
Symantec is reporting malware and I've been unable to locate or remove it.

Asked by DesktopResourcesInc in HijackThis Software, Windows XP Operating System, Anti-Virus Applications

Tags: unable

Hello all,

I'm having an issue with a laptop at a client that I have so far been unsuccessful at resolving. Symantec Antivirus is reporting an infection on the laptop during its quick scan that occurs immediately after logon. I've already run scans using SAV, Ad-aware, and Spybot with the system booted in normal mode as well as in safe mode, and emptied the contents of all Temp Internet Files, Cookies, all user temp directories, c:\temp, and c:\windows\temp. I've also removed a couple of questionable (I don't remember what they were now) entries that were in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run. I've looked for them, but can't find any of the files referenced in the SAV log. Regardless of all this, however, the scan still finds and alerts on the infection within a couple of minutes of logging on. The laptop is running WinXP Pro SP2. I'm hoping not to have to format and rebuild this particular laptop from scratch, so I'm hoping someone out there sees something I don't.

Here are the contents of the SAV threat log (minus irrelevant info):

Risk      Action      Count      Filename      Risk Type      Original Location      Status      Current Location      Action Description
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      2      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      2      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      1      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      2      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      2      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      1      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      1      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      1      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      1      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      2      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      2      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      1      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      2      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      2      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      2      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Trojan Horse      Quarantined      2      x334fdws.exe      File      C:\WINDOWS\      Infected      Quarantine      The file was quarantined successfully.
Trojan Horse      Quarantined      2      ntfsx.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      Quarantine      The file was quarantined successfully.
Infostealer      Cleaned by deletion      2      all.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       
Infostealer      Cleaned by deletion      2      vidr.exe      File      C:\WINDOWS\system32\drivers\ssl\06\      Infected      C:\WINDOWS\system32\drivers\ssl\06\       

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:07:17 AM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\drivers\ssl\06\rar.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SSU.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\sdbsrv03\ABD\Ultra-Staff\Executable\ABDUltraStaff.exe
C:\Documents and Settings\missym\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152116498245
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sdb.local
O17 - HKLM\Software\..\Telephony: DomainName = sdb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sdb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sdb.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
O23 - Service: Windows Licence Managements - Unknown owner - C:\WINDOWS\licences.exe

--
End of file - 7508 bytes

Thank you for any help received!!!

- Brian
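A defender-side check that the two logs above invite, added here as an example (it is not part of the original post, of Symantec AntiVirus or of HijackThis): it parses the running-process list, the O4 Run entries and the O23 services out of a HijackThis log and flags the items a reviewer would look at first, using the directory the SAV threat log reported as the place infected files keep turning up. The excerpt, the rule set and the names SAV_HIT_DIRS, parse_hjt and triage are my own choices.

```python
import re
# Constructed excerpt modelled on the HijackThis log in the post above; the paths are
# copied from that log, everything else from it is left out for brevity.
SAMPLE_HJT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\drivers\ssl\06\rar.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Licence Managements - Unknown owner - C:\WINDOWS\licences.exe
"""
# Directory in which the SAV threat log in the post reported the infected files.
SAV_HIT_DIRS = [r"C:\WINDOWS\system32\drivers\ssl\06"]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
def exe_from_cmd(cmd):
    """Executable part of an O4 command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def parse_hjt(text):
    """Extract the running-process list, O4 Run entries and O23 services from a HijackThis log."""
    out = {"processes": [], "run": [], "services": []}
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            out["processes"].append(line)
        elif in_procs:
            in_procs = False  # the first blank line ends the process list
        elif m := O23_RE.match(line):
            out["services"].append((m["name"], m["owner"], m["path"]))
        elif m := O4_RE.match(line):
            out["run"].append((m["hive"], m["name"], exe_from_cmd(m["rest"])))
    return out

def triage(parsed, hit_dirs=SAV_HIT_DIRS):
    """Heuristic (rule, item) pairs for a human to check; these are leads, not verdicts."""
    hits = [d.lower().rstrip("\\") + "\\" for d in hit_dirs]
    in_hit = lambda p: any(p.lower().startswith(d) for d in hits)
    found = []
    for proc in parsed["processes"]:
        if in_hit(proc):  # something still runs from where the AV keeps finding files
            found.append(("process running from AV-detection directory", proc))
    for name, owner, path in parsed["services"]:
        if owner.lower() == "unknown owner" or in_hit(path):
            found.append(("service with unknown owner or suspicious path", f"{name} -> {path}"))
    for hive, name, exe in parsed["run"]:
        if "\\" not in exe or in_hit(exe):  # resolved via PATH, or in a known-bad directory
            found.append(("Run entry with no directory or in AV-detection directory", f"{hive} [{name}] {exe}"))
    return found
```

The point of the process and service rules is that Run keys are only one of several autostart locations HijackThis lists; a service (O23) or a still-running process from the detection directory survives the Run-key cleanup described in the post.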
05/22/07 10:31 AM, ID: 19135792, Expert Comment

05/22/07 10:37 AM, ID: 19135849, Expert Comment

05/22/07 10:57 AM, ID: 19136004, Author Comment

05/22/07 11:18 AM, ID: 19136153, Expert Comment

05/22/07 11:23 AM, ID: 19136188, Author Comment

05/22/07 11:29 AM, ID: 19136230, Expert Comment

05/22/07 12:47 PM, ID: 19136876, Author Comment

05/22/07 10:11 PM, ID: 19139457, Accepted Solution

About this solution

Zones: HijackThis Software, Windows XP Operating System, Anti-Virus Applications
Tags: unable
Solution Provided By: rpggamergirl
Participating Experts: 2
Solution Grade: A
 
05/23/07 05:59 AM, ID: 19141140, Author Comment
