
Norman Malware Cleaner and W32/Liger [Moved]


This topic is locked
3 replies to this topic

#1 slider1

  • Members
  • 4 posts

Posted 21 July 2009 - 10:38 PM

OS: Windows XP pro SP3

I had an infection of Trojan.Win32.Patched.aa or W32/Liger which had infected services.exe, lsass.exe, winlogon.exe and svchost.exe. Most antivirus tools did not catch it and the only one that removed it was Norman Malware Cleaner. The problem is it must not have correctly disinfected those files. After the removal reboot I could not drag and drop files and programs would not minimize to the taskbar. My user account in Control Panel was blank, the extended Services applet did not work correctly and was blank, while the standard Services tab would show the services but right-clicking did nothing. Also, installing certain programs does not work, sometimes giving no error, while .vbs scripts give an access denied error.

I booted into another XP operating system on the same computer and replaced services.exe, lsass.exe, winlogon.exe and svchost.exe, and the problems with drag and drop, the taskbar, the blank user account and extended services, plus right-clicking in standard Services, were all gone, but the installation errors are still present. Also, Internet Explorer has restrictions placed on the Internet zone where I get an error that I cannot run ActiveX on my computer when I try to go to Windows Update. Changing settings in IE7 does not correct this problem and there are no settings in Group Policy that I can see that would create this restriction on my computer.

I tried to reinstall SP3 and install IE8 over IE7 but I get the error that the cryptographic service may not be started, when it is running in the Services applet. I tried running a .vbs script to fix cryptographic services that I got from Kelly's Korner but it gives an error on line 19: access denied, which is a command to delete catroot2. I have manually renamed catroot2 and run the commands to fix the cryptographic error but it made no difference to the installation errors.

I have a feeling that these errors are related and have something to do with permission settings in the registry and/or possibly a corrupt windows installer installation caused by removing the virus. None of these problems existed before the virus removal and any help is appreciated.

I have also run sfc /scannow and chkdsk and neither fixed the problem. I believe if I can get the installer working to where I can reinstall SP3 and install IE8 that these problems will be solved. I am running Windows XP Professional SP3.

Here is the log file for Norman Malware Cleaner:

Norman Malware Cleaner
Copyright 1990 - 2009, Norman ASA. Built 2009/07/16 17:43:13

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/07/16 17:43:13, Variants: 3525158

Scan started: 17/07/2009 21:53:35

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: UNKNOWN\Administrator

Set registry value: HKCR\txtfile\shell\open\command\ = "C:\WINDOWS\system32\Notepad2.exe %1" -> ""%WinDir%\NOTEPAD.EXE" %1"
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "C:\PROGRA~1\KASPER~1\Kaspersky Anti-Virus 2009\mzvkbd.dll,C:\PROGRA~1\KASPER~1\Kaspersky Anti-Virus 2009\mzvkbd3.dll" -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableTaskMgr = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Changed service configuration for "wuauserv" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Started service "wuauserv"
Changed service configuration for "Browser" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Started service "Browser"
Changed service configuration for "BITS" from 0x00000004 and 0x00000001 to 0x00000003 and 0xFFFFFFFF
Started service "BITS"


Scanning running processes and process memory...

C:\WINDOWS\system32\winlogon.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\services.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\lsass.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\svchost.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\svchost.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\System32\svchost.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\System32\svchost.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\System32\svchost.exe(968) (C:\WINDOWS\System32\svchost.exe!0x00000000) (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

Number of processes/threads found: 2468
Number of processes/threads scanned: 2455
Number of processes/threads not scanned: 13
Number of infected processes/threads terminated: 0
Total scanning time: 1m 28s


Scanning file system...

Scanning: C:\*.*

C:\Program Files\Nirsoft\iconsext.exe (Infected with W32/Delf.CWEB)
Deleted file

C:\Users\Administrator\Application Data\IDM\SmitfraudFix\Agent.OMZ.Fix.exe (Infected with W32/Agent.MIAF)
Deleted file

C:\Users\Administrator\Desktop\pokerstarsautoreg.exe (Infected with W32/Agent.NJRA)
Deleted file

C:\Users\Administrator\Desktop\GTA\N00bmodeV2.0\N00bmodeV2.0\installer_unpacked.exe (Infected with W32/Startpage.DVZ.dropper)
Deleted file

C:\Users\Administrator\My Documents\Downloads\Compressed\166343.rar/RR (Error whilst scanning file: I/O Error (0x00220000))

C:\WINDOWS\system32\Agent.OMZ.Fix.exe (Infected with W32/Agent.MIAF)
Deleted file

C:\WINDOWS\system32\FGCBA.exe (Infected with W32/Obfuscated.P2!genr)
Deleted file

C:\WINDOWS\system32\FGCBAHandler.exe (Infected with W32/Obfuscated.P2!genr)
Deleted file

C:\WINDOWS\system32\lsass.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\metapath.exe (Infected with W32/Obfuscated.H!genr)
Deleted file

C:\WINDOWS\system32\services.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\svchost.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\WINDOWS\system32\winlogon.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

Scanning: D:\*.*

D:\Program Files\AdvancedUninstaller\PopupHelp\ResultScan_AdvCheckListDeta-1.htm (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\HostsMan\readme.txt (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\NVIDIA Corporation\ForceWare\nStant Media\Common\Media\SpinnerLeftDisabled.bmp/content/contents.rdf (Error whilst scanning file: I/O Error (0x00220005))

D:\Program Files\RivaTuner v2.0 Final Release\Help\Databases\RivaTuner\ExtEscapeClockControl.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\Databases\RivaTuner\ExtEscapeColorControl.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\Databases\RivaTuner\HotKeyEmulationInterval.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\PatchScripts\DetonatorFXAntiprotection.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\PatchScripts\NV40BIOSHwUnitsMaskEliminator.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\PatchScripts\SoftFireGLAntiprotectionOGL.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\PatchScripts\SoftR9x00.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Help\Plugins\Monitoring\GPUProbe.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Localization\Rus\Help\PatchScripts\SoftFireGLAntiprotectionInstaller.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Localization\Rus\Help\PatchScripts\SoftFireGLAntiprotectionOGL.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Localization\Rus\Help\Plugins\Monitoring\GPUProbe.rth (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Localization\Rus\Translation\Plugins\Monitoring\LM63.dll\Internal (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Localization\Rus\Translation\Plugins\Monitoring\W83L785R.dll\Internal (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\PatchScripts\ATI\SoftFireGL\Unified\Antiprotection\FGLMax\Installer antiprotection.rts (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\Presets\NVIDIA\W9X\Games\Carmageddon 2000.rtp (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\RivaTuner v2.0 Final Release\SDK\Samples\Host\MonitoringHostSample\MonitoringHostSample.dsw (Error whilst scanning file: I/O Error (0x00000026))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-125/CMT (Error whilst scanning file: I/O Error (0x00220000))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-562/hiew_740.asc (Error whilst scanning file: I/O Error (0x00220005))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-645/CMT (Error whilst scanning file: I/O Error (0x00220000))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-869/PeToUSB.exe (Error whilst scanning file: I/O Error (0x00220005))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-873/hiew_740.asc (Error whilst scanning file: I/O Error (0x00220005))

D:\Program Files\SpywarePrograms\backups\backup-20070120-182824-879/CMT (Error whilst scanning file: I/O Error (0x00220000))

D:\Program Files\SpywarePrograms\backups\backup-20070120-183028-793/tutorial3.pdf (Error whilst scanning file: I/O Error (0x00220005))

D:\Program Files\SpywarePrograms\backups\backup-20070120-183028-807.inf/tutorial3.pdf (Error whilst scanning file: I/O Error (0x00220005))


Running post-scan cleanup routine:

Number of files found: 241925
Number of archives unpacked: 8753
Number of files scanned: 241897
Number of files not scanned: 28
Number of files skipped due to exclude list: 0
Number of infected files found: 8
Number of infected files repaired/deleted: 8
Number of infections removed: 8
Total scanning time: 1h 27m 59s
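The log above shows two different outcomes: ordinary malware files are "Deleted file", while the four core Windows binaries hit by W32/Patched.A are only "marked for defered repair (reboot required)", and the first post describes what an incomplete in-place repair of those binaries did to the system. The Python script below is an added example for this thread, not Norman's tooling or anything posted by the original poster. It parses this log format, tallies detections by name and action, flags core OS binaries that were left for deferred repair, and compares them by SHA-256 with same-named copies from a trusted install (the approach the poster took by booting a second XP installation). The log excerpt embedded in it is constructed to match the line shapes of the log above; `CRITICAL_SYSTEM_BINARIES` is simply the set of files named in the thread.

```python
"""Triage a Norman Malware Cleaner log: separate files that were deleted from
those only marked for deferred repair, and flag core Windows binaries in the
second group for a hash comparison against known-clean copies.

Added example for this forum thread; not Norman's code.
"""
import hashlib
import re
from collections import Counter
from pathlib import Path, PureWindowsPath

# The binaries W32/Patched.A had modified on the poster's machine. A patched
# system binary "repaired" in place, rather than restored from a clean copy,
# is the failure mode the first post describes.
CRITICAL_SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

DETECTION_RE = re.compile(r"^(?P<path>.+) \(Infected with (?P<name>[^()]+)\)$")
# Process-scan hits look like "...\svchost.exe(968) (...\svchost.exe!0x00000000)"
PROCESS_SUFFIX_RE = re.compile(r"\(\d+\) \(.*\)$")
DELETED = "Deleted file"
DEFERRED = "File marked for defered repair (reboot required)"  # Norman's own spelling

# Constructed excerpt in the same format as the log posted in the thread.
SAMPLE_LOG = """\
Scanning running processes and process memory...

C:\\WINDOWS\\system32\\winlogon.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\\WINDOWS\\System32\\svchost.exe(968) (C:\\WINDOWS\\System32\\svchost.exe!0x00000000) (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

Scanning file system...

C:\\Program Files\\Nirsoft\\iconsext.exe (Infected with W32/Delf.CWEB)
Deleted file

C:\\WINDOWS\\system32\\lsass.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\\WINDOWS\\system32\\winlogon.exe (Infected with W32/Patched.A)
File marked for defered repair (reboot required)

C:\\Users\\Administrator\\Downloads\\166343.rar/RR (Error whilst scanning file: I/O Error (0x00220000))
"""


def parse_norman_log(text):
    """Return [(path, detection_name, action)] with action one of
    'deleted', 'deferred_repair' or 'unknown' (no recognised action line).
    Scan-error lines carry no detection and are ignored."""
    findings = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            if pending:  # previous detection had no action line
                findings.append((*pending, "unknown"))
            path = PROCESS_SUFFIX_RE.sub("", m.group("path")).rstrip()
            pending = (path, m.group("name"))
            continue
        if pending and line in (DELETED, DEFERRED):
            findings.append((*pending, "deleted" if line == DELETED else "deferred_repair"))
            pending = None
    if pending:
        findings.append((*pending, "unknown"))
    return findings


def summarize(findings):
    """Counts keyed by (detection_name, action)."""
    return Counter((name, action) for _, name, action in findings)


def deferred_critical_binaries(findings):
    """Distinct core OS binaries that were only marked for in-place repair.
    De-duplicated case-insensitively, since the log mixes system32/System32."""
    seen = {}
    for path, _, action in findings:
        if action == "deferred_repair" and PureWindowsPath(path).name.lower() in CRITICAL_SYSTEM_BINARIES:
            seen.setdefault(path.lower(), path)
    return sorted(seen.values())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_clean_copies(suspect_paths, clean_dir):
    """Compare each flagged binary with the same-named file in clean_dir (copies
    taken from a trusted install). Returns {basename: 'match'|'mismatch'|'missing'}.
    Meant to be run on the affected Windows system."""
    verdicts = {}
    for p in suspect_paths:
        name = PureWindowsPath(p).name
        suspect, clean = Path(p), Path(clean_dir) / name
        if not (suspect.is_file() and clean.is_file()):
            verdicts[name] = "missing"
        else:
            verdicts[name] = "match" if sha256_file(suspect) == sha256_file(clean) else "mismatch"
    return verdicts


if __name__ == "__main__":
    found = parse_norman_log(SAMPLE_LOG)
    for (name, action), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {action:16s} {name}")
    print("Core binaries to hash-check against a clean install:")
    for p in deferred_critical_binaries(found):
        print("  ", p)
```

Run it against a real Norman log by replacing `SAMPLE_LOG` with the file's contents; anything listed under "Core binaries to hash-check" should be verified with `compare_with_clean_copies` (or replaced outright, as the poster did) rather than trusted after the deferred repair.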


#2 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,903 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 July 2009 - 11:57 PM

I'm moving this to the Am I Infected forum for you. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2009 - 12:23 AM

It appears you have a very badly damaged PC. I suspect many files were overwritten by the Dropper trojan and need to be replaced. I would say the two best courses here are the HJT forum or a format and reinstall. I will give you the HJT instructions, unless you want the other.

You will need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,903 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 22 July 2009 - 06:23 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/243511/norman-malware-cleaner-and-w32liger/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



