#31  March 27th, 2011, 06:10 AM
Jaytee, Senior Member (Join Date: May 2002; O/S: Linux; Location: Hamilton, New Zealand; Posts: 3,620)
OK, I downloaded a Norton uninstall tool and that fixed the problem. Also, I shifted that CEC_main.exe out of the program group in the meantime, so the machine complains each time I restart.
#32  March 28th, 2011, 02:03 AM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004; Posts: 52,284)
Good - you are clearing up some issues. Better if you put the file back for now though. Seeing an unusual entry in a Gmer scan log isn't anything we should act on right now. Just need to take a look. But not seeing any upload from you at the SpyKiller site. Could you double-check the steps again, please?
#33  March 28th, 2011, 10:37 AM
Jaytee
I am having a heap of problems with the SpyKiller forum.
I am following the instructions.
When I hit "post", it takes ages to upload the file, then:
"Forbidden. You do not have permission to access index.php on this server. Additionally, a 404 Not Found was encountered while trying to use an error document..."
#34  March 28th, 2011, 10:39 AM
Jaytee
I put that CEC_Main back where I found it for the meantime...
I wonder if there is some other place I can upload a copy of the file to?
#35  March 29th, 2011, 01:30 AM
Jintan
I did a test upload at that site, but didn't run into those errors. The ComboFix log shows a few files we need to put back, and a few others we need to verify, so we still need some file copying and moving done. What problems are occurring there now, with Norton uninstalled? So far we are not seeing malware, so I don't want to go too far along without purpose.

Zip a copy of that CEC_Main file, as well as the following two files, and email them as attachments, one at a time, to jintan@malwarecrypt.com. Please place "Submitted Files -Jaytee/cth/files" as the email Subject.

C:\qoobox\Quarantine\C\program files\webserver\PdvrParser.ax.vir
C:\qoobox\Quarantine\C\program files\webserver\PdvrServer.dll.vir
#36  March 29th, 2011, 08:54 PM
Jaytee
The only problems that I am aware of are a broken or disabled Firefox, and a user went missing; a possible cause for that is a system restore that occurred when the machine failed to boot.
Windows Update is failing, and Java update is also failing.
#37  March 29th, 2011, 08:55 PM
Jaytee
I sent those files. Hope they are OK.
#38  March 30th, 2011, 02:42 AM
Jintan
I received the files, thanks. What did you use to zip them? They are reduced nicely.

Sure enough, that camera CEC_MAIN.exe incorporates quite a bit of what it refers to as "debug" in its functions. And the code shows what Gmer reflects as well, so it is not a malware action.

As for the other files, the code in them suggests streaming video and audio/graphics use, with Release_codec3Dll references as well. No indication of malicious actions in them, and no indication of the vendor or source; Korean sourced. One file you have, WebServer.ocx, does web search to Corel Paradox use, so a thin tie with the "pd" of the files. This scan indicates two scanners see one file as part of a rogue security install, but those two hits are too few to verify malware.

But the uploads raise a different question. The folders were named ".pdf". Was this something you chose? I am wondering if many items there are acquiring that extension, which would mess things up. If you did not name them .pdf, did you make sure earlier that you have an accurate view of the files there? Make sure you can view hidden files, and also uncheck "Hide extensions for known file types".
#39  March 30th, 2011, 03:29 AM
Jintan
I checked an analysis of that PdvrParser.ax file. It also uses the same Renos malware reference, shows the source as Korean, and includes a "Pdvr Http Push" function (info here). Given the check on that camera file, and these files' busy video-related functions, I am leaning towards "pdvr" meaning "portable digital video recorder", likely from some Korean device software. Do any devices on that system match that? We can check for some of the analysis info on that system, though admittedly, this is just to verify what those files do. I am not seeing them as having caused problems there.

Download Nirsoft's RegScanner from here (scroll down; select "Download self-install executable for installing RegScanner with uninstall support") to your desktop. Then right-click that regscanner_setup.exe, select "Run as administrator", and follow the prompts to install RegScanner.

When the display opens, copy/paste the following into the "Find String" box, then click OK:

F9C69F34-2CD3-4769-A414-C3AB121FDF94

Once that scan completes go to Edit - Select All. Then again Edit - Copy All.

Open Notepad (go to Start Search, type notepad.exe and hit Enter), then right-click and Paste the log results there. Save that to your desktop by any name you choose, and post the contents here in your next reply please.
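The RegScanner search above looks for a string in key names, value names and value data. The following is an added example, not code from the thread or from Nirsoft, that does the same search natively in Windows PowerShell (2.0 or later is assumed) so the result can be saved without installing a tool. The registry roots, the output file name and the hex rendering of REG_BINARY data are my choices; the GUID is the one quoted in the post.

```powershell
# Added example (not from the thread): search key names, value names and value data
# under a few registry roots for a literal string, roughly what RegScanner's
# "Find String" does. Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
function Find-RegistryString {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
    )
    # Escape so a GUID or a dotted file name is matched literally; -match is case-insensitive.
    $regex = [regex]::Escape($Pattern)

    foreach ($root in $Roots) {
        # The root key itself plus everything beneath it; keys we cannot open are skipped.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($key -eq $null) { continue }

            # Hit in the key name, e.g. HKLM\SOFTWARE\Classes\CLSID\{GUID}
            if ($key.PSChildName -match $regex) {
                New-Object PSObject -Property @{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }

            # Hits in value names or value data (the empty name is the "(Default)" value).
            foreach ($valueName in $key.GetValueNames()) {
                try { $data = $key.GetValue($valueName) } catch { continue }
                if ($data -is [byte[]]) {
                    # REG_BINARY is rendered as hex, so text hidden in binary values is not matched.
                    $text = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                } else {
                    $text = [string]$data   # REG_MULTI_SZ arrays are joined with spaces
                }
                if ($valueName -match $regex -or $text -match $regex) {
                    New-Object PSObject -Property @{ Key = $key.Name; Value = $valueName; Data = $text }
                }
            }
        }
    }
}

# The CLSID asked about in the thread; the output path is my choice.
Find-RegistryString -Pattern 'F9C69F34-2CD3-4769-A414-C3AB121FDF94' |
    Format-List Key, Value, Data |
    Out-File -FilePath "$env:USERPROFILE\Desktop\regsearch.txt" -Encoding UTF8
```

On a 64-bit install run this from the 64-bit PowerShell so that both the native CLSID branch and the Wow6432Node branch under HKLM:\SOFTWARE are walked; an empty regsearch.txt is the equivalent of RegScanner's nil result.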
#40  March 30th, 2011, 10:14 AM
Jaytee
I just have time to respond to the "zip" questions.
The files I sent you were in fact the three files with the names you requested.
I was unsure how to zip files in the Windows Vista environment, so I copied the files to a flash drive and compressed them with my Linux system, as it has a lot of zip extensions (.tar, .jar, .bz, etc.). However, the files were identified as Windows executables and would not compress, so I renamed them .pdf to compress them; then, when compressed, I renamed the actual files back to their original state and tested them on the Windows machine for readability. I think it is unlikely that any information would remain hidden, as Linux uses hiding for a different purpose, as far as I am aware.
The machine is a Toshiba laptop with a built-in camera at the top centre of the screen.
I will attempt to get the output from RegScanner tomorrow evening...
#41  March 31st, 2011, 02:12 AM
Jintan
That clears up the extension issue, thanks. FYI: if you right-click a file in Vista (same as XP) and select "Send to" -> "Compressed (zipped) folder", that will create a zipped copy in the same location as the target file. Not as nicely compressed, though. Yes, let's check the Registry search results, then if nothing comes from that, see about correcting the update issue, then check reinstalling Firefox and Norton.
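The extension confusion in the last few posts is the reason Jintan asked for "Hide extensions for known file types" to be unchecked: with extensions hidden, a renamed executable looks like a document. The following is an added example, not code from the thread, that decides what each file in a folder is from its leading bytes alone and flags files whose extension disagrees. It assumes Windows PowerShell 2.0 or later; the signature table is the public magic numbers for PE, ZIP and PDF, and the list of extensions accepted for each kind is my choice.

```powershell
# Added example (not from the thread): report what files in a folder actually are from
# their first bytes and flag any whose extension disagrees, e.g. an "MZ" executable renamed
# to .pdf. Assumes Windows PowerShell 2.0 or later. Signatures are public magic numbers;
# the extensions accepted for each kind are my own choice.
$script:Signatures = @(
    @{ Label = 'Windows executable (MZ header)'; Bytes = [byte[]](0x4D, 0x5A);             Extensions = @('.exe', '.dll', '.ocx', '.ax', '.sys') },
    @{ Label = 'ZIP archive';                    Bytes = [byte[]](0x50, 0x4B, 0x03, 0x04); Extensions = @('.zip', '.jar') },
    @{ Label = 'PDF document';                   Bytes = [byte[]](0x25, 0x50, 0x44, 0x46); Extensions = @('.pdf') }
)

function Get-FileKind {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Read only the first 8 bytes; the file name and extension are not consulted here.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 8
        $count = $stream.Read($header, 0, $header.Length)
    } finally {
        $stream.Close()
    }
    foreach ($sig in $script:Signatures) {
        $n = $sig.Bytes.Length
        if ($count -lt $n) { continue }
        $matched = $true
        for ($i = 0; $i -lt $n; $i++) {
            if ($header[$i] -ne $sig.Bytes[$i]) { $matched = $false; break }
        }
        if ($matched) { return $sig }
    }
    return $null   # no known signature
}

function Test-FolderExtensions {
    param([Parameter(Mandatory = $true)][string]$Folder)
    # -Force includes hidden files, so a hidden renamed executable is not missed.
    Get-ChildItem -Path $Folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-FileKind -Path $_.FullName
            $ext = $_.Extension.ToLower()
            if ($sig -eq $null) {
                $label = 'unknown'
                $status = 'n/a'
            } else {
                $label = $sig.Label
                if ($sig.Extensions -contains $ext) { $status = 'yes' } else { $status = 'MISMATCH' }
            }
            New-Object PSObject -Property @{
                Name = $_.Name; Extension = $ext; Content = $label; ExtensionMatches = $status
            }
        }
}

# Folder to check is my choice; an MZ file named something.pdf shows up as MISMATCH.
Test-FolderExtensions -Folder "$env:USERPROFILE\Desktop" |
    Format-Table Name, Extension, Content, ExtensionMatches -AutoSize
```

Run against the ComboFix quarantine folder quoted earlier, the `.vir` copies such as PdvrParser.ax.vir would also be reported as MISMATCH, which is expected: the suffix is the quarantine rename, not the file's real type, and the Content column still tells you they are PE files.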
#42  March 31st, 2011, 02:15 AM
Jintan
Actually, go here and download and run the BITS Repair Tool. Reboot after, and see if the updates work then please. No reason to wait on that.
#43  March 31st, 2011, 11:01 AM
Jaytee
RegScanner came back with a nil result on the key you gave me.
BITS came back with a "not required at this time" type statement.
I am trying Windows Update again but am not confident of the outcome...
#44  March 31st, 2011, 11:11 AM
Jaytee
Negative outcome... The OS will not boot. I am going to bed in disgust!!!
#45  March 31st, 2011, 09:16 PM
Jaytee
Yet another system restore and the machine is back to its pre-updates stage.