virtumonde infection

Deleted Quarantined Files

Shaba,

I was able to delete the files in the Quarantine folders. I rebooted the system, updated my Spybot S&D definitions and reran a full scan. The only problem reported was the "Microsoft.WindowsSecurityCenter_disabled".

Regarding the status of the system, it is not much better than when we started. It is still very slow to respond to mouse selections, but the speed of Spybot, once it is started, seems normal. The symptom I notice the most is that whenever I open a new program, the system seems to access the hard disk very heavily for 40-120 seconds before it responds by opening the program. This is very consistent behavior whether it is opening a menu by right-clicking on a desktop item, right-clicking on the START button, or highlighting a program on the desktop and hitting the RETURN key. I've attached another HijackThis log after deleting the quarantine files and rebooting.

Regards, jgprice

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:17 PM, on 3/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailykos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ControlInstaller Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://rsvpn.raytheon.com/,DanaInfo=ES2-MSG06.raymail.ray.com,CT=java+dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rsvpn.raytheon.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12287 bytes
 
The Security Center issue is likely Norton related; it is known that Norton can cause it. So I recommend that you contact them.

As for the slowness, it doesn't seem to be a malware-related issue. I can redirect you to some Windows forum for that if you would like.
 
Additional Data and Request

Shaba,

Yes, I would appreciate it if you could recommend a forum for my performance issues. I still have a belief that this was malware related, since the system was running fine until I shut the system down and rebooted the next morning with the system performance deteriorating a hundredfold. I also had an indication of a Virtumonde virus from Spybot after the problem started, but Spybot appeared to get rid of it. I had run ComboFix after that, since that is what appeared to fix the problems the previous time I had Virtumonde. Perhaps it got rid of the virus, but now there are artifacts left that affect performance. Some colleagues have suggested I have registry entries that no longer point to real files, so every time I try to access a file, it searches the whole system for the file.

I suspected a rootkit problem since the system degraded after a reboot, so I downloaded the MS RootkitRevealer and AVGARKT. AVG didn't find anything, nor did the Avira AntiVir Rescue Disk, but the MS RootkitRevealer found some empty registry entries and ~7500 hidden files. I've attached the beginning of the RootkitRevealer log, but I can zip it in a compressed file and send it to you if you are willing to look at it. One thing about the MS tool is that it doesn't fix anything. Could you tell me how to correctly delete the missing registry entries, and let me know if you think I should do anything about all the hidden files?

Also, I still have the btdna.exe file in the MSCONFIG startup tab, and I don't know how to delete that entry either. Could you help me with that as well?

A sincere thanks for the help.

Regards, jgprice

RootkitRevealer

HKU\.DEFAULT\Control Panel\International 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKU\S-1-5-21-4219289235-2465402331-1742940364-1005\Control Panel\International 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKU\S-1-5-21-4219289235-2465402331-1742940364-1005\Control Panel\International\Geo 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 3/9/2009 9:39 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 3/28/2006 5:58 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/28/2006 5:58 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\{E07BB427-3CF3-4AC6-8585-BBDA0B53AA17} 3/18/2009 9:34 PM 3.22 KB Hidden from Windows API.
C:\Documents and Settings\Marie\History\History.IE5\MSHist012009031820090319 3/18/2009 9:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Marie\History\History.IE5\MSHist012009031820090319\index.dat 3/18/2009 9:39 PM 32.00 KB Hidden from Windows API.
C:\Documents and Settings\Marie\Local Settings\Temp\bz_temp_0 3/18/2009 9:22 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Marie\Local Settings\Temp\bz_temp_0\RootkitRevealer.exe 11/1/2006 1:07 PM 326.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Marie\Local Settings\Temp\~DF374F.tmp 3/18/2009 9:39 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Marie\Recent\2007_10_24.lnk 12/23/2008 12:03 AM 911 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Marie\Recent\RootkitRevealer.lnk 3/18/2009 9:39 PM 937 bytes Hidden from Windows API.
C:\Documents and Settings\Marie\Recent\Software.lnk 3/18/2009 9:39 PM 679 bytes Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020 3/9/2009 6:39 AM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\CATALOG.DAT 1/22/2008 10:00 AM 3.35 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\CCERASER.DLL 2/25/2009 10:00 AM 2.30 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ECBOOTIL.VXD 1/22/2008 10:00 AM 6.74 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ECMSVR32.DLL 11/11/2008 10:00 AM 253.29 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\EECTRL.SYS 2/25/2009 10:00 AM 362.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ERASER.GRD 2/25/2009 10:00 AM 287 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ERASER.SIG 2/25/2009 10:00 AM 2.22 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ERASER.SPM 2/25/2009 10:00 AM 4.15 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ERASER.SYS 2/25/2009 10:00 AM 99.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ESRDEF.BIN 3/8/2009 9:00 AM 6.02 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\HH 2/20/2009 10:00 AM 6.64 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVENG.EXP 1/22/2008 10:00 AM 12.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVENG.SYS 2/19/2009 10:00 AM 87.02 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVENG.VXD 1/22/2008 10:00 AM 89.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVENG32.DLL 2/19/2009 10:00 AM 173.36 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVEX15.EXP 1/22/2008 10:00 AM 12.92 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVEX15.SYS 2/19/2009 10:00 AM 855.61 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVEX15.VXD 1/22/2008 10:00 AM 1.01 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NAVEX32A.DLL 2/19/2009 10:00 AM 1.13 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\NCSACERT.TXT 1/22/2008 10:00 AM 6.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\SCRAUTH.DAT 1/22/2008 10:00 AM 95.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\SYMAVENG.CAT 2/19/2009 10:00 AM 8.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\SYMAVENG.INF 2/19/2009 10:00 AM 1.04 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\SYMERASE.CAT 2/25/2009 10:00 AM 7.60 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\SYMERASE.INF 2/25/2009 10:00 AM 581 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TCDEFS.DAT 3/8/2009 10:00 AM 477.32 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TCSCAN7.DAT 3/8/2009 9:00 AM 10.02 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TCSCAN8.DAT 3/8/2009 10:00 AM 172.32 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TCSCAN9.DAT 3/8/2009 10:00 AM 477.11 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TECHNOTE.TXT 1/22/2008 10:00 AM 875 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TINF.DAT 3/8/2009 10:00 AM 453 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TINFIDX.DAT 1/22/2008 10:00 AM 148 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TINFL.DAT 3/8/2009 10:00 AM 1.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TSCAN1.DAT 3/8/2009 10:00 AM 70.87 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\TSCAN1HD.DAT 4/17/2008 8:00 AM 3.67 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\V.GRD 3/8/2009 9:00 AM 4.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\V.SIG 3/8/2009 9:00 AM 2.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN.INF 3/8/2009 9:00 AM 103.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN1.DAT 3/8/2009 9:00 AM 991.46 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN2.DAT 3/8/2009 9:00 AM 558.55 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN3.DAT 3/8/2009 9:00 AM 149.71 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN4.DAT 3/8/2009 9:00 AM 312.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN5.DAT 3/8/2009 10:00 AM 11.02 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN6.DAT 3/8/2009 9:00 AM 386.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN7.DAT 3/8/2009 9:00 AM 33.65 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN8.DAT 3/8/2009 10:00 AM 1.02 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCAN9.DAT 3/8/2009 10:00 AM 3.54 MB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\VIRSCANT.DAT 3/8/2009 10:58 AM 32 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\WHATSNEW.TXT 3/8/2009 9:00 AM 39.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090308.020\ZDONE.DAT 1/22/2008 10:00 AM 224 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Microsoft Office Trial Wizard\assist_en 5/11/2006 1:38 PM 0 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\assist_en\ASSIS.CAB 8/24/2005 6:29 PM 970.33 KB Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\assist_en\AssistantSetup_en.msi 8/24/2005 6:30 PM 87.00 KB Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\assist_en\setup.bat 8/22/2005 2:25 PM 37 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\MSOTW_A2.1.00.CVA 9/7/2005 1:02 AM 2.75 KB Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\setup.bat 9/7/2005 6:59 PM 168 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\tour_en 5/11/2006 1:38 PM 0 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\tour_en\setup.bat 8/22/2005 2:24 PM 42 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\tour_en\TOURS.CAB 8/24/2005 6:29 PM 1.68 MB Hidden from Windows API.
C:\Program Files\Microsoft Office Trial Wizard\tour_en\TourSetup.msi 8/24/2005 6:29 PM 111.50 KB Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\011 8/11/2006 4:16 AM 0 bytes Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\011\SKU011.XML 8/15/2003 5:10 PM 462.82 KB Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\ACMAIN10.AW 6/30/2003 11:23 PM 1.75 MB Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\ACMAIN11.CHM 6/2/2005 4:03 PM 3.97 MB Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\ACREADME.HTM 7/25/2003 8:31 PM 13.57 KB Hidden from Windows API.
C:\Program Files\Microsoft Office\OFFICE11\1033\ACTIP10.HLP 12/16/2000 12:14 AM 337.65 KB Hidden from Windows API.
...
...

(7000 more lines from various applications and c:\Windows\...

AVGARKT

c:\Program Files\Microsoft Office\OFFICE11\MSTORE.EXE,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MSTORES.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MSUSP.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MSWEBCAP.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MSWORD.OLB,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MULTIMGR.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\MULTIQ.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NAME.DLL,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISECHS.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISECHT.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEDEU.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEENG.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEENU.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEESN.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEFRA.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEITA.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEJPN.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISEKOR.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISENEU.TXT,Hidden File
c:\Program Files\Microsoft Office\OFFICE11\NOISENLD.TXT,Hidden File
 
Those files are hidden, yes, but not bad. They are sort of supposed to be hidden.

Registry entries are not actually empty; it is a way that Windows handles them.

You can restore that entry from msconfig and afterwards fix it with HijackThis; that is likely the easiest way.
 
Problem Resolved

Shaba,

I wanted to let you know that I finally resolved the problem. I tried a couple of other antivirus programs (avgfree; a2free), which found more problems, as well as deleting old software I wasn't using. I also loaded MS procmon and regmon and saw that the Norton anti-virus was constantly being used and appeared to hang on accessing files. I also disabled all 3rd-party shell extensions using another tool I found on the web, but nothing seemed to improve the system. I then loaded a registry cleaner, PCTools Registry Mechanic, which found ~600 problems. Unfortunately, I had to buy the product for 30 Euros to be allowed to delete all found problems. On the bright side, it fixed my problems. I suspect one of the virus/Spybot checkers I was running when the problem occurred got rid of the virus but left the registry entries pointing to empty/nonexistent directories/programs, and this is what caused the system to run so slow. If you are interested in the logs from any of the above scans, and I can figure out how to retrieve them, I'll send them to you for future reference in helping other people who may have similar problems.

Regards, jgprice
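The check the last two posts point at (startup entries whose program has been removed, like the btdna.exe entry left in msconfig), as an added example that is not code from the thread, from HijackThis or from any tool named here: it parses the O4 lines of a HijackThis log, resolves each to the file it launches (quoted paths, unquoted paths containing spaces, %ProgramFiles%, and bare commands such as regsvr32), and reports entries whose file is absent. The btdna.exe line, the PRESENT set standing in for the disk, the environment-variable expansions and the system-directory search order are constructed assumptions; on the machine itself you would pass os.path.exists instead of sample_exists.

```python
# Flag HijackThis O4 startup entries whose target file is missing (added example).
import re
from typing import Callable, List, Optional, Tuple

# Registry Run entries, e.g. "O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe"
O4_RUN = re.compile(r"^O4 - (?P<where>\S+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries, e.g. "O4 - Global Startup: Foo.lnk = C:\path\foo.exe"
O4_STARTUP = re.compile(r"^O4 - (?P<where>[^:]*Startup): (?P<name>.+?) = (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")      # trailing "(User 'SYSTEM')"
EXE_EXT = r"\.(?:exe|com|scr|pif|bat|cmd|dll|lnk)"
# Unquoted paths may contain spaces: take everything up to the first executable extension.
PATH_WITH_EXT = re.compile(r"^(?P<path>.+?" + EXE_EXT + r")(?:\s|$)", re.IGNORECASE)

# Assumed expansions for variables HijackThis leaves unexpanded (adjust per machine).
ENV = {"%ProgramFiles%": r"C:\Program Files", "%SystemRoot%": r"C:\WINDOWS",
       "%windir%": r"C:\WINDOWS"}
# Assumed lookup order for bare command names such as "regsvr32 /s mqrt.dll".
SYSTEM_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]


def target_of(cmd: str) -> Optional[str]:
    """Return the file an O4 command line launches (bare names keep no directory)."""
    cmd = USER_SUFFIX.sub("", cmd).strip()
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m, v=value: v, cmd, flags=re.IGNORECASE)
    if not cmd:
        return None
    if cmd.startswith('"'):                 # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    first = cmd.split(maxsplit=1)[0]
    if "\\" not in first:                   # bare command name, resolved via SYSTEM_DIRS later
        return first if re.search(EXE_EXT + r"$", first, re.IGNORECASE) else first + ".exe"
    m = PATH_WITH_EXT.match(cmd)
    return m.group("path") if m else first


def resolve(target: str, exists: Callable[[str], bool]) -> Optional[str]:
    """Return the path that exists for target, searching SYSTEM_DIRS for bare names."""
    candidates = [target] if "\\" in target else [d + "\\" + target for d in SYSTEM_DIRS]
    return next((c for c in candidates if exists(c)), None)


def orphaned_entries(log_text: str, exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (where, name, target) for each O4 entry whose launched file is absent."""
    orphans = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        target = target_of(m.group("cmd"))
        if target is None or resolve(target, exists) is None:
            orphans.append((m.group("where"), m.group("name"), target or m.group("cmd")))
    return orphans


# Constructed sample: lines taken from the log in this thread plus a made-up
# btdna.exe entry (its real registry line and path are not shown in the thread).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKCU\..\Run: [btdna] "C:\Program Files\DNA\btdna.exe"
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Constructed stand-in for the disk: files assumed present (PcSync2.exe, btdna.exe and
# Vongo's Tray.exe are deliberately left out to play the role of uninstalled software).
PRESENT = {p.lower() for p in [
    r"C:\WINDOWS\ehome\ehtray.exe",
    r"C:\WINDOWS\system32\regsvr32.exe",
    r"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe",
    r"C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe",
    r"C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe",
    r"C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe",
]}


def sample_exists(path: str) -> bool:
    """Case-insensitive lookup against PRESENT, mimicking NTFS name matching."""
    return path.lower() in PRESENT


if __name__ == "__main__":
    for where, name, target in orphaned_entries(SAMPLE_LOG, sample_exists):
        print(f"orphaned: {where} [{name}] -> {target}")
```

An entry it reports is one whose launch attempt fails at every logon and is a candidate for removal with HijackThis or msconfig once you have confirmed the software really is gone.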
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 