With the new updates that have been loaded, a lot of patience, and a lot of help from you Quads, I think that I'm almost there. What I've learned through this process is how to apply these various tools, and what to look for manually.
I've sent you an updated HijackThis log that looks pretty clean.
I kept getting an entry of hgcheck until I realized that it was coming from the Prefetch folder. There were a number of baddies there, so I cleared out the folder and rebooted. Took longer than normal, but it worked.
ODBJECT is no longer present.
Norton found and removed the timeresu file with the recent update. I was able to manually delete all of the others, but the DuBa driver still shows up in the HijackThis log with a (missing file) tag.
I still have a lot of residual files that I think are from the perfs rootkit. 20 files in the system32 dir begin with the name perfsxxxxxx, with a variety of extensions from DAT to config files. I haven't yet removed them because I'm not sure yet if some are legit or not.
Along with the 1.exe I also have a 111 and a 30.exe file. ???
I do not have a firewall installed. I'm operating from a docked laptop, where we have a firewall on the network at work, and it causes problems when there is one active on the laptop too. But I'm naked when I hook up to my high-speed at home. I haven't figured out a way to turn it on and have it selectively turn off when at work.
And JohnM...I understand that these things move like a wildfire sometimes and there is always some jerk out there trying to get around you. There isn't one product out there that can catch everything. All you can do is remain diligent.
So far this morning I haven't had any hits...sounds encouraging...but I remain guardedly optimistic.
Help, please. I have followed all steps. The patch says the virus has been removed from the computer, and the Norton scan says the virus is gone from the computer. I have deleted the files and the folders that the files were in, and I have emptied the recycle bin, but Norton still says I have one unresolved security risk because of this virus. I had two, but one disappeared after I did all of the above. The only thing I think I did differently was that, while in safe mode, I never deleted the infected file individually; I simply deleted the entire folder it was in. Would this make a difference for Norton not to recognize that it is gone? I can't figure this out, because when I individually deleted the other infected files and then the folder, the one unresolved security risk disappeared. But as I said, when I deleted the entire folder, Norton will not remove this unresolved risk. Please help or advise. Thanks.
Uncheck the SymProtect Tamper Protection from Miscellaneous Settings. Delete the folder QBackup. The location is as follows:
C:\Documents and Settings\All Users\Application data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup
Recheck the SymProtect Tamper Protection from Miscellaneous Settings. Run LiveUpdate and then a full system scan again. Check whether it shows any unresolved risks now.
Regarding the firewall, and the fact you don't have one because of work: most firewalls allow you to turn them off/disable them. So you could have, alongside NAV, the free Comodo firewall, then turn it off when you are at work and turn it back on when at home. Hope the malware you had is not floating around your work network.
The entries left in the HijackThis log that won't be removed at least now have "(file missing)" at the end of the entries.
It could be that registry entries like "O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)" are locked or you don't have permission on them, so for those I would say you have to go into the registry, change the permissions, and then delete the entry via regedit.
JohnM, yeah, malware creators target the well-known software like Norton to disable it or worse. I have noticed that a few now stop Malwarebytes working properly too.
The only file listed below that I couldn't locate in our DB is drmgs.sys. We may of course have it under a different name but I can't determine that without an MD5 to cross reference. If anyone finds a copy please submit it for analysis and post the tracking number here. A couple of new variant detections were added as a result but that doesn't guarantee there isn't still something hiding deep in the recesses of a computer that has been hit with this. Once a machine has been rootkit'ed the only way of knowing for sure it is clean is to reformat and reinstall.
Quads, I missed this earlier - "C:\Program Files\Symantec AntiVirus\1.exe" - is definitely *not* legitimate.
I believe that folder is associated with SAV9 installations. I seriously doubt there would be any executables in that folder whose filename consists of numbers only. I have asked a member of the SAV product team to confirm, but in the meantime, if you have any such files, please submit them and post or PM me the tracking number and I will have them checked.
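As an added illustration (not code from anyone in this thread), the following script triages the HijackThis O23 service lines discussed above: it parses each entry, flags the orphaned "(file missing)" entries, entries with no recorded publisher, and executables with numeric-only names like 1.exe, and computes the MD5 needed to cross-reference a file that is still present. The sample log lines are constructed to resemble the entries quoted in the thread; the flags are pointers to what to investigate, not verdicts.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the O23 entries quoted in the thread.
SAMPLE_LOG = r"""
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Program Files\Symantec AntiVirus\1.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O23 layout: "O23 - Service: <display> (<short>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class ServiceEntry:
    display: str
    short: str
    owner: str
    path: str
    file_missing: bool

    def flags(self) -> List[str]:
        out = []
        if self.file_missing:  # registry key survives, binary already deleted
            out.append("orphaned service entry (file missing)")
        if self.owner.lower() == "unknown owner":
            out.append("no publisher recorded")
        stem = self.path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
        if stem.isdigit():  # e.g. 1.exe, 30.exe
            out.append("numeric-only filename")
        return out

def parse_o23(log_text: str) -> List[ServiceEntry]:
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["short"], m["owner"],
                                        m["path"], m["missing"] is not None))
    return entries

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious service short name to its list of reasons."""
    return {e.short: e.flags() for e in parse_o23(log_text) if e.flags()}

def md5_if_present(path: str) -> Optional[str]:
    """MD5 for submission/cross-reference; None when the file is already gone."""
    try:
        with open(path, "rb") as fh:
            return hashlib.md5(fh.read()).hexdigest()
    except OSError:
        return None
```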