WiredWX Hobby Weather Tools

Have virus PLEASE HELP!!!

3 posters

Re: Have virus PLEASE HELP!!!

The rootkit is gone, give MBAM a try now.

Re: Have virus PLEASE HELP!!!

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/22/2009 11:30:12 AM
mbam-log-2009-02-22 (11-30-12).txt

Scan type: Quick Scan
Objects scanned: 72842
Time elapsed: 13 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Re: Have virus PLEASE HELP!!!

Hmm, only 1 file?
Let's have a look around.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Have virus PLEASE HELP!!!

DDS (Ver_09-01-07.01) - NTFSx86
Run by Daniel Schneider at 11:40:33.18 on Sun 02/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.441 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Wavexpress\TVTonic\WXRSS.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Wavexpress\TVTonic\WXTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daniel Schneider\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9E3DCAB2-1B63-44D9-AF91-7751CB9F605B} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EA Core] "c:\program files\electronic arts\ea link\Core.exe" -silent
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\daniel~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tvtoni~1.lnk - c:\program files\wavexpress\tvtonic\WXTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\5a10nuia.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\daniel schneider\application data\mozilla\firefox\profiles\5a10nuia.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2008-9-2 238848]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060104.006\NAVENG.Sys [2006-1-5 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060104.006\NavEx15.Sys [2006-1-5 750952]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2004-7-23 336008]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 198256]
R4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235120]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 165488]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-9-2 38144]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2004-8-30 177264]
R4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-11-6 810632]
R4 WXRSS;TVTonic RSS;c:\program files\wavexpress\tvtonic\WXRSS.exe [2007-9-5 188416]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79472]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 SBService;scriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-30 67184]

=============== Created Last 30 ================

2009-02-21 18:43 44,323 a------- c:\windows\system32\mcenspc.dll
2009-02-21 18:43 5,541 a------- c:\windows\system32\uacinit.dll
2009-02-21 18:43 81,408 a------- c:\windows\system32\UACdghpndwm.dll
2009-02-21 18:43 24,576 a------- c:\windows\system32\UACedawbvby.dll
2009-02-21 18:43 27,136 a------- c:\windows\system32\UAClndpsdmm.dll
2009-02-21 18:43 127 a------- c:\windows\system32\UACaqxkpaqt.dat
2009-02-21 18:43 31,232 a------- c:\windows\system32\UACjmuwkksf.dll
2009-02-05 08:59 1,011,568 a------- C:\MoveMediaPlayer_071101000055.exe
2009-01-31 15:56 --d----- C:\ComboFix
2009-01-31 13:09 --d----- c:\docume~1\daniel~1\applic~1\Malwarebytes
2009-01-31 13:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 13:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 13:09 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 13:09 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 13:07 2,737,800 a------- C:\mbam-setup.exe
2009-01-24 15:09 --d----- c:\docume~1\alluse~1\applic~1\espionServerData

==================== Find3M ====================

2008-12-27 18:01 302,928 a------- c:\program files\dxwebsetup.exe
2008-12-27 17:56 27,288,880 a------- c:\program files\QuickTimeInstaller.exe
2008-12-27 13:58 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-27 13:58 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-12-27 13:58 116,472 -------- c:\windows\system32\pxcpyi64.exe
2008-12-27 13:58 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-12-27 13:58 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-27 13:58 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 05:12 8,996 a------- c:\windows\system32\ealregsnapshot1.reg
2008-12-05 21:23 3,376,393 a------- C:\doc2pdf2_setup.exe
2008-12-05 21:13 72,192 a------- c:\windows\cadkasdeinst01e.exe
2008-12-01 19:54 23,804,784 a------- C:\aaw2008.exe
2008-12-01 19:07 2,062,665 a------- C:\spywareguardsetup.exe
2008-12-01 18:46 2,869,536 a------- C:\spywareblastersetup41.exe
2008-12-01 18:45 15,083,520 a------- C:\spybotsd160.exe
2008-12-01 18:21 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-29 19:54 295,424 a------- c:\windows\system32\termsrv.dll
2008-11-17 10:36 40,368 a------- c:\docume~1\daniel~1\applic~1\GDIPFONTCACHEV1.DAT
2008-10-13 10:18 12,580,696 a------- c:\program files\mm20enu.exe
2008-02-10 14:54 28,868,320 a------- c:\program files\FileFormatConverters.exe
2007-12-06 12:39 6,820,520 a------- c:\program files\FirefoxGoogleToolbarSetup.exe
2007-11-18 01:12 13,532,808 a------- c:\program files\NBCDirectInstaller.exe
2007-10-14 15:09 1,473,748,992 a------- c:\program files\CoD4MWDemoSetup.exe
2007-04-11 14:54 414,637 a------- c:\program files\police-quest-in-pursuit-of-the-death-angel.zip
2007-04-11 14:53 1,049,705 a------- c:\program files\DOSBox-0.63-install.exe
2006-10-22 18:22 274 a------- c:\docume~1\daniel~1\applic~1\wklnhst.dat
2006-08-13 16:51 432,552 a------- c:\program files\wpsetup.exe
2006-07-01 11:55 905,728 a------- c:\program files\iview398.exe
2006-05-16 18:03 359,112 a------- c:\program files\LimeWireWin.exe
2006-04-13 11:53 2,871,168 a------- c:\program files\setuppad.exe
2006-04-13 11:38 36,465,208 a------- c:\program files\iTunesSetup.exe
2005-10-16 19:31 7,739,192 a------- c:\program files\DivXPlay.exe
2008-10-15 13:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

============= FINISH: 11:41:47.32 ===============

Re: Have virus PLEASE HELP!!!

Hello.
Are you running Norton only on trial? DDS tells me the database isn't updated; you can't really stay safe with an AV that isn't up to date. It also says the firewall that comes with Norton isn't active.

Do you have Limewire installed? I see the Limewire installer sitting in your Program Files folder; if so, please uninstall it. P2P programs are dangerous, especially Limewire.
Then delete the installer:
c:\program files\LimeWireWin.exe

Let me know about them in your next post.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\system32\mcenspc.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACdghpndwm.dll
    c:\windows\system32\UACedawbvby.dll
    c:\windows\system32\UAClndpsdmm.dll
    c:\windows\system32\UACaqxkpaqt.dat
    c:\windows\system32\UACjmuwkksf.dll

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.
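One way to automate the two checks the helper made by eye in the DDS report above, as an added example that is not part of this thread or of DDS itself: it parses a constructed DDS-style excerpt, flags any SecurityProviders DLL outside the baseline the :reg fix above restores, and groups files created directly in system32 by minute, since the UAC* components were dropped together. The banner-based section splitting, the line layout regex and the burst heuristic are my assumptions about the report format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Baseline for the SecurityProviders value, taken from the :reg block of the
# OTMoveIt fix in this thread. Windows loads every DLL listed there into LSASS,
# so an extra, unexpected entry (mcenspc.dll above) is a persistence finding.
KNOWN_GOOD_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample: a short excerpt shaped like the DDS report posted above.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

=============== Created Last 30 ================

2009-02-21 18:43 44,323 a------- c:\windows\system32\mcenspc.dll
2009-02-21 18:43 5,541 a------- c:\windows\system32\uacinit.dll
2009-02-21 18:43 81,408 a------- c:\windows\system32\UACdghpndwm.dll
2009-02-21 18:43 127 a------- c:\windows\system32\UACaqxkpaqt.dat
2009-01-31 13:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 13:09 --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================
"""

# A "Created Last 30" line: date, time, optional size (files only), the 8-char
# attribute column, then the path. Assumed layout, matched to the lines above.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?:([\d,]+) )?(\S{8}) (.+)$")
# A file directly inside system32 (not in a subfolder such as drivers\).
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


@dataclass
class CreatedEntry:
    date: str
    time: str
    size: int | None  # None for directories
    attrs: str
    path: str


def sections(report: str) -> dict[str, list[str]]:
    """Split a DDS report into {banner title: non-blank lines} on its '====' banners."""
    out: dict[str, list[str]] = {}
    current = None
    for line in report.splitlines():
        if line.startswith("="):
            current = line.strip("= ")
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line)
    return out


def unexpected_security_providers(report: str) -> list[str]:
    """DLLs listed in SecurityProviders that are not in the known-good baseline."""
    for line in sections(report).get("Pseudo HJT Report", []):
        if line.startswith("SecurityProviders:"):
            listed = [p.strip().lower() for p in line.split(":", 1)[1].split(",")]
            return [p for p in listed if p and p not in KNOWN_GOOD_PROVIDERS]
    return []


def parse_created(report: str) -> list[CreatedEntry]:
    """Parse the 'Created Last 30' section into structured entries."""
    entries = []
    for line in sections(report).get("Created Last 30", []):
        if m := CREATED_RE.match(line):
            date, time, size, attrs, path = m.groups()
            size_int = int(size.replace(",", "")) if size else None
            entries.append(CreatedEntry(date, time, size_int, attrs, path))
    return entries


def suspicious_system32_bursts(report: str, min_count: int = 3) -> dict[str, list[str]]:
    """Group new files dropped directly in system32 by creation minute. Several
    files at one timestamp, as the UAC* set at 18:43 above, is a lead to check
    against known update dates; a Windows update also writes here."""
    groups: dict[str, list[str]] = {}
    for e in parse_created(report):
        m = SYSTEM32_RE.match(e.path)
        if m and e.size is not None:
            groups.setdefault(f"{e.date} {e.time}", []).append(m.group(1))
    return {ts: names for ts, names in groups.items() if len(names) >= min_count}


def triage(report: str) -> dict:
    """Run both checks and cross-reference them: a non-baseline provider DLL
    that was also created in the last 30 days is the strongest signal."""
    providers = unexpected_security_providers(report)
    created = {m.group(1).lower() for e in parse_created(report)
               if (m := SYSTEM32_RE.match(e.path))}
    return {
        "unexpected_providers": providers,
        "recently_created_providers": [p for p in providers if p in created],
        "system32_bursts": suspicious_system32_bursts(report),
    }
```

Running `triage()` over a full DDS.txt gives the same three findings the helper acted on here: the extra provider DLL, confirmation that it was freshly created, and the cluster of UAC* files that went into the :files block.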

Re: Have virus PLEASE HELP!!!

Yeah, I have trial Norton (came with the machine), but never renewed it, and I disable it every time the system starts up (until system restart) because it always seems to be getting in the way.

Also, I uninstalled LimeWire last go round, but must have forgotten to delete that file. So I went ahead and deleted it.

OTMOVEIT3 Log:


========== FILES ==========
LoadLibrary failed for c:\windows\system32\mcenspc.dll
c:\windows\system32\mcenspc.dll NOT unregistered.
c:\windows\system32\mcenspc.dll moved successfully.
LoadLibrary failed for c:\windows\system32\uacinit.dll
c:\windows\system32\uacinit.dll NOT unregistered.
c:\windows\system32\uacinit.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACdghpndwm.dll
c:\windows\system32\UACdghpndwm.dll NOT unregistered.
c:\windows\system32\UACdghpndwm.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACedawbvby.dll
c:\windows\system32\UACedawbvby.dll NOT unregistered.
c:\windows\system32\UACedawbvby.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UAClndpsdmm.dll
c:\windows\system32\UAClndpsdmm.dll NOT unregistered.
c:\windows\system32\UAClndpsdmm.dll moved successfully.
c:\windows\system32\UACaqxkpaqt.dat moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\UACjmuwkksf.dll
c:\windows\system32\UACjmuwkksf.dll NOT unregistered.
c:\windows\system32\UACjmuwkksf.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02222009_115401

Re: Have virus PLEASE HELP!!!

Okay.

Please see here to download the Norton removal tool:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Normal uninstalling isn't sufficient; Norton always does a messy uninstall and leaves behind so many of its files.
Once Norton is uninstalled, please visit one of these sites and install a new AV:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Also let me know how the machine is running now.

Re: Have virus PLEASE HELP!!!

About to uninstall Norton and will then install Antivir. Computer seems to be running pretty smoothly. I still have that Spybot Search & Destroy box up that I mentioned before (it popped up on startup, even after running MBAM and restarting); I don't know whether or not I should mess with it (i.e. click Deny Change).

And before I proceed, two questions:

One, it is asking me for my Product Key, which, quite honestly, I have no idea where it is (like I said, got this computer in '04 and it was already installed). Though I'm not sure if this is only required if you plan to reinstall it.

Two, if I uninstall Norton, will I still be able to access the Internet? I don't know, I've just noticed screwy things in the past when dealing with Norton (that's why I usually disable it before surfing... I'm pretty sure one time I logged off accidentally, and it wouldn't let me online).

Re: Have virus PLEASE HELP!!!

Deny it; it's only a runonce thing.

Uninstalling Norton shouldn't break the internet connection; this Norton has no LSP item, so the net should be fine.

If it won't uninstall via the removal tool, we can try a manual uninstall and move its files with OTMoveIt. Let's see what Norton items are installed.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: Have virus PLEASE HELP!!!

Okay, was able to uninstall Norton using the uninstaller (it then restarted) and have since installed and updated Antivir. Still getting that stupid Spybot - Search & Destroy message.

Re: Have virus PLEASE HELP!!!

Okay, my AntiVir guard just popped up with this detection:

A virus or unwanted program was found!

C:\WINDOWS\system32\uacbbr.dll
Is the TR/PCK.Tdss.C.14 Trojan

And it has the list asking what I want it to do: Move to quarantine; Delete; Rename; Deny access; Ignore

Also, I was in the middle of an MBAM scan when it popped up, and the scan has since frozen on a white screen.

Re: Have virus PLEASE HELP!!!

Delete it.

Re: Have virus PLEASE HELP!!!

All right, deleted it. And two others popped up on Antivir during the scan that I deleted as well. The MBAM scan came up with no objects infected, however.

Re: Have virus PLEASE HELP!!!

Okay, note that I can only delete what I can see in our tools' reports, so let's do this.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

Re: Have virus PLEASE HELP!!!

Avira AntiVir Personal
Report file date: Sunday, February 22, 2009 13:08

Scanning for 1260296 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: WHITETUNDRA

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 18:38:19
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 2/20/2009 18:38:21
ANTIVIR3.VDF : 7.1.2.61 31232 Bytes 2/22/2009 18:38:22
Engineversion : 8.2.0.87
AEVDF.DLL : 8.1.1.0 106868 Bytes 2/22/2009 18:38:43
AESCRIPT.DLL : 8.1.1.47 348539 Bytes 2/22/2009 18:38:41
AESCN.DLL : 8.1.1.7 127347 Bytes 2/22/2009 18:38:39
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 2/22/2009 18:38:38
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 2/22/2009 18:38:35
AEHEUR.DLL : 8.1.0.97 1610103 Bytes 2/22/2009 18:38:33
AEHELP.DLL : 8.1.2.0 119159 Bytes 2/22/2009 18:38:26
AEGEN.DLL : 8.1.1.20 336245 Bytes 2/22/2009 18:38:25
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 2/22/2009 18:38:23
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 22, 2009 13:08

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'sgbhp.exe' - '1' Module(s) have been scanned
Scan process 'sgmain.exe' - '1' Module(s) have been scanned
Scan process 'WXTray.exe' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'Belkinwcui.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'VAIOUpdt.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'RM_SV.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'VzFw.exe' - '1' Module(s) have been scanned
Scan process 'VzCdbSvc.exe' - '1' Module(s) have been scanned
Scan process 'WXRSS.exe' - '1' Module(s) have been scanned
Scan process 'VCSW.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMceMan.exe' - '1' Module(s) have been scanned
Scan process 'SonicStageMonitoring.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'MediaAgent.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'bgsvcgen.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
63 processes with 63 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '74' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentafy.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a0fa3fc.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentafy1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a0fa402.qua'!
C:\Documents and Settings\Daniel Schneider\Desktop\backups\backup-20090131-130545-903.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Daniel Schneider\Desktop\backups\backup-20090131-132601-779.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Daniel Schneider\Desktop\backups\backup-20090131-132731-614.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Daniel Schneider\Local Settings\Temp\EAD2.exe
[0] Archive type: NSIS
--> 0
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Daniel Schneider\Local Settings\Temp\EAD5.exe
[0] Archive type: NSIS
--> 0
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Daniel Schneider\Shared\Delta White - Come On Over.mpg
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097181.exe
[DETECTION] Is the TR/Dldr.FakeAle.kom Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097199.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097207.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097372.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097372.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097373.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1044\A0097373.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1045\A0097646.dll
[DETECTION] Is the TR/PCK.Tdss.C.14 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1045\A0097647.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1045\A0097648.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1045\A0097649.dll
[DETECTION] Is the TR/Vundo.D.26 Trojan
[NOTE] The file was deleted!
C:\_OTMoveIt\MovedFiles\02222009_115401\windows\system32\mcenspc.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\_OTMoveIt\MovedFiles\02222009_115401\windows\system32\UACdghpndwm.dll
[DETECTION] Is the TR/PCK.Tdss.C.14 Trojan
[NOTE] The file was deleted!
C:\_OTMoveIt\MovedFiles\02222009_115401\windows\system32\UACedawbvby.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was deleted!
C:\_OTMoveIt\MovedFiles\02222009_115401\windows\system32\UACjmuwkksf.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\_OTMoveIt\MovedFiles\02222009_115401\windows\system32\UAClndpsdmm.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was deleted!


End of the scan: Sunday, February 22, 2009 14:31
Used time: 1:22:28 Hour(s)

The scan has been done completely.

22028 Scanning directories
363920 Files were scanned
18 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
18 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
363898 Files not concerned
7891 Archives were scanned
9 Warnings
20 Notes

NOTE THAT:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentafy.zip

and

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentafy1.zip

were moved into quarantine (though I thought they were deleted... they are sitting in there right now)
