Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Malware - AV issues


  • This topic is locked This topic is locked
8 replies to this topic

#1 coyotejoe

coyotejoe

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 23 November 2010 - 06:54 PM

Hello, I am having issues with a friend's PC. There was always an error message that stated "AV cannot load" that would pop up everytime you tried to do just about anything on the machine. So you were constantly having to close the error message window. I updated the Symantec Anti-Virus and ran a scan in Safe mode. It found a few pieces of malware. I then downloaded MalwareBytes and ran it in Windows safe-mode. Again it found several new things and I cleaned those off. Now the Symantec AV's auto-protect will not load at startup nor by manually starting it. The error is: 'Symantec AntiVirus Corporate Edition : Symantec AntiVirus Auto-Protect failed to load.' I really just want the opinion of you experts to tell me if there is anything else lurking on this machine that might be preventing this from running or anything else for that matter.

I appreciate your help!

Here is the DDS.txt stuff:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Sindhu at 6:16:28.62 on Tue 11/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.170 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Documents and Settings\Sindhu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mail.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101122.002\naveng.sys [2010-11-22 86064]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101122.002\navex15.sys [2010-11-22 1371184]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]

=============== Created Last 30 ================

2010-11-23 02:52:10 -------- d-----w- c:\docume~1\sindhu\locals~1\applic~1\Safe mirror
2010-11-23 02:51:51 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-18 03:01:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-18 03:01:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-18 02:59:59 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-11-18 02:59:59 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-11-18 02:59:59 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-18 02:59:45 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-11-15 22:02:54 -------- d-----w- c:\windows\system32\scripting
2010-11-15 22:02:53 -------- d-----w- c:\windows\l2schemas
2010-11-15 22:02:52 -------- d-----w- c:\windows\system32\en
2010-11-15 22:02:52 -------- d-----w- c:\windows\system32\bits
2010-11-15 21:51:06 -------- d-----w- c:\windows\EHome
2010-11-15 16:43:23 -------- d-----w- c:\docume~1\sindhu\applic~1\Malwarebytes
2010-11-15 16:43:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-15 16:43:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 16:43:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-15 16:43:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-10 04:52:11 -------- d-----w- c:\windows\system32\NtmsData
2010-11-10 03:00:40 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-09-29 19:13:02 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-29 19:12:58 88 --sh--r- c:\windows\system32\1268B7736C.sys
2010-09-29 18:53:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-29 18:53:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 18:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2007-03-23 15:50:57 2873192 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-03-23 15:50:36 18029000 ----a-w- c:\program files\FLV PlayerRCSetup.exe

============= FINISH: 6:21:48.95 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 AM

Posted 01 December 2010 - 08:53 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 coyotejoe

coyotejoe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 01 December 2010 - 09:06 PM

Yep. Still here. I was about to give up, but thank you for contacting me. Please let me know what information you need. Thanks.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 AM

Posted 02 December 2010 - 04:39 PM

First thing to do is to reinstall your Symantec antivirus.

Are you still getting the message or are you not able to install it again?
Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 AM

Posted 05 December 2010 - 08:24 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
Posted Image
m0le is a proud member of UNITE

#6 coyotejoe

coyotejoe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 05 December 2010 - 11:33 PM

I uninstalled Symantec AV. Installed Microsoft Security Essentials. (Couldn't find the original install CD for Symantec). Do you have an opinion on the best AV?

Any other information that you need to help make sure this PC is clean?

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 AM

Posted 06 December 2010 - 04:45 PM

I'm sure that the PC was clean before but I will post some tips below.

Just need you to confirm that the message 'Symantec AntiVirus Corporate Edition : Symantec AntiVirus Auto-Protect failed to load.' is no longer appearing.

------------------------------------------------------

Now here are the tips:

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#8 coyotejoe

coyotejoe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:16 AM

Posted 07 December 2010 - 01:45 PM

Thanks. The message doesn't pop anymore.... since Symantec isn't installed. I was just curious to see if there was anything else lurking on the machine.

Thanks for your help.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 AM

Posted 11 December 2010 - 07:54 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users