« previous next »
Pages: [1] 2 3

Author Topic: New hard to deal virus  (Read 4295 times)

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« on: June 25, 2008, 05:43:53 AM »
Hello, I got a problem. My main PC got infected with some new virus that I hadnt even seen one. Heres the symptoms: When i turn on pc, on system startup, bios, recover menu letters are mixed up,i tryed to restore windoes with windoes cs by booting from it and go to repair, but it doesnt let me to write correcly becouse the same button have 2-3 diffrent letterns and the letters changes by the number of a place in wich it is, also it stucks after the windows boots up. I managed to get to safe mode and get there a HJT log ( in safe mode all letters are back to normal, though explorer keeps closing, os i have to turn it on with task manager.


Heres the HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:21, on 2008.06.25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\FIxeL\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [18f81d50] rundll32.exe "C:\WINDOWS\system32\xwocobwd.dll",b
O4 - HKLM\..\Run: [BM1bcb2ecc] Rundll32.exe "C:\WINDOWS\system32\oppverdi.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4369 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #1 on: June 25, 2008, 09:20:35 AM »
Can you do the following please

Download this file - Combofix.exe and save it ONLY to your desktop

Don't run it yet
Physically disconnect the internet cable connection to your computer

Temporarily disable AVG protections please so it won't interfere with the next tool
Open the AVG Control Center program by double clicking it's icon by the clock
Double-click on the "AVG Resident Shield" component  -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.

Double click on ComboFix.exe to run the program

Follow the prompts
normally this fix takes anywhere from 10 to 30 minutes
After reboot
 ComboFix will run again, then continue to create a log, this can take a few minutes
Let it run uninterrupted please
I'll need to see this log later

Note:
[color=\"#4169E1\"]Do not mouseclick combofix's window while it's running. That may cause it to stall[/color]

After ComboFix runs, and after it's log opens
Reenable AVG's realtime protections
Connect Internet cable
By default, the location of the combofix log is located at this location
C:\combofix.txt

Post back the log from ComboFix and a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #2 on: June 25, 2008, 03:29:48 PM »
Ok, i did the scan, heres the report  :

ComboFix 08-06-20.4 - FIxeL 2008-06-25 23:32:05.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1257.1.1033.18.823 [GMT 3:00]
Running from: C:\Documents and Settings\FIxeL\Desktop\ComboFix.exe

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbKTCccf.ini
C:\WINDOWS\system32\bbKTCccf.ini2
C:\WINDOWS\system32\dwbocowx.ini
C:\WINDOWS\system32\fccCTKbb.dll
C:\WINDOWS\system32\hdnmkpmm.ini

.
(((((((((((((((((((((((((   Files Created from 2008-05-25 to 2008-06-25  )))))))))))))))))))))))))))))))
.

