No, there is no log, but after you are done with getting rid of Norton, give me a new log, following the steps from my reply #20.
Latest Avz4 log:
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 2/22/2009 7:38:24 PM
Database loaded: signatures - 211074, NN profile(s) - 2, microprograms of healing - 56, signature database released 20.02.2009 23:52
Heuristic microprograms loaded: 372
SPV microprograms loaded: 9
Digital signatures of system files loaded: 97058
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.0.2195, Service Pack 4 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
>>>> Probable masking of executable file's name 792 intuitupdateservice.exe, real name - IntuitUpdateSer
>>>> Probable masking of executable file's name 1496 roxwatchtray.exe, real name - RoxWatchTray.ex
>>>> Probable masking of executable file's name 1600 googletoolbarnotifier.exe, real name - GoogleToolbarNo
>>>> Probable masking of executable file's name 1612 superantispyware.exe, real name - SUPERAntiSpywar
>>>> Probable masking of executable file's name 1604 webshotstray.exe, real name - WebshotsTray.ex
>>>> Probable masking of executable file's name 1796 cpshelprunner.exe, real name - CPSHelpRunner.e
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0808E0)
Kernel ntoskrnl.exe found in memory at address 80400000
SDT = 804808E0
KiST = 804721E8 (248)
Function NtConnectPort (1B) intercepted (804C5ADA->B7093040), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateFile (20) intercepted (804A7172->B708F930), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateKey (23) intercepted (80511E50->B709AA80), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreatePort (28) intercepted (804C65D6->B7093510), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateProcess (29) intercepted (804E2264->B7099870), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateSection (2B) intercepted (804CB114->B709CFD0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtCreateWaitablePort (31) intercepted (804C65F4->B7093600), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteFile (34) intercepted (804A0E26->B708FF20), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteKey (35) intercepted (80512214->B709B6E0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDeleteValueKey (37) intercepted (80512430->B709B440), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtDuplicateObject (3A) intercepted (804D61A8->B7099580), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtLoadKey (56) intercepted (80514256->B709B8B0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenFile (64) intercepted (804A8416->B708FD70), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenProcess (6A) intercepted (804DEB24->B7099350), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtOpenThread (6F) intercepted (804DEDE4->B7099150), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtReplaceKey (A9) intercepted (8051470A->B709BCB0), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (B0) intercepted (804C4EF2->B7092C00), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtRestoreKey (B4) intercepted (80513BFC->B709C080), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSecureConnectPort (B8) intercepted (804336C0->B7093220), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetInformationFile (C2) intercepted (804A93BA->B7090120), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtSetValueKey (D7) intercepted (80513F9A->B709B140), hook C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Function NtTerminateProcess (E0) intercepted (804E32CC->B7047F20), hook C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys, driver recognized as trusted
Functions checked: 248, intercepted: 22, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLOSE] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = B70A4C20 -> C:\WINNT\System32\vsdatant.sys, driver recognized as trusted
Checking - complete
2. Scanning memory
Number of processes found: 37
Analyzer: process under analysis is 728 C:\WINNT\System32\drivers\CDAC11BA.EXE
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 792 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1128 C:\Program Files\Pwrchute\ups.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
Analyzer: process under analysis is 1520 C:\WINNT\system32\desk95.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1496 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1452 C:\Program Files\IconLock\ICONLOCK.EXE
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1564 C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\VBPTASK.EXE
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1720 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 1796 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
[ES]:Application has no visible windows
Number of modules loaded: 359
Scanning memory - complete
3. Scanning disks
Direct reading C:\WINNT\system32\wbem\Repository\CIM.REC.BAK
F:\Documents and Settings\User\Local Settings\Temp\SPR1910.EXE >>> suspicion for IRC-Worm.Win32.***ot.c ( 086DE4D0 042E7F72 0021DE6F 001E4DAD 91648)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINNT\system32\Hook95.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINNT\system32\Hook95.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse, all events
C:\WINNT\system32\Hook95.dll>>> Neural net: file with probability 99.87% like a typical keyboard/mouse events interceptor
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse
C:\Program Files\FarStone\RestoreIT\RestoreIT_2K\HookAPI.dll>>> Neural net: file with probability 99.92% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
>> Security: automatic logon is enabled
Checking - complete
9. Troubleshooting wizard
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>> Internet Explorer -unsigned ActiveX elements are allowed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 260308, extracted from archives: 211644, malicious software found 0, suspicions - 1
Scanning finished at 2/22/2009 8:07:16 PM
Time of scanning: 00:28:53
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete
Latest Avz4 .zip file attached.
Thanks.
Any changes to the computer behavior?
No change from previous behavior, except that I cannot run HijackThis in Normal Mode now. I will try running it in Safe Mode later today. Explorer is about useless. Creating a new folder causes the Explorer window to hang, and you can't end it even with Task Manager. You can create a new folder using the Command Prompt window, which will also hang, but you can end that.
What is F drive?
This PC had the hard drive upgraded. The F: drive is the old C: drive that is now used only for backup storage.
I asked, because the scan reports this:
http://209.85.48.8/228/109/upload/p4315332.gif
Broni,
I'll check the file creation date on that later today as well.
This is a temporary folder, so you can actually get rid of it altogether.
I will probably delete it, but the dates might give an idea as to whether that file might have something to do with the current problem. If all dates are old, then it probably doesn't.
Well, if it IS an infected file, the dates can be misleading.
I looked at it, and it says:
- created - 2/22/2006
- modified - 11/18/2005
which is a little bit weird.
That is strange. I'll check to see if it is on the C: drive as well. If it isn't, I'm reasonably sure it wasn't run from the F: drive recently. Thanks.