
Something infects EXE files and cannot restart PC


23 replies to this topic

#16 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 06 October 2007 - 02:53 AM

Here are screenshots with services that are stopped or running, and Code 10 for sound card that states that device cannot start, even if I reinstalled the original drivers:

Attached Thumbnails

  • sysconfig1.JPG
  • sysconfig2.JPG
  • sysconfig3.JPG
  • sysconfig4.JPG
  • sysconfig5.JPG
  • sysconfig6.JPG
  • sysconfig7.JPG
  • sysconfig8.JPG
  • CombofixService.JPG



#17 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 06 October 2007 - 02:54 AM

Sound card Cannot start device

Attached Thumbnails

  • soundcard.JPG


#18 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 06 October 2007 - 11:27 AM

Hi,

I don't know... perhaps it's not about the virus you had in mind??

Yes it is - this one normally deletes the safeboot keys - but you did a Windows repair in between, so that may have repaired them again. The fact that the safeboot keys are not deleted afterwards once again shows that the Virus you are dealing with is not active anymore - and actually Combofix doesn't find these malware related files anymore either.

Well, I also see you had disabled a lot of services via msconfig:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

Did you disable these?

Also, don't really worry where it says that services are stopped. This is because they are set to manual for startup type. Most of the services that are stopped in your case are stopped in my case as well.

I compared the services with my computer and there are some that are stopped that should be set to automatic.
To do this, go to Start > Run and type: services.msc
Then scroll down to the next services and double-click them in order to change the startup type for them.

The following should be set to automatic for startup type:

Event log > automatic
DCom server process launcher > automatic
Alerter > automatic
Security Center > automatic
WebClient > automatic
Windows Management Instrumentation > automatic

Also double-check the next services and make sure they are set to manual:
WMI performance adapter > manual
Windows Installer > manual

Then reboot.

For your sound problem - this is really not my area since this is a hardware issue. Could be that you reinstalled the wrong drivers, could be something else.
For that, I suggest you post a thread in the troubleshooting/hardware part of this forum.

For Avast, since the related services are deleted anyway, I suggest you run this removal utility:
http://www.avast.com...ll-utility.html

Are you still having problems with Installing an Antivirus? Can you try to reinstall your NOD32 again?
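The check described in this post, comparing the msconfig key ComboFix printed with the startup types the helper asks for, can be done mechanically. The following is an added example written for this page; it is not code from the thread, from ComboFix or from any other tool named here. The current-state snapshot and the mapping from the display names in the post to XP short service names are assumptions of the example.

```python
"""Audit Windows XP service startup types against a baseline.

Added example, not code from the thread. It parses the msconfig 'services'
key as ComboFix printed it in the post, then compares a constructed snapshot
of the services' current Start values with the startup types the helper
asked for. The snapshot and the display-name to short-name mapping are
assumptions of this example.
"""
import re
from typing import Dict, List

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# When msconfig disables a service it sets Start=4 and records the previous
# Start value under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services,
# so every entry there reads "currently disabled by msconfig; used to be N".
MSCONFIG_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<start>\d+) \(0x[0-9A-Fa-f]+\)$')


def parse_msconfig_dump(dump: str) -> Dict[str, int]:
    """Return {service_name: previous_start_value} from a ComboFix-style dump."""
    previous = {}
    for line in dump.splitlines():
        m = MSCONFIG_LINE.match(line.strip())
        if m:
            previous[m.group("name")] = int(m.group("start"))
    return previous


# Startup types requested in the post, keyed by XP short service name
# (assumed mapping from the display names the post uses).
EXPECTED = {
    "Eventlog": 2,    # Event Log
    "DcomLaunch": 2,  # DCOM Server Process Launcher
    "Alerter": 2,
    "wscsvc": 2,      # Security Center
    "WebClient": 2,
    "winmgmt": 2,     # Windows Management Instrumentation
    "WmiApSrv": 3,    # WMI Performance Adapter
    "MSIServer": 3,   # Windows Installer
}


def audit(current: Dict[str, int], msconfig_previous: Dict[str, int]) -> List[str]:
    """List msconfig-disabled services and deviations from EXPECTED."""
    findings = []
    for name, was in sorted(msconfig_previous.items()):
        findings.append(f"{name}: disabled via msconfig (was {START_TYPES.get(was, was)})")
    for name, want in EXPECTED.items():
        have = current.get(name)
        if have is None:
            findings.append(f"{name}: service not present")
        elif have != want:
            findings.append(f"{name}: Start={START_TYPES.get(have, have)}, expected {START_TYPES[want]}")
    return findings


# The key dump exactly as it appears in the post.
SAMPLE_MSCONFIG_DUMP = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"""

# Constructed snapshot of current Start values (assumption, not from the post).
SAMPLE_CURRENT_START = {
    "Eventlog": 4,    # disabled, consistent with the msconfig entry above
    "DcomLaunch": 2,
    "Alerter": 3,     # set to manual, so it stays stopped after a reboot
    "wscsvc": 2,
    "WebClient": 2,
    "winmgmt": 2,
    "WmiApSrv": 3,
    "MSIServer": 3,
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CURRENT_START, parse_msconfig_dump(SAMPLE_MSCONFIG_DUMP)):
        print(line)
```

On a live XP box the current Start values would come from `sc qc <name>` or from the Services key itself; the example keeps them in a dict so it runs offline. A service that appears both in the msconfig key and in the deviation list (Eventlog above) is the case the helper describes: disabled by msconfig, so setting it back to Automatic in services.msc is what the post asks for.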

#19 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 06 October 2007 - 11:53 AM

Also perform next steps please...

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply as well.

#20 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 06 October 2007 - 12:44 PM

Hi,

I don't know... perhaps it's not about the virus you had in mind??

Yes it is - this one normally deletes the safeboot keys - but you did a Windows repair in between, so that may have repaired them again. The fact that the safeboot keys are not deleted afterwards once again shows that the Virus you are dealing with is not active anymore - and actually Combofix doesn't find these malware related files anymore either.

Well, I also see you had disabled a lot of services via msconfig:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"Themes"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=2 (0x2)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

Did you disable these?

Also, don't really worry where it says that services are stopped. This is because they are set to manual for startup type. Most of the services that are stopped in your case are stopped in my case as well.

I compared the services with my computer and there are some that are stopped that should be set to automatic.
To do this, go to Start > Run and type: services.msc
Then scroll down to the next services and double-click them in order to change the startup type for them.

The following should be set to automatic for startup type:

Event log > automatic
DCom server process launcher > automatic
Alerter > automatic
Security Center > automatic
WebClient > automatic
Windows Management Instrumentation > automatic

Also double-check the next services and make sure they are set to manual:
WMI performance adapter > manual
Windows Installer > manual

Then reboot.

For your sound problem - this is really not my area since this is a hardware issue. Could be that you reinstalled the wrong drivers, could be something else.
For that, I suggest you post a thread in the troubleshooting/hardware part of this forum.

For Avast, since the related services are deleted anyway, I suggest you run this removal utility:
http://www.avast.com...ll-utility.html

Are you still having problems with Installing an Antivirus? Can you try to reinstall your NOD32 again?


I didn't stop any of my services, and even if I start them manually, AND put them into automatic mode, next time I reboot, they are in the same state as before modifying manually - stopped!! And my sound card started having trouble exactly when this virus, or whatever it is, attacked my PC!!! I'm positive it's got to do smth with this virus!!

I think I already did a scan with that online scanner u asked me to, but can't remember what I did with the log, so I'm gonna do it again. It couldn't find any threats, either. But I'm'a do it again and post the result. Thanks again! I cannot install Nod32 again!! NOR any other antivirus - or, in the best case, I CAN install it, but its exe file would be erased as soon as installation ends.. weird..
I forgot to mention that internet explorer first page is always: http://xtoff/ ever since first time infection. Does that ring any bell? Doesn't seem I could ever get rid of this web page. It's first to load, and my homepage is set to google.

Edited by Serghey, 06 October 2007 - 12:59 PM.


#21 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 06 October 2007 - 03:19 PM

As I already explained, this malware damages A LOT! I know all the other problems started with this Virus, but the problem with your sound card is a hardware related issue as a result of this malware you are dealing with, including all the other problems you are having now. Because every time you reboot, you'll have to perform a repair install or a last known good. In "normal circumstances", this type of malware doesn't act this way and can actually be easily removed in a few steps, but in your case, the damage it already caused and whatever else that may be present + maybe also non malware related issues makes it almost impossible to deal with this properly, since you cannot properly reboot either because of the damage it already caused. We still can try a few things, but I cannot guarantee it will be successful since there are really not many options left anymore. This system needs a reboot to get rid of it properly and since you always have to perform a system restore after reboot, it will always come back - and I have a bad feeling that important system files are patched here as well. So we are actually running around in circles. What we removed will be back again. Anyway, the NOD32 online scan will maybe tell us + the scan with blacklight. Once we can get rid of the malware - then we'll also have to restore whatever it has damaged - and that's a lot and I cannot guarantee either if all damage can be properly restored too. So this thread can be long - (I guess a few weeks if you really want to sort this out manually) and even then - as I said - I cannot guarantee it will ever run the same anymore. This is almost impossible since it's so badly damaged/compromised. So you really have to be patient here... That's why I also suggested in one of my first posts that a format and reinstall will be the fastest and especially safest solution.
You can still back up your data now (actually you should have done this already, I always recommend backing up important data when a system is severely infected), this in case a system is completely lost because of the damage. But you insisted on getting rid of it manually - so that's your choice and I will try to help you - but you have to understand, when there are really no more options left, that it will be time to throw in the towel. This is a fact - when systems are severely infected/damaged - common sense is a format and reinstall. If that was happening with my computer - I wouldn't hesitate a second and reinstall - because I would never be able to trust this system anymore. So if I would do this, it is my responsibility to recommend it to others as well... mainly because of their safety.

#22 Serghey

Serghey

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 07 October 2007 - 05:34 AM

Also perform next steps please...

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
(fsbl.exe - graphical user interface)
Double-click fsbl.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply as well.



Hi! The link u indicated contains a file that is outdated and won't start. I scanned online with the F-Secure online scanner and here's the log:



Scanning Report
Sunday, October 07, 2007 12:35:20 - 14:20:16
Computer name: LAPTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 38 malware found
Alexa (spyware)
System (Disinfected)
SDBot.gen8 (virus)
C:\SPONGEVHONGUFSTOOLS\HWK.UPDATER.V03.03.FSS.LOADER.EXE (Submitted)
C:\SPONGEVHONGUFSTOOLS\HWKTOOLS.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32154
System: 4639
Not scanned: 3
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 36
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\SERVUS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{0417FE7C-BFFF-4600-BAC5-3F9AC1E903D2}

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-06
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0602-150-72
F-Secure Libra: 2.4.2, 2007-10-05
F-Secure Orion: 1.2.37, 2007-10-06
F-Secure Pegasus: 1.19.0, 2007-09-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


So, anyway, UFStools is software for GSM phones that Tornado Box uses. It found a worm in its update.exe file and so... I don't think it's a true virus. Perhaps I'm not gonna be able to use that soft anymore either. :) But it's ok.. Here's a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:27:01, on 07.10.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Servus\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190650461781
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CFA0EE6E-F07B-46CF-81A2-80167A50DC67} (SarunasSoftwareSupportAccesser Control) - http://www.sarunasof...ortAccesser.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...129/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
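A HijackThis log is a flat list of `<section> - <body>` lines, and the points a helper looks for in it first (entries whose target file is missing, Run entries that name a bare executable instead of a full path, services HijackThis cannot attribute to a vendor) can be pulled out mechanically. The following is an added example written for this page, not code from HijackThis or from the thread; the triage rules and the `run_entry_has_path` heuristic are the example's own assumptions, and the sample lines are a subset of the log posted above.

```python
"""Triage a HijackThis log for the entries a helper checks first.

Added example, not HijackThis code. It parses 'Oxx - ...' lines and flags
(a) entries marked '(file missing)', (b) O4 Run entries whose command names
a bare executable with no path, and (c) O23 services with 'Unknown owner'.
The rules are this example's own heuristics; a flagged entry needs a human
to decide whether it is legitimate (several bare Run entries in the post
belong to the Realtek audio driver, for instance).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 bodies look like: HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(log: str) -> List[Entry]:
    """Keep only the 'Rn'/'On' detail lines; process lists and headers are skipped."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def run_entry_has_path(cmd: str) -> bool:
    """True if the executable part of a Run command carries a directory."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]   # quoted path, possibly with spaces
    else:
        exe = cmd.split(" ", 1)[0]       # first token is the program
    return "\\" in exe or exe.startswith("%")


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    findings = {"file_missing": [], "run_without_path": [], "service_unknown_owner": []}
    for e in entries:
        if "(file missing)" in e.body:
            findings["file_missing"].append(f"{e.section} - {e.body}")
        if e.section == "O4":
            m = O4_RUN.match(e.body)
            if m and not run_entry_has_path(m.group("cmd")):
                findings["run_without_path"].append(m.group("name"))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings["service_unknown_owner"].append(e.body)
    return findings


# Subset of the log posted in the thread (constructed sample input).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
"""

if __name__ == "__main__":
    for category, items in triage(parse_hjt(SAMPLE_HJT_LOG)).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  ", item)
```

Run over the sample, the one finding that matters for this thread is the O23 line: the NOD32 kernel service is still registered but its executable is gone, which is exactly the symptom Serghey describes (the antivirus installs, then its exe disappears). The bare-name Run entries are flagged only so that someone resolves them against the Windows directory and confirms what they are; flagging is not a verdict.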

#23 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 07 October 2007 - 11:46 PM

Hi, Do you have the log from F-secure Blacklight? Because you ran the F-secure online scanner instead. Also, do you also have the log from NOD32 online? Not sure what link you mean that is outdated.

#24 miekiemoes

miekiemoes

    MalwareBytes

  • Visiting Fellow
  • PipPipPipPip
  • 514 posts

Posted 08 October 2007 - 01:50 AM

Hi,

Ignore my previous post. Logs from above scanners won't change a thing.

I have been contacting an Antivirus Vendor and it appears you are dealing with a new variant of Beagle which also patches important legitimate system files. They also recommend a format and reinstall since this is the only solution to deal with this properly, especially since it already damaged so much, you're not even able to reboot, and extra tools may only cause more damage. We will just run around in circles.
I am very sorry to tell you this, but when such nasty malware is involved, you'll have to draw the line and throw in the towel since there's nothing much else that we can do anymore. :(
Make sure this won't happen again - so for future reference, stay away from illegal sites and be careful what you download via P2P programs, because that's how you got infected in the first place.
Please read this as well: http://users.telenet...prevention.html
