Attack by Unknowns and Defunct Norton AV and System Restore

Posted by Richard T on November 8, 2007, 9:36 am

This attack is really serious: it has made my Norton AV defunct and I can
activate my System Restore. Using HijackThis to scan, I got the following, and
your advice would be very appreciated:
Logfile of HijackThis v1.99.0
Scan saved at 22:15:12, on 08/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\crypserv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\System32\WFXSVC.EXE
D:\Program Files\Symantec\WinFax\WFXMOD32.EXE
D:\WINDOWS\System32\mqsvc.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\slrundll.exe
D:\WINDOWS\System32\mqtgsvc.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
D:\WINDOWS\System32\wfxsnt40.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\System32\carpserv.exe
D:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
D:\program files\voipstunt.com\voipstunt\voipstunt.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Common Files\Palo Alto Software.0\PAS8_Update.exe
D:\Program Files\MSN Toolbar Suite\DS.05.0001.1119\en-gb\bin\WindowsSearch.exe
D:\Program Files\MSN Toolbar Suite\DS.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
E:\Antivirus\ISS.BlackICE.PC.Protection.v3.6.cqn.Incl.Keymaker-CORE\keygen.exe
D:\Program Files\ISS\BlackICE\blackice.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\Program Files\ISS\BlackICE\rapapp.exe
D:\Program Files\ISS\BlackICE\ProUtil.exe
D:\WINDOWS\system32\Restore\rstrui.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
O2 - BHO: Adobe PDF Reader Link Helper - - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - - (no file)
O2 - BHO: Windows Live Sign-in Helper - - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - - d:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - - D:\Program Files\Google\GoogleToolbarNotifier.0.301.7164\swg.dll
O2 - BHO: MSN Search Toolbar Helper - - D:\Program Files\MSN Toolbar Suite\TB.05.0000.1082\en-gb\msntb.dll
O2 - BHO: NAV Helper - - D:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Adobe PDF - - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - - D:\Program Files\MSN Toolbar Suite\TB.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Norton AntiVirus - - D:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [] D:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AttuneClientEngine] D:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [*wuauclt.exe] wmsct.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\RunServices: [RealPlayer] RealPlayer.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [*wuauclt.exe] wmsct.exe
O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"D:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 7.0.0.125\English\kav.en.msi"
O4 - HKCU\..\Run: [VoipStunt] "D:\program files\voipstunt.com\voipstunt\voipstunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: BlackICE PC Protection.lnk = D:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = D:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = D:\Program Files\Common Files\Palo Alto Software.0\PAS8_Update.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = D:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: Windows Desktop Search.lnk = D:\Program Files\MSN Toolbar Suite\DS.05.0001.1119\en-gb\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://D:\Program Files\MSN Toolbar Suite\TB.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\MSN Toolbar Suite\TAB.05.0001.1119\en-gb\msntabres.dll/229?e326e72f5da455ba6c265ad3f35f71c
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\MSN Toolbar Suite\TAB.05.0001.1119\en-gb\msntabres.dll/230?e326e72f5da455ba6c265ad3f35f71c
O9 - Extra button: (no name) - - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Messenger - - D:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - - D:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107426679609
O16 - DPF: (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS3\Services\Tcpip\..\: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: livecall - - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - D:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Canon Camera Access Library 8 - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager - Unknown - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation - Unknown - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager - Unknown - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: Google Updater Service - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Unknown - D:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service - Unknown - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: NvCplScan - Unknown - D:\WINDOWS\System32\winasp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - D:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVScan - Unknown - D:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service - Unknown - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Unknown - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc - Unknown - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WinFax PRO - Symantec Corporation - D:\WINDOWS\System32\WFXSVC.EXE



Posted by jen on November 8, 2007, 12:49 pm
> This attack is really serious: it has made my Norton AV defunct and I can
> activate my System Restore. Using HijackThis to scan, I got the
> following, and
> your advice would be very appreciated:
> Logfile of HijackThis v1.99.0
> Scan saved at 22:15:12, on 08/11/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
[snip ]

Don't post HijackThis logs on usenet!
Go here(or similar sites) for help:
Preparation Guide for use before posting a HijackThis Log :
http://www.bleepingcomputer.com/forums/topic34773.html

-jen


