a virus norton cant beat

[glowingnissan07]

omg i hate when techspot makes me retype like 2 pages of stuff again.

Ill summarize this time.

VAIO
2.7 GHz Processor
1 GB RAM

-Put my computer on a wireless network today via Linksys Wireless USB Adapter. After fully installing it i tested the internet (google). it worked.

-Installed Steam (a program that connects to the internet through an account allowing you play Half-Life 2 [yeah baby] and other valve games) and Norton Internet Security 2007 at the same time. PC gets bogged down, takes forever, feel like just sitting back and playing HL2 while Norton finished installing.

-suddenly Computer gets like 30x slower than usual. HL2 keeps crashing at main menu because the CPU gets bogged down, even tho only like 50 processes are running (even after Norton got installed it did this)

-Decide to finish all the norton crap without Steam running. Takes forever to do everything as usual. Tried to use Live Update to update virus definitions. It installs most except two which are pretty much the same thing.

"Norton Internet Security URL Updates status: failed"

"Error: LU1812 - a program that was part of this update failed when it ran. update not applied"

It does that every time i run Live Update.

-For a while I tried going online for help but Internet Explore keps Not Responding.

-Decided to secure all other settings and stuff, which i did. I checked the Processes and found a bunch ive never heard of like tsitra1000106.exe or ccSvchst.exe. Ended most of them. Anything seeming to pertain to Symantic (csrss.exe?) it says Access is Denied which makes no sense to me. I'm the owner.

-Ran Full System Scan and stuff. It got rid of a lot of High Risk Threats, but it didn't really improve any performance on the computer.

-Also there are times when i click on LiveUpdate it'll say that it's already running and i can only run one instance even though it isnt running anywhere on the desktop or taskbar. It does that with Steam as well, but Steam.exe is easy to terminate in Task Manager.

-Got Internet Explorer to work without it not responding. Went to symantic.com for help but they gave me a bunch of useless information like, update your virus definitions, or use this AutoFix tool which mysteriously disappeared when i downloaded it. They gave me something else too but i couldnt use it until i use LiveUpdate to activate something i have no clue.

-Tested Steam again and im not sure if it was because of Steam or not but somehow someone changed my desktop to a stupid dating webpage after i logged on to Steam. It freaked me out big time and then i got like 10 messages from Norton saying they blocked a computer attack from someone called STAT or something.

-Randomly, (for the 2nd time already while i was on the internet), Norton goes from being "Secure" to completely not secure and i become completely vulnernable agaian.

-Disconnecting the Wireless Adapter doesnt improve anything either. Performance is still extremely slow, especially when i log onto windows. it takes like 10 mintues for everything to appear on the desktop. At least no more viruses can jump in...i hope.

-im not sure what to do. I cant kill any virus when i dont have the latest definitions for LiveUpdate, becuase something is preventing LiveUpdate from getting access to the defintions. Its obvious tho that norton is incapable of overcoming this threat. any ideas?

im already reinstalling Steam and Norton as I speak, because i do think the problem might be with Steam, but im not sure on that,

-thanks

 

[howard_hopkinso]

Go and read this thread HERE and post a HJT log as an attachment into this thread.

Regards Howard

 

[glowingnissan07]

the hjt log

ahh yes I forgot about this program. keep in mind that I already uninstalled Steam and Norton from my Pc before I ran "crusty.exe".

 

[howard_hopkinso]

Oh, dear! Your system is badly infected with a variety of nasties.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Run this Symantec/Norton removal tool.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Bobbye]

Howard will handle the HijackLog, but I have questions. Does Steam require running extra processes. In addition to malware, I see way too many processes running, and you have two 'Ati2evxx.exe' of the same process for your graphics card!

And not only is 'ViewpointService.exe' malware, it's a "Huge" guzzler of the the CPU.. And you have so many processes running in the background it's a wonder your system moves at all! One example is the ' Daemon Tools'

You mention 'only 50 processes running'- what would you think if I told you I only have 32 and 34 on my two systems? You have way too many startup and I hope when Howard helps you get cleaned up , you'll take a serious looks at the Startup tab in the msconfig utility. The only processes you need to start up at boot are your anti-virus program, firewall, touch-pad for laptop and network processes. ALL the other things can be started by you when you need them!

