
Unknown Malware


This topic is locked
2 replies to this topic

#1 Cribbs

Cribbs

  • Members
  • 2 posts

Posted 10 July 2010 - 05:42 AM

It all started when I plugged a USB flash drive into my computer. It showed everything as shortcuts on the drive and was bringing up the Symantec Endpoint Tamper window. Then I noticed AV Security Suite. I tried to fix everything per the post on here "How to remove AV Security Suite (Uninstall Guide)". It seemed to get rid of AV Security Suite, but I still have security windows popping up. I have run MBAM. Any help would be appreciated. Here are the errors that pop up, the DDS log, the ARK.txt, and the ATTACH.txt. If anything else is needed, let me know... thank you!

First Alert:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info: Write Memory
Action Taken: Blocked
Actor Process: C:\Documents and Settings\Brandon\leiojug.exe (PID 2572)
Time: Saturday, July 10, 2010 3:34:58 AM

Second Alert:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
Event Info: Write Memory
Action Taken: Blocked
Actor Process: C:\Documents and Settings\Brandon\leiojug.exe (PID 2572)
Time: Saturday, July 10, 2010 3:35:01 AM

Third Alert:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Write Memory
Action Taken: Blocked
Actor Process: C:\Documents and Settings\Brandon\leiojug.exe (PID 2572)
Time: Saturday, July 10, 2010 3:36:36 AM

Fourth Alert:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info: Write Memory
Action Taken: Blocked
Actor Process: C:\Documents and Settings\Brandon\leiojug.exe (PID 2572)
Time: Saturday, July 10, 2010 3:36:41 AM

DDS Log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Brandon at 1:39:17.32 on Sat 07/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.290 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apache Software Foundation\Tomcat 4.1\bin\tomcat4w.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Brandon\leiojug.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Fujitech\Bluetooth Software\BTTray.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
svchost.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Fujitech\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\GM SPO\eSI\Apache Group\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\GM SPO\eSI\Transbase\tbmux32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GM SPO\eSI\Transbase\tbkern32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brandon\Desktop\dds.scr
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [leiojug] c:\documents and settings\brandon\leiojug.exe
uRun: [Brandon] c:\documents and settings\brandon\Brandon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ApacheTomcatMonitor] "c:\program files\apache software foundation\tomcat 4.1\bin\tomcat4w.exe" //MS//Tomcat4
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
StartupFolder: c:\docume~1\brandon\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\fujitech\bluetooth software\BTTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\fujitech\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\fujitech\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {722FE9B2-6895-42D9-9984-F4CB26616023} - {722FE9B2-6895-42D9-9984-F4CB26616023} - c:\program files\cosmi\perfect pdf creator essentials\pdfshell.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: usmc.mil\webmail.us.nmci
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267085632717
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267324885274
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 SITomcat;SI Tomcat;c:\program files\gm spo\esi\apache group\tomcat 4.1\bin\tomcat.exe [2003-10-27 65536]
R2 SITransbase;SI Transbase;c:\program files\gm spo\esi\transbase\tbmux32.exe [2001-11-20 165376]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100709.024\NAVENG.SYS [2010-7-9 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100709.024\NAVEX15.SYS [2010-7-9 1347504]
R3 SCR24X2K;SCR24x PCMCIA SmartCard Reader;c:\windows\system32\drivers\SCR24X2K.sys [2006-10-11 39296]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 BluePoint Personal Edition;BluePoint Personal Edition;"c:\program files\bluepoint security\bluepoint personal\bp.exe" --> c:\program files\bluepoint security\bluepoint personal\bp.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-18 136176]
S2 HKEYMAN;Panasonic HotKey Manager;c:\program files\panasonic\hotkey manager\HKEYMAN.EXE [2010-2-24 94208]
S3 BTPCCARD;Bluetooth BCSP Transport for Pc Card;c:\windows\system32\drivers\btpcbcsp.sys [2003-8-4 232444]
S3 G Data Tuner Service;G Data Tuner Service;c:\program files\g data\totalcare\avktuner\avktunerservice.exe --> c:\program files\g data\totalcare\avktuner\AVKTunerService.exe [?]
S3 SCR24x PCMCIA Smart Card Reader;SCR24x PCMCIA Smart Card Reader;c:\windows\system32\drivers\SCR24X2K.sys [2006-10-11 39296]
S3 VFDCreator;VFDCreator;c:\program files\tanontech\creator\tcreator.sys [2010-2-27 24960]
S3 WPEServ;soft Xpansion Print2Document;c:\program files\common files\wpe\wpeserv.exe [2010-2-25 323584]
S4 Tomcat4;Apache Tomcat 4.1;c:\program files\apache software foundation\tomcat 4.1\bin\tomcat4.exe [2009-6-16 57344]

=============== Created Last 30 ================

2010-07-10 08:29:34 20 ----a-w- c:\documents and settings\brandon\defogger_reenable
2010-07-10 05:06:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 04:19:13 0 d-----w- c:\docume~1\brandon\applic~1\Malwarebytes
2010-07-10 04:19:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 04:18:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 04:18:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 04:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 03:20:21 0 d-----w- c:\windows\pss
2010-07-09 03:48:34 55296 --sh--r- c:\documents and settings\brandon\leiojug.exe
2010-07-07 00:57:27 0 d-----w- c:\program files\Snap-on Business Solutions
2010-07-02 09:11:32 0 d-----w- c:\program files\Yahoo!
2010-06-12 20:30:01 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-06-03 02:59:06 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-05-27 12:50:44 100111 ----a-w- c:\windows\MystikifyUninst.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-12 16:48:15 87608 ----a-w- c:\docume~1\brandon\applic~1\inst.exe
2010-04-12 16:48:15 47360 ----a-w- c:\docume~1\brandon\applic~1\pcouffin.sys
2010-02-25 08:50:54 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-02-25 08:50:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010022520100226\index.dat

============= FINISH: 1:40:52.94 ===============


Edited by Cribbs, 10 July 2010 - 12:13 PM.
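As an added example (not from the original post, and not a BleepingComputer or DDS tool), the script below applies the same checks a helper makes when reading a DDS log like the one above: autostart entries whose target sits directly in a user profile root, freshly created executables carrying both the system and hidden attributes, a browser proxy pointed at loopback, and EnableLUA set to 0. The sample lines are excerpted from the log in this post; the column layout assumed for "Created Last 30" rows is inferred from it.

```python
"""Triage helpers for a DDS-style log (constructed example, not part of the post)."""
import re

# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [leiojug] c:\documents and settings\brandon\leiojug.exe
uRun: [Brandon] c:\documents and settings\brandon\Brandon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mPolicies-system: EnableLUA = 0 (0x0)
2010-07-09 03:48:34 55296 --sh--r- c:\documents and settings\brandon\leiojug.exe
2010-07-10 04:18:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

RUN_RE = re.compile(r'^[um]Run:\s+\[([^\]]*)\]\s+"?(.+?)"?\s*$', re.I)
# "Created Last 30" rows as seen in the log: date time size attrs path
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$')
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(\S+)', re.I)
# An .exe sitting directly in a user profile root (not Program Files or
# Windows) is an unusual place for a legitimate autostart target.
PROFILE_ROOT_RE = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$', re.I)


def triage(log: str) -> list:
    """Return (kind, detail, evidence) tuples for suspicious lines, in log order."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2).strip()
            if PROFILE_ROOT_RE.match(path):
                findings.append(("run-from-profile-root", name, path))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            # DDS attribute column: 's' = system, 'h' = hidden. A freshly created
            # executable carrying both is invisible in a default Explorer view.
            if "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
                findings.append(("hidden-system-exe", attrs, path))
            continue
        m = PROXY_RE.search(line)
        if m and m.group(1).split("=")[-1].startswith("127.0.0.1"):
            # A loopback proxy means a local process is sitting in the browser's path.
            findings.append(("local-proxy", m.group(1), line.strip()))
        elif re.search(r"EnableLUA\s*=\s*0\b", line):
            findings.append(("uac-disabled", "EnableLUA", line.strip()))
    return findings


def correlate(findings: list) -> set:
    """Paths flagged both as an autostart target and as a hidden/system file."""
    autostart = {p.lower() for k, _, p in findings if k == "run-from-profile-root"}
    hidden = {p.lower() for k, _, p in findings if k == "hidden-system-exe"}
    return autostart & hidden


if __name__ == "__main__":
    for kind, detail, evidence in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail:12} {evidence}")
    print("high confidence:", correlate(triage(SAMPLE_LOG)))
```

Run against the full log, the correlation step singles out leiojug.exe, the same file named as the actor process in all four tamper-protection alerts.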



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 July 2010 - 09:14 AM

Hello Cribbs, my name is Syler and I will be helping you to solve your malware issues.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic.


Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
  • mbr.log

Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 July 2010 - 09:03 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
