Tech Support Forum banner

AV Security Suite Infection

1646 Views 4 Replies 2 Participants Last post by  silversleeper
Basically the computer is prompting the user that the PC is infected and it wants to run a scan. I didn't recognize the supposed antivirus software it was referencing. Lo and behold, a rogue antivirus program has infected the machine. It seems to only affect a single user(logon) on that computer, although I'm not 100% certain.

In addition to the logs attached and posted below, I've got access to the Windows Install disc and I have a copy of a boot CD (UltimateBootCD).

Here goes:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:54:07.06 on Wed 07/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.734 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\cthomas\Local Settings\Application Data\fiopswlrk\fxknysetssd.exe
C:\Program Files\Panasonic\UserUtility\ScannerIndicator.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: &Security Update: {35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} - c:\windows\system32\win32extension.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\\ netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRunOnce: [GV Cookie Remover] cmd.exe /c del "c:\documents and settings\administrator\cookies\*gamevance*" /F /Q /S
uRunOnce: [GV Firefox removal1] cmd.exe /c rd "c:\documents and settings\administrator\application data\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]" /Q/S
uRunOnce: [gvunonce] c:\docume~1\admini~1\locals~1\temp\gvun.exe -q
mRun: [SySmstray] c:\windows\mstre26.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [nnxwypnb] c:\documents and settings\cthomas\local settings\application data\fiopswlrk\fxknysetssd.exe
mRunOnce: [gvu] cmd.exe /c rd /s /q "c:\program files\Gamevance Tournament"
mRunOnce: [gvu2] cmd.exe /c reg delete HKCU\Software\gvtl /f
mRunOnce: [gvu3] cmd.exe /c reg delete HKCU\Software\AppDataLow\gvtl /f
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\panasonic\userutility\ScannerIndicator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091229.009\naveng.sys [2009-12-30 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091229.009\navex15.sys [2009-12-30 1323568]
R4 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-12-17 11520]
S4 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2004-8-4 14336]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]

=============== Created Last 30 ================

2010-07-07 16:50:58 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-07-07 16:05:06 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-06-17 13:49:19 0 d-----w- c:\program files\W3i
2010-06-16 14:39:22 49152 ----a-w- c:\windows\system32\INETWH32.dll
2010-06-16 14:39:22 1089536 ----a-w- c:\windows\system32\ROBOEX32.DLL
2010-06-16 14:39:18 0 d-----w- c:\program files\Dataflight
2010-06-11 14:20:47 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 18:19:46 0 d-----w- c:\program files\MSXML 4.0
2010-06-07 21:19:13 0 d-----w- c:\program files\Panasonic Communications
2010-06-07 21:18:02 0 d-----w- c:\program files\EMC Captiva
2010-06-07 21:17:50 0 d-----w- c:\docume~1\alluse~1\applic~1\EMC Captiva
2010-06-07 21:00:06 221184 ----a-w- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2010-05-18 15:13:06 90801 ----a-w- c:\windows\fonts\AdobeFnt.lst
2010-05-18 05:52:24 182608 ----a-w- c:\windows\system32\cnvshell.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:57:13 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 12:54:23.54 ===============


See less See more
Not open for further replies.
1 - 5 of 5 Posts
Welcome to TSF :)

Do you still need assistance?
I sure wouldn't mind getting this machines cleansed. I have the option to re-image it, but wasn't sure if this was one of those things that would reappear after a fresh XP install. If I performed a proper (zero-fill) format, would that likely rid the HDD of the infection? Or would I be better off cleaning the machine first, and then going for a fresh XP install?
As long as the previous image doesn't contain any virus's then it might just be easier to re-image it.
Alrighty then... consider this thread resolved!
Thanks so much!
1 - 5 of 5 Posts
Not open for further replies.