Moral of the story- it's not only malware running- it's excessive startups running in the background, plus some you should not have running like 'jusched', which if the Java auto check for updates. That's a very undesirable process to have running.

When you get the malware out, if you interested in culling those startups and processes, post back and I will help you with that part. I have to stay off while Howard is taking you through the malware removal.

 

[glowingnissan07]

ok i ran into several obstacles while following ur malware removal instructions, some of which were definately my fault. (ie, left ACTIVE SHIELD running or TEATIMER, or ran scans in normal mode instead of safe mode [the only program i ran in safemode was combofix]). I did disable TEATIMER and SHIELD towards the end of the instructions (step 13), but if i should redo anything, let me know.

Since TeaTimer was on through most of the time, i got a lot of important registry changes SS&D kept alerting me to. (they look like this:

"Spybot - Search & Destroy has detected an important registry entry that has been changed.

Category: Session Manager
Change: Value Changed

Entry: BootExecute

Old Data: autocheck autochk *\
New Data: autocheck autochk *\lsdelete\

")


I didn't know what to do with most of them, but i denied some, especially ones from programs like tsitra1000106.exe.

A lot of them appeared once Combofix was preparing its log, and i tried to get rid of some but then the whole pc crashed and i had to manually restart. I'm not sure if the first logfile was lost or not. I ran combofix again with TeaTimer disabled and thats the logfile that is attached.

AVG Free Edition Resident Shield (which i had running throughout most of the intructions)
keeps giving me this THREAT DETECTED!!

"While opening file: C:\Windows\System32\awtqp.dll

Virus found Lop

"

I can either ignore or send to "vault", but the problem is it says that might cause the OS to become unusable. I didnt want to take that chance so i just left it hanging around in the backround.

As you can see, there are TWO logs for the AVG Anti-Spyware scan. Thats because the first time AVG failed to backup the file C:\System Volume\Information\_restore{47E7117B-18F3-4A10-B47C-105BED-1BFF8B}\RP313\A0041527.exe and quarantine it. I got a message like 50 times and each time the above numbers kept randomly changing (virus cloning itself?). AVG Programme says that file (or files like it) are all Trojan horse IRC/Backdoor.SdBot.BPE. But in the infection tab of AVG Anti-Syware there are only 3 quarantined, two ending with .vbs (Trojan.small) and another with .sys (Antiroot.Agent.eq). Apparently Panda Antiroot did not pick up on that. That was the first scan. THe second scan 13 objects ended up in the infection tab. 11 of which are all variations of C:\ SystemVolume\Information\_restore{47E7117B-18F3-4A10-B47C-105BED-1BFF8B}\RP313\A0041527.exe. I have not removed them yet.

Panda Antiroot did not detect anything.

the last problem i having is that everytime i boot onto windows, ChkDsk checks Drive E (a secondary partition) for consistency. Only thing on there was a backup ISO file i immediately deleted, but even after i did that it continues to check drive E.

Peformance while logging on is greatly improved, but the pc still takes forever to load all the programs and such in the tasktray. (i see your point bobbeye)

yeah for some reason i cant upload any logs right now. Sorry for the inconvienance. Either Techspot or my PC (and its probably my PC) is making it so I can't upload anything at all. Soooo should i post the logs inside the thread?

yeah i guess what happened was i uploaded them and it worked but then i went to post the message and Techspot asked me to relogin and i did but it erased everything and now i cant upload anything cuz those 4 attachments are stuck "in progress" and i cant cancel them cuz everytime i do Techspot asks me to relogin and when i do it says "you didnt check anything to be deleted" when i really did or itll just throw me into my profile page.

-gah

ok got them posted, i just changed the file name.

 

[howard_hopkinso]

Run Panda Antirootkit and have it fix all entries.

Go HERE, download and install the latest version of Java.

Once it`s installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.


