Help -Norton is blocked and globalroot etc

mystiquelive · ‎07-09-2009

Ok, im not sure what happened.. of course downloading, yet im pretty safe, i have 2009 norton.. with all the bells and whistles.

but when i was downloading a bittorrent, i got somethign weird it asked me for..

well now, my notron wont scan, it says its scanning, but its not running its numbers, just keeps saying scanning, but its not.. I did however go into safemode, it worked there, well did a small scan of course, only found a small tracker..

-went back into normal vista mode.. and still norton wont scan and show file#'s its scanning through.. .

second.. which i assume its invovled..

when i go to go into explore this pops up

" globalroot\systemroot\system32\MSIVXmloynnhyvrqbvwhiacikxpqurwtoramv.dll

then says somethign about graffics..

but im very worried about my norton and why it wont work.. i rather not unistall it, as i got it online, and would be more then a hassel then having the cd...

but anyone can help me what to do.. details would be great.. i know somewhat about computers.. but not crazy worded details. just something easy i can follow.. hope this helps out other people too.

I have also tried other suggestions.. like combofix , i also have that gmear or whatever its called haha, scaned and saved onto my computer for whom ever to view it...

I have also tried downloading say AVG to see if i can scan with that but it wont allow me either..

Message Edited by mystiquelive on 07-09-2009 01:08 PM

dbrisendine · ‎10-06-2008

Can you boot into normal mode and run a HiJackThis log, please?

Please download HiJackThis for this web site. Choose the third one on the list; the executable and save it on your desktop. Run the file and select the first option on the main menu "Do a system scan and save a log file". When this is finished, Notepad will open with the log file in it. Select the Edit > Select all and Edit > Copy commands in Notepad. Then paste the copied log file in a reply post here.

mystiquelive · ‎07-09-2009

I will do this asap..

I will let you know.. thank you

mystiquelive · ‎07-09-2009

ok tried to do that..

i did it word for word.. still nothing..

i can save it, but when i go to run it, nothing happens.. it pops up says the file and run off of my desktop..

but doesnt go anywhere.. if i try repeatedly to run it, it just says closing..

i shut off norton and that.. but it just wont work

mystiquelive · ‎07-09-2009

yes i tried to run it as administrator.. it just says " " has stopped working, a program has stopped it from working, closing down.. and ya thats all

Quads · ‎07-21-2008

I suspect it's part of the "disallowed" list in the registry. AVG is on that list.

I will get to you in time, as I do each persons rootkit one at a time.

Quads

mystiquelive · ‎07-09-2009

sounds good.

i also spelled and missed a few letters not sure if that matters...

globalroot\systemroot\system32\MSIVXtmloynnhyvrqbvwhiacikxpqrwtoramv.dll

hopefully thats to a T now lol

Quads · ‎07-21-2008

Hi

Now (read carefully) If you have Spybot S&D uninstall it.

Also during the restarts with Avenger if Your PC has a Startup repair center like with HP and Toshiba tell it to start Normally if it kicks in.

1. Download Avenger to your desktop,

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creators website http://swandog46.geekstogo.com/avenger2/avenger2.html with zipped version to the unzip to desktop

2. Click to run "Avenger.exe" (right click "Run as Administrator" if using Vista)

3. In the "Input script here:" copy and paste the script between the lines

Drivers to disable:

MSIVXserv.sys

Drivers to delete:

MSIVXserv.sys

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\Windows\System32\drivers\MSIVXoturuifttijwipuiyxcbmscfeetrpcjn.sys

C:\Windows\System32\MSIVXbuqpxcxqnxocivmseosjntsmlejllivy.dll

C:\Windows\System32\MSIVXtmloynnhyvrqbvwhiacikxpqrwtoramv.dll

C:\WINDOWS\System32\MSIVXcount

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3X5ZH3T6\background_gradient[1]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KLBEYRK\down[1]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KLBEYRK\errorPageStrings[2]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5KLBEYRK\httpErrorPagesScripts[1]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SUSD3TY\httpErrorPagesScripts[1]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IGKUM78\navcancl[1]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IGKUM78\background_gradient[2]

C:\Users\Bella\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9IGKUM78\info_48[1]

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX

Here is a screenshot (script updated since shot)

Make sure the "Automatically disable any rootkits found" is NOT selected

4. Click "Execute"

You will be asked to restart the PC click "Yes", when the PC restarts the load screen will takes slightly longer, then when it looks as though windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

5. Restart the PC again, then see if you can install Update and run Malwarebytes

Quads

mystiquelive · ‎07-09-2009

ok so everything seems to be working except...

before i did this avenger thing, if i started up explorer id get that weird msg.. and my norton wasnt scanning.. or updating

its updating, and scanning now..

no weird msg box when i open exporer.. however.... explorer would just open on its own and say error on the page cant connect with server.. all on its own..

i just realized that is still doing it..

Quads · ‎07-21-2008

Download, install and run a Full scan with the likes of Malwarebytes and or SuperAntispyware Free, as extra Malware can or does get downloaded with the Rootkit like a DNS Changer.

Quads