Seems like I have everything! But no detection. Please help confirm and remove?

Status
Not open for further replies.

wishinstonez

When I was using Norton Internet Security earlier today I noticed that when I ran a full system scan, in the area that tells you what is currently being scanned I saw a LOT of:
Adware. ___
Trojan. ___
Backdoor. ___
Spyware. ___
Trackware. ___
w32. ___
and so on...
___ = the name/words after the dot.

But Norton just scans it, it doesn't pick it up as a risk. So I can't quarantine or remove any of it. I've tried CA eTrust, AVG, Spybot and Adaware...none of them have picked up anything except cookies. I've tried scanning in safe-mode as well.

As far as I can see I haven't got any of the symptoms (that I know of anyway). My homepage is still the same, I don't get random pop-ups or see advertisements on my browser. Though sometimes my mouse ends up on the other side of the screen or has a right-click window without me doing anything...is that something to worry about? And sometimes my internet is slow when loading a page (but not when streaming something).

So, are these really infecting my computer?
If so...
Why haven't any of the programs detected anything?
And what can I do to get rid of them?

If a Hijack log would be useful...I can supply one.

Any help would be appreciated :)
 
It's important to know that Norton and other virus programs can get false readings. The mouse thing is legitimate; I believe it may be a hardware issue (or a resident virus within an existing memory component; I doubt it), different than the Norton problem you describe. (A lot of programs use scare tactics; I wouldn't put it past Symantec as well.) I cannot answer either of your questions without the specifics. Tell us what your scans identified; the more information, the better.
 
I hope it's just a scare tactic..though that is really low of them.
These are the things I keep seeing. There are quite a few I missed because they don't all show up the same every scan. I tried to categorise them:
W32.Mytob.C@mm
W32.Sality.U
w32.Erkez.B@mm
W32.HLLW.Gaobot
W32.Rahack.W
W32.Stration.D@mm
W32.Netsky@mm
W32.Randex
Backdoor.Rustock.B
Backdoor.Jeem
Backdoor.Haxdoor.L
Backdoor.Graybird.G
Backdoor.SubSeven.215
Backdoor.Sincom
Backdoor.Litmus
Trojan.Flush.K
Trojan.Perfcoo
Trojan.Zlob
Adware.AdRoar
Adware.Expand
Adware.iPend
Adware.ZenoSearch
Adware.SearchCentrix
Adware.IEHost
Adware.BrowserAid
Adware.Fastfind.B
Adware.LittleHelper
Adware.HungryHands
Adware.BlazeFind
Adware.LoveFreeGames
Spyware.SpyKy
Spyware.ISpyNow
Spyware.ISnake
Spyware.WALogger
Spyware.GiveMeMore
Spyware.Intelliflag
Trackware.WebGuardian
Infostealer.Sagic
Dialer.Kotu
Dialer.Ulubione
Dialer.Uyelik
Spybouncer
AlfaCleaner
SaferScan
AntiSpyZone
PCHealthPlan
MyCleanerPC
SpyShield
CryptDrive
AntiVermins
IrcFast
SpyDawn
VirusRay
MalWarrior
PCCleaner
RegistryCleanFix
CrisysTecSentry
MyBugFreePC
Movieland

Also they are scanned one after the other, there're no "safe" files in between these.
The Symantec website in the Virus dictionary, when I look at some of these they all say the full-system scan picks them up (unless they're in the "Add/Remove Programs")
I looked up a few of them. I can't find them in the "Add/Remove Programs" if they're meant to be there, I can't find them in the registry files if they were meant to create files, I don't get any of the visible effects of error/virus warnings and pop-ups or anything.


Are they just scare tactics? If so..why so many?
Or does me using Vista Ultimate have something to do with it? (threats not vista-compatible? or they don't show in Vista? :freak: )
Or do I have one of those programs that hides risks and threats so they're not detectable?
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:08 PM, on 24/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\User\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = BigPond Broadband - Wireless, ADSL, Cable and dialup internet access
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7391 bytes
 
remove this entry

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

then make sure system restore is off, run ccleaner and cleanup. Then scan with norton again
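
The check behind the advice above, as an added example that is not part of the original post: a short Python parser that splits HijackThis entries by section code and lists those whose registered file is reported as "(no file)". The sample lines are copied from the log in this thread; the function names are illustrative.

```python
import re
from collections import Counter

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.*)$")
# COM-based entries (BHOs, toolbars, buttons) end with "{CLSID} - target".
CLSID_RE = re.compile(
    r"^(?P<label>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<target>.+)$")

def parse_log(text):
    """Return one dict per log entry: code, raw body, and CLSID/target if present."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blank lines
        entry = {"code": m["code"], "body": m["body"], "clsid": None, "target": None}
        c = CLSID_RE.match(m["body"])
        if c:
            entry.update(label=c["label"], clsid=c["clsid"], target=c["target"].strip())
        entries.append(entry)
    return entries

def orphaned(entries):
    """Entries whose registered file was not found: HijackThis prints '(no file)'."""
    return [e for e in entries if e["target"] == "(no file)"]

def section_counts(entries):
    """Number of entries per section code, for a quick overview of the log."""
    return Counter(e["code"] for e in entries)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for e in orphaned(parsed):
        print("orphaned:", e["code"], e["clsid"], e["label"])
```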
 
No, no paths. It just shows the name of it. Like "W32.Sality.U" or "SpyDawn".


I really appreciated you helping :)
 
download this http://www.bleepingcomputer.com/resources/link243.html and run it then follow below

make sure spydawn is not listed under add/remove programs

Automated Removal Instructions for SpyDawn:
  1. Print out these instructions as we will need to close every window that is open later in the fix.
  2. Download SmitfraudFix.exe from here and save it to your desktop:

    SmitFraudFix.exe

    Confirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:

    [Image: sff-icon.gif]
  3. Next, please reboot your computer into Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
  4. When your computer has started in safe mode, and you see the desktop, close all open Windows.
  5. Now, double-click on the SmitFraudfix icon that should be residing on your desktop. The icon will look like the one below:

    [Image: sff-icon.gif]
  6. When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
  7. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and then press the enter key to choose the option Clean (safe mode recommended).

    [Image: menu.jpg]
  8. The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.

    [Image: dc.jpg]

    This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with step 11.
  9. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
  10. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
  11. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.
Your computer should now be free of the SpyDawn infection.
 