Scan Problem - Unable to start scan

Hi,

I'm having serious problems with my PC and I think I've narrowed it down to a virus. My Windows suddenly decided it's not authentic any more, even though it definitely is, System Restore won't work, trying to run Spybot S&D crashes the computer, and Norton Internet Security won't scan. I have uninstalled it, reinstalled it and updated it, but it refuses to scan anything. Both Smart and Full scanning stay at 0 items scanned no matter how long I leave it on (and I can only stop it by using Task Manager, thereby turning Norton off completely), and a scan of the C drive finishes in a second and finds no threats. I have sent diagnostic reports to Microsoft, I have run checks on the hard drive and I have tried running programs in Safe Mode, but nothing works. Malwarebytes found a trojan called DNSChanger, but removing it didn't fix the problem. Norton finds something called Suspicious.MH960.A every time I turn on the machine. But I can't scan.

What can I do?

 

[Edit: Updated Subject to better reflect topic] 

Message Edited by Tim_Lopez on 04-17-2009 11:45 AM

Hi JonK,

 

Can you tell us which Norton Product and version (year) you are using?

Also, if you can tell us which operating system you are using along with the service pack, that would further help us with diagnosing your issue.

Thanks.

I’m using Norton Internet Security 2009 with Windows Vista Home Premium OEM plus Service Pack 1.

I would recommend using the Norton Recovery Disc. "The NRD is a bootable CD that can run scans and remove threats from outside of your Windows operating system."

If you purchased the packaged CD product of NIS 2009, you will already have this tool on the product installation disc. If you downloaded NIS 2009, here is the link to make the NRD for NIS 2009.

 

Please be sure to follow these directions when using the NRD.

 

If you still have problems, let us know and we can try some other measures.

Jonk:

 

Have you got Teatimer running in Spybot S&D?

Spybot crashed the machine last time I tried it and it wouldn't update either.

 

I'm having trouble with this recovery disk too. When I boot from it, it gives me options for Windows EMU enabled and a memory tool but doesn't mention Norton. If I let it continue to boot it goes to a black and white vista startup screen (with the wavy lines) and does nothing more. Am I doing something wrong?

Sorry, I misread - no, teatimer isn’t running on Spybot.

I got the Tool working, it was my own fault for being impatient with it!

So did you try the NRD? Are things working for you now?

I haven’t had time to do the scan yet. When I get back from work today I’ll do it and I’ll let you know what happens.

Well, the scan from the boot disk worked, but it came up with no threats or problems. I'm still having the same problem, and Norton won't scan under normal modes. Trying to revalidate Windows by various means brings up the strange error "Maximum number of secrets exceeded on this machine". Does anybody have the slightest idea what this means?

Hi,

Have you contacted Microsoft? I have heard they are very helpful. In your first post you mentioned "Windows says it's not authentic", and it has popped up again here.

JonK wrote:
Well, the scan from the boot disk worked, but it came up with no threats or problems. I'm still having the same problem, and Norton won't scan under normal modes. Trying to revalidate Windows by various means brings up the strange error "Maximum number of secrets exceeded on this machine". Does anybody have the slightest idea what this means?

Worth a try.

 

Yes, I've been in touch with Windows via their help forums. I used the Authentic Windows tool and yes, my copy is authentic, and although they have been trying to help me, nothing has worked so far. They don't recognise the "number of secrets" error message either. I'm at a loss as to what to do other than wipe the drive and install again.

Message Edited by JonK on 04-16-2009 09:38 PM

Well, back to the virus possibility.

Have you tried a HijackThis scan? Post the log here so we can see if there are indeed a few dark secrets hiding.

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

A search on Google provides a number of hits for this particular error. Some posters on other forums have provided Malwarebytes logs showing Seneka.dat files. It would seem that our Mo has hit upon the likeliest solution. Please post the logs here when you have run Malwarebytes, as we have some very good Seneka removers if required.

OK, thank you. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:48, on 17/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5581/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5641 bytes

Can anyone check my HijackThis log file? I haven't any idea what it means.

Hi JonK,

I have checked your HijackThis log, and the only entry that needs to be fixed is:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

I think the error you are getting from Windows refers to error 1381 in this Microsoft KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;186551

I have read somewhere that Windows displays this message when a program tries to open an encrypted *.VOB file from a CD/DVD and the CD/DVD drive is not "authenticated". The error does not appear for non-encrypted *.VOB files. The same error can happen if your computer (one of the drives) is infected with Seneka and Vundo.

 

Yogesh

Message Edited by yogesh_mohan on 04-18-2009 01:50 AM
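Yogesh's read of the log above is the kind of check that can be scripted. What follows is an added example, not code from this thread, from HijackThis or from Symantec: a small Python triage that parses a HijackThis log and flags the orphan "(no file)" BHO he identified, plus three other things helpers look for in such logs: a hosts-file line that points a name somewhere other than loopback, a Run entry whose image sits under a user-writable path, and an O17 NameServer entry inside the resolver ranges the FBI published for the DNSChanger takedown in 2011 (relevant here because Malwarebytes found DNSChanger on this machine). The sample log is constructed for the example: a few lines taken from JonK's log plus invented O1, O4 and O17 entries. The user-writable path markers and the DNS ranges are the example's own assumptions, not anything the thread states.

```python
"""Triage a HijackThis log the way the thread's helpers did by eye.

Added example; not part of the original thread or of HijackThis itself.
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolver ranges the FBI published for the DNSChanger (Rove Digital) takedown.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Every R/O section line starts like "O2 - BHO: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumed markers of user-writable locations; legitimate Run entries rarely
# live there, droppers often do.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body) pairs for the R/O lines of a log.

    A non-empty line that does not start a new entry is treated as a wrapped
    continuation of the previous one, which is how the log in this thread was
    pasted. Header lines and the 'Running processes' block are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("--", "End of file")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group("section"), m.group("body")])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]


def is_dnschanger_resolver(ip_text):
    """True if the address falls inside one of the published rogue ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in DNSCHANGER_RANGES)


def triage(log_text):
    """Apply the four rules and return the entries worth a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, line,
                "BHO CLSID registered but its DLL is missing; orphan entry, safe to fix"))
        elif section == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3:
                try:
                    loopback = ipaddress.ip_address(parts[1]).is_loopback
                except ValueError:
                    loopback = False
                if not loopback:
                    findings.append(Finding(section, line,
                        f"hosts file sends {parts[2]} to {parts[1]}; redirect"))
        elif section == "O4":
            image = body.split("] ", 1)[-1].lower()
            if any(marker in image for marker in USER_WRITABLE):
                findings.append(Finding(section, line,
                    "autorun image under a user-writable path"))
        elif section == "O17":
            m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", body)
            if m:
                bad = [ip.strip() for ip in m.group(1).split(",")
                       if is_dnschanger_resolver(ip)]
                if bad:
                    findings.append(Finding(section, line,
                        "DNS resolver in DNSChanger range: " + ", ".join(bad)))
    return findings


# Constructed sample: a few lines from the thread's log plus invented
# O1, O4 and O17 entries (RFC 5737 test address, made-up host and GUID).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Windows\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.example-bank.test
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [svchost] C:\Users\jonk\AppData\Local\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F4E0B1C-0000-0000-0000-000000000000}: NameServer = 85.255.112.34,85.255.112.35
--
End of file - 1234 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports four entries: the bank-name hosts redirect, the orphan BHO from JonK's log, the Temp-folder autorun and the rogue resolver. The real log on this page produces only the orphan BHO, which matches Yogesh's reading. Note that the hosts rule deliberately ignores loopback mappings, so ad-blocking hosts files are not flagged.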

Hi,

Vista has, in Services, one or two services that in some way control WGA/activation, and if they are disabled or tampered with, the problem can arise.

I have come across Vista's own updates screwing up activation. I can't remember the name of the services. The services can be tampered with by malware as well.

Try updating Malwarebytes and using SUPERAntiSpyware (updated), then run full scans in Safe Mode.

The only other thing, if all else fails, is to try ComboFix.

If Vista sees that the activation has been tampered with, it can limit the user's abilities, and it can be really hard to get back.

UPDATE

The service I am thinking of is "slsvc.exe", which malware can affect: "slsvc.exe" = Software Licensing Service.

 

 

Quads 

Message Edited by Quads on 04-18-2009 12:18 PM

I know you have been through a lot on this, but have you tried this?

Q:

What do I do if my system fails validation, but I am certain that I purchased/have a genuine copy of Windows?

A:

When a copy of Windows fails validation, the user is directed to a customized Web page with details about what caused the failure and recommendations for how to fix the problem. This page contains a section with troubleshooting steps. One of these steps will let you check to see whether you can use the online Product Key Update Tool.

(From http://www.microsoft.com/genuine/downloads/FAQ.aspx )