Author Topic: a virus dat keeps comin back :( unhandled exception error & other symptoms  (Read 17696 times)

settnfires

  • Guest
ok heres my scenario... i believe i caught a virus. it showed up thru msn messenger (windows live messenger) as dark angel m.e. virus. then afta tryin to fight it thru boot-scan (unhandled exception error), spyware scans, etc, it wiped my drive. this happened TWICE. now i m on my 3rd fresh install and its back again. it keeps showin up afta i install windows live messenger for sum STRANGE REASON... i get da install file from da msn site, so its not like i m usin a dirty file. at least i dont think i am since its not comin from me. i hav an external hard drive but i ve scanned dat numerous times only to find nuthn infected on it. now this 3rd time around of doin a fresh install, i did try to download sum things from da net dat avast said had viruses. but dam, da EXACT same symptoms again??? i evn tried uninstallin avast, then reinstallin it, boot-scannin without updatin it (which workd, but showed a bunch of ACCESS DENIED stuff), then updated it & did a boot-scan again only to run into da unhandled exception error again. seems like dat error only happens wen its updated.

symptoms dat sumtime arise:

1. right click/properties (on screen) doesnt work anymore
2. control panel wont open
3. nuthn i try to open in da run command box runs
4. add/remove programs wont open
5. system restore wont work

seems like anything dat takes administrative privileges wont work :( so then i got desperate and installed anotha antivirus program to see if it would find sumthn dat avast isnt findin. this program wouldnt even open. then i try to uninstall it to prevent further damage (from havin 2 antivirus programs installed) and it wont uninstall! so then i came here & lookd around. i found sumone sayin scan in safe mode, which i m doin right now. da otha antivirus program still wont open even in safe mode, but wen i try to uninstall it, it lets me! so i m thinkin sumthn changed my administrator privileges or sumthn. i m not sure... i believe one of u will tell me to post a hijack this reading or sumthn like dat, which i ve neva done before. avast says its updated to da latest vps database (8-27-07) & program update.

so yea dats da bulk of my story. any ideas? i really hope wateva it is dat wiped my drive twice doesnt do it again. i m tired of reinstallin everything all ova again :(

any help will b greatly appreciated & thx in advance
« Last Edit: August 27, 2007, 04:45:15 PM by settnfires »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Hi settnfires,

Two AV's is not a good idea, as you seem to be aware: they'll just fight together like two dogs over a bone.

To let us see what is happening on your computer post a HijackThis! log.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

settnfires

  • Guest
yep. i ve heard abt da 2 antivirus program thing. i ll uninstall da otha RIGHT NOW & try to get dat hijack this log up here for u. thx for da prompt response!

i m on it... i m on it... i m on it...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> then updated it & did a boot-scan again only to run into da unhandled exception error again. seems like dat error only happens wen its updated.

Alwil acknowledges the boot time scanning bug (http://forum.avast.com/index.php?topic=29999.msg247134#msg247134). You'll need to wait for the next program update. Igor answers here that the problem persists: http://forum.avast.com/index.php?topic=30138.msg248589#msg248589

> then i try to uninstall it to prevent further damage (from havin 2 antivirus programs installed)

Bad idea... two antivirus at the same time.

I suggest that you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning with RunScanner and submitting its log to on-line analysis would help to identify the problem and the solution.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Currently there is a problem with the boot-time scan and they are working on a fix for it. Let us know how you get on scanning from safe mode.

As Frank said, 2 resident AVs can cause conflict, and rather than provide twice the protection you may be more vulnerable. So you need to choose 1 resident AV (avast) and ensure the other is uninstalled completely. You can have an on-demand AV as a back-up scanner, something like BitDefender; the free version is on-demand only, which should be fine. Or you could use an on-line scanner as a back-up scan - On-line Virus Scanners and other useful Links Security-Ops.eu.tt
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

settnfires

  • Guest
oh yea i forgot to mention avast keeps askin to reboot everytime i reboot. its annoying!!! 2nd antivirus program uninstalled. ok heres my hijackthis log. i ll b tryin all da otha suggestions u guys made RIGHT NOW.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:09 AM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Free\Desktop\hijackthis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] rem "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] rem RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187845310203
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 4456 bytes
« Last Edit: August 27, 2007, 05:41:26 PM by settnfires »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Looks like you are living dangerously as there is no active firewall detected or you are using XP firewall that really isn't good enough, you should look at a third party firewall.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Other than that I don't see anything obvious in it, the log looks clean.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
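
The kind of skim the helpers above did by eye can be scripted. This is an added example, not part of the original thread and not HijackThis's own code: it parses the log format posted above and pulls out entries that point at missing files or unknown owners, plus the security vendors registered as services. The sample is a constructed excerpt of that log, and the `SECURITY_VENDORS` list and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis v2 log format (lines taken from the log posted above).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
DANGLING = ("(no file)", "(file missing)", "Unknown owner")
# Assumption: vendor strings treated as security products, taken from this log only.
SECURITY_VENDORS = ("ALWIL Software", "GRISOFT")

def parse_log(text):
    """Split a HijackThis log into running processes and coded entries (R0, O4, O23...)."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:                      # first coded entry ends the process list
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def triage(text):
    """Return hygiene flags for a human reviewer; these are not malware verdicts."""
    processes, entries = parse_log(text)
    dangling = [(c, e) for c, es in entries.items() for e in es
                if any(tag in e for tag in DANGLING)]
    vendors = set()
    for svc in entries.get("O23", []):   # "Service: name - vendor - path"
        parts = svc.split(" - ")
        if len(parts) >= 3:
            vendors.update(v for v in SECURITY_VENDORS if v.lower() in parts[1].lower())
    return {"processes": len(processes), "dangling": dangling, "security_vendors": sorted(vendors)}
```

On the excerpt, the flagged entries are the Yahoo! Toolbar search hook with no file and the NVIDIA service whose binary is missing, both leftovers rather than signs of infection, which matches the "log looks clean" reading.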

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> oh yea i forgot to mention avast keeps askin to reboot everytime i reboot. its annoying!!! 2nd antivirus program uninstalled.

Install avast from scratch:
1. Uninstall avast from Control Panel first.
2. Boot.
3. Use Avast Uninstall for complete uninstallation.
4. Boot.
5. Install the latest version again.
6. Boot.
7. Check and post the results.

Which was the 2nd antivirus?
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Log looks clean as David said.

The virus detected may well be a false alarm:

http://forum.avast.com/index.php?board=2%3Baction=display%3Bthreadid=398

What exactly was the name and location of the file detected as malware?

I would suggest you scan your computer and your external HD if possible with an online scanner.

F-Secure
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

settnfires

  • Guest
da 2nd antivirus program was avg. it never ran or updated & i deleted it. avg anti-rootkit wont run. heres one thing it found, but this was afta da 1st two times my hd "stupposedly" got wiped by dat dark angel m.e. thing :(

8/27/2007   10:11:14 AM   1188223874   Free   1072   Sign of "VME family" has been found in "C:\Documents and Settings\Free\Application Data\SecondLife\cache\textures\c\c252bb12-0a0f-150c-eb29-f8f35f831a79" file.

> Log looks clean as David said.
>
> The virus detected may well be a false alarm:
>
> http://forum.avast.com/index.php?board=2%3Baction=display%3Bthreadid=398
>
> What exactly was the name and location of the file detected as malware?
>
> I would suggest you scan your computer and your external HD if possible with an online scanner.
>
> F-Secure

i saw this wen i first did a search on here. i rememba da file detected was NOT da avast update file. mayb da threat is gone & my windows is jus corrupted now?
« Last Edit: August 27, 2007, 06:33:24 PM by settnfires »

settnfires

  • Guest
> > oh yea i forgot to mention avast keeps askin to reboot everytime i reboot. its annoying!!! 2nd antivirus program uninstalled.
>
> Install avast from scratch:
> 1. Uninstall avast from Control Panel first.
> 2. Boot.
> 3. Use Avast Uninstall for complete uninstallation.
> 4. Boot.
> 5. Install the latest version again.
> 6. Boot.
> 7. Check and post the results.
>
> Which was the 2nd antivirus?

i mentioned i did this already. did it 3 times... twice afta my drive got wiped da 2nd time. bootscan worked wen avast wasnt updated. bootscan didnt wrk afta it was updated.

avg was da 2nd av. neva ran & neva updated. so i uninstalled it rite away
« Last Edit: August 27, 2007, 06:43:59 PM by settnfires »

settnfires

  • Guest
Panda

tried it... didnt find anything

settnfires

  • Guest
ok i m scannin wit super antispyware and spyware terminator and they both havnt found anything. i think i got rid of da virus sumwhere along da way, but now my windows is corrupted & needs a repair. anybody else think da same? i kno its corrupted cuz i cant open certain things anymore:

user accounts (in control panel)
avg antirootkit wouldnt open
avg antivirus wouldnt open

any ideas?
« Last Edit: August 27, 2007, 08:04:24 PM by settnfires »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
> bootscan worked wen avast wasnt updated. bootscan didnt wrk afta it was updated.

Alwil acknowledges the boot time scanning bug (http://forum.avast.com/index.php?topic=29999.msg247134#msg247134). You'll need to wait for the next program update. Igor answers here that the problem persists: http://forum.avast.com/index.php?topic=30138.msg248589#msg248589

> avg antivirus wouldnt open

You've said you've uninstalled it... it will conflict with avast, even if you only disable it... you need to uninstall it.
The best things in life are free.

settnfires

  • Guest
correct. i tried to run it & it didnt wrk. this was before i uninstalled it. so i uninstalled it.

but to ease everybody's pain here, includin mine, i jus wiped my hd for da 3rd time in 3 days. reinstallin everything now AFTER installin all da protection FIRST (super antispyware, avast, avg antispyware). wish me luck!

thanks EVERYBODY for chimin in so promptly. i really really appreciate da help.

avast is STILL da best antivirus program out there to me! :)