Go to add remove programmes in your control panel and uninstall anything to do with(if there).

viewpoint
viewpoint toolbar
viewpoint manager
Windows NT

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Viewpoint Manager Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ViewpointService.exe
tsitra1000106.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {92C22BA3-6EC5-47F2-A319-1DAA5352114C} - C:\Program Files\Windows NT\quzobuf4444.dll

O2 - BHO: (no name) - {df49a5d3-f1b1-497e-9819-9563592c394b} - C:\WINDOWS\system32\tcowfqr.dll (file missing)

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll (file missing)

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\Program Files\Viewpoint
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows NT

Reboot into normal mode and rehide your protected OS files.

Run a fresh Panda Antirootkit scan and let me know the results.

Post fresh HJT, Combofix and AVG Antispyware logs.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[glowingnissan07]

ok i did everything you asked. Pana Antiroot did not detect anything and neither did AVG Anti-spyware.

hows the malware situation looking for me? cuz my pc still runs slower than it used too, perhaps to those 50 some guzzling processes im running (5 svchost.exe's, 3 CLI.exe's, 2 ati2evxx.exe's, jusched.exe etc) i could use some help with that Bobbye or anyone else who knows computers way more than I do.

fyi im still getting important registry changes from SS&D resident i dont know how to deal with.


"Spybot Search & Destory has detected an important registry entry that has been changed.

Category: System Startup global entry
Change: Value deleted

Entry: runner1

Old Data: C:\Windows\tsitra1000106.exe 61A847B5B"

and a similar one came up earlier from svchost but its directory was in ...Windows\Fonts\

a place it should not be.

I checked the locations for both but could find neither files, and those were some of the files i fixed on the HJT!


anyway i thought id just give you an update. please post back as soon as you can.

 

[howard_hopkinso]

Do not worry that you couldn`t find the C:\WINDOWS\tsitra1000106.exe and
C:\WINDOWS\Fonts\svchost.exe files. That`s why I said if there.

We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Go HERE and follow the instructions for removing the Sony DRM rootkit.

Post fresh HJT and Combofix logs when done.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[glowingnissan07]

done

when i was removing the rootkit in the instructions, the file Aries.sys wasnt found in the directory. It either was already deleted or never there to begin with.

So far, with regards to the systems performance, the CPU usage on taskmanager has been all over the place, jumping from 0 to 20 back to 0 to 30 back to 0 to 26 etc etc. im only running 36 processes at present and yet it still takes forever for certain windows to load., even though the CPU usage is way less than 100%. :/

 

[howard_hopkinso]

Looks like the Sony rootkit is still there.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.



Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).



Close task manager.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard

Edit: Removed some instructions that were in error.

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Bobbye]

You need to be more concerned with "what's" using the CPU, not the total usage. When you have all active Windows closed and check the CPU in the Task Manager, you can show numbers like 97 in System Idle, 2 in System and 1 in taskmgr which total 100. But any other processes running with CPU of over 1 of 2 is what needs to be identified and stopped from starting up because it's running in the background.

NOTE: please do not start this review of running processes until Howard has finished with your logs. These are all legitimate programs but none of them need to start when you boot and run in the background. Stopping them using the msconfig utility startup menu will increase your boot start time:

C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DAEMON Tools\daemon.exe
(Description: Background application that is used to map an image file, such as .iso and so forth, to a virtual CD or DVD drive.)

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
(cli.exe is installed alongside ATI's range of graphics cards with the Catalyst hardware driver range. Installs a easy-to-access taskbar icon for access to diagnostics features.)

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
(Automatic check for updates. It is recommended you NOT have this enabled: Control Panel> Java> Update tab> UCHECK 'check for updates> Yes.)

C:\Program Files\iPod\bin\iPodService.exe
(ipodservice.exe is a process belonging to Apple's iTunes mp3 media suite.

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
(acroiehelper.dll is a module which offers support for the Adobe Acrobat Reader program.)

VAIO Media Music Server Service: sv_httpd.exe is a process belonging to Sony VAIO Media Platform. It can be set to Manual to start when you need it.

