#11
Hi Steve,

Find the Fix.bat result:

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0ncshpgyk\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0

Thanks, Swami.
|
#12
Hi there Swami

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Keep me updated. Let me know if your antivirus is behaving again....
__________________
Proud member of ASAP & UNITE My System: Steves Rig
|
|
#13
| Hi Steve, Find attached the ComboFix log. As far as my antivirus goes, it is still showing a message as "Symantec Antivirus Corporate Edition" is turned off and not able to turn it back on. Thanks, Swami. |
|
#14
Hi there

Code:
Firefox::
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ComboFix.txt for further review.
__________________
Proud member of ASAP & UNITE
|
#15
| Hi Steve, Find the log below: ComboFix 09-05-15.01 - swami 05/21/2009 21:46.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.520 [GMT -4:00] Running from: c:\documents and settings\swami\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\swami\Desktop\CFScript.txt AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 ))))))))))))))))))))))))))))))) . 2009-05-18 23:22 . 2009-05-18 23:22 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2 2009-05-18 23:20 . 2009-05-18 23:20 -------- d-----w C:\KK 2009-05-18 14:32 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll 2009-05-17 22:47 . 2009-05-17 22:47 38344 ---ha-w c:\windows\system32\mlfcache.dat 2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-05-15 23:47 . 2009-05-16 03:25 -------- d-----w c:\program files\SUPERAntiSpyware 2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com 2009-05-15 03:14 . 2009-05-15 03:14 -------- d--h--w C:\VJVod_Cache 2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro 2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google 2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae 2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae 2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft 2009-05-03 03:50 . 
2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks 2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-21 15:57 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor 2009-05-21 12:49 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client 2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS 2009-05-19 01:38 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS 2009-05-19 01:38 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS 2009-05-17 22:57 . 2007-07-05 23:58 -------- d-----w c:\program files\Java 2009-05-17 22:51 . 2007-07-14 01:14 -------- d-----w c:\program files\Google 2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus 2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts 2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-09 09:19 . 2008-12-19 17:30 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll 2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat 2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((( SnapShot_2009-05-20_00.20.47 ))))))))))))))))))))))))))))))))))))))))) . + 2009-05-22 01:48 . 
2009-05-22 01:48 53248 c:\windows\Temp\catchme.dll + 2004-08-04 12:00 . 2009-05-20 01:04 64774 c:\windows\system32\perfc009.dat - 2004-08-04 12:00 . 2009-05-19 01:43 64774 c:\windows\system32\perfc009.dat + 2004-08-04 12:00 . 2009-05-20 01:04 409800 c:\windows\system32\perfh009.dat - 2004-08-04 12:00 . 2009-05-19 01:43 409800 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] "HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-05-14 396288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="-" [X] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "CompatibleRUPSecurity"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2005-07-06 06:45 28672 ----a-w 
c:\windows\system32\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"= "c:\\Program Files\\TVAnts\\Tvants.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009 R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944] R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736] R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442] R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608] R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508] R3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416] R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516] S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?] 
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/26/2008 12:36 PM 33752] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920] S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624] S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600] --- Other Services/Drivers In Memory --- *Deregistered* - EraserUtilDrv10910 *Deregistered* - mchInjDrv *Deregistered* - srservice *Deregistered* - SSDPSRV *Deregistered* - stisvc *Deregistered* - Symantec AntiVirus *Deregistered* - TapiSrv *Deregistered* - TermService *Deregistered* - TPHDEXLGSVC *Deregistered* - TpKmpSVC *Deregistered* - TrkWks *Deregistered* - UMWdf *Deregistered* - vvdsvc *Deregistered* - W32Time *Deregistered* - WControl *Deregistered* - WebClient *Deregistered* - winmgmt *Deregistered* - winvnc *Deregistered* - wscsvc *Deregistered* - wuauserv *Deregistered* - WZCSVC [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] vvdsvc REG_MULTI_SZ vvdsvc . Contents of the 'Scheduled Tasks' folder 2008-11-13 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12] . . ------- Supplementary Scan ------- . 
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 21:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1340)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\igfxdev.dll
c:\windows\system32\notifyf2.dll
- - - - - - - > 'Explorer.exe'(5724)
c:\windows\system32\PROCHLP.DLL
.
Completion time: 2009-05-22 21:49
ComboFix-quarantined-files.txt 2009-05-22 01:49
ComboFix2.txt 2009-05-20 00:22
ComboFix3.txt 2009-05-18 16:54
ComboFix4.txt 2009-05-17 22:31
ComboFix5.txt 2009-05-22 01:46
Pre-Run: 36,255,363,072 bytes free
Post-Run: 36,261,056,512 bytes free
185 --- E O F --- 2009-05-18 23:26
Thanks, Swami. |
|
#16
| |||
| |||
| Hi there
Can you just clarify something for me: is Symantec AntiVirus running but Windows reporting it as not, or is Symantec AntiVirus not running full stop?
__________________ Proud member of ASAP & UNITE |
|
#17
| |||
| |||
| Hi Steve,
I'm not sure. How can I tell if Symantec Antivirus is running or not? The Windows Security Center is reporting that my antivirus is turned off. This started happening after the Trojan attack; before that it was not happening.
If I look at the Services window, it shows me that the following services are running:
Symantec Antivirus
Symantec Antivirus Definition Watcher
Symantec Livestate Agent for Windows
Symantec Settings manager
There are other services that are not running, though it says automatic, and when I try to start them, it gives me some or other errors:
Symantec Events Manager
Symantec Network Drivers Service
Symantec SPBBCSvcs
Thanks, Swami. |
|
#18
| |||
| |||
| Howdy there
Let's try this.
Go to Start > Run and type Notepad.exe then click OK.
Copy and paste the following text within the code box into the new Notepad file.
Code:
@ECHO OFF
REM Stop the WMI service so its repository folder can be renamed
net stop winmgmt
cd /d %windir%\system32\wbem
REM Rename the repository; WMI rebuilds it when the service starts again
ren repository repository.old
net start winmgmt
exit
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat, making sure that the Save as type field says All files.
Next double click fixme.bat to run it. A black box should open and close after a short time; this is normal.
Do not continue until the black box has closed.
Delete fixme.bat from the Desktop.
Let me know how things are now....
__________________ Proud member of ASAP & UNITE |
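An added diagnostic example for the question in posts #16 to #18 (not part of the original thread and not the helper's own script): it compares what the Service Control Manager reports with what WMI serves to Windows Security Center, which on XP reads antivirus status from WMI. The service key names are taken from the ComboFix log above; it assumes Windows XP Professional, where `wmic` and the `root\SecurityCenter` namespace are available.

```batch
@ECHO OFF
REM Added example, not from the original thread.
REM Service key names below come from the ComboFix log posted in this thread.
SETLOCAL

ECHO === Service state and registered binary path ===
FOR %%S IN ("Symantec AntiVirus" ccEvtMgr SNDSrvc SAVRT SYMTDI SavRoam) DO (
    ECHO.
    ECHO --- %%~S ---
    REM STATE shows RUNNING/STOPPED; FAILED appears if the key is not registered
    sc query "%%~S" | findstr /I "STATE FAILED"
    REM BINARY_PATH_NAME is the ImagePath the service would launch
    sc qc "%%~S" | findstr /I "BINARY_PATH_NAME START_TYPE FAILED"
)

ECHO.
ECHO === Antivirus status as WMI reports it to Security Center ===
REM root\SecurityCenter is the XP-era namespace (Vista and later use root\SecurityCenter2)
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get displayName,onAccessScanningEnabled,productUptoDate

ENDLOCAL
PAUSE
```

If the services show RUNNING but the WMI query returns no instance or `onAccessScanningEnabled` is FALSE, the mismatch is in the status reporting rather than in the scanner itself; a service whose `sc qc` path is missing or unexpected cannot start regardless of what Security Center displays.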
|
#19
| |||
| |||
| Hi Steve,
Things are the same. I think I got some more virus attacks on my system. Now I am not able to run any antivirus software. When I try and click to run Malwarebytes or SuperAntispyware tools, nothing happens. Can you please help?
Thanks, Swami. |
|
#20
| |||
| |||
| Hi there
Delete the version of combofix that you have on your desktop.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on Combo-Fix.exe & follow the prompts.
__________________ Proud member of ASAP & UNITE |