Packed.Generic.200 - Again


This topic is locked.
16 replies to this topic

#1 gouldluc, posted 13 July 2009 - 08:46 PM

Hello, 2 months ago Norton anti-virus reported that it could not remove the Packed.Generic.200 from my PC. The PC slowed to a crawl and I could not run virus or spyware scans. I had Symantec remove the virus and it cost me $100.

A week or so ago, I upgraded to Norton 360 Premier and it has started to report the same virus, only this time I'm not experiencing any problems with the PC. I ran Malwarebytes and it did find and remove a trojan. Subsequent scans with Malwarebytes and Norton have not found anything, but the Norton alert keeps popping up. The alert shows one registry entry and 31 files being affected. One of the files begins with "globalroot\systemroot\"

Any suggestions?


#2 D_N_M, posted 13 July 2009 - 09:15 PM

Hello gouldluc
Welcome to bleeping computer.
Please try and run this scan for me: http://www.superantispyware.com/
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#3 boopme (Global Moderator), posted 13 July 2009 - 09:40 PM

Hello, could you post the infected MBAM (Malwarebytes) log? It would be helpful to know what was here so we can tell what to run next.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log, including the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 gouldluc (Topic Starter), posted 14 July 2009 - 05:17 PM

Sorry it took me so long to post these.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2009 at 07:28 AM

Application Version : 4.26.1006

Core Rules Database Version : 3992
Trace Rules Database Version: 1932

Scan type : Complete Scan
Total Scan Time : 01:30:06

Memory items scanned : 261
Memory threats detected : 0
Registry items scanned : 5379
Registry threats detected : 0
File items scanned : 126210
File threats detected : 1

Trojan.Agent/Gen-PEC
C:\WINDOWS\PEV.EXE

************************************************

Malwarebytes' Anti-Malware 1.39
Database version: 2431
Windows 5.1.2600 Service Pack 3

7/14/2009 6:08:57 PM
mbam-log-2009-07-14 (18-08-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 286388
Time elapsed: 25 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme (Global Moderator), posted 14 July 2009 - 10:17 PM

When Norton finds this...Packed.Generic.200
Where does it say it is? C:\...?

#6 gouldluc (Topic Starter), posted 15 July 2009 - 05:32 AM

Norton says that 31 files are affected, the first one listed is:

globalroot\systemroot\system32\uacawktbqxodvpqulx.dll.

The rest are located in the c:\documents and settings\ .... directories

#7 boopme (Global Moderator), posted 15 July 2009 - 09:19 AM

OK, thanks. This is a rootkit.

Next Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed: L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#8 gouldluc (Topic Starter), posted 15 July 2009 - 05:13 PM

Here's the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 17:58
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA907B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7657000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7419000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\mrcframework\common.dat
Status: Size mismatch (API: 1763328, Raw: 1762304)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a82fe30

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a831910

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a2f4868

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a7fee30

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a4965a8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa964d040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a37d550

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a38ad68

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a8692e0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a7e8828

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa964d2c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa964d820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a37cf40

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a2cf9e0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a7fc440

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a82a388

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a426500

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a870458

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a802528

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a316ca0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a78e4f8

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a811550

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a30f770

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a382e80

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a78f698

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a78bd00

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a2cec00

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a7ea6e0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa964da70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a8006b0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a8382c8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa93d5df0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a77fd10

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a78e1c8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a2d0c70

==EOF==

#9 boopme (Global Moderator), posted 15 July 2009 - 07:59 PM

It looks like it was picked up. How is it running now?

#10 gouldluc (Topic Starter), posted 16 July 2009 - 08:30 AM

The PC seems to be running fine but Norton is still complaining about packed.generic.200 and the 31 files being affected.

#11 boopme (Global Moderator), posted 17 July 2009 - 08:59 PM

Hello, I almost lost you. Where is Norton saying it is? In C:\XXXXXXXXXXXXX or perhaps a Restore file?

#12 gouldluc (Topic Starter), posted 18 July 2009 - 03:20 PM

Norton still shows this file being affected:

globalroot\systemroot\system32\uacawktbqxodvpqulx.dll

and also:

c:\documents and settings\r&c\local settings\application data\microsoft\internet explorer\recovery\actice

c:\documents and settings\r&c\local settings\application data\microsoft\internet explorer\recovery\last actice

c:\documents and settings\r&c\local settings\application data\microsoft\internet explorer\recovery

c:\documents and settings\r&c\local settings\application data\microsoft\internet explore\services

c:\documents and settings\r&c\local settings\application data\microsoft\internet explorer

c:\documents and settings\r&c\local settings\application data\microsoft\cd burning

c:\documents and settings\r&c\local settings\application data\microsoft\credentials\s-1-5-21-725345543-1425521274-2147061141-1003

c:\documents and settings\r&c\local settings\application data\microsoft\credentials

c:\documents and settings\r&c\local settings\application data\microsoft\feeds~

and many others, 34 files altogether. Norton is not letting me cut and paste them. I can type in the rest if you need them.

#13 boopme (Global Moderator), posted 19 July 2009 - 03:00 PM

Please re-run RootRepeal.
Run RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High


Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


#14 gouldluc (Topic Starter), posted 19 July 2009 - 08:46 PM

Here's the RootRepeal scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 17:08
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8FB1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF799D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7840000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7419000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\r&c\local settings\temp\etilqs_6mumt6qjd27akrqhrxfm
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\backup\0\onlinebackup.srt
Status: Allocation size mismatch (API: 104923136, Raw: 104792064)

Path: c:\documents and settings\r&c\application data\thunderbird\profiles\00phyqmq.default\mail\pop3.mail.wowway.com\junk.msf
Status: Size mismatch (API: 3255, Raw: 3159)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a7b8a48

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a826e08

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3de128

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a98c0a8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a56f300

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94e3040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a954f00

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x89669008

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a82c400

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a762558

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94e32c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94e3820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x898fb1b0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89990130

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a7d2c68

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a7d3e98

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a494618

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a989a18

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a7ddf40

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a3fb0a8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a7f8890

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a470320

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8993c128

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x896540f0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a80b570

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a80e828

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a477250

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a33f320

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94e3a70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89827dd8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a7fd2a8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa935bdf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a80f008

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a7ff890

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a7dd188

==EOF==
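To make the two RootRepeal logs in this thread (posts #8 and #14) and the Norton path list in post #12 easier to reason about, here is a small triage script. It is an added example for this thread, not code from BleepingComputer, RootRepeal or Symantec. It parses the Drivers, Hidden/Locked Files and SSDT sections, groups hooked SSDT entries by the module RootRepeal named (SYMEVENT.SYS, SASKUTIL.sys or `<unknown>`, the label for hooks RootRepeal could not attribute to a module), tries to attribute `<unknown>` hook addresses to a driver image range from the Drivers table (my heuristic, not something RootRepeal does), and translates the `globalroot\systemroot\...` path from the Norton alert into the Win32 path so it can be compared with what RootRepeal reported as hidden. Assumptions: the embedded log is the poster's 19 July log trimmed to a few entries, the three alert paths are copied from post #12, and SystemRoot is C:\WINDOWS as the driver paths in the log show.

```python
import re
from collections import defaultdict

# Excerpt of the RootRepeal log posted on 19 July 2009 (post #14), trimmed to
# one driver, two hidden-file entries and three SSDT entries.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/19 17:08
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7840000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\r&c\local settings\temp\etilqs_6mumt6qjd27akrqhrxfm
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94e3040

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a82c400

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa935bdf0

==EOF==
"""

# Three of the paths the poster typed out from the Norton alert (post #12).
NORTON_ALERT_PATHS = [
    r"globalroot\systemroot\system32\uacawktbqxodvpqulx.dll",
    r"c:\documents and settings\r&c\local settings\application data\microsoft\internet explorer\recovery",
    r"c:\documents and settings\r&c\local settings\application data\microsoft\credentials",
]

DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+?)[ \t]*\nImage Path: (?P<path>.+?)[ \t]*\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)", re.MULTILINE)
HIDDEN_RE = re.compile(
    r"^Path: (?P<path>.+?)[ \t]*\nStatus: (?P<status>.+?)[ \t]*$", re.MULTILINE)
SSDT_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<func>\w+)[ \t]*\n'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)',
    re.MULTILINE)


def parse_drivers(log):
    """Drivers section: name, image path and the [base, base+size) image range."""
    return [dict(name=m["name"], path=m["path"], base=int(m["addr"], 16),
                 size=int(m["size"])) for m in DRIVER_RE.finditer(log)]


def parse_hidden_files(log):
    """Hidden/Locked Files section as (path, status) pairs."""
    return [(m["path"], m["status"]) for m in HIDDEN_RE.finditer(log)]


def parse_ssdt(log):
    """SSDT section: service index, function, module RootRepeal named, hook address."""
    return [dict(index=int(m["index"]), func=m["func"], module=m["module"],
                 addr=int(m["addr"], 16)) for m in SSDT_RE.finditer(log)]


def driver_containing(addr, drivers):
    """Name of the driver whose image range covers addr, or None (heuristic)."""
    for d in drivers:
        if d["base"] <= addr < d["base"] + d["size"]:
            return d["name"]
    return None


def hooks_by_module(hooks, drivers):
    """Group hooked functions by owner; '<unknown>' hooks are re-attributed to a
    listed driver when the hook address falls inside that driver's image."""
    grouped = defaultdict(list)
    for h in hooks:
        owner = h["module"]
        if owner == "<unknown>":
            owner = driver_containing(h["addr"], drivers) or "<unknown>"
        grouped[owner].append(h["func"])
    return {owner: sorted(funcs) for owner, funcs in grouped.items()}


def normalize_nt_path(path, system_root=r"C:\WINDOWS"):
    """Turn an object-manager style path as shown in the Norton alert
    (globalroot\systemroot\..., \??\C:\...) into the Win32 path a user can look at.
    system_root defaults to C:\WINDOWS, which is what this poster's log shows."""
    p = path.replace("/", "\\")
    low = p.lower()
    # Escaped literals: \\?\globalroot\  \\.\globalroot\  globalroot\  \??\
    for prefix in ("\\\\?\\globalroot\\", "\\\\.\\globalroot\\", "globalroot\\", "\\??\\"):
        if low.startswith(prefix):
            p = p[len(prefix):]
            break
    p = p.lstrip("\\")
    if p.lower().startswith("systemroot\\"):
        p = system_root + p[len("systemroot"):]
    return p


def unexplained_alerts(alert_paths, hidden_files):
    """Normalized alert paths that RootRepeal's hidden/locked list does not cover:
    the two scanners disagree about these files, which is what needs locating."""
    hidden = {normalize_nt_path(p).lower() for p, _ in hidden_files}
    return [normalize_nt_path(p) for p in alert_paths
            if normalize_nt_path(p).lower() not in hidden]


if __name__ == "__main__":
    drivers = parse_drivers(SAMPLE_LOG)
    for owner, funcs in sorted(hooks_by_module(parse_ssdt(SAMPLE_LOG), drivers).items()):
        print(f"{owner}: {', '.join(funcs)}")
    for p in unexplained_alerts(NORTON_ALERT_PATHS, parse_hidden_files(SAMPLE_LOG)):
        print("Norton-only:", p)
```

Grouping hooks by owner is only the first sorting step: a hook attributed to a security product's own driver is expected, while a hook that no listed driver image accounts for is what deserves a closer look. It does not by itself say whether any hook is malicious; in this thread the moderator read both logs as clean. The path comparison shows the other half of the puzzle the moderator kept asking about: a file Norton reports under the object-manager `globalroot` name that a rootkit scanner does not list as hidden still has to be located by its normal Win32 path (or in a restore point) before anyone can say what to run against it.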

#15 boopme (Global Moderator), posted 19 July 2009 - 11:19 PM

That looks good. Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.