Something infects EXE files and cannot restart PC


23 replies to this topic

#1 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 02 October 2007 - 09:08 AM

Hello! I've been experiencing a nightmare with my laptop. It's infected with some sort of malware that doesn't allow my sound card to run, and it automatically shuts down and deletes almost any .EXE files from all the antiviruses I had (AVG, Avast, Nod32 etc.). Files cannot be extracted correctly from .MSI and .EXE setups, so I cannot install any security updates from Windows or so. Please help! Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:05:01, on 24.09.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BPK\bpk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\BPK\bpkwb.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

And here's a more recent one:

Logfile of HijackThis v1.99.1
Scan saved at 18:00:56, on 02.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190650461781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...129/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)

Thank you kindly in advance, fine people!
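As an added example (not code from the thread, from HijackThis, or from the forum), the following Python script shows how a helper would triage the two logs above: it parses the `R`/`F`/`O` entry lines, lists entries that appeared between the two scans, and flags entries whose target HijackThis marked as `(file missing)`. The embedded sample logs are short excerpts of the two logs posted in this thread; the function names and the `triage` summary format are assumptions of this example.

```python
"""Diff two HijackThis logs and flag entries whose binary is missing.

Added example for the thread above; not HijackThis code. The two sample
logs below are trimmed excerpts of the logs the original poster pasted.
"""
import re

# An HJT entry line looks like "O23 - Service: name - owner - path".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# Excerpt of the first log (24.09.2007): keylogger autorun, one service.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19:05:01, on 24.09.2007

Running processes:
C:\Program Files\BPK\bpk.exe

O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Excerpt of the second log (02.10.2007): AV autoruns present, AV service
# binaries reported missing, which matches the "deletes antivirus EXEs" story.
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 18:00:56, on 02.10.2007

Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
"""


def parse_hjt(text):
    """Return {entry_type: [body, ...]} for every R/F/O entry line in a log.

    Header lines and the 'Running processes' list do not match ENTRY_RE
    and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.setdefault(match.group("type"), []).append(match.group("body"))
    return entries


def flatten(entries):
    """Turn the parsed dict into a list of (type, body) tuples, in log order."""
    return [(etype, body) for etype, bodies in entries.items() for body in bodies]


def missing_files(entries):
    """Entries whose target HijackThis reported as '(file missing)'."""
    return [(t, b) for t, b in flatten(entries) if "(file missing)" in b]


def new_entries(old, new):
    """Entries present in the newer log but absent from the older one."""
    old_set = set(flatten(old))
    return [entry for entry in flatten(new) if entry not in old_set]


def triage(old_text, new_text):
    """Summarise what changed between two HJT logs (assumed output format)."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    already_missing = set(missing_files(old))
    return {
        "new_entries": new_entries(old, new),
        "missing_in_new": missing_files(new),
        # Targets that were still present at the first scan but are gone now.
        "newly_missing": [e for e in missing_files(new) if e not in already_missing],
    }


if __name__ == "__main__":
    report = triage(OLD_LOG, NEW_LOG)
    for key, rows in report.items():
        print(f"== {key} ({len(rows)}) ==")
        for etype, body in rows:
            print(f"  {etype} - {body}")
```

Run against the excerpts, the `newly_missing` list contains only the two `O23` antivirus services (avast! and NOD32), while the `xpnetdiag.exe` entry is excluded because it was already missing in the first log. That distinction is the useful signal here: security-product binaries that were present at one scan and gone at the next corroborate the poster's description far better than a stale, harmless "(file missing)" that was there all along.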



#2 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 03 October 2007 - 01:28 AM

Hi,

I have bad news for you... :(
It appears that you are dealing with the Virut virus.
What I suggest in your case is to format and reinstall Windows. This is because Virut is a file infector which infects every exe present on your system. The problem with Virut is that it is a buggy file infector, and that's why scanners cannot disinfect the files properly either; the result is that files are corrupted and won't work anymore, or get deleted by the scanners instead.
And as I already explained, Virut infects every exe. This means that you may not delete these files; they should be disinfected instead. And since it's a buggy virus, the files cannot be properly disinfected.
This unfortunately means that this is a game over situation and there's not much you can do besides formatting and reinstalling Windows.
Don't back up your files either, because when you back up exe files, they are infected as well. You can however back up pictures and documents.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/i...all-format.html

#3 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 04 October 2007 - 05:10 AM


Thank you for your answer! My laptop works fine if I just keep it turned on: same speed, same everything. The problem is I don't have the sound, and I cannot use my scanner. Otherwise, Outlook and all such programs are running smoothly. I kindly ask you if you could give me some links to some removal tools for that virus. I have many programs installed and I'm mostly away from home, so I don't have the time needed to reinstall all programs.
Thank you again!

Sergiu

#4 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 04 October 2007 - 06:22 AM

Hi,

If your exe's are infected, as you started this thread with, then there's nothing you can do, because it's most probably the Virut variant (which is spreading very fast nowadays). In that case, scanners can't disinfect them, since it's a buggy virus and it misinfects files, so a misinfected file is corrupted, and scanners cannot disinfect corrupted files, so they get deleted. The latest Virut variant is only detected by a few scanners, but they cannot deal with it anyway.

For other file infectors, I also recommend a format and reinstall. This is because when a legitimate file gets infected, it should get disinfected, because legitimate files may not get deleted; these infected files include system files as well. So, when a file infector is present, a lot of files become corrupted, and as I already explained, scanners cannot disinfect corrupted files. Also, even though the files may still run properly while being infected, after you use a scanner to disinfect them, they may become corrupted instead. And that's why in cases when a file infector is present, I always recommend a format and reinstall, because there's nothing we can do with corrupted files, including system files, unless you replace them all manually, and even then you will have a hard time doing this and it will take a lot of time to replace all infected exe's. A format and reinstall only costs an hour or so. Then you can reinstall the other programs again, one by one, when you need them.

I also notice that you are dealing with a keylogger on top (BlazingTools Perfect Keylogger), and since you are having so many issues with your sound, files that cannot be extracted anymore etc., well, your system is indeed already severely corrupted and a format and reinstall is the fastest and especially the safest solution here.

#5 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 04 October 2007 - 10:56 AM


Thank you once again. Exe's are working. Only the scanner doesn't seem to work... I guess it could be the fact that perhaps its executable file has a name that sounds familiar to virus scanners, and that's why it got corrupted in the first place. But still, could you point me to some removal tools, so that we make sure it's the Virut virus after all? Please! And then I'll install a clean system, if that would be the case. Thanks a million!

#6 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 04 October 2007 - 11:18 AM

Ok, now this is really confusing - are your exe's infected or not? It doesn't always mean because they are infected that they won't run. Infected exe's do actually run, otherwise there's no point in infecting them.

To find out, do next please..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

Also, are you aware that Perfect Keylogger is installed? Did you install it?

#7 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 04 October 2007 - 01:51 PM

Ok. Here it is:

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 10:39:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 427385


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 55260
Number of viruses found 9
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 01:40:55

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03182007-171425.log Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\CommView for WiFi 5.5 build 532 CRACK.zip.bac_a03692/CommView for WiFi 5.5 build 532 CRACK.exe/run.exe Infected: P2P-Worm.Win32.HappyNewYear.a skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\CommView for WiFi 5.5 build 532 CRACK.zip.bac_a03692/CommView for WiFi 5.5 build 532 CRACK.exe/path.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\CommView for WiFi 5.5 build 532 CRACK.zip.bac_a03692/CommView for WiFi 5.5 build 532 CRACK.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\CommView for WiFi 5.5 build 532 CRACK.zip.bac_a03692 ZIP: infected - 3 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\CommView for WiFi 5.5 build 532 CRACK.zip.bac_a03692 CryptFF.b: infected - 3 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.al skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692/bpkwb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.aa skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692/rinst.exe Infected: Trojan-Spy.Win32.Perfloger.f skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692 RAR: infected - 4 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692 RapSFX: infected - 4 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\durere in suflet cand pierzi pe cineva.exe.bac_a03692 CryptFF.b: infected - 4 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/bpkun.exe Infected: not-a-virus:Monitor.Win32.Perflogger.an skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/Setup.exe Infected: not-a-virus:Monitor.Win32.Perflogger.af skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.al skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/bpkwb.dll Infected: not-a-virus:Monitor.Win32.Perflogger.aa skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692/bpkr.exe Infected: Trojan-Spy.Win32.Perfloger.f skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692 RAR: infected - 6 skipped

C:\Documents and Settings\Servus\.housecall6.6\Quarantine\i_bpk2003.exe.bac_a03692 CryptFF.b: infected - 6 skipped

C:\Documents and Settings\Servus\Application Data\Microsoft\Outlook\Servus.NK2 Object is locked skipped

C:\Documents and Settings\Servus\Application Data\Microsoft\Outlook\Servus.srs Object is locked skipped

C:\Documents and Settings\Servus\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Servus\Application Data\Microsoft\Word\STARTUP\Finereader6.sprint.dot Object is locked skipped

C:\Documents and Settings\Servus\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Outlook\Servusmail.servus.ro-00000002.pst Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D45D086A-D5B6-4778-9A21-C5237873840E} Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\History\History.IE5\MSHist012007100420071005\index.dat Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Temp\Perflib_Perfdata_790.dat Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Temp\~DF2155.tmp Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Temp\~DF267F.tmp Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Temp\~DFC788.tmp Object is locked skipped

C:\Documents and Settings\Servus\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Servus\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Servus\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\eMule\Temp2.part Object is locked skipped

C:\Program Files\eMule\Temp6.part Object is locked skipped

C:\Program Files\eMule\Temp7.part Object is locked skipped

C:\Program Files\eMule\Temp9.part Object is locked skipped

C:\Program Files\eMule\Temp10.part Object is locked skipped

C:\Program Files\eMule\Temp11.part Object is locked skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Program Files\Yahoo!\Messenger\logs\billing_Servus.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\client_Servus.log Object is locked skipped

C:\Program Files\Yahoo!\Messenger\logs\network_Servus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



Ok, now this is really confusing - are your exes infected or not? Being infected doesn't always mean that they won't run. Infected exes do actually run, otherwise there's no point in infecting them.

To find out, do next please..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

Also, are you aware that Perfect Keylogger is installed? Did you install it?



Yes, I'm aware that Perfect Keylogger is installed. I installed it, and the same kit didn't bother me on any other system I've installed it on. Now it's been disabled and "disinfected" by the scanners I've been scanning my drives with. Keylogger is not the problem.. for sure.. it's something else.. must be..
Regards,
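The quoted reply asks whether the executables are actually infected, and the Kaspersky log posted above is what has to answer that. As an added example, not part of this thread and not one of Kaspersky's tools, the Python script below sorts web scan lines of that format into three bins: "Object is locked skipped" means the file was in use and was never scanned (unknown, not clean), a detection name prefixed "not-a-virus:" is riskware such as mIRC rather than an infection, and anything else is a real detection. The sample lines are constructed in the same format; the "Example" paths and the "Virus.Win32.Example.a" name are placeholders, not real detections.

```python
import re

# Constructed sample in the format of the Kaspersky web scan log posted above.
# The "Example" paths and "Virus.Win32.Example.a" are made-up placeholders.
SAMPLE_KAV_LOG = r"""
C:\Documents and Settings\Servus\NTUSER.DAT Object is locked skipped
C:\Program Files\eMule\Temp2.part Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\Program Files\Example\tool.exe Infected: Virus.Win32.Example.a skipped
C:\Program Files\Example\service.exe Object is locked skipped
Scan process completed.
"""

# One scan result per line: "<path> Object is locked skipped" or
# "<path> Infected: <detection> skipped". Paths may contain spaces, so the
# path group is non-greedy and the status is anchored at end of line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<detection>\S+) skipped)$"
)

# Extensions that matter when a locked (unscanned) file is a program, not data.
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def parse_kav_log(text):
    """Turn scan output into dicts with path, status ('locked'/'infected') and detection."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, "Scan process completed.", anything else
        if m.group("locked"):
            entries.append({"path": m.group("path"), "status": "locked", "detection": None})
        else:
            entries.append({"path": m.group("path"), "status": "infected",
                            "detection": m.group("detection")})
    return entries


def triage(entries):
    """Split results into unscanned files, riskware and real detections."""
    summary = {"locked": 0, "riskware": [], "malware": [], "unscanned_executables": []}
    for e in entries:
        is_exec = e["path"].lower().endswith(EXEC_EXTENSIONS)
        if e["status"] == "locked":
            summary["locked"] += 1
            if is_exec:
                # A locked program file was never inspected; treat it as unknown.
                summary["unscanned_executables"].append(e["path"])
        elif e["detection"].startswith("not-a-virus:"):
            # Kaspersky's prefix for legitimate-but-risky tools (IRC clients, remote admin).
            summary["riskware"].append((e["path"], e["detection"]))
        else:
            summary["malware"].append((e["path"], e["detection"]))
    return summary


if __name__ == "__main__":
    s = triage(parse_kav_log(SAMPLE_KAV_LOG))
    print(f"{s['locked']} files locked (not scanned), "
          f"{len(s['unscanned_executables'])} of them executables")
    for path, name in s["riskware"]:
        print("riskware :", path, "->", name)
    for path, name in s["malware"]:
        print("infected :", path, "->", name)
```

Run it against a saved "Save as Text" report instead of the sample by reading the file into `parse_kav_log`; only the "malware" list answers the question the reply asks, while "unscanned_executables" lists program files the scanner never got to look at.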

#8 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 04 October 2007 - 01:54 PM

Kaspersky doesn't detect the Virut, but as I already explained, the latest Virut variant is not really detected yet by most scanners...
Why did you install a keylogger in the first place?

As far as I could see in your log, this keylogger is still present and running though..

I see you're not afraid of visiting cracksites and other illegal sites, because some cracks are being flagged as malicious.
If you visit cracksites, use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :(
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Do next please..

* Download Combofix to your desktop.

In case you have used Combofix before, please delete the version you have and redownload it, because Combofix is being updated every day.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


* Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#9 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 04 October 2007 - 02:28 PM

Extra note - one thing is for sure - you are dealing with something very nasty here, and the fact that you have mIRC installed is at this moment not a good idea. This is because whatever you are dealing with can be controlled/modified via mIRC/IRC by a hacker... or even use mIRC to infect more computers. So that's why I strongly recommend you temporarily uninstall mIRC.

#10 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 October 2007 - 10:09 AM

Kaspersky doesn't detect the Virut, but as I already explained, the latest Virut variant is not really detected yet by most scanners...
Why did you install a keylogger in the first place?

As far as I could see in your log, this keylogger is still present and running though..

I see you're not afraid of visiting cracksites and other illegal sites, because some cracks are being flagged as malicious.
If you visit cracksites, use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :(
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Do next please..

* Download Combofix to your desktop.

In case you have used Combofix before, please delete the version you have and redownload it, because Combofix is being updated every day.

In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


* Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


Hi again!
Thanks for helping!

The log was taken in Safe mode, because after restart the PC couldn't run Windows normally, so I started it in safe mode, and then it worked and saved this log:


ComboFix 07-10-04.6 - Servus 2007-10-05 0:45:21.1 - NTFSx86
Running from: C:\Documents and Settings\Servus\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-05 00:45 1,891,840 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-10-05 00:45 1,891,840 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-10-05 00:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 17:30 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2007-09-30 17:30 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2007-09-30 17:30 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2007-09-30 17:30 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2007-09-30 17:30 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2007-09-30 17:30 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2007-09-30 17:30 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2007-09-30 17:29 113,944 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-09-30 17:29 113,944 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-09-30 17:29 1,081,112 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-09-30 17:29 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-09-30 17:21 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-09-30 17:21 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-09-30 17:21 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-09-30 17:21 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-09-30 16:03 28,556,584 --a------ C:\avg75free_488a1138.exe
2007-09-30 15:13 <DIR> d-------- C:\Documents and Settings\Servus\Application Data\Yahoo! Messenger
2007-09-30 12:43 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-09-30 09:33 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-30 09:32 <DIR> d-------- C:\Documents and Settings\Servus\.housecall6.6
2007-09-29 19:37 <DIR> d-------- C:\Program Files\Spyware Seizer
2007-09-29 01:41 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-29 01:41 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-29 01:41 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-29 01:41 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-29 01:41 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-09-29 01:41 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-29 01:41 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-29 01:41 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-29 01:41 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-29 01:00 77,824 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2007-09-29 01:00 520,192 --a--c--- C:\WINDOWS\system32\dllcache\wmplayer.exe
2007-09-29 01:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2007-09-29 01:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2007-09-29 01:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2007-09-28 21:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-28 10:20 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-27 00:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-26 21:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-26 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-26 09:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-24 21:52 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 21:52 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-24 21:52 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-24 19:40 <DIR> d-------- C:\WINDOWS\system32\Mira6
2007-09-24 19:40 <DIR> d-------- C:\Program Files\ScanDrv6
2007-09-24 19:08 <DIR> d-------- C:\Program Files\CCleaner
2007-09-24 18:58 <DIR> d-------- C:\Documents and Settings\Servus\Application Data\Jetico Personal Firewall
2007-09-24 18:03 <DIR> d-------- C:\Program Files\BenQ
2007-09-24 17:21 86,016 --a------ C:\WINDOWS\SoundMan.exe
2007-09-24 17:21 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2007-09-24 17:09 9,709,568 --a------ C:\WINDOWS\RTLCPL.exe
2007-09-24 17:09 4,304,384 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-09-24 17:09 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-09-24 17:09 364,544 --a------ C:\WINDOWS\RtlUpd.exe
2007-09-24 17:09 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
2007-09-24 17:09 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2007-09-24 17:09 2,158,592 --a------ C:\WINDOWS\MicCal.exe
2007-09-24 17:09 16,248,320 --a------ C:\WINDOWS\RTHDCPL.exe
2007-09-24 16:51 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-24 16:51 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-09-24 16:51 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-09-24 16:51 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-24 16:43 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-24 16:31 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-09-24 16:31 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-09-24 16:31 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-09-24 16:29 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-09-24 16:29 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-09-24 16:27 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-09-24 16:27 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2007-09-24 16:27 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2007-09-24 16:27 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-09-15 13:37 <DIR> d-------- C:\bb5_unlocker
2007-09-15 13:05 <DIR> d-------- C:\Program Files\MYMA Decoder and Viewer
2007-09-15 12:01 <DIR> d-------- C:\Program Files\YArchiveViewerWB
2007-09-05 23:47 <DIR> d-------- C:\Program Files\BuddyCheck
2007-09-05 23:47 <DIR> d-------- C:\Documents and Settings\Servus\Application Data\Nuotex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 23:06 --------- d-------- C:\Program Files\eMule
2007-10-02 23:56 --------- d-------- C:\Program Files\mIRC
2007-09-26 11:02 --------- d-------- C:\Program Files\Windows Defender
2007-09-24 19:43 --------- d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-09-24 19:42 --------- d-------- C:\Documents and Settings\Servus\Application Data\Mira6
2007-09-24 19:08 --------- d-------- C:\Program Files\Yahoo!
2007-09-24 18:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-24 17:21 --------- d-------- C:\Program Files\Realtek
2007-09-08 15:03 --------- d-------- C:\Documents and Settings\Servus\Application Data\Ulead Systems
2007-09-03 20:59 --------- d-------- C:\Program Files\TEsT Box-II
2007-08-28 13:17 --------- d-------- C:\Program Files\NokiaFREE Unlock Codes Calculator
2007-08-24 00:19 --------- d-------- C:\Program Files\ATMDesk
2007-08-05 14:18 --------- d-------- C:\Program Files\TheGX15UpgradingTool
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-04-26 14:13]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 05:49 C:\WINDOWS\system32\tweakui.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" []
"SkyTel"="SkyTel.EXE" [2007-03-04 17:11 C:\WINDOWS\SkyTel.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2007-03-04 17:11 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-03-04 17:11 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2007-03-04 17:11 C:\WINDOWS\alcwzrd.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 06:41]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{142483DF-44BE-4ADE-875F-6B05CCBCE17C}"= C:\Program Files\Spyware Seizer\BtHelpFive.dll [2007-06-01 06:34 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Servus^Start Menu^Programs^Startup^Shortcut to avg75free_488a1138.lnk]
path=C:\Documents and Settings\Servus\Start Menu\Programs\Startup\Shortcut to avg75free_488a1138.lnk
backup=C:\WINDOWS\pss\Shortcut to avg75free_488a1138.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)


*Newly Created Service* - PARPORT
.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 19:08:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 00:56:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-05 0:58:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-05 00:57
.
--- E O F ---


After repairing Windows, I took this HijackThis log. The virus is still active (I still can't have a remove.exe file created on the desktop; it will delete itself in an instant):



Logfile of HijackThis v1.99.1
Scan saved at 19:02:13, on 05.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190650461781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...129/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)

Thanks in advance for any further advice!
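In the HijackThis log above the avast! and NOD32 services (O23 entries) are still registered, but their executables are reported "(file missing)", which is consistent with the poster's account of antivirus .exe files being deleted. As an added example, not from this thread and not part of HijackThis itself, the Python script below parses log lines in that format, lists every entry whose target file is gone, and breaks the O23 service entries out into name, owner and path so the orphaned service registrations stand out. The sample lines are constructed from entries in the log above.

```python
import re

# Constructed sample lines in HijackThis 1.99.1 format, copied from the kinds of
# entries in the log above (two live entries, three with a missing target file).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
"""

# Every HijackThis line starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O23 body: "Service: <name> - <owner> - <path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
MISSING_SUFFIX = " (file missing)"


def parse_hjt_log(text):
    """Return one dict per log entry: section code, body text, and whether the target is gone."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, "Running processes:" block, blank lines
        body = m.group("body")
        entries.append({"section": m.group("section"), "body": body,
                        "file_missing": body.endswith(MISSING_SUFFIX)})
    return entries


def parse_service(entry):
    """Split an O23 entry into name/owner/path; None for other sections."""
    if entry["section"] != "O23":
        return None
    m = SERVICE_RE.match(entry["body"])
    if not m:
        return None
    return {"name": m.group("name"), "owner": m.group("owner"),
            "path": m.group("path"), "file_missing": m.group("missing") is not None}


def file_missing_entries(entries):
    """(section, body without the marker) for every entry HijackThis could not find on disk."""
    return [(e["section"], e["body"][:-len(MISSING_SUFFIX)])
            for e in entries if e["file_missing"]]


def orphaned_services(entries):
    """Service registrations whose executable no longer exists: a sign the binary was removed."""
    return [s for s in map(parse_service, entries) if s and s["file_missing"]]


if __name__ == "__main__":
    entries = parse_hjt_log(SAMPLE_HJT_LOG)
    for section, body in file_missing_entries(entries):
        print(f"{section}: target missing -> {body}")
    for s in orphaned_services(entries):
        print(f"orphaned service '{s['name']}' ({s['owner']}): {s['path']}")
```

The useful signal is the combination: an O23 entry still present in the registry while its path is missing means the service was registered and its binary later disappeared, which for security products points at tampering rather than at a normal uninstall. Point `parse_hjt_log` at a real HijackThis log file to list all such entries.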



#11 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 05 October 2007 - 12:33 PM

Hi,

After repairing Windows, I took this hijackthis log.

How did you repair? Because if you "repair" after you have been using Combofix, it won't make sense since everything that Combofix deleted will be back.
You are indeed dealing with a very nasty worm.
And the more security related programs you are trying to install, the worse you will make it. Read here for more info: http://www.symantec...._...-99&tabid=2
So what I suggest here is to uninstall any of your scanners you have been installing before.

It also damages a lot.

Then run Combofix again and post the log in your next reply.

#12 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 October 2007 - 01:01 PM

Before the infection, I was only using Windows Defender and Nod32. The rest of the scanners came afterwards, and the problem is still there, meaning that my PC acts the same way as before installing any scanners at all. I cannot make another log, cause I'm gonna have to install Windows all over again if I restart the PC. And that's kinda' annoying. Anyways, I appreciate your help. If there's any other way around, I would gladly accept, BUT no mo' waiting 'till Windows repairs. (repair choosing R after Win XP CD boot). Thanks again!

#13 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 05 October 2007 - 01:54 PM

What happens if you reboot now? Are you actually able to reboot? This is important to know...

#14 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 05 October 2007 - 02:12 PM

Actually, this doesn't make sense...

The log was taken in Safe mode, because after restart the PC couldn't run Windows normally, so I started it in safe mode, and then it worked and saved this log:


ComboFix 07-10-04.6 - Servus 2007-10-05 0:45:21.1 - NTFSx86
Running from: C:\Documents and Settings\Servus\Desktop\ComboFix.exe

It is strange you were even able to run Safe mode, because the infection you are dealing with deletes important SafeBoot keys to prevent you going into safe mode.

I actually have been playing with this infection before and you shouldn't have any problems with Combofix though - unless not all files were deleted properly as I see here.

What you can do is next..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\srosa.sy_
C:\WINDOWS\system32\drivers\hidr.exe

Folder::
C:\Documents and Settings\Servus\Application Data\m
C:\WINDOWS\exefld

Driver::
srosa

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mule_st_key"=-
[-HKEY_CURRENT_USER\Software\FirstRRRun]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
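The post above says this infection deletes the SafeBoot keys so that safe mode no longer starts. As an added example, not from this thread and not part of ComboFix, the Python script below reads HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network through the standard winreg module on a Windows machine and reports keys that are absent, empty, or missing core load-order groups. The CORE_GROUPS list is an assumption: a subset of the group names a stock Windows XP install carries under both keys, chosen for illustration. assess_safeboot is a pure function, so the same check can be run against subkey names collected by other means, which is also how it is exercised on a non-Windows host.

```python
import sys

SAFEBOOT_PATH = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
REQUIRED_SUBKEYS = ("Minimal", "Network")

# Assumption: these load-order groups are present under both SafeBoot\Minimal and
# SafeBoot\Network on an unmodified Windows XP install. It is a subset chosen for
# illustration, not the complete list, so a clean machine may list more.
CORE_GROUPS = frozenset({
    "Base", "Boot Bus Extender", "Boot file system", "File system",
    "Primary disk", "SCSI Class", "System Bus Extender",
})


def read_safeboot_subkeys():
    """Enumerate the live SafeBoot subkeys: {name: set of subkeys, or None if the key is gone}."""
    if sys.platform != "win32":
        # winreg only exists on Windows; report both keys as unreadable here.
        return {name: None for name in REQUIRED_SUBKEYS}
    import winreg
    present = {}
    for name in REQUIRED_SUBKEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_PATH + "\\" + name) as key:
                count = winreg.QueryInfoKey(key)[0]  # number of subkeys
                present[name] = {winreg.EnumKey(key, i) for i in range(count)}
        except OSError:
            present[name] = None  # key does not exist or cannot be opened
    return present


def assess_safeboot(present):
    """Return human-readable findings; an empty list means both keys look intact."""
    findings = []
    for name in REQUIRED_SUBKEYS:
        subkeys = present.get(name)
        if subkeys is None:
            findings.append(f"SafeBoot\\{name}: key missing (safe mode cannot start)")
            continue
        if not subkeys:
            findings.append(f"SafeBoot\\{name}: key present but empty")
            continue
        missing = sorted(CORE_GROUPS - set(subkeys))
        if missing:
            findings.append(f"SafeBoot\\{name}: core groups missing: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Live registry check needs Windows; assess_safeboot() still works on collected data.")
    else:
        findings = assess_safeboot(read_safeboot_subkeys())
        print("\n".join(findings) if findings
              else "SafeBoot\\Minimal and SafeBoot\\Network look intact")
```

A finding of "key missing" on a machine that otherwise boots is the state the post describes; restoring the keys is a job for the cleanup tool being used, and the check is only meant to confirm the damage and, later, that the repair took.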

#15 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 06 October 2007 - 01:49 AM

Actually, this doesn't make sense...

The log was taken in Safe mode, because after restart the PC couldn't run Windows normally, so I started it in safe mode, and then it worked and saved this log:


ComboFix 07-10-04.6 - Servus 2007-10-05 0:45:21.1 - NTFSx86
Running from: C:\Documents and Settings\Servus\Desktop\ComboFix.exe

It is strange you were even able to run Safe mode, because the infection you are dealing with deletes important SafeBoot keys to prevent you going into safe mode.

I actually have been playing with this infection before and you shouldn't have any problems with Combofix though - unless not all files were deleted properly as I see here.

What you can do is next..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\srosa.sy_
C:\WINDOWS\system32\drivers\hidr.exe

Folder::
C:\Documents and Settings\Servus\Application Data\m
C:\WINDOWS\exefld

Driver::
srosa

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mule_st_key"=-
[-HKEY_CURRENT_USER\Software\FirstRRRun]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


I don't know... perhaps it's not about the virus you had in mind??

Here's the log after a 10 minutes reboot:

ComboFix 07-10-04.6 - Servus 2007-10-06 10:21:55.2 - NTFSx86
Running from: C:\Documents and Settings\Servus\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Servus\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sy_
C:\WINDOWS\system32\drivers\srosa.sys
.

((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-05 08:04 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-05 08:03 73,728 --a--c--- C:\WINDOWS\system32\dllcache\icwtutor.exe
2007-10-05 08:03 61,440 --a--c--- C:\WINDOWS\system32\dllcache\icwres.dll
2007-10-05 08:03 57,344 --a--c--- C:\WINDOWS\system32\dllcache\icwconn.dll
2007-10-05 08:03 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icwutil.dll
2007-10-05 08:03 40,960 --a--c--- C:\WINDOWS\system32\dllcache\trialoc.dll
2007-10-05 08:03 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwrmind.exe
2007-10-05 08:03 155,648 --a--c--- C:\WINDOWS\system32\dllcache\icwhelp.dll
2007-10-05 08:01 189,440 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-10-05 08:01 139,776 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-10-05 08:01 113,944 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-10-05 08:01 1,081,112 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-10-05 01:21 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-10-05 01:21 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-10-05 01:21 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-10-05 01:21 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-10-05 00:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 17:32 38,912 --a------ C:\WINDOWS\system32\wpd_ci.dll
2007-09-30 17:32 10,752 --a------ C:\WINDOWS\system32\wpdtrace.dll
2007-09-30 16:03 28,556,584 --a------ C:\avg75free_488a1138.exe
2007-09-30 15:13 <DIR> d-------- C:\Documents and Settings\Servus\Application Data\Yahoo! Messenger
2007-09-30 12:43 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-09-30 09:33 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-30 09:32 <DIR> d-------- C:\Documents and Settings\Servus\.housecall6.6
2007-09-29 19:37 <DIR> d-------- C:\Program Files\Spyware Seizer
2007-09-29 01:41 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-29 01:41 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-29 01:41 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-29 01:41 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-29 01:41 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-09-29 01:41 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-29 01:41 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-29 01:41 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-29 01:41 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-29 01:00 77,824 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2007-09-29 01:00 520,192 --a--c--- C:\WINDOWS\system32\dllcache\wmplayer.exe
2007-09-29 01:00 24,576 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2007-09-29 01:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2007-09-29 01:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2007-09-28 21:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-28 10:20 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-27 00:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-26 21:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-26 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-26 09:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-24 21:52 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-24 21:52 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-24 21:52 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-24 19:40 <DIR> d-------- C:\WINDOWS\system32\Mira6
2007-09-24 19:40 <DIR> d-------- C:\Program Files\ScanDrv6
2007-09-24 19:08 <DIR> d-------- C:\Program Files\CCleaner
2007-09-24 18:58 <DIR> d-------- C:\Documents and Settings\Servus\Application Data\Jetico Personal Firewall
2007-09-24 18:03 <DIR> d-------- C:\Program Files\BenQ
2007-09-24 17:21 86,016 --a------ C:\WINDOWS\SoundMan.exe
2007-09-24 17:21 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2007-09-24 17:09 9,709,568 --a------ C:\WINDOWS\RTLCPL.exe
2007-09-24 17:09 4,304,384 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-09-24 17:09 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-09-24 17:09 364,544 --a------ C:\WINDOWS\RtlUpd.exe
2007-09-24 17:09 2,879,488 --a------ C:\WINDOWS\SkyTel.exe
2007-09-24 17:09 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2007-09-24 17:09 2,158,592 --a------ C:\WINDOWS\MicCal.exe
2007-09-24 17:09 16,248,320 --a------ C:\WINDOWS\RTHDCPL.exe
2007-09-24 16:51 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-24 16:51 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-09-24 16:51 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-09-24 16:51 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-24 16:43 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-24 16:31 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-09-24 16:31 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-09-24 16:31 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-09-24 16:29 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-09-24 16:29 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-09-24 16:27 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-09-24 16:27 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll
2007-09-24 16:27 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys
2007-09-24 16:27 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-09-15 13:37 <DIR> d-------- C:\bb5_unlocker
2007-09-15 13:05 <DIR> d-------- C:\Program Files\MYMA Decoder and Viewer
2007-09-15 12:01 <DIR> d-------- C:\Program Files\YArchiveViewerWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 10:15 --------- d-------- C:\Documents and Settings\Servus\Application Data\Nuotex
2007-10-04 23:06 --------- d-------- C:\Program Files\eMule
2007-10-02 23:56 --------- d-------- C:\Program Files\mIRC
2007-09-26 11:02 --------- d-------- C:\Program Files\Windows Defender
2007-09-24 19:43 --------- d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-09-24 19:42 --------- d-------- C:\Documents and Settings\Servus\Application Data\Mira6
2007-09-24 19:08 --------- d-------- C:\Program Files\Yahoo!
2007-09-24 18:03 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-24 17:21 --------- d-------- C:\Program Files\Realtek
2007-09-08 15:03 --------- d-------- C:\Documents and Settings\Servus\Application Data\Ulead Systems
2007-09-05 23:47 --------- d-------- C:\Program Files\BuddyCheck
2007-09-03 20:59 --------- d-------- C:\Program Files\TEsT Box-II
2007-08-28 13:17 --------- d-------- C:\Program Files\NokiaFREE Unlock Codes Calculator
2007-08-24 00:19 --------- d-------- C:\Program Files\ATMDesk
.

((((((((((((((((((((((((((((( snapshot@2007-10-05_ 0.57.18.64 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 204,800 2001-08-23 12:00:00 C:\WINDOWS\LastGood\System32\blackbox.dll
----a-w 179,712 2002-08-29 03:40:50 C:\WINDOWS\LastGood\System32\cewmdm.dll
----a-w 266,240 2002-08-29 03:40:50 C:\WINDOWS\LastGood\System32\drmclien.dll
----a-w 76,830 2002-08-29 03:40:50 C:\WINDOWS\LastGood\System32\drmstor.dll
----a-w 602,112 2002-08-29 03:40:50 C:\WINDOWS\LastGood\System32\drmv2clt.dll
----a-w 6,656 2002-08-29 03:41:00 C:\WINDOWS\LastGood\System32\laprxy.dll
----a-w 24,576 2002-08-29 03:41:26 C:\WINDOWS\LastGood\System32\logagent.exe
----a-w 174,592 2002-08-29 03:41:06 C:\WINDOWS\LastGood\System32\msnetobj.dll
----a-w 25,088 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\MsPMSNSv.dll
----a-w 175,104 2002-08-29 03:41:06 C:\WINDOWS\LastGood\System32\MsPMSP.dll
----a-w 245,760 2002-08-29 03:41:08 C:\WINDOWS\LastGood\System32\MSSCP.dll
----a-w 155,648 2001-08-23 12:00:00 C:\WINDOWS\LastGood\System32\MSWMDM.dll
----a-w 152,576 2001-08-23 12:00:00 C:\WINDOWS\LastGood\System32\qasf.dll
----a-w 47,104 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\uwdf.exe
----a-w 15,872 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wdfapi.dll
----a-w 38,912 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wdfmgr.exe
----a-w 184,320 2002-08-29 03:41:18 C:\WINDOWS\LastGood\System32\wmadmod.dll
----a-w 442,398 2002-08-29 03:41:18 C:\WINDOWS\LastGood\System32\wmadmoe.dll
----a-w 274,432 2002-08-29 03:41:18 C:\WINDOWS\LastGood\System32\wmasf.dll
----a-w 22,528 2001-08-23 12:00:00 C:\WINDOWS\LastGood\System32\WMDMLOG.dll
----a-w 20,480 2001-08-23 12:00:00 C:\WINDOWS\LastGood\System32\WMDMPS.dll
----a-w 335,872 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\WMDRMdev.dll
----a-w 290,816 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\WMDRMNet.dll
----a-w 150,016 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmidx.dll
----a-w 253,952 2002-08-29 03:41:18 C:\WINDOWS\LastGood\System32\wmnetmgr.dll
----a-w 110,592 2002-08-29 03:41:18 C:\WINDOWS\LastGood\System32\wmsdmod.dll
----a-w 1,119,744 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmsdmoe2.dll
----a-w 413,944 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmspdmod.dll
----a-w 940,544 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmspdmoe.dll
----a-w 1,218,808 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmvadvd.dll
----a-w 1,512,448 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\WMVADVE.DLL
----a-w 1,220,608 2002-08-29 03:41:20 C:\WINDOWS\LastGood\System32\wmvcore.dll
----a-w 294,912 2002-08-29 03:41:20 C:\WINDOWS\LastGood\System32\wmvdmod.dll
----a-w 1,003,008 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wmvdmoe2.dll
----a-w 61,952 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdconns.dll
----a-w 114,176 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdmtp.dll
----a-w 331,776 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdmtpdr.dll
----a-w 66,560 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdmtpus.dll
----a-w 331,264 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdsp.dll
----a-w 10,752 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpdtrace.dll
----a-w 38,912 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\wpd_ci.dll
----a-w 18,944 2005-01-28 11:44:28 C:\WINDOWS\LastGood\System32\DRIVERS\wpdusb.sys
---ha-w 385,024 2007-10-05 05:05:12 C:\WINDOWS\repair\ntuser.dat
----a-w 23,388 2007-10-05 05:02:14 C:\WINDOWS\system32\emptyregdb.dat
----a-w 2,042,240 2002-08-29 02:03:30 C:\WINDOWS\system32\ntoskrnl.exe
----a-w 63,188 2007-10-05 05:02:42 C:\WINDOWS\system32\perfc009.dat
----a-w 403,968 2007-10-05 05:02:42 C:\WINDOWS\system32\perfh009.dat
----a-w 262,144 2007-10-06 07:21:54 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-05 06:15:39 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-05 06:15:39 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-05 05:11:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007092420071001\index.dat
----a-w 32,768 2007-10-05 05:11:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007100520071006\index.dat
----a-w 32,768 2007-10-05 06:15:39 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 14,848 2002-08-29 03:40:50 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 11,776 2001-08-23 12:00:00 C:\WINDOWS\system32\dllcache\chkdsk.exe
-c--a-w 166,912 2002-08-29 03:40:58 C:\WINDOWS\system32\dllcache\iuengine.dll
-c--a-w 14,848 2001-08-23 12:00:00 C:\WINDOWS\system32\dllcache\register.exe
-c--a-w 68,096 2001-08-23 12:00:00 C:\WINDOWS\system32\dllcache\sysinfo.exe
----a-w 921,088 2001-08-23 12:00:00 C:\WINDOWS\WinSxS\InstallTemp\62330\comctl32.dll
.
---ha-w 380,928 2007-09-30 14:32:26 C:\WINDOWS\repair\ntuser.dat
----a-w 23,388 2007-09-30 14:29:29 C:\WINDOWS\system32\emptyregdb.dat
----a-w 1,891,840 2002-08-28 22:04:56 C:\WINDOWS\system32\ntoskrnl.exe
----a-w 63,188 2007-09-30 14:29:57 C:\WINDOWS\system32\perfc009.dat
----a-w 403,968 2007-09-30 14:29:57 C:\WINDOWS\system32\perfh009.dat
----a-w 262,144 2007-10-04 21:45:20 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 16,384 2007-10-01 06:14:48 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-01 06:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-01 06:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
-c--a-w 71,448 2004-08-03 11:00:12 C:\WINDOWS\system32\dllcache\cdm.dll
-c--a-w 185,624 2004-08-03 11:04:40 C:\WINDOWS\system32\dllcache\iuengine.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\WINDOWS\system32\qttask.exe" [2007-04-26 14:13]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 05:49 C:\WINDOWS\system32\tweakui.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" []
"SkyTel"="SkyTel.EXE" [2007-03-04 17:11 C:\WINDOWS\SkyTel.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2007-03-04 17:11 C:\WINDOWS\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-03-04 17:11 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2007-03-04 17:11 C:\WINDOWS\alcwzrd.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 06:41]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{142483DF-44BE-4ADE-875F-6B05CCBCE17C}"= C:\Program Files\Spyware Seizer\BtHelpFive.dll [2007-06-01 06:34 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Servus^Start Menu^Programs^Startup^Shortcut to avg75free_488a1138.lnk]
path=C:\Documents and Settings\Servus\Start Menu\Programs\Startup\Shortcut to avg75free_488a1138.lnk
backup=C:\WINDOWS\pss\Shortcut to avg75free_488a1138.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 07:31:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 10:31:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-06 10:33:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-06 10:33
C:\ComboFix2.txt ... 2007-10-05 00:58
.
--- E O F ---


And here's the Hijackthis log again:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:28, on 06.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190650461781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...129/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)

I have to say that most of my services are stopped and are set to be like that, I guess by the virus. I'll attach some screenshots. Also, about ComboFix: at the end, before the reboot, it showed an error regarding a service that's not running. I'll try to post all of these in the next reply. Thanx!