2008-06-25 06:48 . 2008-06-25 08:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 11:30 . 2008-06-24 11:30   94,720   --a------   C:\WINDOWS\system32\oppverdi.dll
2008-06-24 11:30 . 2008-06-24 11:30   87,040   --a------   C:\WINDOWS\system32\xwocobwd.dll
2008-06-24 11:30 . 2008-06-24 11:30   0   --a------   C:\WINDOWS\BM1bcb2ecc.xml
2008-06-23 23:23 . 2008-06-23 23:23   34,304   --a------   C:\WINDOWS\system32\rqRIaYqN.dll
2008-06-23 23:09 . 2008-06-23 23:09   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-06-23 23:09 . 2008-06-23 23:09   <DIR>   d--------   C:\Program Files\Ahead
2008-06-23 23:09 . 2004-07-26 16:16   1,568,768   --a------   C:\WINDOWS\system32\ImagX7.dll
2008-06-23 23:09 . 2004-07-26 16:16   476,320   --a------   C:\WINDOWS\system32\ImagXpr7.dll
2008-06-23 23:09 . 2004-07-26 16:16   471,040   --a------   C:\WINDOWS\system32\ImagXRA7.dll
2008-06-23 23:09 . 2004-07-26 16:16   262,144   --a------   C:\WINDOWS\system32\ImagXR7.dll
2008-06-23 23:09 . 2001-07-09 10:50   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2008-06-23 23:09 . 2004-03-02 16:37   125,184   ---------   C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-23 23:09 . 2000-06-26 10:45   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2008-06-23 23:09 . 2004-03-02 16:37   5,504   ---------   C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-20 03:01 . 2008-06-20 03:01   <DIR>   d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 20:06 . 2008-03-25 02:37   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-06-19 20:05 . 2008-06-19 20:06   <DIR>   d--------   C:\Program Files\Java
2008-06-19 20:04 . 2008-06-19 20:04   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-06-19 17:58 . 2008-06-19 17:59   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\Canon
2008-06-19 17:57 . 2008-06-19 17:57   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-19 17:54 . 2004-08-03 22:58   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-19 17:54 . 2004-08-03 22:58   15,104   --a--c---   C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Program Files\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Program Files\Common Files\ScanSoft Shared
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:54   412   --a------   C:\WINDOWS\MAXLINK.INI
2008-06-19 17:52 . 2008-06-19 17:52   <DIR>   d--------   C:\Program Files\Common Files\CANON
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\Program Files\CanonBJ
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-19 17:50 . 2006-11-10 05:00   1,314,816   --a------   C:\WINDOWS\system32\CNCC140.DLL
2008-06-19 17:50 . 2006-12-25 23:00   198,656   --a------   C:\WINDOWS\system32\CNMLM8R.DLL
2008-06-19 17:50 . 2006-05-26 04:54   135,168   --a------   C:\WINDOWS\system32\CNCL140.DLL
2008-06-19 17:50 . 2006-06-29 08:29   106,496   --a------   C:\WINDOWS\system32\cnco140.dll
2008-06-19 17:50 . 2006-11-10 04:59   57,344   --a------   C:\WINDOWS\system32\CNCI140.DLL
2008-06-19 17:49 . 2008-06-19 17:57   <DIR>   d--------   C:\Program Files\Canon
2008-06-17 21:13 . 2008-06-17 21:13   <DIR>   d--------   C:\Program Files\Common Files\DirectX
2008-06-17 21:12 . 2008-06-24 19:02   96   --ah-----   C:\WINDOWS\system32\HsInfo.dat
2008-06-17 20:07 . 2008-06-17 20:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-17 20:03 . 2004-08-09 05:04   73,728   --a------   C:\WINDOWS\system32\ISUSPM.cpl
2008-06-15 22:57 . 2008-06-15 23:00   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\TeamViewer
2008-06-15 22:49 . 2008-06-15 22:49   <DIR>   d--------   C:\Program Files\DynGate
2008-06-15 22:49 . 2008-06-15 23:00   <DIR>   d--------   C:\Documents and Settings\FIxeL\temp
2008-06-12 21:58 . 2008-06-12 21:59   38   --a------   C:\WINDOWS\avisplitter.INI
2008-06-11 09:43 . 2008-06-11 09:43   <DIR>   d--------   C:\Program Files\7-Zip
2008-06-11 05:31 . 2008-06-13 16:10   272,128   ---------   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:31 . 2008-06-13 16:10   272,128   -----c---   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 23:42 . 2006-08-16 00:22   811,064   --a------   C:\WINDOWS\system32\imjp81k.dll
2008-06-08 23:40 . 2001-08-17 22:36   8,704   --a------   C:\WINDOWS\system32\kbdjpn.dll
2008-06-05 09:37 . 2008-06-06 20:01   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-06-05 09:35 . 2006-09-28 16:05   237,848   --a------   C:\WINDOWS\system32\xactengine2_4.dll
2008-06-05 09:35 . 2006-09-28 16:04   68,888   --a------   C:\WINDOWS\system32\xinput1_3.dll
2008-06-05 09:35 . 2006-09-28 16:03   15,128   --a------   C:\WINDOWS\system32\x3daudio1_1.dll
2008-06-03 15:54 . 2007-05-16 16:45   3,497,832   --a------   C:\WINDOWS\system32\d3dx9_34.dll
2008-06-03 15:54 . 2006-09-28 16:05   2,414,360   --a------   C:\WINDOWS\system32\d3dx9_31.dll
