Contributor
vabankas
Posts: 10
Registered: ‎06-11-2009

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

2 Quads

Thank you, done as you've directed.

I put the log below after your script:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver ".norton2009Reset" disabled successfully.
Driver "b6cdde3b" disabled successfully.

Error:  could not open driver "b6cdde3b.sys"
Disablement of driver "b6cdde3b.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv.sys"
Disablement of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv"
Disablement of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "seneka.sys"
Disablement of driver "seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv.sys"
Disablement of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv"
Disablement of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

 

The next thing as I see is to just wait and look for what happens with spamming?

Or there will be something more for me to do?

 

to silverhawk

At the moment I'm not using NAV2009.

Sadly when situation went out of control only people were to help me, but not machines :)

I've removed NAV, cracks and other crap, as you say, and for the moment will stick to N360, as an unpacked box is in my hands

Even don't care that it is outdated or so.

Will see if Norton make some decent software in the future to use.

Thanks for your words too.

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

Hi

 

Just to see mainly if disabling the [random].sys happens to upset Windows etc., and yes, to see if the mailing/HTTPing stops.

 

If it doesn't upset Windows, I will post the full script that removes the services (not just disables them) and removes the files and registry entries.

 

Obviously then whoever used the crack got one with an extra punch of malicious code inside.

 

 

Quads 

Tony_Weiss
Posts: 8,280
Topics: 582
Kudos: 2,101
Solutions: 348
Registered: ‎04-07-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC


Quads wrote:

 Obviously then whoever used the crack got one with an extra punch of malicious code inside.

 

 Quads 


Thanks for all this effort, Quads.

 

I'll reiterate that using cracks for any software is illegal, since it is a way to circumvent purchasing the product. As we can see in this thread, the people who create and supply the cracks can be giving you any number of infections along with the crack. If you want the product, buy the product. At any given time, several software stores have rebates on Norton software. Time is valuable, and it seems like a bit of time has been spent trying to clear off this malware received from a crack. And I'm sure you all have better things to do than to troubleshoot malware issues. Consider that my Public Service Announcement for the weekend. Thanks!

Tony Weiss
Norton Forums Global Community Manager
Symantec Corporation
Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

Hi 

 

I had already created the full script; I just wanted to see if disabling the drivers caused Windows instability etc. before removing, especially with the random .sys.

 

Used GMER, RootRepeal and HijackThis logs, and http://www.threatexpert.com/report.aspx?md5=52e0a4e07a5e7c81175d0e23bffa5877 for the NortonReset entries.

 

To remove, run Avenger again using this script.

 


Drivers to disable:
.norton2009Reset
b6cdde3b
b6cdde3b.sys
gxvxcserv.sys
gxvxcserv
seneka.sys
gaopdxserv.sys
gaopdxserv

Drivers to delete:
.norton2009Reset
b6cdde3b
b6cdde3b.sys
gxvxcserv.sys
gxvxcserv
seneka.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe
C:\WINDOWS\System32\drivers\b6cdde3b.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.norton2009Reset
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.norton2009Reset
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\.norton2009Reset
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b6cdde3b
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\b6cdde3b
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\b6cdde3b


 
Quads 

 

Contributor
vabankas
Posts: 10
Registered: ‎06-11-2009

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

Thanks, I've learned the lesson, for sure.

At the moment we'll just have to wait, and if in a couple of days nothing really bad happens, I'm confirming that everything works and no bad viruses for good people :)

 

Thanks guys for all your help and words.

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

By now you will be able to tell if disabling the services hurts Windows, so that you can use the above script with the extra delete commands. Avenger will give another log afterwards.

 

Quads 

Contributor
vabankas
Posts: 10
Registered: ‎06-11-2009

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

2 Quads

done, executed script one more time.

script deleted several entries and files, and this is what we've got as a result:
Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver ".norton2009Reset" disabled successfully.
Driver "b6cdde3b" disabled successfully.

Error:  could not open driver "b6cdde3b.sys"
Disablement of driver "b6cdde3b.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv.sys"
Disablement of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv"
Disablement of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "seneka.sys"
Disablement of driver "seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv.sys"
Disablement of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gaopdxserv"
Disablement of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver ".norton2009Reset" deleted successfully.
Driver "b6cdde3b" deleted successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\b6cdde3b.sys" not found!
Deletion of driver "b6cdde3b.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv.sys" not found!
Deletion of driver "gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv" not found!
Deletion of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\seneka.sys" not found!
Deletion of driver "seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Autorun.inf" not found!
Deletion of file "C:\Autorun.inf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "D:\Autorun.inf"
Deletion of file "D:\Autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

File "C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe" deleted successfully.
File "C:\WINDOWS\System32\drivers\b6cdde3b.sys" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.norton2009Reset" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.norton2009Reset" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.norton2009Reset" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.norton2009Reset" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\.norton2009Reset" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b6cdde3b" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b6cdde3b" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\b6cdde3b" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\b6cdde3b" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\b6cdde3b" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

 

what can you say about this?

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

From the log 

 

 


Driver ".norton2009Reset" deleted successfully.

Driver "b6cdde3b" deleted successfully.

 

File "C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe"  deleted successfully.
File "C:\WINDOWS\System32\drivers\b6cdde3b.sys" deleted successfully.

 

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\.norton2009Reset" deleted

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\b6cdde3b" deleted



Was using controlset002

 

Now run HijackThis and see if these entries appear:

 

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O23 - Service: Norton 2009 Reset (.norton2009reset) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\Norton2009Reset.exe 

 

Quads 
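
Triage of an Avenger log along the lines of the reply above, as an added example (not part of the original posts and not Avenger's own code): a Python parser that pairs each action with its NTSTATUS and separates objects that were acted on from those that were never there. The record shapes come from the logs in this thread; the function names and the `STATUS_ACCESS_DENIED` line are constructed for illustration.

```python
import re
from collections import namedtuple

Action = namedtuple("Action", "verb kind target ok status")
# \s+ between tokens lets a record match even when a pasted log wrapped it,
# e.g. 'Registry key "..." deleted' / blank line / 'successfully.'
SUCCESS = re.compile(
    r'(Driver|File|Registry key)\s+"([^"]+)"\s+(disabled|deleted)\s+successfully\.')
FAILURE = re.compile(
    r'(Disablement|Deletion)\s+of\s+(driver|file|registry key)\s+"([^"]+)"'
    r'\s+failed!\s+Status:\s+0x[0-9a-fA-F]{8}\s+\((\w+)\)')
VERB = {"Disablement": "disabled", "Deletion": "deleted"}
# These two statuses mean the object was not there to act on.
NOT_FOUND = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}
RANK = {"absent": 0, "present": 1, "needs_review": 2}

def parse_avenger_log(text):
    """Return every disable/delete action, in log order."""
    hits = []
    for m in SUCCESS.finditer(text):
        kind, target, verb = m.groups()
        hits.append((m.start(), Action(verb, kind.lower(), target, True, None)))
    for m in FAILURE.finditer(text):
        noun, kind, target, status = m.groups()
        hits.append((m.start(), Action(VERB[noun], kind, target, False, status)))
    return [action for _, action in sorted(hits, key=lambda h: h[0])]

def triage(actions):
    """Group targets: acted on, never there, or blocked by another status."""
    state = {}
    for a in actions:
        verdict = ("present" if a.ok else
                   "absent" if a.status in NOT_FOUND else "needs_review")
        key = (a.kind, a.target)
        if key not in state or RANK[verdict] > RANK[state[key]]:
            state[key] = verdict
    out = {"present": [], "absent": [], "needs_review": []}
    for key, verdict in state.items():
        out[verdict].append(key)
    return out

# Lines taken from the logs in this thread; the last record is wrapped.
THREAD_EXCERPT = r'''
Driver ".norton2009Reset" disabled successfully.
Disablement of driver "seneka.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Driver ".norton2009Reset" deleted successfully.
Driver "b6cdde3b" deleted successfully.
Deletion of file "D:\Autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
File "C:\WINDOWS\System32\drivers\b6cdde3b.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\b6cdde3b" deleted

successfully.
'''
# Constructed record (not from the thread) to exercise the needs_review path.
CONSTRUCTED = r'''
Deletion of file "C:\example\placeholder.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
'''
SAMPLE = THREAD_EXCERPT + CONSTRUCTED

if __name__ == "__main__":
    print(triage(parse_avenger_log(SAMPLE)))
```

Anything that lands in `needs_review` failed for a reason other than "not found", so the object may still be on disk or in the registry and should be re-checked after a reboot.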

 

 

Contributor
vabankas
Posts: 10
Registered: ‎06-11-2009

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45:23, on 2009-06-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Kayako\LiveResponse\LiveResponse.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Bat!\thebat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [LiveResponse.exe] C:\Program Files\Kayako\LiveResponse\LiveResponse.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [thebat_startup] C:\Program Files\The Bat!\thebat.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LastPass - file://C:\Program Files\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files\LastPass\context.html?cmd=fillforms
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8861 bytes

 

The O23 entry regarding Trial Reset is gone, but O4 persists.

Bot Obliterator
Quads
Posts: 16,540
Registered: ‎07-21-2008

Re: Unrecognized virus, downloader or trojan - spamming heavily on my PC

You mean you tick them and click Fix Checked, and they keep coming back after the next scan?

 

You now actually have more of them

 

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

 

Ticking only beside those 4, NOT the similar one further up.

 

Quads 

Message Edited by Quads on 06-16-2009 06:06 PM