
Had Malwarebytes installed and up to date.

Had Norton SystemWorks 2006 installed and up to date.

I downloaded a file to correct a boot problem that I had on another machine.

Scanned the file with the Norton SystemWorks file scanner and it came up clean.

Five seconds after I clicked on the .exe file, it deleted itself.

The machine became next to unresponsive.

Network connection went to 100%.

For about 1 second Norton put up a notice box about a worm detected (Note: afterwards I checked the Norton logs and nothing showed up).

Could click on the Malwarebytes icon but nothing happened.

Could click on the Norton SystemWorks icon but nothing happened.

Turned off the machine at the power supply.

Restarted the machine and ran Norton SystemWorks anti-virus from the CD-ROM disk; it found nothing.

Shutdown.

Restarted the machine and the Malwarebytes icons (anywhere) did not work.

Norton SystemWorks would run, but slowly; started a virus scan on the system and it completed with nothing found.

I installed Malwarebytes and reinstalled it with the same results (the install program works like it should, but it will not start the program).

I set up Malwarebytes like the top part of this form:

http://forums.malwarebytes.org/index.php?showtopic=9573

  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish

Malwarebytes would not update and would not start.

Ran the installed Norton SystemWorks Registry Repair scanners but found nothing.

Below is the DDS.txt file, and the attached ark-Attach.zip has the ark.txt and Attach.txt files.

There are no Malwarebytes logs.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_10-03-17.01) - NTFSx86

Run by Master User at 23:51:03.96 on Wed 07/14/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.523 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\BUFFALO\NASNAVI\nassvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Master User\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [JDK5SWFMZY] c:\docume~1\master~1\locals~1\temp\Xfr.exe

uRun: [W34BCG2GRJ] c:\docume~1\master~1\locals~1\temp\Xfw.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [<NO NAME>]

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab

TCP: NameServer = 93.188.162.65,93.188.161.205

TCP: {0F6FD67E-221C-4B5E-B095-FC31D6EA2A7F} = 93.188.162.65,93.188.161.205

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]

R2 NasPmService;NAS PM Service;c:\program files\buffalo\nasnavi\nassvc.exe -service_execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\buffalo\nasnavi\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]

R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]

R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~3\norton~2\NPROTECT.EXE [2005-10-3 95832]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2010-5-21 1251720]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-14 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\NAVENG.Sys [2010-7-14 85424]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100714.002\NavEx15.Sys [2010-7-14 1362608]

R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]

S1 vgcmkxxx;vgcmkxxx;\??\c:\windows\system32\drivers\vgcmkxxx.sys --> c:\windows\system32\drivers\vgcmkxxx.sys [?]

S3 BCM42XX;Broadcom iLine10 Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2007-11-4 54271]

S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2010-07-15 04:41:50 0 ----a-w- c:\documents and settings\master user\defogger_reenable

2010-07-15 04:10:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-15 04:10:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-14 23:36:40 178176 ----a-w- c:\windows\Xxihib.exe

2010-07-14 23:28:05 178176 ----a-w- c:\windows\Xxihia.exe

2010-07-13 21:01:50 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-03 19:10:17 0 d-----w- c:\program files\EasyGPS

2010-06-26 05:18:28 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys

2010-06-26 05:18:28 51200 ----a-w- c:\windows\system32\drivers\msdv.sys

2010-06-26 05:18:23 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys

2010-06-26 05:18:23 38912 ----a-w- c:\windows\system32\drivers\avc.sys

2010-06-26 05:18:20 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys

2010-06-26 05:18:20 48128 ----a-w- c:\windows\system32\drivers\61883.sys

2010-06-26 00:11:05 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys

2010-06-26 00:11:05 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2010-06-26 00:10:41 20992 -c--a-w- c:\windows\system32\dllcache\dshowext.ax

2010-06-26 00:10:41 20992 ----a-w- c:\windows\system32\dshowext.ax

2010-06-25 19:19:14 0 d-----w- c:\windows\system32\windows media

2010-06-25 19:19:00 0 d-----w- c:\windows\RegisteredPackages

2010-06-25 19:18:54 0 d-----w- c:\program files\Windows Media Components

2010-06-25 19:17:52 0 d-----w- c:\program files\Ulead Systems

2010-06-25 19:17:51 0 d-----w- c:\program files\common files\Ulead Systems

2010-06-25 19:05:09 536576 ----a-r- c:\windows\system32\mcs_core.dll

2010-06-25 19:05:09 53248 ----a-r- c:\windows\system32\mcs_dec.ax

2010-06-25 19:05:09 147456 ----a-r- c:\windows\system32\mcs_vfw.dll

2010-06-25 19:04:38 53248 ----a-r- c:\windows\mcs_dec.ax

2010-06-25 19:04:38 147456 ----a-r- c:\windows\mcs_vfw.dll

2010-06-25 19:04:37 536576 ----a-r- c:\windows\mcs_core.dll

2010-06-25 19:04:37 2859 ----a-r- c:\windows\install.inf

2010-06-25 19:04:28 75648 ----a-r- c:\windows\system32\drivers\CamAv.sys

2010-06-25 19:04:28 57344 ----a-r- c:\windows\HAJEInstall.dll

2010-06-25 19:04:28 282624 ----a-r- c:\windows\Uninstall.exe

2010-06-23 00:52:47 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-23 00:44:04 0 d-----w- c:\docume~1\master~1\applic~1\Malwarebytes

2010-06-23 00:33:27 0 d-----w- c:\docume~1\master~1\applic~1\Windows Search

==================== Find3M ====================

2010-07-14 23:30:41 45568 ----a-w- c:\docume~1\master~1\applic~1\184c64fa.exe

2010-05-23 06:54:13 2404 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-22 06:17:31 336 ----a-w- c:\program files\temp995.bat

2010-05-22 04:49:29 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-05-22 04:49:29 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-05-22 04:49:29 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-05-22 04:49:29 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-05-21 16:56:18 10344 ----a-w- c:\windows\system32\drivers\symlcbrd.sys

2010-05-21 07:09:56 23348 ----a-w- c:\windows\system32\emptyregdb.dat

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2004-04-12 20:18:00 271 --sh--w- c:\program files\desktop.ini

2004-04-12 20:18:00 23357 ---ha-w- c:\program files\folder.htt

============= FINISH: 23:55:03.48 ===============

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Anything else you need, just ask.

Thanks, Brad

ark_Attach.zip

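Reading a DDS report by eye is slow and easy to get wrong. The Python script below is an added example, not part of Brad's post and not a Malwarebytes or DDS tool; it runs a handful of triage rules over lines copied from the log above. The rules pick out the things a helper would circle first: autorun entries launched from a temp directory or with random-looking names (the two uRun entries for Xfr.exe and Xfw.exe), TCP NameServer entries pointing at public resolvers instead of the router or an RFC 1918 address (93.188.162.65 and 93.188.161.205), a hosts-file entry sinkholing a security site (www.spywareinfo.com), a service or driver whose file DDS could not find (vgcmkxxx.sys), and executables created directly in the Windows root (Xxihib.exe). The sample text is a constructed subset of that log. The thresholds are this example's own heuristics (eight or more upper-case alphanumerics with a digit counts as "random"; any non-private resolver is reported), and reading DDS's `[?]` as "file not present" is an assumption about DDS output, not something the thread states.

```python
import ipaddress
import re

# Constructed sample: a subset of lines copied from the DDS report in this
# thread (autoruns, TCP settings, hosts file, services, "Created Last 30").
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [JDK5SWFMZY] c:\docume~1\master~1\locals~1\temp\Xfr.exe
uRun: [W34BCG2GRJ] c:\docume~1\master~1\locals~1\temp\Xfw.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
TCP: NameServer = 93.188.162.65,93.188.161.205
TCP: {0F6FD67E-221C-4B5E-B095-FC31D6EA2A7F} = 93.188.162.65,93.188.161.205
Hosts: 127.0.0.1 www.spywareinfo.com
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
S1 vgcmkxxx;vgcmkxxx;\??\c:\windows\system32\drivers\vgcmkxxx.sys --> c:\windows\system32\drivers\vgcmkxxx.sys [?]
2010-07-14 23:36:40 178176 ----a-w- c:\windows\Xxihib.exe
2010-06-26 05:18:28 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
"""

# Line shapes as DDS prints them (pseudo-HJT section, services, file list).
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TCP_RE = re.compile(r"^TCP:\s*(?P<key>\S+)\s*=\s*(?P<servers>[\d.,\s]+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
SVC_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(?P<path>.+)$")

# Heuristics: these thresholds are this example's own choices, not DDS rules.
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")  # e.g. JDK5SWFMZY
WINROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def triage(dds_text):
    """Return a list of (category, line) for every line that trips a rule."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m.group("cmd")):
                findings.append(("autorun-from-temp", line))
            elif RANDOM_NAME_RE.match(m.group("name")):
                findings.append(("autorun-random-name", line))
            continue

        m = TCP_RE.match(line)
        if m:
            # A home router normally hands out a private address as the DNS
            # server; anything outside RFC 1918/loopback space is reported
            # as a lead to verify, since an ISP resolver can also be public.
            for ip in m.group("servers").split(","):
                ip = ip.strip()
                try:
                    public = ip and not ipaddress.ip_address(ip).is_private
                except ValueError:
                    continue
                if public:
                    findings.append(("dns-public-resolver", line))
                    break
            continue

        m = HOSTS_RE.match(line)
        if m:
            sinkhole = m.group("ip") in ("127.0.0.1", "0.0.0.0")
            if sinkhole and m.group("host").lower() != "localhost":
                findings.append(("hosts-sinkhole", line))
            continue

        m = SVC_RE.match(line)
        if m:
            # Assumption: DDS prints "[?]" where it could not find/stat the file.
            if m.group("rest").rstrip().endswith("[?]"):
                findings.append(("driver-file-missing", line))
            continue

        m = CREATED_RE.match(line)
        if m and WINROOT_EXE_RE.match(m.group("path")):
            findings.append(("new-exe-in-windows-root", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:24} {line}")
```

Run against the sample it reports the two temp-directory autoruns, both resolver lines, the hosts sinkhole, the missing driver file and the new executable in C:\WINDOWS, and stays quiet on ctfmon.exe, ccApp and the Symantec driver. Each hit is a lead for the helper to confirm by hand, not a verdict: a public resolver or a hosts entry can be legitimate, so the script only shortens the reading, it does not replace it.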

Hello Brad! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

Your version of Norton is very old, but we'll take care of it when we finish our work.

Step 1

Please go into Control Panel, Add/Remove Programs, and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and, if found, delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 2

Go into C:\Program Files\Malwarebytes' Anti-Malware and you will see a file called mbam.exe. Right-click on it, choose Rename, and change the name from mbam.exe to firefox.com. Then please restart your computer.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

  1. JavaRa log
  2. Malwarebytes' Anti-Malware log
  3. a new, fresh DDS log only


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
