Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Antivirus scan Norton 360 pop up infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 Peterjrose

Peterjrose

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 24 April 2010 - 09:23 PM

For a couple of weeks I have been geting pop ups of Norton antivirus 360 software. I have tried to remove it from ad/remove software to no avail. I have to alt control delete to close the pop up. Now a new pop has appeared that prevents me from using alt control delete. Antivirus scan. When I try to start any program an error message appears citing that that windows process is infected. I am writing in windows safe mode with networking because I cannot access dds or other programs because of this problem.

The dds log is as follows(from safe mode):


DDS (Ver_10-03-17.01) - FAT32x86 NETWORK
Run by Administrator at 21:56:55.65 on 24/04/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.1015.754 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Defogger(4).exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.asus.com
mDefault_Page_URL = hxxp://www.asus.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [asam] c:\documents and settings\administrator\local settings\application data\asam.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NB Probe] c:\program files\asus\nb probe\NBProbe.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [miqcuwft] c:\documents and settings\administrator\local settings\application data\oescbsnqr\cqtkkqmtssd.exe
mRun: [asam] c:\documents and settings\administrator\local settings\application data\asam.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: psfus - psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: DxhelicoShl.Dxhelico: {63cb9abd-1ec6-4562-a3b1-b0b2bb75dff3} - c:\windows\system32\dxhelico.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xs7yx2al.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-6-1 36352]
S2 gupdate1c9e3f391a7f452;Google Update Service (gupdate1c9e3f391a7f452);c:\program files\google\update\GoogleUpdate.exe [2009-6-2 133104]
S2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-4-21 3328]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\everestultimate450\kerneld.wnt --> h:\everestultimate450\kerneld.wnt [?]

=============== Created Last 30 ================

2010-04-24 04:01:17 176 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-24 02:50:31 25 ----a-w- c:\windows\herjek.config
2010-04-18 19:27:50 45056 ----a-w- c:\windows\system32\acovcnt.exe
2010-04-11 19:18:56 0 d-----w- C:\graphizfiles

==================== Find3M ====================

2010-03-10 04:33:42 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-26 05:43:58 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:58 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-02-26 05:43:58 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-02-26 05:43:56 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-26 05:43:54 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-02-26 05:43:54 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-02-24 16:00:22 155808 ----a-w- c:\documents and settings\administrator\QDATAOFXLOG.DAT
2010-02-24 13:11:08 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:12 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:12 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:16 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-02-10 20:19:52 131072 --sha-r- c:\windows\system32\dxhelico.dll
2010-02-10 03:39:42 663552 ----a-w- c:\windows\system32\WADHLP.DLL
2010-02-02 17:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-02 22:58:02 349 ----a-w- c:\program files\INSTALL.LOG
2003-12-18 15:33:46 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 11:46:54 10960 ----a-w- c:\program files\EULA.txt

============= FINISH: 21:57:19.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Peterjrose

Peterjrose
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 25 April 2010 - 05:48 PM

read through antivirus removal guide. Was able to fix problem by installing and running mbam

problem is seems to be solved will send more info if problem persists

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:46 PM

Posted 30 April 2010 - 07:10 AM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users