2008-06-03 15:54 . 2008-06-03 16:11   278,984   --a------   C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-03 15:54 . 2008-06-03 15:54   25,416   --a------   C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-03 15:50 . 2008-06-03 15:50   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-06-03 15:45 . 2007-02-22 19:05   90,112   --a------   C:\Progr_.dll
2008-06-03 15:45 . 2007-02-22 19:05   90,112   --a------   C:\Docum_.dll
2008-06-03 15:44 . 2008-06-05 10:50   <DIR>   d--------   C:\Program Files\DaemonTools_WhenUSave_Installer
2008-06-03 15:43 . 2008-06-03 15:44   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\DAEMON Tools Pro
2008-06-03 15:38 . 2008-06-03 15:50   <DIR>   d--------   C:\Program Files\DAEMON Tools Pro
2008-06-03 15:24 . 2008-06-03 15:24   685,816   --a------   C:\WINDOWS\system32\drivers\sptd.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 19:51   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\skypePM
2008-06-24 16:31   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\Skype
2008-06-24 12:24   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\uTorrent
2008-06-20 06:23   96,520   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 06:23   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 06:23   12,936   ----a-w   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-19 14:52   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-18 09:55   ---------   d-----w   C:\Program Files\Opera
2008-06-17 17:03   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-09 16:56   ---------   d-----w   C:\Program Files\HLSW
2008-05-22 17:13   ---------   d-----w   C:\Program Files\IDM Computer Solutions
2008-05-22 17:13   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\IDMComp
2008-05-22 17:09   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 19:01   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\Grisoft
2008-05-11 19:00   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-08 14:21   ---------   d-----w   C:\Program Files\Valve
2008-05-08 12:28   202,752   ----a-w   C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 08:07   ---------   d-----w   C:\Program Files\uTorrent
2008-05-01 18:22   ---------   d-----w   C:\Program Files\K-Lite Codec Pack
2008-05-01 18:22   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\Media Player Classic
2008-04-30 21:48   ---------   d-----w   C:\Program Files\Red Kawa
2008-04-30 20:20   315,392   ----a-w   C:\WINDOWS\HideWin.exe
2008-04-30 20:20   ---------   d-----w   C:\Program Files\Realtek
2008-04-30 10:45   ---------   d-----w   C:\Program Files\Lavalys
2008-04-28 22:08   ---------   d-----w   C:\Program Files\MSXML 6.0
2008-04-28 22:06   ---------   d-----w   C:\Program Files\MSXML 4.0
2008-04-28 12:23   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-04-28 12:21   ---------   d-----w   C:\Program Files\Microsoft.NET
2008-04-28 12:21   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-04-28 12:14   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-28 12:12   ---------   d-----w   C:\Program Files\Skype
2008-04-28 12:12   ---------   d-----w   C:\Program Files\Common Files\Skype
2008-04-28 12:12   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Skype
2008-04-28 12:09   ---------   d-----w   C:\Program Files\AVG
2008-04-28 12:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8
2008-04-28 12:04   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2008-04-28 11:51   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Motive
2008-04-28 11:50   155,995   ----a-w   C:\WINDOWS\java\Packages\I85FHRRX.ZIP
2008-04-28 11:49   ---------   d-----w   C:\Program Files\Common Files\Motive
2008-04-28 11:09   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-04-28 11:05   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-04-10 13:52   16,861,184   ----a-w   C:\WINDOWS\RTHDCPL.exe
2008-04-02 06:27   1,196,032   ----a-w   C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
2008-06-23 23:23   34304   --a------   C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 16:08 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 09:23 1231128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-12 15:55 6731312]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"18f81d50"="C:\WINDOWS\system32\xwocobwd.dll" [2008-06-24 11:30 87040]
"BM1bcb2ecc"="C:\WINDOWS\system32\oppverdi.dll" [2008-06-24 11:30 94720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\system32\rqRIaYqN.dll [2008-06-23 23:23 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYqN]
rqRIaYqN.dll 2008-06-23 23:23 34304 C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\serverdoc\\CS_server\\counter-strike\\hlds.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"D:\\Games\\counter-strike\\hl.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Skype\\Plugins\\Plugins\\289650C9E52C40FE91D947C6D0EB72DA\\rcviewer.exe"=
"D:\\Games\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe"=
"D:\\Games\\RF Online\\RF.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55551:TCP"= 55551:TCP:Utorrent

