Symantec suddenly starting to find unnamed trojan horses


Post by lithiumus » December 8th, 2009, 9:06 am

Symantec Anti-Virus started to detect "trojan horses" and quarantining legitimate exes on my laptop. The trojan horses found by Symantec were unnamed, so I'm assuming possible malware. I work in IT Security and do research on bad domains and sometimes get redirected to bad sites. Will need to consider a virtual instance for stuff like this in the future...

Thank you in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:17 AM, on 2009-12-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\GNU\GnuPG\kleopatra.exe
C:\Program Files\GNU\GnuPG\bin\dbus-daemon.exe
C:\Program Files\GNU\GnuPG\bin\kleopatra.exe
C:\Program Files\GNU\GnuPG\gpg-agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tucows.com Co.
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal.internal.tucows.com/newportal/main.php
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.lithiumus.com
O17 - HKLM\Software\..\Telephony: DomainName = int.lithiumus.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.lithiumus.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7905 bytes
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

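For anyone triaging a HijackThis log like the one above by hand, the following Python is an added example (it is not part of this thread and not a HijackThis or MalwareRemoval.com tool). It parses the section-prefixed line format the log uses (R0/R1 browser settings, O4 Run entries, O20 Winlogon Notify, O23 services) and flags the items a helper usually looks at first: entries marked "(file missing)", services with no recorded owner, and autostart entries launched from a temp or profile-data directory. The sample lines are constructed, modelled on the format shown in the log; the path hints are a heuristic I chose for illustration, and a flagged entry means "review this", not "this is malware".

```python
import re
from dataclasses import dataclass, field

# Generic HijackThis line shape: "<section> - <rest>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample lines in the HijackThis 2.0.2 format seen in the thread.
# The last line is a placeholder path for illustration only, not a real finding.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: DirMngr - Unknown owner - C:\\Program Files\\GNU\\GnuPG\\dirmngr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
O4 - HKCU\\..\\Run: [example] C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe
"""

# Directories an autostart entry normally does not launch from; heuristic
# review triggers chosen for this example, not verdicts.
REVIEW_PATH_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Parse HijackThis-style lines into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Attach review reasons and return only the entries that got one."""
    for e in entries:
        low = e.body.lower()
        if "(file missing)" in low:
            e.reasons.append("referenced file is missing (orphaned entry)")
        if e.section == "O23" and "unknown owner" in low:
            e.reasons.append("service binary has no publisher recorded")
        if e.section == "O4" and any(h in low for h in REVIEW_PATH_HINTS):
            e.reasons.append("autostart launches from a temp/profile data directory")
    return [e for e in entries if e.reasons]


def summarize(text):
    """Return (entry counts per section, flagged entries) for a log body."""
    entries = parse_hjt(text)
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts, triage(entries)


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print("entries per section:", counts)
    for e in flagged:
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print("   ->", r)
```

Run against the sample it reports three entries per the O4 section, one O20 and two O23, and flags the orphaned ACNotify entry, the DirMngr service with no owner, and the constructed Temp-directory autostart. Paste a real log into `SAMPLE_LOG` (or read it from a file) to get the same summary for it; the "Running processes" and header lines are ignored because they do not match the section-prefix shape.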
Re: Symantec suddenly starting to find unnamed trojan horses

Post by deltalima » December 14th, 2009, 9:52 am

Hi lithiumus,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Uninstall List
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Symantec suddenly starting to find unnamed trojan horses

Post by lithiumus » December 14th, 2009, 1:56 pm

Thanks for the help!

Here is the uninstall info...

ACDSee Classic
Adobe Flash Player 10 Plugin
ALLDATA Repair
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft TotalMedia Extreme
Audacity 1.2.6
AviSynth 2.5
CDisplay 1.8
Cisco Systems VPN Client 4.8.00.0440
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CutePDF Writer 2.6
dBpoweramp DirectShow Decoder
dBpoweramp DSP Effects
dBpoweramp m4a Codec
dBpoweramp Monkeys Audio Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
Foxit Reader
Gpg4win (2.0.1)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
InterVideo WinDVD
iPhone Configuration Utility
iTunes
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 13
K-Lite Codec Pack 4.7.0 (Full)
LiveUpdate 3.0 (Symantec Corporation)
MediaInfo 0.7.12
MeGUI modern media encoder (remove only)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
MobileMe Control Panel
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Symantec AntiVirus
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Modem Adapter
ThinkPad Power Management Driver
ThinkPad UltraNav Driver
ThinkVantage Access Connections
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
VideoLAN VLC media player 0.8.6e
ViewMail
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Internet Explorer 7
Windows Media Format Runtime
WinRAR archiver
XviD4PSP 5.0
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Post by deltalima » December 14th, 2009, 5:40 pm

Hi lithiumus,

Before we continue could you please clarify if this computer is used for personal use or for business use?
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Symantec suddenly starting to find unnamed trojan horses

Post by lithiumus » December 14th, 2009, 6:39 pm

Thanks again, this computer is for personal use. I may check business E-mails but it's primarily for personal use.
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Post by deltalima » December 15th, 2009, 4:23 pm

Hi lithiumus,

Please download DDS ... by sUBs.
Save it to your desktop. Alternate download link: here.
  • Double click the tool to run it.
  • A black Screen will open... read the contents but do nothing.
  • When DDS finishes... Notepad will open with 2 reports... DDS.txt and Attach.txt
    Ignore the comments about zipping / attaching any of the report files. The 2 report files are not saved anywhere,
    if you close Notepad, before copying /pasting them... you will need to run DDS again.
  • Copy/paste both DDS.txt and Attach.txt reports in your next reply.
  • Once the reports have been posted, you can delete DDS from your desktop.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with DDS.txt and Attach.txt from the DDS scan into your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Symantec suddenly starting to find unnamed trojan horses

Post by lithiumus » December 16th, 2009, 11:59 am

Here is the Attach.txt. The S.dirmngr in dds.txt looks strange; I don't recall installing anything or creating that... GMER will be in my next post as I'm shutting down Firefox...


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2009-03-23 6:02:59 PM
System Uptime: 2009-12-16 9:51:20 AM (1 hours ago)

Motherboard: LENOVO | | 224235U
Processor: Intel Pentium III Xeon processor | None | 2260/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 4.345 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP235: 2009-11-21 10:58:28 PM - System Checkpoint
RP236: 2009-11-23 3:55:03 AM - System Checkpoint
RP237: 2009-11-23 1:41:39 PM - Installed Compatibility Pack for the 2007 Office system
RP238: 2009-11-24 1:51:21 PM - System Checkpoint
RP239: 2009-11-25 2:14:43 PM - System Checkpoint
RP240: 2009-11-26 4:02:55 PM - System Checkpoint
RP241: 2009-11-27 5:16:47 PM - System Checkpoint
RP242: 2009-11-28 6:04:47 PM - System Checkpoint
RP243: 2009-11-29 7:05:51 PM - System Checkpoint
RP244: 2009-11-30 8:04:45 PM - System Checkpoint
RP245: 2009-12-02 2:43:26 AM - System Checkpoint
RP246: 2009-12-03 3:39:15 AM - System Checkpoint
RP247: 2009-12-03 3:00:00 PM - Software Distribution Service 3.0
RP248: 2009-12-04 10:10:15 PM - System Checkpoint
RP249: 2009-12-05 11:29:55 PM - System Checkpoint
RP250: 2009-12-06 11:58:20 PM - System Checkpoint
RP251: 2009-12-08 12:13:04 AM - System Checkpoint
RP252: 2009-12-09 1:17:37 AM - Software Distribution Service 3.0
RP253: 2009-12-10 2:15:06 AM - System Checkpoint
RP254: 2009-12-10 8:40:16 AM - Software Distribution Service 3.0
RP255: 2009-12-11 7:58:13 PM - System Checkpoint
RP256: 2009-12-12 8:47:20 PM - System Checkpoint
RP257: 2009-12-13 8:49:34 PM - System Checkpoint
RP258: 2009-12-14 8:59:40 PM - System Checkpoint
RP259: 2009-12-15 9:19:20 PM - System Checkpoint

==== Installed Programs ======================

ACDSee Classic
Adobe Flash Player 10 Plugin
ALLDATA Repair
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft TotalMedia Extreme
Audacity 1.2.6
AviSynth 2.5
CDisplay 1.8
Cisco Systems VPN Client 4.8.00.0440
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CutePDF Writer 2.6
dBpoweramp DirectShow Decoder
dBpoweramp DSP Effects
dBpoweramp m4a Codec
dBpoweramp Monkeys Audio Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
Foxit Reader
Gpg4win (2.0.1)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
InterVideo WinDVD
iPhone Configuration Utility
iTunes
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 13
K-Lite Codec Pack 4.7.0 (Full)
LiveUpdate 3.0 (Symantec Corporation)
MediaInfo 0.7.12
MeGUI modern media encoder (remove only)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
MobileMe Control Panel
Mozilla Firefox (3.0.11)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
QuickPar 0.9
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Symantec AntiVirus
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Modem Adapter
ThinkPad Power Management Driver
ThinkPad UltraNav Driver
ThinkVantage Access Connections
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
VideoLAN VLC media player 0.8.6e
ViewMail
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
WinRAR archiver
XviD4PSP 5.0

==== Event Viewer Messages From Past Week ========

2009-12-14 7:42:57 PM, error: Dhcp [1002] - The IP address lease 10.0.65.111 for the Network Card with network address 0016EABACE5A has been denied by the DHCP server 172.16.0.1 (The DHCP Server sent a DHCPNACK message).
2009-12-14 11:40:16 AM, error: Dhcp [1002] - The IP address lease 172.16.0.16 for the Network Card with network address 0016EABACE5A has been denied by the DHCP server 10.0.70.10 (The DHCP Server sent a DHCPNACK message).
2009-12-10 8:11:27 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {E8933C4B-2C90-4A04-A677-E958D9509F1A}
2009-12-09 11:09:16 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
2009-12-09 1:07:35 PM, error: Service Control Manager [7000] - The SOFTLOK service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

Here is the dds.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by glau at 10:43:53.52 on 2009-12-16
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1976.993 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\GNU\GnuPG\kleopatra.exe
C:\Program Files\GNU\GnuPG\bin\dbus-daemon.exe
C:\Program Files\GNU\GnuPG\bin\kleopatra.exe
C:\Program Files\GNU\GnuPG\gpg-agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\glau.TUCOWSAD\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 1000 (0x3e8)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdat ... /opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\glau~1.tuc\applic~1\mozilla\firefox\profiles\kuuoejwe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.formula1.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2009-4-6 96384]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2009-9-28 242176]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2009-5-25 14416]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2009-3-31 66816]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-10-20 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-31 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091213.008\naveng.sys [2009-12-15 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091213.008\navex15.sys [2009-12-15 1323568]
S2 SOFTLOK;SOFTLOK; [x]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\atswpwdf.sys --> c:\windows\system32\drivers\ATSwpWDF.sys [?]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2009-5-25 44344]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-9-1 17408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-12-16 14:51:57 21 ----a-w- c:\windows\S.dirmngr
2009-12-14 22:16:35 0 d-----w- c:\docume~1\glau\applic~1\Foxit Software
2009-11-23 18:41:30 0 d-----w- c:\program files\MSECache
2009-11-19 15:52:06 0 d-----w- c:\docume~1\glau\applic~1\dBpoweramp
2009-11-19 15:52:05 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DirectShow Decoder.bmp
2009-11-19 15:52:05 2738 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DirectShow Decoder.dat
2009-11-19 15:45:25 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp
2009-11-19 15:45:25 3065 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2009-11-19 15:44:21 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2009-11-19 15:44:21 3107 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2009-11-19 15:44:00 3625 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2009-11-19 15:44:00 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2009-11-19 15:40:02 0 d-----w- c:\docume~1\glau\applic~1\AccurateRip
2009-11-19 15:40:01 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.bmp
2009-11-19 15:40:01 11024 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2009-11-19 15:39:55 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2009-11-19 15:39:55 15607 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-11-19 15:39:54 229752 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-11-19 15:39:51 0 d-----w- c:\program files\Illustrate
2009-11-16 17:13:38 0 d-----w- c:\program files\CDisplay

==================== Find3M ====================

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-21 18:57:51 61224 ----a-w- c:\documents and settings\glau\GoToAssistDownloadHelper.exe
2009-09-20 20:43:38 81736 ----a-w- c:\windows\system32\lmdimon8.dll

============= FINISH: 10:44:14.38 ===============
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby lithiumus » December 16th, 2009, 1:25 pm

Here is the GMER scan output...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-16 12:23:26
Windows 5.1.2600 Service Pack 3
Running: toqdwrte.exe; Driver: C:\DOCUME~1\GLAU\LOCALS~1\Temp\ufdiqpod.sys


---- System - GMER 1.0.15 ----

SSDT 89322F00 ZwAlertResumeThread
SSDT 88E00AD0 ZwAlertThread
SSDT 88FDFB98 ZwAllocateVirtualMemory
SSDT 8916DC48 ZwConnectPort
SSDT 8924B738 ZwCreateMutant
SSDT 89174CC8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9927CCB0]
SSDT 89225B70 ZwFreeVirtualMemory
SSDT 89183750 ZwImpersonateAnonymousToken
SSDT 89347438 ZwImpersonateThread
SSDT 891F30A8 ZwMapViewOfSection
SSDT 89D067B8 ZwOpenEvent
SSDT 88DEAAD0 ZwOpenProcessToken
SSDT 88DFBAD0 ZwOpenThreadToken
SSDT 8910B970 ZwQueryValueKey
SSDT 88F79B00 ZwResumeThread
SSDT 892F1EB0 ZwSetContextThread
SSDT 8917ED00 ZwSetInformationProcess
SSDT 88DA9AD0 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9927CF10]
SSDT 89264318 ZwSuspendProcess
SSDT 89CDBC40 ZwSuspendThread
SSDT 88DD3AD0 ZwTerminateProcess
SSDT 89CDCF20 ZwTerminateThread
SSDT 891BFDF8 ZwUnmapViewOfSection
SSDT 88E4AB10 ZwWriteVirtualMemory

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B8A7516D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B8A74FC2

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0x98896400, 0x82482, 0xE8000020]
.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0x98936420]
.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0x98936200, 0x5105, 0xE0000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby deltalima » December 17th, 2009, 4:26 pm

Hi lithiumus,

"The S.dirmngr in dds.txt looks strange"

That is OK and is connected to Gpg4win – (C:\Program Files\GNU\GnuPG\dirmngr.exe)

The disk space on drive C: is very low, please make some space as soon as possible, 10% free should be the minimum.

Set Your Computer to Show All Files/Folders.

  • Click Start.
  • Click My Computer
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.

Next

Upload a File to Virustotal

Please go to Virustotal
Copy/paste this file and path into the white box at the top:
c:\windows\system32\drivers\archlp.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
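One way to decide which entries in the DDS "SERVICES / DRIVERS" section deserve a VirusTotal check first, as an added example that is not part of the thread and not DDS's own code. It parses the `<state> <name>;<display name>;<path> [<date> <size>]` lines and flags drivers whose file is missing (`[x]` / `[?]`) or whose display name is just the service name repeated, which is what made archlp.sys stand out above; the sample lines are constructed in the shape of the posted log and the flagging rules are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# One DDS service/driver line: '<state> <name>;<display>;<path> [<date> <size>]'
# or, when the file was not found, '... [x]' / '... [?]'.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<tail>[^\]]*)\]\s*$"
)

# Constructed sample, copied in shape from the thread's DDS section.
SAMPLE = r"""
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2009-4-6 96384]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
S2 SOFTLOK;SOFTLOK; [x]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\atswpwdf.sys --> c:\windows\system32\drivers\ATSwpWDF.sys [?]
"""


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    missing: bool                      # True for the DDS [x] / [?] markers
    reasons: list = field(default_factory=list)


def parse_entry(line: str):
    """Parse one DDS line; return None for blank or non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail").strip()
    return ServiceEntry(
        state=m.group("state"), name=m.group("name"), display=m.group("display"),
        path=m.group("path").strip().lower(), missing=tail in ("x", "?"))


def triage(text: str):
    """Return the entries worth a second look, each with its reasons (assumed rules)."""
    flagged = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.missing:
            e.reasons.append("file not found on disk")
        # A kernel driver whose display name merely repeats its service name
        # carries no vendor hint, so it goes to the top of the check list.
        if e.display.lower() == e.name.lower() and "\\drivers\\" in e.path:
            e.reasons.append("system driver with no descriptive display name")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.state} {e.name:10} {e.path or '(no path)'}: {'; '.join(e.reasons)}")
```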

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby lithiumus » December 17th, 2009, 4:38 pm

It looks like there is one hit out of 41 scanners...

http://www.virustotal.com/analisis/1ae1 ... 1245975684

Explains why it's gone unnoticed for so long given that I have Symantec running...
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby deltalima » December 17th, 2009, 5:27 pm

Hi lithiumus,

Malwarebytes Anti-Malware:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and select then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby lithiumus » December 18th, 2009, 2:32 am

Malwarebytes' Anti-Malware 1.42
Database version: 3383
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2009-12-18 1:30:59 AM
mbam-log-2009-12-18 (01-30-59).txt

Scan type: Quick Scan
Objects scanned: 121862
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby deltalima » December 18th, 2009, 5:45 pm

Hi lithiumus,

Please let me know if the symptoms
Symantec Anti-Virus started to detect "trojan horses" and quarantining legitimate exe's
happened for only a brief period or if you are still experiencing them.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and also let me know how your computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby lithiumus » December 19th, 2009, 11:36 pm

It still happens but it's intermittent and not on a daily basis. Kaspersky found one infected file...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 19, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 19, 2009 15:17:01
Records in database: 3389304
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 62957
Threats found: 1
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:09:03


File name / Threat / Threats count
C:\Documents and Settings\glau\Local Settings\Application Data\Microsoft\Outlook\archive1.pst Infected: Backdoor.PHP.Agent.dn 4

Selected area has been scanned.
lithiumus
Active Member
 
Posts: 12
Joined: December 8th, 2009, 8:57 am

Re: Symantec suddenly starting to find unnamed trojan horses

Unread postby deltalima » December 20th, 2009, 4:00 pm

Hi lithiumus,

The one detection from Kaspersky is within an email in an Outlook archive and may prove difficult to isolate. If you could please check through your email archive and delete any executable attachments that you no longer require and then right click on Deleted items and select Empty “Deleted Items” folder.

Please run a new Kaspersky scan and include the results in your next post.

Could you please give more details of the files that have been quarantined by Symantec, any from Internet sites or only files already on computer? Location (path to files) and file names.

If possible please provide a copy of the Symantec logs for these quarantine events and the results from the Kaspersky scan in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK