
Fake AV Trojan still lingering

1359 Views 7 Replies 2 Participants Last post by Raleigh23
I don't know if this virus is "new" or resurrected from infected archived files that I recently opened. I know this machine was previously infected when someone else was using it last year, but don't have details about what the virus was or how it was dealt with.

The computer is running Windows XP Professional version 2002 Service Pack 3.

Last week, I started getting fake XP Security 2011 warnings popping up. I tried to deal with it myself using ATF Cleaner and ComboFix. Also ran AVG and Spybot Search and Destroy. That stopped the pop-ups, but Norton and MSE were still finding evidence of the virus. Norton identified sem.exe.vir (Trojan FakeAV) and quarantined a bunch of stuff, mostly from \documents and settings\ and some from the task bar, etc.

It also identified [email protected] - this was in an archived (zipped) folder of a website directory (from one of the websites we maintain) that had recently been downloaded.

We also had a malicious script injected into the index page of one of our other WordPress sites, but the evidence of that went back to over a year ago. Those files were also FTPed onto this computer. MSE identified the threat as an obfuscated js Trojan.

Right now I cannot enable the Automatic Updates in the Security Center. The setting is set correctly in the Control Panel, but it is still disabled. I can't locate it running under Administrative Tools > Services to check for errors.

Earlier today the computer spontaneously restarted, and then displayed a system error:

Error signature

BCCode : 10000050 BCP1 : E9780FFE BCP2 : 00000000 BCP3 : A8262619
BCP4 : 00000001 OSVer : 5_1_2600 SP : 3_0 Product : 256_1

Files

C:\DOCUME~1\Hanna\LOCALS~1\Temp\WERe179.dir00\Mini040511-01.dmp
C:\DOCUME~1\Hanna\LOCALS~1\Temp\WERe179.dir00\sysdata.xml

DDS report is below. Looks like Norton wasn't disabled all the way, but I hope that doesn't mean I have to do this all over again.

Any help or insight is appreciated. Thanks in advance.

-------------------------------------------------


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Hanna at 18:07:38.76 on Tue 04/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1979.1311 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\SugarSync\SugarSyncManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Hanna\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: {B922D405-6D13-4A2B-AE89-08A030DA4402} - No File
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263066877265
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263066872875
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hanna\applic~1\mozilla\firefox\profiles\o7ei1y35.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coFFPlgn
FF - Ext: Firebug: [email protected] - %profile%\extensions\[email protected]
FF - Ext: CodeBurner for Firebug: [email protected] - %profile%\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-4-4 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-4-4 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-9 800376]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-4-4 136312]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-1-28 387072]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2011-4-4 130000]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2009-10-20 241880]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-4 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110401.001\IDSXpx86.sys [2011-4-5 341944]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-9 110080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110404.033\naveng.sys [2011-4-5 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110404.033\navex15.sys [2011-4-5 1393144]
S1 MpKslf3818085;MpKslf3818085;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5aaf97fe-a326-4363-bdac-50e67bcd750e}\mpkslf3818085.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5aaf97fe-a326-4363-bdac-50e67bcd750e}\MpKslf3818085.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-9 1684736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-12-13 30192]
.
=============== Created Last 30 ================
.
2011-04-05 23:48:43 -------- d-----w- c:\docume~1\hanna\locals~1\applic~1\Temp
2011-04-04 21:56:20 368248 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdi.sys
2011-04-04 21:56:20 330360 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2011-04-04 21:56:20 295032 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2011-04-04 21:56:19 652336 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symefa.sys
2011-04-04 21:56:19 340016 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symds.sys
2011-04-04 21:56:18 509560 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2011-04-04 21:56:18 50168 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2011-04-04 21:56:18 136312 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys
2011-04-04 21:55:14 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2011-04-04 21:29:03 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-04-04 21:29:03 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-04 21:29:02 -------- d-----w- c:\program files\Symantec
2011-04-04 21:29:02 -------- d-----w- c:\program files\common files\Symantec Shared
2011-04-04 21:27:57 -------- d-----w- c:\windows\system32\drivers\NIS
2011-04-04 21:27:52 -------- d-----w- c:\program files\Norton Internet Security
2011-04-04 21:27:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-04 21:27:37 -------- d-----w- c:\program files\NortonInstaller
2011-04-04 21:27:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-03-31 20:45:25 -------- d-sha-r- C:\cmdcons
2011-03-31 20:42:17 98816 ----a-w- c:\windows\sed.exe
2011-03-31 20:42:17 89088 ----a-w- c:\windows\MBR.exe
2011-03-31 20:42:17 256512 ----a-w- c:\windows\PEV.exe
2011-03-31 20:42:17 161792 ----a-w- c:\windows\SWREG.exe
2011-03-31 20:19:33 -------- d-----w- C:\AVGTemp
2011-03-31 20:12:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-14 16:32:45 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 18:08:25.43 ===============

I accidentally attached the .txt rather than .zip copies of the logs to my first post. I don't see the option to edit or delete it, so I am attaching the docs in correct format here.


Hello Raleigh23,

Kindly post the C:\ComboFix.txt for review.

Hello,

ComboFix.txt is attached.

I ran Norton after running ComboFix, so I don't know if this log's information is current.

Let me know if there is anything else that would be helpful.

Thank you


Thank you. Download CF-querySvc.exe

Double-click to run it, then please post the log it produces.

Hello,

Here is the resulting log.

Thanks


The service is there. Do you know if anyone has set restrictions via gpedit?

Follow the instructions here and see if this sets it straight: "Automatic Updates options are greyed out?"

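A read-only check for the settings that commonly leave Automatic Updates greyed out while the Control Panel still looks right: the Group Policy values gpedit writes and the state of the wuauserv service. This is an added example, not code from the thread or from the linked article; it assumes Windows PowerShell is installed on the machine (XP does not ship with it) and changes nothing on the system.

```powershell
# Read-only audit of Automatic Updates restrictions. Added example, not from the thread.
function Get-AutoUpdateRestrictions {
    $findings = @()

    # Values written by gpedit / Group Policy. NoAutoUpdate=1 turns AU off;
    # DisableWindowsUpdateAccess=1 blocks the Windows Update UI (machine or per-user).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $wu = "$hive\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
        if (Test-Path $wu) {
            $v = Get-ItemProperty -Path $wu
            if ($v.DisableWindowsUpdateAccess -eq 1) {
                $findings += "$wu\DisableWindowsUpdateAccess = 1 (Windows Update access blocked by policy)"
            }
        }
        $au = "$wu\AU"
        if (Test-Path $au) {
            $v = Get-ItemProperty -Path $au
            if ($v.NoAutoUpdate -eq 1) {
                $findings += "$au\NoAutoUpdate = 1 (Automatic Updates disabled by policy)"
            }
            if ($null -ne $v.AUOptions) {
                $findings += "$au\AUOptions = $($v.AUOptions) (policy is forcing the AU mode)"
            }
        }
    }

    # The Automatic Updates service itself. Start=4 in its service key means Disabled,
    # which is one reason it can vanish from the Services list the poster checked.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey).Start
        if ($start -eq 4) { $findings += 'wuauserv Start = 4 (service disabled)' }
    } else {
        $findings += 'wuauserv service key is missing'
    }
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += 'wuauserv is not visible to Get-Service'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "wuauserv status: $($svc.Status)"
    }

    return $findings
}

$result = Get-AutoUpdateRestrictions
if ($result.Count -eq 0) { 'No policy or service restriction found on Automatic Updates.' }
else { $result }
```

Any line it prints points at the key or service to compare against a known-clean XP machine before changing anything.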
Thank you. I'll look into it. It's possible that someone else may have tinkered with the settings, although I hadn't noticed Auto Updates appearing before as disabled.