
Norton Security Scan


  • This topic is locked
11 replies to this topic

#1 castrien

castrien

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:58 AM

Posted 16 March 2012 - 12:47 PM

I'm running Windows XP and since it showed up 4 days ago, I can't remove Norton Security Scan no matter what I do: 1) it does not show up in the Control Panel's Add/Remove Programs. 2) it does not show up in my scheduled tasks and 3) I cannot identify it in Windows Registry.

The shortcut is in my start menu but the "Uninstall" option does nothing. I did not download or purchase this software and it pops up every day around noon.

I am not a programmer or technical person by any means so any help would be greatly appreciated. I have attached the ComboFix Log. Can anyone help, please?



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:58 PM

Posted 17 March 2012 - 04:52 PM

Good evening. :)

Download DDS from here and save it to your Desktop.

  • Double click the file and it will create two logs - exciting I know!
  • I'd like you to copy and paste DDS.txt in your next reply.
  • I'd like you to zip up and attach Attach.txt - named to give you a hint.

Will you also tell me how you came to have Norton Security Scan onboard - did you install it on its own or was it bundled with other software?

So long, and thanks for all the fish.

 

 


#3 castrien


Posted 17 March 2012 - 11:04 PM

Thank you, so much, for your help on this. I did not download the Norton Security Scan knowingly so it must have been bundled with something else.

Here is the DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Donna at 23:53:32 on 2012-03-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.572 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Zune\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\bin\HPNetworkCommunicator.exe
C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [HP Deskjet 3050A J611 series (NET)] "c:\program files\hp\hp deskjet 3050a j611 series\bin\ScanToPCActivationApp.exe" -deviceID "CN17C486J205PJ:NW" -scfn "HP Deskjet 3050A J611 series (NET)" -AutoStart 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DATAMNGR] c:\progra~1\window~4\datamngr\DATAMN~1.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\donna\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\donna\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1315616202343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{283ABFCE-BC48-4059-A46A-4732173D7108} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-14 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 EraserUtilDrv11122;EraserUtilDrv11122;c:\program files\common files\symantec shared\eengine\EraserUtilDrv11122.sys [2012-3-16 106104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-14 136176]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2011-8-5 268512]
.
=============== Created Last 30 ================
.
2012-03-18 00:21:34 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d774de55-97fb-4c9a-8021-5d12311001f8}\mpengine.dll
2012-03-16 04:46:36 -------- d-sha-r- C:\cmdcons
2012-03-16 00:32:47 98816 ----a-w- c:\windows\sed.exe
2012-03-16 00:32:47 518144 ----a-w- c:\windows\SWREG.exe
2012-03-16 00:32:47 256000 ----a-w- c:\windows\PEV.exe
2012-03-16 00:32:47 208896 ----a-w- c:\windows\MBR.exe
2012-03-15 23:07:39 -------- d-----w- c:\documents and settings\donna\local settings\application data\Spotify
2012-03-15 23:06:31 -------- d-----w- c:\documents and settings\donna\application data\Spotify
2012-03-13 22:08:49 -------- d-----r- c:\program files\Skype
2012-03-10 17:36:41 -------- d-----w- c:\program files\common files\Symantec Shared
2012-03-10 17:36:32 -------- d-----w- c:\windows\system32\drivers\nss\0307010.004
2012-03-10 17:36:32 -------- d-----w- c:\windows\system32\drivers\NSS
2012-03-10 17:36:32 -------- d-----w- c:\program files\Norton Security Scan
2012-03-10 17:36:31 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-03-10 17:36:26 -------- d-----w- c:\program files\NortonInstaller
2012-03-10 17:36:26 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-02-19 06:51:05 -------- d-----w- c:\documents and settings\donna\local settings\application data\Ilivid Player
2012-02-19 06:51:03 -------- d-----w- c:\documents and settings\donna\application data\searchquband
2012-02-19 06:51:03 -------- d-----w- c:\documents and settings\donna\AppData
2012-02-19 06:49:42 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-02-19 06:49:11 -------- d-----w- c:\documents and settings\donna\local settings\application data\PackageAware
2012-02-19 06:42:23 -------- d-----w- c:\documents and settings\donna\local settings\application data\Graboid_Inc
2012-02-19 06:42:23 -------- d-----w- c:\documents and settings\donna\local settings\application data\Graboid Inc
2012-02-19 06:42:20 -------- d-----w- c:\documents and settings\donna\local settings\application data\Graboid
2012-02-19 06:42:20 -------- d-----w- c:\documents and settings\all users\application data\Graboid Inc
2012-02-19 06:42:08 -------- d-----w- c:\documents and settings\donna\local settings\application data\Geckofx
2012-02-19 06:40:24 -------- d-----w- c:\program files\VideoLAN
2012-02-19 06:38:08 -------- d-----w- c:\program files\Graboid
.
==================== Find3M ====================
.
2012-02-09 01:49:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-09 01:49:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-08 01:31:00 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 23:54:30.17 ===============


#4 Noviciate


Posted 18 March 2012 - 03:33 PM

Good evening. :)

You'll need to cast your mind back to when you first saw it and then tell me what software you installed about that time.

So long, and thanks for all the fish.
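Added example, not part of the original thread: the question in post #4 (what else arrived at the time NSS first appeared) can be checked against the "Created Last 30" section of the DDS log posted in #3. This Python script parses lines in that format and groups them into bursts of activity; the 15-minute gap and the function names are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the "Created Last 30" lines from the DDS log posted in this thread.
SAMPLE = r"""
2012-03-15 23:07:39 -------- d-----w- c:\documents and settings\donna\local settings\application data\Spotify
2012-03-13 22:08:49 -------- d-----r- c:\program files\Skype
2012-03-10 17:36:41 -------- d-----w- c:\program files\common files\Symantec Shared
2012-03-10 17:36:32 -------- d-----w- c:\program files\Norton Security Scan
2012-03-10 17:36:26 -------- d-----w- c:\program files\NortonInstaller
2012-02-19 06:49:42 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-02-19 06:40:24 -------- d-----w- c:\program files\VideoLAN
2012-02-19 06:38:08 -------- d-----w- c:\program files\Graboid
"""

# Fields: date time, size (digits, or dashes for a directory), 8 attribute flags, path
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+(\S{8})\s+(.+)$")


def parse_created(text):
    """Return (timestamp, is_dir, path) tuples, oldest first."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # section headers, "." separators, blank lines
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        rows.append((stamp, m.group(3).startswith("d"), m.group(4)))
    return sorted(rows)


def bursts(rows, gap=timedelta(minutes=15)):
    """Split the timeline wherever consecutive entries are more than `gap` apart."""
    groups = []
    for row in rows:
        if groups and row[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(row)
        else:
            groups.append([row])
    return groups


def created_with(text, needle, gap=timedelta(minutes=15)):
    """Paths created in the same burst as the first path containing `needle`."""
    for group in bursts(parse_created(text), gap):
        if any(needle.lower() in path.lower() for _, _, path in group):
            return [path for _, _, path in group]
    return []


if __name__ == "__main__":
    for group in bursts(parse_created(SAMPLE)):
        print(group[0][0], "->", [p.rsplit("\\", 1)[-1] for _, _, p in group])
```

On this excerpt the Norton Security Scan folder groups only with NortonInstaller and Symantec Shared, while the 2012-02-19 entries (Graboid, VideoLAN, Windows iLivid Toolbar) form a separate burst.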

 

 


#5 castrien


Posted 19 March 2012 - 09:49 AM

Good Morning!

I have wracked my brains and searched my laptop to recall what else was downloaded when the Norton Security scan was downloaded (on 3/10). I did a search on all files modified on that date: 23 files are related to Norton/Symantec and the remaining 154 files are music files and pictures from my phone. I did sync up my phone to my laptop on 3/10 to move photos to my machine, but I did not modify or even listen to any music files (and there is only one music file on my phone). I use Zune to sync my phone.

I did not voluntarily download any software on the date the Norton Security Scan was downloaded (3/10/2012).

What puzzles me is that I cannot see the NSS in the Control Panel's Add/Remove Programs list of currently installed programs.

Again, thank you sincerely for your help.

Donna

#6 Noviciate


Posted 19 March 2012 - 03:16 PM

Good evening. :)

I'm in the process of installing the app in question to a VM and I'll get back to you once I've had a play.

So long, and thanks for all the fish.

 

 


#7 Noviciate


Posted 19 March 2012 - 03:35 PM

I'd like you to download and install a tool called Revo Uninstaller which is available here - you want the Freeware version. Once done, run it and you should be able to select the Norton Security Scan application from within Revo and have it uninstall itself. Accept the default options that Revo offers you and hopefully that should be that.

I use this app rather than the built-in uninstall option in Windows as it scans for leftovers once an uninstaller has run, so you might like to keep it if it does the job for you, but you are free to remove it if you wish.

Let me know how you get on.

"What puzzles me is that I cannot see the NSS in the Control Panel's Add/Remove Programs list of currently installed programs."

Devious little bugger isn't it!

Edited by Noviciate, 19 March 2012 - 03:36 PM.

So long, and thanks for all the fish.

 

 


#8 castrien


Posted 19 March 2012 - 10:45 PM


Hi again,

I installed Revo but the NSS does not show up for it either (see attached screen print). When I try to use Revo's "Hunter" feature I get an error that states "No Installation Package Found" (screen print also attached).

I'll keep playing around with revo to see what else might work but I'm open to suggestions.

Thanks,

Donna

Edited by castrien, 20 March 2012 - 11:12 AM.


#9 Noviciate


Posted 20 March 2012 - 03:52 PM

Good evening. :)

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:

  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:


    :folderfind
    C:\Program Files\Norton Security Scan\Engine /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download RegQuery from here and save it to your Desktop.
  • Double click the file to run it.
  • Copy the following keyname to your clipboard - either CTRL + C or right click will do.

    • hklm\software\microsoft\windows\currentversion\uninstall\nss
  • Click Paste from Clipboard and then Query.
  • A Notepad window should open with some text in it - either that or you'll get a pop-up telling you to check the keyname.
  • Let me have the contents of the file in your next reply.

So long, and thanks for all the fish.

 

 


#10 castrien


Posted 20 March 2012 - 10:22 PM

Hi again,

The SystemLook scan results are below:

SystemLook 30.07.11 by jpshortstuff
Log created at 11:08 on 20/03/2012 by Donna
Administrator - Elevation successful

========== folderfind ==========

Searching for "C:\Program Files\Norton Security Scan\Engine /s"
No folders found.

-= EOF =-

The RegQuery, when I run it, returns an error that says, "check key name."

If I look at my c:\program files folder, I can see the offending program. I know it's a silly question but can I just delete it?

Thanks for continuing to help me,

Donna



#11 Noviciate


Posted 21 March 2012 - 03:44 PM

Good evening. :)

"I know it's a silly question but can I just delete it?"

In theory you can uninstall it, as long as you can positively identify the file that is responsible for uninstalling it. I have installed a few versions of NSS, sadly none was the version you have, and either Revo or the provided uninstaller did the job.

I want you to try and locate the following file: C:\Program Files\Norton Security Scan\Engine\3.7.1.4\InstWrap.exe and double click it. This should offer you the option to uninstall NSS and all being well make your evening. You may find that the window that opens will only have one option, to uninstall, or it may have two options, one of which is to uninstall - just click the right one.

So long, and thanks for all the fish.

 

 


#12 Noviciate


Posted 27 March 2012 - 03:07 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 




