
Something infects EXE files and cannot restart PC
#16
Posted 06 October 2007 - 02:53 AM
#18
Posted 06 October 2007 - 11:27 AM
Yes it is - this one normally deletes the safeboot keys - but you did a Windows repair in between, so that may have repaired them again. The fact that the safeboot keys are not deleted afterwards once again shows that the Virus you are dealing with is not active anymore - and actually Combofix doesn't find these malware related files anymore either. I don't know... perhaps it's not about the virus you had in mind??
Well, I also see you had disabled a lot of services via msconfig:
Did you disable these?
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
Also, don't really worry where it says that services are stopped. This is because they are set to manual for startup type. Most of the services that are stopped in your case are stopped in my case as well.
I compared the services with my computer and there are some that are stopped that should be set to automatic.
To do this, go to start > run and type: services.msc
Then scroll down to the next services and double-click them in order to change their startup type.
The next ones should be set to automatic for startup type:
Event log > automatic
DCom server process launcher > automatic
Alerter > automatic
Security Center > automatic
WebClient > automatic
Windows Management Instrumentation > automatic
Also double-check the next services and make sure they are set to manual:
WMI performance adapter > manual
Windows Installer > manual
Then reboot.
For your sound problem - this is really not my area since this is a hardware issue. Could be that you reinstalled the wrong drivers, could be something else.
For that, I suggest you post a thread in the troubleshooting/hardware part of this forum.
For Avast, since the related services are deleted anyway, I suggest you run this removal utility:
http://www.avast.com...ll-utility.html
Are you still having problems with Installing an Antivirus? Can you try to reinstall your NOD32 again?
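A way to check the points made in this post from the defender's side, as an added PowerShell example that is not from the thread or its participants: it compares the startup type of the services named above against the expected setting, lists what msconfig has recorded as disabled, and checks that the SafeBoot keys are still present. The service internal names (for example wscsvc for Security Center) are my mapping of the display names used in the post.

```powershell
# Added example (not from the thread). Expected StartMode as reported by
# Win32_Service for the services the post asks to check.
$expected = @{
    'Eventlog'   = 'Auto'    # Event log
    'DcomLaunch' = 'Auto'    # DCOM Server Process Launcher
    'Alerter'    = 'Auto'
    'wscsvc'     = 'Auto'    # Security Center
    'WebClient'  = 'Auto'
    'winmgmt'    = 'Auto'    # Windows Management Instrumentation
    'wmiApSrv'   = 'Manual'  # WMI Performance Adapter
    'MSIServer'  = 'Manual'  # Windows Installer
}

foreach ($name in $expected.Keys) {
    # Win32_Service works on XP-era PowerShell; Get-Service lacks StartType there.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Output ("{0,-12} MISSING (service not registered)" -f $name)
        continue
    }
    $flag = if ($svc.StartMode -ne $expected[$name]) { '<-- differs' } else { '' }
    Write-Output ("{0,-12} {1,-8} {2,-8} expected {3} {4}" -f
        $name, $svc.StartMode, $svc.State, $expected[$name], $flag)
}

# Services disabled through msconfig are recorded under this key; each value is
# the service's original Start value (2 = Automatic, 3 = Manual) that msconfig
# restores when the service is re-enabled. This is the key quoted in the post.
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
if (Test-Path $msconfig) {
    (Get-ItemProperty $msconfig).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            Write-Output ("msconfig disabled: {0} (original start = {1})" -f $_.Name, $_.Value)
        }
} else {
    Write-Output 'msconfig has no disabled services recorded'
}

# The SafeBoot keys the post says this malware normally deletes; without them
# Safe Mode cannot start, so their absence is itself an indicator.
foreach ($k in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k"
    $state = if (Test-Path $path) { 'present' } else { 'MISSING' }
    Write-Output ("SafeBoot\{0}: {1}" -f $k, $state)
}
```

Run it from an elevated PowerShell prompt; a service whose startup type reverts after being set to automatic, as described later in the thread, will show up as differing on every run.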
#19
Posted 06 October 2007 - 11:53 AM
* Go here to run an online scanner from ESET.
- Note: You will need to use Internet explorer for this scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the activex control to install
- Click Start
- Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found (if any), so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply as well.
#20
Posted 06 October 2007 - 12:44 PM
Hi,
I didn't stop any of my services, and even if I start them manually, AND put them into automatic mode, next time I reboot, they are in the same state as before modifying manually - stopped!! And my sound card started having trouble exactly when this virus, or whatever it is, attacked my PC!!! I'm positive it's got to do smth with this virus!!
I think I already did a scan with that online scanner u asked me to, but can't remember what I did with the log, so I'm gonna do it again. It couldn't find any threats, either. But I'm'a do it again and post the result. Thanks again! I cannot install Nod32 again!! NOR any other antivirus - or, in the best case, I CAN install it, but its exe file would be erased as soon as installation ends.. weird..
I forgot to mention that internet explorer first page is always: http://xtoff/ ever since first time infection. Does that ring any bell? Doesn't seem I could ever get rid of this web page. It's first to load, and my homepage is set to google.
Edited by Serghey, 06 October 2007 - 12:59 PM.
#21
Posted 06 October 2007 - 03:19 PM
#22
Posted 07 October 2007 - 05:34 AM
Hi! The link u indicated contains a file that it's outdated and won't start. I scanned online with F-secure online scanner and here's the log:
Scanning Report
Sunday, October 07, 2007 12:35:20 - 14:20:16
Computer name: LAPTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
--------------------------------------------------------------------------------
Result: 38 malware found
Alexa (spyware)
System (Disinfected)
SDBot.gen8 (virus)
C:\SPONGEVHONGUFSTOOLS\HWK.UPDATER.V03.03.FSS.LOADER.EXE (Submitted)
C:\SPONGEVHONGUFSTOOLS\HWKTOOLS.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 32154
System: 4639
Not scanned: 3
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 36
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\SERVUS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{0417FE7C-BFFF-4600-BAC5-3F9AC1E903D2}
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-06
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0602-150-72
F-Secure Libra: 2.4.2, 2007-10-05
F-Secure Orion: 1.2.37, 2007-10-06
F-Secure Pegasus: 1.19.0, 2007-09-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
--------------------------------------------------------------------------------
So, anyway, UFStools is a software for GSM phones that Tornado Box uses. It found a worm in its update.exe file and so... don't think it's a true virus. Perhaps I'm not gonna be able to use that soft anymore either.

Logfile of HijackThis v1.99.1
Scan saved at 14:27:01, on 07.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190650461781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...129/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
#23
Posted 07 October 2007 - 11:46 PM
#24
Posted 08 October 2007 - 01:50 AM
Ignore my previous post. Logs from above scanners won't change a thing.
I have been contacting an Antivirus Vendor and it appears you are dealing with a new variant of Beagle which also patches system important legitimate files. They also recommend a format and reinstall since this is the only solution to deal with this properly especially since it already damaged so much, you're not even able to reboot, and extra tools may only cause more damage. We will just run around in circles.
I am very sorry to tell you this, but when such nasty malware is involved, you'll have to draw the line and throw in the towel since there's nothing much else that we can do anymore.

Make sure this won't happen again - so for future reference, stay away from illegal sites and be careful what you download via P2P programs, because that's how you got infected in the first place.
Please read this as well: http://users.telenet...prevention.html