - 08:19 PM

Go to Control Panel > Security Center.
What does it show for AV & firewall status?

It should show Norton360 being on.


For firewall it says that "norton 360 is currently on. a firewall helps protect your computer against viruses". For antivirus, it says that "norton 360 reports that it is up to date and virus scanning is on. antivirus software helps protect your computer".
And for the following steps, I don't know how to disable Norton 360, so I will just follow them without disabling it.

Edited by srk_fan22, 13 January 2009 - 08:24 PM.


#15 srk_fan22

srk_fan22
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 13 January 2009 - 08:37 PM

So I tried updating MBAM after everything, and it still wouldn't update (maybe Norton is interfering? But I don't know how to disable it because the icon isn't in the tray and its window won't open). But here's avenger.txt, and the computer rebooted twice (like you said, because of the drivers):

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\ffkuz.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\seneka.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\seneka.sys" not found!
Deletion of file "C:\WINDOWS\system32\seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\pcload.exe" not found!
Deletion of file "C:\WINDOWS\pcload.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\pcload.exe" not found!
Deletion of file "C:\WINDOWS\system32\pcload.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\resycled" not found!
Deletion of folder "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "D:\resycled"
Deletion of folder "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "e:\resycled"
Deletion of folder "e:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\resycled"
Deletion of folder "f:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\resycled"
Deletion of folder "g:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\resycled"
Deletion of folder "h:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "i:\resycled"
Deletion of folder "i:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_seneka" not found!
Deletion of driver "Service_seneka" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\seneka" not found!
Deletion of driver "seneka" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\clbdriver" not found!
Deletion of driver "clbdriver" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
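As an added example, not part of this thread and not a tool from The Avenger's author, here is a small Python parser for an Avenger log in the line format posted above. It answers the question Maurice's "not all the items will be found" note raises: which script items were actually removed, which were simply absent (STATUS_OBJECT_NAME_NOT_FOUND / STATUS_OBJECT_PATH_NOT_FOUND, nothing to clean), and which are still present but could not be deleted and so deserve a closer look. The sample log is a constructed excerpt; the success-line form for folders and drivers and the STATUS_ACCESS_DENIED entry are assumptions, not taken from the posted log.

```python
import re

# Constructed excerpt of an Avenger 2.0 log in the line format of the thread's
# posted log ("Error:" and "-->" lines are informational and are skipped).
SAMPLE_LOG = r"""
File "c:\windows\system32\ffkuz.dll" deleted successfully.
Error: file "C:\WINDOWS\system32\seneka.sys" not found!
Deletion of file "C:\WINDOWS\system32\seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Deletion of folder "D:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of file "C:\WINDOWS\locked.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
"""

# Success form for Folder/Driver is assumed to mirror the File line on the page.
SUCCESS_RE = re.compile(r'^(File|Folder|Driver) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (file|folder|driver) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]{8}) \((STATUS_\w+)\)$')
ABSENT = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}

def parse_avenger_log(text):
    """Return one dict per script item: kind, target, deleted, status."""
    results, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUCCESS_RE.match(line):
            results.append({"kind": m[1].lower(), "target": m[2], "deleted": True, "status": None})
        elif m := FAILED_RE.match(line):
            pending = {"kind": m[1], "target": m[2], "deleted": False, "status": None}
            results.append(pending)
        elif pending and (m := STATUS_RE.match(line)):
            pending["status"] = m[2]   # NTSTATUS name explaining the failure
            pending = None
    return results

def triage(results):
    """Bucket: removed / absent (nothing to clean) / needs_attention (still present)."""
    buckets = {"removed": [], "absent": [], "needs_attention": []}
    for r in results:
        if r["deleted"]:
            buckets["removed"].append(r["target"])
        elif r["status"] in ABSENT:
            buckets["absent"].append(r["target"])
        else:
            buckets["needs_attention"].append(r["target"])
    return buckets
```

Run `triage(parse_avenger_log(open("C:/avenger.txt").read()))` against a real log to get the three lists instead of reading a few hundred lines by eye.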



