Google Redirect and Symantec Antiviru Auto-Protec disabled


  • This topic is locked
1 reply to this topic

#1 BWE007

  • Members
  • 11 posts
  • Gender:Male

Posted 20 October 2009 - 02:14 PM

I recently read a dialog b/n Wildzero and Propoganda Panda about a similar problem I am having. Google searches are redirecting me to odd URLs and every time I turn my computer on it reads "Symantec Antivirus auto-protect is disabled". This problem has been ongoing for about a month and I cannot get it fixed. Please advise.

I ran ComboFix (log listed below) and also a GMER scan.

ComboFix 09-10-19.04 - bryan 10/20/2009 11:30.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.1982.1186 [GMT -5:00]
Running from: c:\users\bryan\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1610636702-4082516404-212443532-1001
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\program files\INSTALL.LOG
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\oem12.inf
c:\windows\system32\oem4.inf

----- BITS: Possible infected sites -----

hxxp://wrlad01:8530
.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-20 16:37 . 2009-10-20 16:37 -------- d-----w- c:\users\Test\AppData\Local\temp
2009-10-20 16:37 . 2009-10-20 16:37 -------- d-----w- c:\users\ktech_admin\AppData\Local\temp
2009-10-20 16:18 . 2009-10-20 16:21 -------- d-----w- C:\TEMP
2009-10-20 16:10 . 2009-10-20 16:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-20 15:14 . 2009-10-20 15:14 -------- d-----w- c:\users\bryan\AppData\Local\ICS
2009-10-19 21:20 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 21:20 . 2009-10-19 21:20 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-19 21:20 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 21:03 . 2009-10-19 21:03 -------- d-----w- c:\windows\system32\drivers\NSS
2009-10-19 21:03 . 2009-10-19 21:03 -------- d-----w- c:\program files\Norton Security Scan
2009-10-14 13:31 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 13:28 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 13:28 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 13:26 . 2009-10-14 13:26 -------- d-----w- c:\windows\PCHEALTH
2009-10-14 13:24 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 13:23 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 13:22 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-09-25 13:12 . 2009-09-25 13:12 -------- d-----w- c:\users\bryan\AppData\Local\Mozilla
2009-09-21 14:37 . 2009-09-21 14:37 -------- d-----w- c:\users\ktech_admin\AppData\Local\Symantec
2009-09-21 14:37 . 2009-09-21 14:37 -------- d-----w- c:\users\ktech_admin\AppData\Local\VirtualStore
2009-09-21 01:48 . 2009-10-19 21:03 -------- d-----w- c:\programdata\Norton
2009-09-21 01:48 . 2009-10-19 21:02 -------- d-----w- c:\program files\NortonInstaller
2009-09-21 01:48 . 2009-09-21 01:48 -------- d-----w- c:\programdata\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 16:11 . 2009-07-08 17:13 -------- d-----w- c:\program files\Symantec
2009-10-20 16:11 . 2009-07-08 17:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-20 16:11 . 2009-07-08 17:18 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-20 16:11 . 2009-07-08 17:18 109744 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-20 16:10 . 2009-06-24 21:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-20 16:10 . 2009-06-24 21:43 -------- d-----w- c:\programdata\Symantec
2009-10-14 13:27 . 2009-06-24 02:16 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 20:10 . 2009-07-07 13:59 -------- d-----w- c:\program files\Citrix
2009-09-17 20:10 . 2009-09-17 20:10 108920 ----a-w- c:\users\bryan\g2ax_customer_downloadhelper_win32_x86.exe
2009-09-08 18:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-06 21:45 . 2009-08-24 13:58 -------- d-sh--w- c:\programdata\1de22b9
2009-09-06 19:38 . 2009-09-06 19:38 -------- d-----w- c:\users\bryan\AppData\Roaming\Malwarebytes
2009-09-06 19:38 . 2009-09-06 19:38 -------- d-----w- c:\programdata\Malwarebytes
2009-08-31 20:54 . 2009-08-31 20:54 103720 ----a-w- c:\users\bryan\GoToAssistDownloadHelper.exe
2009-08-29 00:27 . 2009-09-08 18:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-08 18:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 13:25 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 13:25 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 13:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 13:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-26 13:15 . 2009-08-26 13:15 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-08-26 13:06 . 2009-08-26 13:06 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-25 20:08 . 2009-07-07 19:10 -------- d-----w- c:\programdata\Webex
2009-08-24 14:35 . 2009-08-24 14:35 -------- d-sh--w- c:\programdata\85de
2009-08-24 14:11 . 2009-08-24 14:11 65 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\energy.drv
2009-08-24 13:59 . 2009-08-24 13:59 27 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\runddl.dll
2009-08-24 13:59 . 2009-08-24 13:59 77 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\fan.drv
2009-08-24 13:59 . 2009-08-24 13:59 36 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\hymt.exe
2009-08-24 13:59 . 2009-08-24 13:59 36 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2009-08-24 13:59 . 2009-08-24 13:59 2 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\delfile.drv
2009-08-24 13:59 . 2009-08-24 13:59 55 ----a-w- c:\users\bryan\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-08 18:19 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-08 18:19 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-08 18:19 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-08 18:19 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-08 18:19 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-08 18:19 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-08 18:19 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-08 18:19 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-08 18:19 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-08 18:19 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-08 18:19 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 14:32 . 2009-06-22 20:38 80731 ----a-w- c:\users\bryan\AppData\Roaming\nvModes.dat
2009-08-07 02:24 . 2009-08-27 12:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-08-27 12:48 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-08-27 12:48 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:23 . 2009-08-27 12:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-08-27 12:48 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 01:45 . 2009-08-27 12:48 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44 . 2009-08-27 12:48 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-07 00:23 . 2009-08-27 12:48 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 23:44 . 2009-08-27 12:48 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2001-09-28 23:00 . 2009-07-14 14:10 164864 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-31 20:55 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run VNC Server.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Run VNC Server.lnk
backup=c:\windows\pss\Run VNC Server.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^bryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\bryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:ff,28,1e,bf,80,13,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2189175640-608856479-2941690388-1175]
"EnableNotificationsRef"=dword:00000001