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 09:23]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 09:23]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 09:23]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 09:23]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 09:23]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 09:12]
S3 USB_RNDIS_51;ZTE USB Remote NDIS Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 03:37:46 C:\WINDOWS\Tasks\RegCure.job"
- D:\Prog. Files\RegCure\RegCure.exe
"2008-06-09 20:15:00 C:\WINDOWS\Tasks\µTorrent.job"
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #3 on: June 25, 2008, 03:56:37 PM »
You didn't post the fresh Hijackthis log?

Don't worry about it right now
Instead, can you do the following

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
       
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
       
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
       
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Along with the log from Malwarebytes AntiMalware

Please do the following
Download [color=\"#008000\"]Deckard's System Scanner (dss.exe)[/color] to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post back just the Whole contents of Main.txt and Extra.txt

NOTE: If you cannot find a log from Extra.txt
Do the following instead
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #4 on: June 26, 2008, 05:43:56 AM »
After i scaned with the Malwarebytes AntiMalware, after restart pc booted up in normal mode, not in safe mode, so i managed to do a scan with dss, though after the scan, pc freezed again, and now i can boot up only in safe mode again. Here are the logs:





Malwarebytes' Anti-Malware 1.18
Database version: 870

13:22:54 2008-06-26
mbam-log-6-26-2008 (13-22-49).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 135496
Time elapsed: 2 hour(s), 54 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rqRIaYqN.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqriayqn (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18f81d50 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1bcb2ecc (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0e64e841-2463-47c9-8797-daf2810bbf61} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{81A2EC54-EB7D-482B-902B-67F3D40F4430}\RP12\A0001601.exe (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\xwocobwd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\oppverdi.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\rqRIaYqN.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.

( No action taked is becouse i pressed view log before i deleted the files, if needed i can performe a new scan )


dss: main.txt

Deckard's System Scanner v20071014.68
Run by FIxeL on 2008-06-26 13:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
56: 2008-06-26 10:28:46 UTC - RP76 - Deckard's System Scanner Restore Point
55: 2008-06-25 03:47:27 UTC - RP75 - Restore Operation
54: 2008-06-24 06:03:21 UTC - RP74 - Avg8 Update
53: 2008-06-23 20:29:24 UTC - RP73 - Last known good configuration
52: 2008-06-23 20:29:19 UTC - RP72 - System Checkpoint


-- First Restore Point --
1: 2008-06-23 20:29:13 UTC - RP21 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as FIxeL.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30, on 2008-06-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\FIxeL\Desktop\dss.exe
C:\DOCUME~1\FIxeL\Desktop\FIxeL.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\rqRIaYqN.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRIaYqN - C:\WINDOWS\SYSTEM32\rqRIaYqN.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6088 bytes

-- File Associations -----------------------------------------------------------

[color=\"red\"].ini - UltraEdit.ini - DefaultIcon - unable to read value[/color]
[color=\"red\"].ini - UltraEdit.ini - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit\uedit32.exe" "%1"[/color]
[color=\"red\"].js - UltraEdit.js - DefaultIcon - unable to read value[/color]
[color=\"red\"].js - UltraEdit.js - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit\uedit32.exe" "%1"[/color]
[color=\"red\"].reg - regfile - shell\open\command - regedit.exe "%1" %*[/color]
[color=\"red\"].scr - scrfile - shell\open\command - "%1" %*[/color]
[color=\"red\"].txt - UltraEdit.txt - DefaultIcon - unable to read value[/color]
[color=\"red\"].txt - UltraEdit.txt - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit\uedit32.exe" "%1"[/color]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0368&SUBSYS_72601462&REV_A3\3&267A616A&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0368&SUBSYS_72601462&REV_A3\3&267A616A&0&09
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_6611107D&REV_05\4&D9F7D03&0&0030
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_6611107D&REV_05\4&D9F7D03&0&0030
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_72601462&REV_A3\3&267A616A&0&40
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0373&SUBSYS_72601462&REV_A3\3&267A616A&0&40
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-26 13:26:49       364 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-06-09 23:15:00       264 --a------ C:\WINDOWS\Tasks\µTorrent.job


