
AV Security Suite Infection

1646 Views 4 Replies 2 Participants Last post by  silversleeper
Basically the computer is prompting the user that the PC is infected and it wants to run a scan. I didn't recognize the supposed antivirus software it was referencing. Lo and behold, a rogue antivirus program has infected the machine. It seems to only affect a single user (logon) on that computer, although I'm not 100% certain.

In addition to the logs attached and posted below, I've got access to the Windows Install disc and I have a copy of a boot CD (UltimateBootCD).

Here goes:

====
DDS:
====

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:54:07.06 on Wed 07/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.734 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\cthomas\Local Settings\Application Data\fiopswlrk\fxknysetssd.exe
C:\Program Files\Panasonic\UserUtility\ScannerIndicator.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: &Security Update: {35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} - c:\windows\system32\win32extension.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRunOnce: [GV Cookie Remover] cmd.exe /c del "c:\documents and settings\administrator\cookies\*gamevance*" /F /Q /S
uRunOnce: [GV Firefox removal1] cmd.exe /c rd "c:\documents and settings\administrator\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]" /Q/S
uRunOnce: [gvunonce] c:\docume~1\admini~1\locals~1\temp\gvun.exe -q
mRun: [SySmstray] c:\windows\mstre26.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nnxwypnb] c:\documents and settings\cthomas\local settings\application data\fiopswlrk\fxknysetssd.exe
mRunOnce: [gvu] cmd.exe /c rd /s /q "c:\program files\Gamevance Tournament"
mRunOnce: [gvu2] cmd.exe /c reg delete HKCU\Software\gvtl /f
mRunOnce: [gvu3] cmd.exe /c reg delete HKCU\Software\AppDataLow\gvtl /f
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\panasonic\userutility\ScannerIndicator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091229.009\naveng.sys [2009-12-30 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091229.009\navex15.sys [2009-12-30 1323568]
R4 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-12-17 11520]
S4 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2004-8-4 14336]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

=============== Created Last 30 ================

2010-07-07 16:50:58 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-07-07 16:05:06 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-06-17 13:49:19 0 d-----w- c:\program files\W3i
2010-06-16 14:39:22 49152 ----a-w- c:\windows\system32\INETWH32.dll
2010-06-16 14:39:22 1089536 ----a-w- c:\windows\system32\ROBOEX32.DLL
2010-06-16 14:39:18 0 d-----w- c:\program files\Dataflight
2010-06-11 14:20:47 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 18:19:46 0 d-----w- c:\program files\MSXML 4.0
2010-06-07 21:19:13 0 d-----w- c:\program files\Panasonic Communications
2010-06-07 21:18:02 0 d-----w- c:\program files\EMC Captiva
2010-06-07 21:17:50 0 d-----w- c:\docume~1\alluse~1\applic~1\EMC Captiva
2010-06-07 21:00:06 221184 ----a-w- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2010-05-18 15:13:06 90801 ----a-w- c:\windows\fonts\AdobeFnt.lst
2010-05-18 05:52:24 182608 ----a-w- c:\windows\system32\cnvshell.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:57:13 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 12:54:23.54 ===============

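Added example, not part of the original thread and not a DDS feature: a small Python triage script that applies the rule-of-thumb checks a helper would run over the log above. It flags Run/RunOnce entries that launch from the user profile or a Temp directory, an executable dropped straight into the %windir% root, a BHO loaded out of system32 with no vendor directory, svchost hosting a service group that is not one of the stock XP groups, and entries whose file is missing ("No File" / "[?]"). The sample lines are copied from the DDS output above; the known-group list and the heuristics are assumptions, and a hit means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections quoted from the log posted above.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: &Security Update: {35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} - c:\windows\system32\win32extension.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SySmstray] c:\windows\mstre26.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [nnxwypnb] c:\documents and settings\cthomas\local settings\application data\fiopswlrk\fxknysetssd.exe
uRunOnce: [gvunonce] c:\docume~1\admini~1\locals~1\temp\gvun.exe -q
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R4 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S4 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2004-8-4 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
"""

# Assumption: svchost service groups present on a stock Windows XP install
# (plus the HP imaging group seen in the log). Extend per host.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "netsvcs", "rpcss", "networkservice",
                        "localservice", "imgsvc", "hpz12"}

# Heuristics (assumptions, not DDS semantics).
USER_WRITABLE = re.compile(r"(local settings|application data|\\temp\\|locals~1|applic~1)", re.I)
WINDIR_ROOT_EXE = re.compile(r'c:\\windows\\[^\\\s"]+\.exe', re.I)
SYSTEM32_DLL = re.compile(r'c:\\windows\\system32\\[^\\\s"]+\.dll', re.I)
SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def _kind(line: str) -> str:
    # "mRun: [..." -> "mRun", "S4 fioo32;..." -> "S4"
    return line.split()[0].rstrip(":")


def _is_run_key(kind: str) -> bool:
    # u/m prefix marks HKCU/HKLM; strip it to compare the key type
    return kind.lower().lstrip("um") in ("run", "runonce")


def triage(text: str) -> list:
    """Return one Finding per suspicious DDS line, with the rules that fired."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = _kind(line)
        reasons = []
        if "no file" in line.lower() or line.endswith("[?]"):
            reasons.append("referenced file is missing (orphaned entry or hidden/deleted binary)")
        if _is_run_key(kind) and USER_WRITABLE.search(line):
            reasons.append("Run key launches from a user-writable profile/Temp path")
        if _is_run_key(kind) and WINDIR_ROOT_EXE.search(line):
            reasons.append("executable sits directly in %windir% instead of a vendor directory")
        if kind in ("BHO", "TB") and SYSTEM32_DLL.search(line):
            reasons.append("browser add-on DLL loaded from system32 with no vendor directory")
        m = SVCHOST_GROUP.search(line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            reasons.append(f"svchost hosting unknown service group '{m.group(1)}'")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def suspicious_lines(text: str) -> list:
    """Just the flagged lines, in log order."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it against a full DDS log by replacing SAMPLE_DDS with the file contents; the Symantec, Java and Google entries in the sample pass clean, while the fxknysetssd.exe Run key, mstre26.exe, win32extension.dll, the orphaned BHO, the missing ewido driver and the fioo32 svchost service are all surfaced for a closer look.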
Welcome to TSF :)

Do you still need assistance?
I sure wouldn't mind getting this machines cleansed. I have the option to re-image it, but wasn't sure if this was one of those things that would reappear after a fresh XP install. If I performed a proper (zero-fill) format, would that likely rid the HDD of the infection? Or would I be better off cleaning the machine first, and then going for a fresh XP install?
As long as the previous image doesn't contain any viruses then it might just be easier to re-image it.
Alrighty then... consider this thread resolved!
Thanks so much!