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe --> c:\temp\Clt-Inst\vpremote.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SPBBCDRV
*NewlyCreated* - SRTSPX
*NewlyCreated* - SYMREDRV
*Deregistered* - SYMREDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LPDService REG_MULTI_SZ LPDSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\Norton Security Scan for bryan.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-10-19 00:58]

2009-09-08 c:\windows\Tasks\User_Feed_Synchronization-{1757D705-FC5A-4FF6-AA41-D7FC962D4B82}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: redtailtechnology.com
Trusted Zone: redtailtechnology.com\www
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\netexc~1.0\FlowHook.dll
FF - ProfilePath - c:\users\bryan\AppData\Roaming\Mozilla\Firefox\Profiles\js9pww7b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-PDFLIB - c:\progra~1\COSSTEMP\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-20 11:37
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Common Client\ccService\Channels]
@Denied: (C D) (Everyone)
"ccSvcHst_ccEvtMgr"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"ccSvcHst_ccSetMgr"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"SNDServiceRequestChannel"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"SNDLocationChannel"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"{5BC18446-D690-443D-BDFF-C3C41ABAD8AC}"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"{0928448A-5FB5-43C9-91A8-55C5F6B20CBF}"="{9125BCFD-22D1-4354-A855-F54E0FD1AE87}"
"{E779744B-639B-433B-ACAD-C884890B22B1}"="{5BF2C45B-AFDF-433A-936C-EB4B1D643B70}"
"ccSettingsService"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"ccEvtCli"="{9F9404D0-746F-4F45-9F61-8E380E4F86D9}"
"{D2177F47-9C9E-4F58-9FE4-CAB25E0900BB}"="{9125BCFD-22D1-4354-A855-F54E0FD1AE87}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-20 11:39
ComboFix-quarantined-files.txt 2009-10-20 16:39

Pre-Run: 71,285,710,848 bytes free
Post-Run: 74,933,026,816 bytes free

- - End Of File - - AE576D756B1EA456513AF7879328AB99

I also did a scan with GMER...

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-20 13:44:34
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\bryan\AppData\Local\Temp\aflyyaog.sys


---- System - GMER 1.0.15 ----

SSDT 87045340 ZwAlertResumeThread
SSDT 87045400 ZwAlertThread
SSDT 87084330 ZwAllocateVirtualMemory
SSDT 8670C068 ZwConnectPort
SSDT 8708BDE8 ZwCreateMutant
SSDT 87098EB0 ZwCreateThread
SSDT 87038CA8 ZwFreeVirtualMemory
SSDT 8708BEA8 ZwImpersonateAnonymousToken
SSDT 8708BF68 ZwImpersonateThread
SSDT 870841B8 ZwMapViewOfSection
SSDT 8708BD28 ZwOpenEvent
SSDT 87009320 ZwOpenProcessToken
SSDT 870112A8 ZwOpenThreadToken
SSDT 86E38300 ZwResumeThread
SSDT 86B76A98 ZwSetContextThread
SSDT 86FBF610 ZwSetInformationProcess
SSDT 8706F310 ZwSetInformationThread
SSDT 8708BC68 ZwSuspendProcess
SSDT 87045508 ZwSuspendThread
SSDT 870A1270 ZwTerminateProcess
SSDT 86FF4D28 ZwTerminateThread
SSDT 86E2C370 ZwUnmapViewOfSection
SSDT 870842A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81CEB860 8 Bytes [40, 53, 04, 87, 00, 54, 04, ...] {INC EAX; PUSH EBX; ADD AL, 0x87; ADD [ESP+EAX-0x79], DL}
.text ntkrnlpa.exe!KeSetEvent + 131 81CEB874 4 Bytes [30, 43, 08, 87]
.text ntkrnlpa.exe!KeSetEvent + 221 81CEB964 4 Bytes [B0, 8E, 09, 87]
.text ntkrnlpa.exe!KeSetEvent + 335 81CEBA78 4 Bytes [A8, 8C, 03, 87]
.text ntkrnlpa.exe!KeSetEvent + 359 81CEBA9C 4 Bytes [A8, BE, 08, 87]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3420] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6D5BF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS



Propoganda Panda...if you are out there I would appreciate some help.

BWE


#2 Guest_The weatherman_*

  • Guests

Posted 20 October 2009 - 05:24 PM

Hello BWE007,

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff
