UACd virus?

Trixie

Moderator
Does anyone have experience with this and how to eliminate it?

I am working on removing it, thought I might have, but I still cannot defrag my computer (and I'm not sure if that virus is the reason why). It stopped me from opening spyware, and wouldn't even let me access the sites or get a new browser (I used my aol browser to get what I needed). It's a tough one, and I'm not convinced I'm totally rid of it.

Unless my inability to defrag is something completely different.
 

budpytko

Super Senior Associate
What virus detection software are you using? If you can get to their site, there is usually a way to have your computer cleaned of it using their scan. If you cannot do that, use a different COMPUTER to download the .exe file to eliminate that particular virus, then run it on your computer via a thumb drive or floppy disk. If you can get that file to your computer, perhaps you can run it while in SAFE mode.
 

Trixie

Moderator
I was able to get AdAware (a new edition) to run by getting it off AOL, it finds the trojans, deletes them, but they come back. I can't manually delete certain files. I ran a couple programs per SpyBot, which listed them all, and then couldn't send them to spybot because they were infected (lol). It helped me figure out what the problems are, it's just a very very difficult thing to get rid of it seems. I need something more specific. They had me use something from a rootkit and something called gmer.

I got MBAM but I can't seem to run it.

EDIT: Oh, and it randomly plays voices and music. It's set up as a hidden driver. I haven't tried safe mode yet, I'll get to that soon I guess.
 

Trixie

Moderator
Bud, I have AVG, and I have it running all the time, and I have nightly scans.

I don't know how I got this infection. Hubby claims not to have used the computer, he's the one who usually gets me infected.
 

driller

El Presidente
... he's the one who usually gets me infected.
That's what they all say. :fart

Emails are a nasty source of some viruses. Even legit-looking ones could take you to a spoof site and then use HTML to fake a browser lockup, all the while having implanted the virus from the site.

If I get an email with embedded links, chances are I will NOT click them and instead use the regular URL to access the particular site's homepage and then search for the link in question. eBay is especially a common spoof source, as well as financial institutions, photo/video hosting sites and many others.
 

Trixie

Moderator
That's what they all say. :fart

Emails are a nasty source of some viruses. Even legit-looking ones could take you to a spoof site and then use HTML to fake a browser lockup, all the while having implanted the virus from the site.

If I get an email with embedded links, chances are I will NOT click them and instead use the regular URL to access the particular site's homepage and then search for the link in question. eBay is especially a common spoof source, as well as financial institutions, photo/video hosting sites and many others.
Yeah, I'm usually pretty careful, I won't even open attachments from people I know without appropriate comment from them (i.e., I don't open joke stuff unless there's a personalized message to me about it), but it has been an extremely hectic week, so there is a possibility I did something.

I found ways to get rid of it using AOL browser (as it will not let me search for it on IE), but the instructions were over my head. So I probably will have the kid help me with it tomorrow. It's the one time I'm actually glad I have AOL. :big-grin:
 

budpytko

Super Senior Associate
The regular scans do not do a FULL scan. Open AVG and command it to do a full computer scan...... if that doesn't find it.... uh-oh! Oh, if you can, do that scan while in SAFE mode.
 

Trixie

Moderator
The regular scans do not do a FULL scan. Open AVG and command it to do a full computer scan...... if that doesn't find it.... uh-oh! Oh, if you can, do that scan while in SAFE mode.
I do have it set to do a full computer scan, that's why I have it set for 3 AM, it takes between 2-3 hours.

This isn't a regular virus, Bud. It stops antivirus programs from deleting it or from running at all.
 

MindyMark

New member
OH fun stuff. You might try going to housecall.trendmicro.com and running their online scanner, although it sounds like you might have trouble running it from whatever is on your system.

So without knowing more about this particular virus and how to remove it, it might be faster to just reformat your computer.

But if you don't want to do that, you can try running a program called HijackThis and posting the results here. That log could give us some more information to find out what's running on your PC.
 

Trixie

Moderator
Thanks Clayton, here you go - I think this worked like gmer, and I appear to have removed the UAC portions, but something else is going on. Last night I thought I was clean. I go to bed and I hear noises like talk radio coming from my computer. AVG ran and found nothing. I don't want to reformat. Can I do a system restore to a few days ago and get rid of it?

Results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:43 AM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1188797250\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\NBYYDU6E\mbam-setup[1].exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\is-V1ODI.tmp\mbam-setup[1].tmp
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188797250\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Annabel\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Yahtzee\Images\armhelper.ocx
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.89.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9788 bytes
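An added example for this thread (not from any post above and not part of HijackThis): a short Python script that does the kind of first-pass triage MindyMark describes over a log like the one just posted. The embedded excerpt is copied from that log. The severity rules are this example's own heuristics: O15 Trusted Zone entries are flagged because a wildcard Trusted Zone entry switches off most of IE's protections for that domain and these were not added by the user, not because of any verdict on the domains themselves; the ProxyServer line is flagged because nobody configured a proxy and ":0" names no host; "(no file)" entries are orphans; and autostart entries from temp or profile directories, or ActiveX controls loaded from a local file://, are worth a look.

```python
"""Triage a HijackThis log for entry types that matter in a rogue-AV / rootkit case.

Added example for this thread; not HijackThis code and not from any post.
SAMPLE_LOG is an excerpt of the log posted in the thread; the severity
rules below are this example's own heuristics, not HijackThis verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail")

# Excerpt from the posted log: the lines the rules below react to, plus a
# few benign ones so the output shows what is *not* flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Yahtzee\Images\armhelper.ocx
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section code ("R1", "O15", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Directories a legitimate autostart entry almost never points into.
TEMP_PATH_RE = re.compile(r"\\(Temp|Temporary Internet Files|Local Settings)\\", re.I)


def triage_line(line):
    """Return a Finding for one log line, or None if nothing looks off."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, "Running processes:" block, blank line, ...
    sec, body = m.group("sec"), m.group("body")
    if sec == "O15":
        # Trusted Zone entries relax IE security for that domain; wildcard
        # entries the user never added are a rogue-AV hallmark.
        return Finding("high", sec, body)
    if sec == "R1" and "ProxyServer" in body:
        # A proxy nobody configured means something rewrote IE's settings.
        return Finding("high", sec, body)
    if "(no file)" in body:
        return Finding("low", sec, "orphaned entry: " + body)
    if sec == "O4" and TEMP_PATH_RE.search(body):
        return Finding("high", sec, "autostart from a temp/profile dir: " + body)
    if sec == "O16" and "file://" in body.lower():
        return Finding("medium", sec, "ActiveX control loaded from a local file: " + body)
    return None


def triage(log_text):
    """All findings for a log, most severe first (stable, so log order is kept within a level)."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def trusted_zone_domains(findings):
    """Distinct domains behind the O15 findings, with the '*.' wildcard stripped."""
    domains = set()
    for f in findings:
        if f.section == "O15":
            domains.add(f.detail.split(":", 1)[1].split()[0].lstrip("*."))
    return domains


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print("Trusted Zone domains to remove:", sorted(trusted_zone_domains(results)))
```

Run it as-is to see the excerpt triaged, or replace SAMPLE_LOG with a full log; the AVG, Adobe and Malwarebytes lines come out unflagged, which is the point of carrying a few benign entries in the sample. The rules are deliberately conservative and only cover the entry types that stand out in this particular log; a real cleanup still needs the autostart and service lines checked by hand.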
 

Trixie

Moderator
Spybot sent me a custom file to use, and instructions on how to run it without the exe that is being stopped by the virus. We'll see if this works.
 

MindyMark

New member
Hopefully that works for you! Malwarebytes is another good program to try as well if you have not already. The lines between virus and spyware seem to be a lot more grey than they used to be...it's all "malware" as far as I'm concerned.

As for the system restore, it's usually not going to help, as most programs are able to insert themselves into the system restore points, or disable system restore altogether. To get them out of the system restore you have to remove the malware, turn off system restore (which deletes the restore points) and then re-enable system restore.
 

Trixie

Moderator
I couldn't get Malware to run. It appears as of right now that Spybot has fixed the problem. We'll see. :)

So if anyone else comes across this, it appears I have the fix for it.
 

budpytko

Super Senior Associate
What sucks is you have NO idea how you acquired this malware/virus. You have the cure, but not the source of the problem. Usually, avoidance is lots easier than the cure...in this case, no one knows the cause.
 

Trixie

Moderator
What sucks is you have NO idea how you acquired this malware/virus. You have the cure, but not the source of the problem. Usually, avoidance is lots easier than the cure...in this case, no one knows the cause.
Yeah, but I have been really tired lately, so it's possible I clicked on something by accident. Or, Hubby's lying and was surfing porn again. :eek:

Malwarebytes found more items. I'm not positive I'm totally clean yet, we'll have to see. But at least I'm able to run spyware items now.
 

budpytko

Super Senior Associate
I run Norton 360 Premier and I have been into some dubious websites myself, and Norton has detected some sites that showed malware and/or viruses and took care of the problem without causing my computer any harm.

I will continue purchasing 360 forever..... And as Office depot runs real good specials on it every few months, it almost costs nothing to run. And another thing, one copy is good for 3 computers!

When I switched to Firefox browser, it gave me some problems...called Norton on phone and they installed the newest version and extended my subscription at no charge. Sure worth the 20 bucks after rebate for 3 'puters.
 