Bad Image error opening web browser

When opening a web browser I get a message box titled "Bad Image"

The box contains the following message:

globalroot\systemroot\system32\MSIVX ... .dll is either not designed to run on Windows or it contains an error

A search of the web forums suggests this might be symptomatic of a virus, but Norton is not finding it

The problem occurs with both IE and Firefox

I am running Windows Vista Home Premium with Service Pack 2 and Norton 360 3.0

Please advise

Thanks for the advice Yogesh

I'll give that a try and get back to you

Mike

Hello again Yogesh

Thanks for the advice, but it has not resolved the problem.

I downloaded and installed the update -- it reported one Symantec product updated.

This I can safely presume to be Norton 360 as that is the only Symantec product I have installed.

Restarted the machine in safe mode and ran a full scan.

Norton reported 2 tracking cookies, which it helpfully removed.

This didn't seem to address the problem but, in the interest of thoroughness, I restarted in normal mode and started Firefox.

Unfortunately the problem remains.

If you, or anybody else out there, has any more advice I would like to hear it.

Thanks

Mike

Can you still run scans (manually) and get file counts properly?

And is Early Load enabled for N360? Go to Settings > Anti Virus > Automatic Protection > Early Load. Please ensure this is set to ON.

If the answer to both is YES then do the following, please:

Reboot the system into Safe Mode (when the system begins to start up, tap the F8 key until the Advanced Options screen appears. Use the arrow keys to select (highlight) Safe Mode [no network or command prompt] and press Enter). Once logged into the system, double click the N360 icon and answer Yes to run a full system scan.

Hello dbrisendine, good to hear from you

Just to answer your questions:

Early Mode is turned on but I can run scans only in safe mode.

If I try to run a scan in normal mode it appears to hang -- Norton reports that it is running a scan but none of the counters advance.

Any advice would be greatly appreciated.

Thanks

Mike

A small notice: post 1 shows a rootkit infection on the user's system.

Hello Voyager10, I think you're right

I've been reading through the rest of the forum and I think I have the same problem as lost87 (link: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=60410) and dgtobin1 (link: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=60755)

-------------------

dbrisendine

On that assumption I have, as suggested to them, downloaded GMER and run a scan (log attached).

GMER reported that it had detected a rootkit.

I have also downloaded Avenger but I haven't run it yet (I'm not a complete novice but I know enough to be VERY nervous of playing around with the system registry).

In case it's relevant, the following items appeared in red in the GMER display window:

Service         C:\Windows\system32\drivers\MSIVXxqeoqvwykhcpfimckxvlcbiitiibtmuq.sys (*** hidden *** )

File            C:\Windows\System32\drivers\MSIVXxqeoqvwykhcpfimckxvlcbiitiibtmuq.sys                           74240 bytes executable

Please advise, what should I tell Avenger to remove?

Thanks again for the help

Mike

@michael_a

Open the GMER application, then click No to run a full GMER scan.

You will now see this red marked rootkit service; open the right-click context menu on this red marked rootkit service and click Disable Service.

Reboot your system and go with your file browser to this now visible file:

C:\Windows\system32\drivers\MSIVXxqeoqvwykhcpfimckxvlcbiitiibtmuq.sys

Upload this file please to Symantec:

https://submit.symantec.com/websubmit/retail.cgi

Then delete this .sys file.

C:\Windows\System32\MSIVXpjqsdspqnkvoryoyopxlqssiphsjewar.dll
C:\Windows\System32\MSIVXpsiqbpbpprqaxybrosfjwtjccyinocpx.dll

Norton detects the DLL files as Trojan Vundo.

Hello again Voyager10

I owe you a big thank you, that seems to have solved the problem.

Just for completeness' sake, I am also tempted to delete the MSIVXserv registry entries on the assumption that they are part of the rootkit install and not related to anything else. But, as is always the case with the registry, I am not at all sure if this is a valid assumption.

Is anybody out there able to confirm or deny this assumption?

Michael A:

Unfortunately we seem to have missed you. Preferably it is only one particular guru on our forum that deals with these kinds of issues, although others will offer their own solutions.

Please run another GMER for us to look at to make certain that it is actually gone. Please look for a star next to the name of the person assisting you. Quads is the member with the most experience removing these infections without damage to your operating system.

There will be other rootkit files on your computer some of which will allow it to repair itself.

Quads has been advised.

Message Edited by delphinium on 07-11-2009 11:36 AM
Message Edited by delphinium on 07-11-2009 11:50 AM

Hi Michael

The trouble with GMER is that

1. It can cause a PC crash / BSOD; even a person doing a GMER tutorial found this out.

2. People on this forum who have used GMER off their own back have eventually come back to me asking for HELP.

I will make up an Avenger script for you to use, created off your original GMER log.

Quads

Hi Michael

I have added the files / driver and registry entries in the script.

Now (read carefully): if you have Spybot S&D, uninstall it.

Also, during the restarts with Avenger, if your PC has a Startup Repair center like with HP and Toshiba, tell it to start normally if it kicks in.

1. Download Avenger to your desktop.

Unzipped version: http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website: http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version to unzip to the desktop.

2. Click to run "Avenger.exe" (right click "Run as Administrator" if using Vista).

3. In the "Input script here:" box, copy and paste the script between the lines.

-------------------
Drivers to disable:
MSIVXserv.sys

Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\Windows\System32\drivers\MSIVXxqeoqvwykhcpfimckxvlcbiitiibtmuq.sys
C:\Windows\System32\MSIVXpjqsdspqnkvoryoyopxlqssiphsjewar.dll
C:\Windows\System32\MSIVXpsiqbpbpprqaxybrosfjwtjccyinocpx.dll
C:\WINDOWS\System32\MSIVXcount

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX
-------------------

Here is a screenshot (script updated since shot):

Avenger.jpg

Make sure the "Automatically disable any rootkits found" is NOT selected.

4. Click "Execute".

You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads the Avenger log will be loaded, showing files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes.

As a side note, the rootkit DLLs are nothing to do with Vundo, as stated in a post further up.

Quads
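As an added, read-only check (not code from this thread, from Quads or from the Avenger project), the PowerShell below looks for the artifacts the Avenger script above targets and reports them without deleting anything. The MSIVXserv.sys service name and the file names are the ones posted in this thread; the wildcard search assumes any other variant keeps the MSIVX prefix, which is an assumption.

```powershell
# Added example: report (never remove) the MSIVX rootkit artifacts named in the
# Avenger script from this thread. Run from an elevated PowerShell prompt.
function Find-MsivxArtifacts {
    $sysRoot  = $env:SystemRoot
    $svc      = 'MSIVXserv.sys'          # driver service name from the script
    $findings = @()

    # 1. Driver service key under CurrentControlSet and every ControlSetNNN.
    #    The script lists 001-010; enumerating the keys avoids missing others.
    $sets = @('CurrentControlSet') + (Get-ChildItem 'HKLM:\SYSTEM' |
             Where-Object { $_.PSChildName -like 'ControlSet*' } |
             ForEach-Object { $_.PSChildName })
    foreach ($set in $sets) {
        $key = "HKLM:\SYSTEM\$set\Services\$svc"
        if (Test-Path $key) {
            $img = (Get-ItemProperty $key).ImagePath
            $findings += "Service key: $key (ImagePath=$img)"
        }
    }
    if (Test-Path 'HKLM:\SOFTWARE\MSIVX') { $findings += 'Key: HKLM\SOFTWARE\MSIVX' }

    # 2. Any MSIVX* file in System32 or drivers, plus the Autorun.inf entries.
    #    -Force shows attribute-hidden files but NOT files a kernel rootkit is
    #    actively hiding, so an empty result is not proof the system is clean;
    #    that is why the thread disables the service (or uses Avenger) first.
    foreach ($dir in @("$sysRoot\System32", "$sysRoot\System32\drivers")) {
        Get-ChildItem $dir -Filter 'MSIVX*' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File: $($_.FullName) ($($_.Length) bytes)" }
    }
    foreach ($f in @('C:\Autorun.inf', 'D:\Autorun.inf')) {
        if (Test-Path $f) { $findings += "Autorun file: $f" }
    }
    return $findings
}

$results = Find-MsivxArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No MSIVX artifacts visible (an active rootkit may still be hiding them).'
} else {
    $results | ForEach-Object { Write-Output $_ }
}
```

Running this before and after the Avenger pass gives a concrete list to compare against the Avenger log and a fresh GMER scan, which is what delphinium asks for above.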