Undiscovered virus driving me crazy [safe mode] [adaware]

admin / November 2nd, 2010/ Posted in Computer Help / No Comments »

Q: My system was infected by a series of spyware and viruses yesterday. I went in and ran a lot of scanners / spyware removal programs (including a VX2 scan), and removed much of it, but some problems still occur.

For example, when I type, sometimes the letter I type is moved to another area; I cannot enable Windows Firewall (I had the spyware before it was removed); Task Manager closes by itself, same with regedit (I got copies of those for that problem); sometimes my whole taskbar disappears and I cannot do anything anymore. My computer freezes sometimes and some sites are not accessible (known security sites).

I tried every spyware removal program I could find, and I ran them in both safe mode and normal mode. I also ran several updated anti-virus programs. They found stuff, but I still have the issues. I disabled System Restore.

In Task Manager nothing is unusual. I'm at a loss here; how can I get at something I can't even detect?

Can someone help me? I'd appreciate it. :)


Re:Also try this:

1) get this patch from Microsoft and install it: http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx and expand Affected Software and Download Locations, then click "Critical" next to your version of Windows in the chart below. Then reboot.

2) http://www.omnicast.net/~tmcfadden/scan.txt (one-pass scan using a McAfee utility, preferably in Safe Mode w/ Command Prompt as instructed)

3) reboot into normal Windows and run this: http://www.f-secure.com/blacklight <— rootkit detector

If you do step 2 and PM me the text from the C:\Report.html file afterwards, I'll see if I have additional insights to offer. Also, if your Windows Firewall is down, I hope he has a router, or else that his system is patched up. Speaking of which, check it for missing patches and other security issues using Microsoft Baseline Security Analyzer 1.2.1 (http://www.microsoft.com/technet/security/tools/mbsa1/default.mspx); it's super-easy to use :)

Also… January 10th is Microsoft's "Patch Tuesday" for this month (second Tuesday of the month), so sometime Tuesday afternoon, drag his system through Windows Update and see what else they've got in store. You can find out three days in advance whether there are patches by watching here: http://www.microsoft.com/technet/security/bulletin/advance.mspx Ahhh, and in fact they have the info up already:

On 10 January 2006 Microsoft is planning to release:

Security Updates

1 Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

1 Microsoft Security Bulletin affecting Microsoft Exchange and Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).


Re:Try the online scans at (1) housecall.trendmicro.com or (2) http://security.symantec.com/

Re:may as well get rid of this:
O18 – Protocol: msnim – {828030A1-22C1-4009-854F-8E305202313F} – "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Do you really want these loading at startup?
O4 – HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 – HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 – HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 – HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"

especially these?
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 – HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 – Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 – Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (one or the other, maybe)
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (one or the other, maybe)
O4 – Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (one or the other, maybe)
O4 – Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
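
The reply above triages the O4 autostart lines by eye. As an added example (not code from the thread or from HijackThis), the following Python script does the same first pass mechanically: it parses HijackThis-style lines, pulls out the program each O4 entry actually launches (including the DLL behind a RUNDLL32 wrapper), and marks the entries a defender would verify first: orphaned "(file missing)" items, O20 hooks that inject into every process or run at logon, shortcuts with an unresolved target, bare file names resolved through the search path, and programs installed outside the usual directories. The sample log is constructed from lines in this thread; the list of "expected" install roots is a heuristic assumption of this example, and every flag is a prompt to check, not a verdict.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the HijackThis log posted in this thread.
# HijackThis writes " - " between fields; the page's extraction turned those
# hyphens into en-dashes, so the parser accepts either character.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# "O4 - <rest>" with either a hyphen or an en-dash as separator
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s*[-\u2013]\s*(?P<rest>.*)$")
# Registry Run entries: "<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<location>[^:]+):\s*\[(?P<name>[^\]]+)\]\s*(?P<command>.*)$")
# Startup-folder entries: "<folder>: <shortcut>.lnk = <target>"
LNK_RE = re.compile(r"^(?P<location>[^:]+):\s*(?P<name>[^=]+?)\s*=\s*(?P<command>.*)$")
# Either a quoted path, or an unquoted path up to the first executable extension
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|scr))(?=[\s,]|$)', re.I)

# Assumption of this example: where software on this machine normally lives.
# An autostart outside these roots means "look at it", not "malicious".
EXPECTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows",
                  r"d:\program files")


def image_path(command: str) -> Optional[str]:
    """Return the file an autostart command really runs, or None if unknown."""
    command = command.strip()
    if command.lower().startswith("rundll32"):
        # RUNDLL32 is only the host; the file of interest is the DLL after it
        parts = command.split(None, 1)
        command = parts[1] if len(parts) > 1 else ""
    m = IMAGE_RE.match(command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(entry: Dict[str, object]) -> List[str]:
    """Heuristic flags that tell a reviewer which entries to verify first."""
    flags: List[str] = []
    raw = str(entry["raw"]).lower()
    if "(file missing)" in raw:
        flags.append("file missing: orphaned entry, nothing is lost by removing it")
    if entry["section"] == "O20":
        flags.append("O20 loads a DLL into every process or at logon: verify the publisher")
    if entry["section"] == "O4":
        image = entry["image"]
        if image is None:
            flags.append("shortcut target unresolved")
        elif not re.match(r"^[a-z]:\\", str(image), re.I):
            flags.append("relative path: binary is found via the search order, not a fixed location")
        elif not str(image).lower().startswith(EXPECTED_ROOTS):
            flags.append("unusual install location: confirm what this program is")
    return flags


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse HijackThis lines into records with section, location, name, command, image, flags."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, process lists and blank lines are skipped
        entry: Dict[str, object] = {"section": m["section"], "raw": raw,
                                    "location": "", "name": "", "command": "", "image": None}
        if entry["section"] == "O4":
            sub = RUN_RE.match(m["rest"]) or LNK_RE.match(m["rest"])
            if sub:
                entry["location"] = sub["location"].strip()
                entry["name"] = sub["name"].strip()
                entry["command"] = sub["command"].strip()
                entry["image"] = image_path(str(entry["command"]))
        entry["flags"] = triage(entry)
        entries.append(entry)
    return entries


def flagged(text: str) -> List[Tuple[str, str, str]]:
    """(section, entry name or raw line, flag) for every entry that needs a look."""
    out = []
    for e in parse_log(text):
        for f in e["flags"]:  # type: ignore[union-attr]
            out.append((str(e["section"]), str(e["name"] or e["raw"]), f))
    return out


if __name__ == "__main__":
    for section, name, flag in flagged(SAMPLE_LOG):
        print(f"{section:4} {name:45} {flag}")
```

Feed it a whole log and it ignores the process list and header lines, so only the O4/O18/O20 findings come back. The NVIDIA and Java entries pass silently because they resolve to absolute paths under expected roots; that is exactly the "do you really want these loading at startup?" question the reply raises, which remains a judgement call about whether the software is wanted, not a security flag.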


Re:Yeah, I did. I didn't see anything weird here, but here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:33 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\pascal.DESKTOP\Desktop\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 – Toolbar: Adobe PDF – {47833539-D0C5-4125-9FA8-0819E2EAAC93} – D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 – HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 – HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 – HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 – HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 – HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 – HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 – Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 – Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 – Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 – Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 – Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 – Global Startup: GetRight – Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 – Extra context menu item: Convert link target to Adobe PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Convert link target to existing PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Convert selected links to Adobe PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 – Extra context menu item: Convert selected links to existing PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 – Extra context menu item: Convert selection to Adobe PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Convert selection to existing PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Convert to Adobe PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 – Extra context menu item: Convert to existing PDF – res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 – Extra button: Spyware Doctor – {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} – C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) – http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 – DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} – http://www.trendmicro.com/spyware-scan/as4web.cab
O18 – Protocol: msnim – {828030A1-22C1-4009-854F-8E305202313F} – "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 – AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 – Winlogon Notify: WRNotifier – C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 – Service: Adobe LM Service – Adobe Systems – C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe
O23 – Service: Trend Micro Central Control Component (PcCtlCom) – Trend Micro Incorporated. – C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 – Service: PC Tools Spyware Doctor (SDhelper) – PC Tools – C:\Program Files\Spyware Doctor\sdhelp.exe
O23 – Service: StarWind iSCSI Service (StarWindService) – Rocket Division Software – C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 – Service: Webroot Spy Sweeper Engine (svcWRSSSDK) – Webroot Software, Inc. – C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 – Service: Trend Micro Proxy Service (tmproxy) – Trend Micro Inc. – C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Re:Have you run HijackThis?
