United States
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Norton Internet Security / Norton AntiVirus

Reply
Topic Options
matyellott
Contributor
matyellott
Posts: 32
Registered: ‎05-20-2009

Re: Scan hangs and will not start - end.

Options

‎05-28-2009 09:10 PM

Stealth part2 

Object: Hidden Code [Driver: , IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86a021f8 Size: -

Object: Hidden Code [Driver: , IRP_MJ_POWER]
Process: System Address: 0x86a021f8 Size: -

Object: Hidden Code [Driver: , IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86a021f8 Size: -

Object: Hidden Code [Driver: , IRP_MJ_PNP]
Process: System Address: 0x86a021f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_CREATE]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_CLOSE]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_READ]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_WRITE]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_POWER]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: USBSTOR扎〳Ѕ䍃䡤, IRP_MJ_PNP]
Process: System Address: 0x880811f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_CREATE]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_CLOSE]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_POWER]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: usbuhcilj䅓䍓Ѝ䵆汳`돁돁, IRP_MJ_PNP]
Process: System Address: 0x86a4c1f8 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x86ba4500 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x87ff91f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_CREATE]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_CLOSE]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_CLEANUP]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: netbt
က, IRP_MJ_PNP]
Process: System Address: 0x880511f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_CREATE]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_CLOSE]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_POWER]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: iScsiPrt瑎牦掸溰觤, IRP_MJ_PNP]
Process: System Address: 0x86ba01f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x8520c1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x869fb1f8 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLOSE]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_READ]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_WRITE]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_EA]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_POWER]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_PNP]
Process: System Address: 0x86a0f500 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_CREATE]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_CLOSE]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_READ]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_WRITE]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_CLEANUP]
Process: System Address: 0x89b8f1f8 Size: -

Object: Hidden Code [Driver: cdfs慖⁤І癅, IRP_MJ_PNP]
Process: System Address: 0x89b8f1f8 Size: -

 

Report Inappropriate Content
Message 81 of 90 (3,939 Views)
0 Kudos
matyellott
Contributor
matyellott
Posts: 32
Registered: ‎05-20-2009

Re: Scan hangs and will not start - end.

Options

‎05-28-2009 09:11 PM

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/05/28 21:31
Program Version:  Version 1.2.3.0
Windows Version:  Windows Vista SP1
==================================================

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\Windows\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys

 

Report Inappropriate Content
Message 82 of 90 (3,939 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,896
Registered: ‎07-21-2008

Re: Scan hangs and will not start - end.

[ Edited ]
Options

‎05-28-2009 09:47 PM - edited ‎05-28-2009 09:53 PM

Ok

 

None of the .dll files belonging to it show but hopefully this will be enough to break it.

 

Now I will post the script further down, don't use the script on the "Avenger" thread as it doesn't contain your, but does contain theirs

 

1. Go to http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509

 

Read that post on using "Avenger" boxes ticked etc,

 

For #3 on that post instead use this script 

 

3. In the "Input script here:" copy and paste the script between the lines 

 

 

Drivers to disable:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys

Drivers to delete:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys

Files to delete:
C:\Autorun.inf
C:\WINDOWS\system32\wJQs.exe
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\uacvymnbtboeayohhs.dll
C:\WINDOWS\system32\uacqciqunodfnlghrv.dll
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\System32\drivers\gaopdxserv.sys
C:\WINDOWS\system32\gaopdxl.dll
C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys
C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll
C:\RECYCLER\s-9-4-17-100016843-100000262-100031119-1898.com 
C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys
 
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services/gxvxcserv.sys
 
It will produce a log when finished as stated in the other post 
 
Quads 

 

Message Edited by Quads on 05-29-2009 04:53 PM
Report Inappropriate Content
Message 83 of 90 (3,925 Views)
matyellott
Contributor
matyellott
Posts: 32
Registered: ‎05-20-2009

Re: Scan hangs and will not start - end.

Options

‎05-30-2009 05:56 PM

Quads and others you peoplpe are tru pros, scan in running not and the trojan had already been removed.. thanks so much!!
Report Inappropriate Content
Message 84 of 90 (3,845 Views)
0 Kudos
delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008

Re: Scan hangs and will not start - end.

Options

‎05-30-2009 07:22 PM

Well done, Quads! Very glad Matyellott regained the use of his machine.
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Report Inappropriate Content
Message 85 of 90 (3,830 Views)
0 Kudos
Regular Contributor
Compumind
Posts: 892
Registered: ‎10-08-2008

Re: Scan hangs and will not start - end.

[ Edited ]
Options

‎05-30-2009 07:31 PM - edited ‎05-30-2009 07:33 PM

Hi Quads -

 

Yes, good work! I'm glad that it didn't have to come to a re-image.

 

Perhaps you could share the technical details with us on exactly how this correction came about.

 

Was it a rootkit?

 

TIA :smileyhappy:

Message Edited by Compumind on 05-30-2009 10:33 PM

Compumind

NIS 2009, XP-SP3, Vista-SP2, IE 8

Report Inappropriate Content
Message 86 of 90 (3,825 Views)
0 Kudos
delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008

Re: Scan hangs and will not start - end.

Options

‎05-30-2009 07:35 PM

Compumind:

 

This is a little something that Quads put together in his secret underground laboratory.  I suspect none of us would understand the technical details anyway.  If we did, he might have to.....you know.:smileywink:

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Report Inappropriate Content
Message 87 of 90 (3,817 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,896
Registered: ‎07-21-2008

Re: Scan hangs and will not start - end.

Options

‎05-30-2009 07:54 PM

matyellott wrote:
Quads and others you peoplpe are tru pros, scan in running not and the trojan had already been removed.. thanks so much!!
 
Can I ask, Please can you post the Avenger log after that appeared after Avenger did it's thing??
 
 Quads 

 

Report Inappropriate Content
Message 88 of 90 (3,806 Views)
0 Kudos
matyellott
Contributor
matyellott
Posts: 32
Registered: ‎05-20-2009

Re: Scan hangs and will not start - end.

Options

‎05-31-2009 10:24 AM

  I am not sure where it saved to, I will look for it.  After norton ran it found 2 trojans removed them, system is running in tip-top shape.
Report Inappropriate Content
Message 89 of 90 (3,768 Views)
0 Kudos
Quads
Bot Obliterator
Quads
Posts: 13,896
Registered: ‎07-21-2008

Re: Scan hangs and will not start - end.

Options

‎05-31-2009 01:55 PM

Hi

 

It should be in this location  "C:\avenger.txt" 

 

I only had it remove the file on your PC that we knew and hopefully it would be enough to break the Rootkit from working, allowing MBAM, SAS, Norton etc being able to run and mop up anything else.

 

Quads 

Report Inappropriate Content
Message 90 of 90 (3,754 Views)
0 Kudos

Products

Services

Support

Norton on Facebook
Norton on Twitter
Norton's YouTube Channel
Symantec on Linked In
Norton on Google+