All of the above can be called up when needed and do not need to start and run in the background. The only processes on startup should be for anti-virus program, firewall, real-time spyware (although I discourage using Tea Timer as it does cause conflicts since it runs in Real time)network process if network is set up and possible touch pad process for laptop- nothing else!

 

[glowingnissan07]

check

here ya go

 

[howard_hopkinso]

Your HJT log is now clean.

However, we have a few bits and bobs to get rid of yet.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::


Folder::
C:\WINDOWS\system32\xx8
C:\WINDOWS\system32\fx1
C:\WINDOWS\system32\bf22
C:\Qoobox

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt.

Regards Howard

Edit: Removed some instructions that were in error.


This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[glowingnissan07]

nice. hopefully this will be the last run.

 

[howard_hopkinso]

That looks clean mate.

You can now get rid of all the tools etc we used to clean your system. This includes the Combofix backups etc.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Rik]

I have just got to say that i find the title of this thread amusing. Now if it said a virus that Norton CAN beat it'd be even funnier.

 

[glowingnissan07]

lmao


so yeah should i still keep AVG or should uninstall it and use Norton? I mean i know Norton sucks but is it better than free antivirus software?

and also Windows keeps checking partition E for consistency, which only started once the malware problem started. Coincidence?

MY Pc is still somewhat slower than normal, possible due to the all the antivirus and Firewall i have running. I followed Bobbye's instruction which did still help. I'm going to defrag tonight, but is there anything else i can optimize my pc's performace?

(and dont say set the window eyecandy off i already did that long ago)

 

[Rik]

Get rid of Norton, its absolute rubbish.

 

[howard_hopkinso]

Norton is a terrible resource hog and as you`ve found out, it ain`t that great at killing infections either.

I recommend you get rid of it.

Download this Symantec/Norton removal tool.

Download one antivirus and one firewall programme from the list below.

AVG free or Avast antivirus programmes.

Zonealarm Kerio or Comodo free firewall programmes.


Disconnect from the net and run the Norton removal tool. reboot your computer the required number of times.

Install whichever firewall programme you chose and reconnect to the net.

Install whichever AV programme you chose and run the AV updates.

Do a full system scan and let us know the results.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[glowingnissan07]

hahaha no howard i already did that after my first thread.


but yeah it still takes like 2-3 seconds for each window to open when i click on something. idk why, thats what im trying to fix.

oh, and i found out my Cd-drives are now disabled, something to do with that sony XCD thingy. I can intall any DVDs and my pc doesnt even show my secondary CD drive on my computer.

 

[howard_hopkinso]

What are your H and I drives? They shows up in your combofix log, see below.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command - H:\LaunchBOPC1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command - I:\LaunchBOPC2.exe

Your cd drive problem, may be caused by the sony rootkit. I take it your optical drives are recognised in bios, but not in Windows?

Take a look at this article and let me know if it helps at all.

Regards Howard

This thread is for the use of glowingnissan07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[glowingnissan07]

"BEFORE you do anything else, you now have to consider if you're brave enough to do manual registry editing, because if you remove anything else and don't clean up the registry, your CDROM and possibly your hard disk(s) *WILL* vanish if "crater.sys" and "$sys$cor.sys" are removed. So if you're uncomfortable with registry editing, STOP NOW! You're DONE!!!"

thats all that link says about losing your CDROM, and i have no clue about registry editing. last time someone messed with that stuff, my dads laptops keyboard and mouse became completely useless.

The H and I drives are drives the computer thinks are installed. but they merely virtual drives created by a program called daemon. I use it so i dont have to load actual DVDs into my computer to use them.

 

[Bobbye]

" I mean i know Norton sucks but is it better than free antivirus software?"

Don't think that just because a software program cost money that equates with "better"! As a matter of fact, the three spyware/adware programs that are recommended most are all free-and good.

Take some time and go through the information I left for you about those programs starting up and running in the background, not that you're clean.

 

[glowingnissan07]

yes i already disabled some of the startup things using msconfig (see attached .bmp for current running processes in taskmgr). my pc is still slow as respects booting up programs, windows, and simple menus.