Symantec won't virus scan...FIXED see inside for details

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
I went to run a virus scan, using the latest version of Symantec Antivirus Corporate, without the firewall... I get it free as Military.

And I got an error message 0x20000058 and the scan engine wouldn't initialize. I tried an uninstall which seemed to cause the system to freeze. I finally managed an uninstall and tried to reinstall Symantec, only the installation would get terminated automatically before completion. I feared something was on my system. I am running Sygate free firewall so I cleared the list of available programs.

One thing it prompted me for was this:
C:\WINDOWS\system32\Winrbd32.exe was trying to access jug.romail3arnest.info

I said no, deny everything. That file is a hidden file. I tried to find out what it did on Google and found no information, so I changed the name of it to .2exe

Downloaded HijackThis and ran a scan, and now I am praying someone can help me fix my PC. I am in the military, deployed, and I don't have my Windows XP disk with me, and short of backing up everything to a dozen CDs I would hate to have to lose all my stuff.

Thanks in advance.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:03 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\Rainier\My Documents\Programs\CrystalCPUID44\CrystalCPUID.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\DOCUME~1\Rainier\LOCALS~1\Temp\Rar$EX00.485\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://horizons.istaria.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [[Win Xp] Personal Firewall] Winrbd32.exe
O4 - HKLM\..\RunServices: [[Win Xp] Personal Firewall] Winrbd32.exe
O4 - Startup: Shortcut to CrystalCPUID.lnk = C:\Documents and Settings\Rainier\My Documents\Programs\CrystalCPUID44\CrystalCPUID.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} (Launcher Control) - https://horizons.istaria.com/controls/launcher.ocx
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1114728065781
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
Oh yes, a few more things: I did try a system restore, and Windows failed to load properly a few times. I also just found out from reading in HijackThis that the winrbd32.exe is part of Windows XP firewall.

When I went to my network connection and clicked on the Advanced tab, I get this error:
"windows cannot display the properties of this connection. the windows management instrumentation information might be corrupted. to correct this, use system restore to restore windows to an earlier time..." etc.

Once again thanks.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Yeah, that looks suspicious. Try this:

1) download the manual scanner described in this text file and unzip it as the directions say.

2) reboot into Safe Mode

3) run that scanner. Its window will vanish when it's done, and any info will be put into a file C:\report.html.


Because that scanner doesn't need installing per se, it shouldn't mess up your existing scanner. Once it has run, you might see if you can stay in Safe Mode and run the Symantec scanner now?

Good luck!
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
"I also just found out from reading in HijackThis that the winrbd32.exe is part of Windows XP firewall."
I think that's a ruse designed to ward off your suspicions.
 

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
Ok, after I run that file you linked, should I then copy and paste the information here? And since you are online, do you have MSN Messenger or Ventrilo or anything that I can talk to you and get maybe a little real time help? Thanks, I will wait for your reply and proceed from there.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: SilthDraeth
"Ok, after I run that file you linked, should I then copy and paste the information here?"
Yeah, go ahead and let's do that.
"And since you are online, do you have MSN Messenger or Ventrilo or anything that I can talk to you and get maybe a little real time help? Thanks, I will wait for your reply and proceed from there."
I don't have any IM programs that I use but I'll probably be up for a little while longer (11PM Pacific Time here). The scanner could take quite a while depending how much data you have and how chewy it is, so otherwise I'll have to catch up with you tomorrow if it takes too long.

 

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
Ok thanks man.
Glad you caught this thread, you and this other guy, has an old man avatar I think, you guys are life savers. I will be into Safe Mode and running the scan right now.
 

SilthDraeth

Platinum Member
Oct 28, 2003
2,635
0
71
Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4100 created Jul 15 2005
Scanning for 138536 viruses, trojans and variants.

Virus Scan Results



07/16/2005 02:04:51


Options:
/ADL /ALL /ALLOLE /ANALYZE /DEL /DOHSM /MAILBOX /MANALYZE /MIME /HTML C:\REPORT.HTML /PANALYZE /PROGRAM /STREAMS /UNZIP /WINMEM

Scanning C: []
Scanning C:\*.*
C:\WINDOWS\system32\Winrbd32.exe\Winrbd32.exe ... Found the W32/Sdbot.worm.gen.g virus !!!
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 65753
Clean: ................. 65690
Possibly Infected: ..... 1
Deleted: ............... 1
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning E: []
Scanning E:\*.*

Summary report on E:\*.*
File(s)
Total files: ........... 4
Clean: ................. 2
Possibly Infected: ..... 0
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:23.44


Visit the Network Associates Online Web Site
Need some help or advice? Send email to Technical Support.
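
Added example, not part of the thread and not written by any poster: a small Python triage of the HijackThis O4 autorun lines from the first post, showing why the Winrbd32.exe entries stand out in the log before any scanner names the file. The three signals and the threshold of two are illustrative assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict

# Sample input: Platform and O4 lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [[Win Xp] Personal Firewall] Winrbd32.exe
O4 - HKLM\..\RunServices: [[Win Xp] Personal Firewall] Winrbd32.exe
O4 - Startup: Shortcut to CrystalCPUID.lnk = C:\Documents and Settings\Rainier\My Documents\Programs\CrystalCPUID44\CrystalCPUID.exe
"""

# Greedy (.*) keeps value names that themselves contain brackets in one piece.
O4_REGISTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*)\] (.+)$")

def parse_o4(log_text):
    """Return registry autorun entries as dicts (hive, key, name, command)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REGISTRY.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "command": command})
    return entries

def triage(log_text, threshold=2):
    """Map command -> sorted reasons, for commands with >= threshold signals."""
    keys_by_cmd = defaultdict(set)
    for e in parse_o4(log_text):
        keys_by_cmd[e["command"].lower()].add(e["key"])
    findings = {}
    for cmd, keys in keys_by_cmd.items():
        reasons = set()
        exe = cmd.strip('"')
        if "\\" not in exe and "/" not in exe:
            reasons.add("bare filename, no directory")
        if len(keys) > 1:
            reasons.add("same command in several autorun keys")
        if "RunServices" in keys:  # Windows 9x-era key, unusual on XP
            reasons.add("uses RunServices (Windows 9x-era key)")
        if len(reasons) >= threshold:
            findings[cmd] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_LOG).items():
        print(cmd, "->", "; ".join(reasons))
```

A bare filename alone is not enough to flag an entry: the legitimate `atiptaxx.exe` line has one too, which is why the threshold requires a second signal.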