-- Files created between 2008-05-26 and 2008-06-26 -----------------------------

2008-06-26 10:19:33         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Malwarebytes
2008-06-26 10:19:27         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 10:19:27         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 23:34:07     53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-25 23:31:22     68096 --a------ C:\WINDOWS\zip.exe
2008-06-25 23:31:22     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-25 23:31:22    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-25 23:31:22    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-25 23:31:22    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-25 23:31:22     98816 --a------ C:\WINDOWS\sed.exe
2008-06-25 23:31:22     80412 --a------ C:\WINDOWS\grep.exe
2008-06-25 23:31:22     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-25 06:48:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 23:23:46     34304 -----n--- C:\WINDOWS\system32\rqRIaYqN.dll
2008-06-23 23:09:06    106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-06-23 23:09:06    471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:06    262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:06   1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:05    155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-06-23 23:09:05         0 d-------- C:\Program Files\Common Files\Ahead
2008-06-23 23:09:02         0 d-------- C:\Program Files\Ahead
2008-06-20 03:01:49         0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 20:05:45         0 d-------- C:\Program Files\Java
2008-06-19 20:04:54         0 d-------- C:\Program Files\Common Files\Java
2008-06-19 17:58:09         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Canon
2008-06-19 17:57:08         0 d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-19 17:53:35         0 d-------- C:\Documents and Settings\FIxeL\Application Data\ScanSoft
2008-06-19 17:53:29         0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-06-19 17:53:29         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-19 17:53:09         0 d-------- C:\Program Files\ScanSoft
2008-06-19 17:52:19         0 d-------- C:\Program Files\Common Files\CANON
2008-06-19 17:50:38         0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-19 17:50:31         0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-19 17:50:13         0 d--h----- C:\Program Files\CanonBJ
2008-06-19 17:49:04         0 d-------- C:\Program Files\Canon
2008-06-17 21:13:15         0 d-------- C:\Program Files\Common Files\DirectX
2008-06-17 21:12:58        96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-06-17 20:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-15 22:57:08         0 d-------- C:\Documents and Settings\FIxeL\Application Data\TeamViewer
2008-06-15 22:49:31         0 d-------- C:\Program Files\DynGate
2008-06-15 22:49:15         0 d-------- C:\Documents and Settings\FIxeL\temp
2008-06-11 09:43:46         0 d-------- C:\Program Files\7-Zip
2008-06-05 09:37:11         0 d--h----- C:\$AVG8.VAULT$
2008-06-05 09:35:25         0 d-------- C:\WINDOWS\pss
2008-06-03 15:50:05         0 d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-06-03 15:45:41     90112 --a------ C:\Progr_.dll
2008-06-03 15:45:09     90112 --a------ C:\Docum_.dll
2008-06-03 15:44:12         0 d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2008-06-03 15:43:46         0 d-------- C:\Documents and Settings\FIxeL\Application Data\DAEMON Tools Pro
2008-06-03 15:38:22         0 d-------- C:\Program Files\DAEMON Tools Pro
2008-06-03 15:24:20    685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys


-- Find3M Report ---------------------------------------------------------------

2008-06-26 13:27:48         0 d-------- C:\Documents and Settings\FIxeL\Application Data\skypePM
2008-06-24 19:31:56         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Skype
2008-06-24 15:24:49         0 d-------- C:\Documents and Settings\FIxeL\Application Data\uTorrent
2008-06-23 23:09:05         0 d-------- C:\Program Files\Common Files
2008-06-19 17:52:40         0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 12:55:15         0 d-------- C:\Program Files\Opera
2008-06-17 20:03:31         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-09 19:56:55         0 d-------- C:\Program Files\HLSW
2008-05-22 20:13:57         0 d-------- C:\Documents and Settings\FIxeL\Application Data\IDMComp
2008-05-22 20:13:17         0 d-------- C:\Program Files\IDM Computer Solutions
2008-05-22 20:09:06         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 22:01:02         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Grisoft
2008-05-11 21:58:03         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Mozilla
2008-05-10 12:26:33         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Adobe
2008-05-08 17:21:04         0 d-------- C:\Program Files\Valve
2008-05-04 11:07:40         0 d-------- C:\Program Files\uTorrent
2008-05-01 21:22:47         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Media Player Classic
2008-05-01 21:22:11         0 d-------- C:\Program Files\K-Lite Codec Pack
2008-05-01 00:48:27         0 d-------- C:\Program Files\Red Kawa
2008-04-30 23:20:37         0 d-------- C:\Program Files\Realtek
2008-04-30 23:20:31    315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-30 13:45:35         0 d-------- C:\Program Files\Lavalys
2008-04-29 01:08:18         0 d-------- C:\Program Files\MSXML 6.0
2008-04-29 01:06:11         0 d-------- C:\Program Files\MSXML 4.0
2008-04-28 23:51:00         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Opera
2008-04-28 20:49:21         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Macromedia
2008-04-28 16:57:22         0 d-------- C:\Program Files\Common Files\ODBC
2008-04-28 16:57:20         0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-28 16:56:59        62 --ahs---- C:\Documents and Settings\FIxeL\Application Data\desktop.ini
2008-04-28 15:23:52         0 d-------- C:\Program Files\Common Files\Adobe
2008-04-28 15:21:04         0 d-------- C:\Program Files\Microsoft.NET
2008-04-28 15:21:00         0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-28 15:12:41         0 d-------- C:\Program Files\Skype
2008-04-28 15:12:40         0 d-------- C:\Program Files\Common Files\Skype
2008-04-28 15:09:35         0 d-------- C:\Program Files\AVG
2008-04-28 14:49:47         0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 14:44:50         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Identities
2008-04-28 14:09:19         0 d-------- C:\Program Files\microsoft frontpage
2008-04-28 14:09:04         0 -rahs---- C:\MSDOS.SYS
2008-04-28 14:09:04         0 -rahs---- C:\IO.SYS
2008-04-28 14:09:04         0 --a------ C:\CONFIG.SYS
2008-04-28 14:09:04         0 --a------ C:\AUTOEXEC.BAT
2008-04-28 14:07:48         0 d--h----- C:\Program Files\WindowsUpdate
2008-04-28 14:07:04         0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-28 14:06:56         0 d-------- C:\Program Files\Movie Maker
2008-04-28 14:06:13     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-28 14:05:53         0 d-------- C:\Program Files\Online Services
2008-04-28 14:05:47         0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-28 14:05:42         0 d-------- C:\Program Files\Messenger
2008-04-28 14:05:38         0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-28 14:05:32         0 d-------- C:\Program Files\Windows NT
2008-04-01 00:25:46    682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-28 20:41:32      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
2008-06-23 23:23   34304   ---------   C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41]
"nwiz"="nwiz.exe" [2007-12-05 01:41 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 09:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-12 15:55]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 16:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\system32\rqRIaYqN.dll [2008-06-23 23:23 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYqN]
rqRIaYqN.dll 2008-06-23 23:23 34304 C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-26 13:31:02 ------------


Extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3500+
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1023.36 MiB / 485.05 MiB
Pagefile Memory (total/avail): 2460.18 MiB / 1948.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 54.49 GiB total, 32.86 GiB free.
D: is Fixed (NTFS) - 178.4 GiB total, 6.77 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2504C - 232.88 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 54.49 GiB - C:
  \PARTITION1 - Extended w/Extended Int 13 - 178.4 GiB - D:

\\.\PHYSICALDRIVE1 - Kingston DataTraveler 2.0 USB Device - 3.78 GiB - 1 partition
  \PARTITION0 - Unknown - 3.79 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\serverdoc\\CS_server\\counter-strike\\hlds.exe"="D:\\serverdoc\\CS_server\\counter-strike\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"D:\\Games\\counter-strike\\hl.exe"="D:\\Games\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\HLSW\\hlsw.exe"="C:\\Program Files\\HLSW\\hlsw.exe:*:Enabled:hlsw"
"C:\\Documents and Settings\\All Users\\Application Data\\Skype\\Plugins\\Plugins\\289650C9E52C40FE91D947C6D0EB72DA\\rcviewer.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Skype\\Plugins\\Plugins\\289650C9E52C40FE91D947C6D0EB72DA\\rcviewer.exe:*:Enabled:Rsupport RemoteCall Viewer"
"D:\\Games\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"="D:\\Games\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe:*:Enabled:THE SETTLERS - Rise of an Empire"
"C:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe"="C:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe:*:Enabled:UltraEdit Professional Text/Hex Editor"
"D:\\Games\\RF Online\\RF.exe"="D:\\Games\\RF Online\\RF.exe:*:Enabled:RFLauncher"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\FIxeL\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\FIxeL
LOGONSERVER=\\PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\IDM Computer Solutions\UltraEdit\;C:\Program Files\IDM Computer Solutions\UltraCompare
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\FIxeL\LOCALS~1\Temp
TMP=C:\DOCUME~1\FIxeL\LOCALS~1\Temp
USERDOMAIN=PC
USERNAME=FIxeL
USERPROFILE=C:\Documents and Settings\FIxeL
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

FIxeL (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Canon MP Navigator 3.1 --> "C:\Program Files\Canon\MP Navigator 3.1\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.1\uninst.ini
Canon MP140 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP140_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP140_series /L0x0009
Canon MP140 series User Registration --> C:\Program Files\Canon\IJEREG\MP140 series\UNINST.EXE
Canon Utilities Easy-LayoutPrint --> C:\Program Files\Canon\Easy-LayoutPrint\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Counter-Strike 1.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13B792AA-C078-43A4-8A3A-8B12D629940D}\Setup.exe" -l0x19
DynGate --> "C:\Program Files\DynGate\uninstall.exe"
EVEREST Ultimate Edition v4.00 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
HijackThis 2.0.2 --> "C:\DOCUME~1\FIxeL\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe" /uninstall
HLSW v1.1.6 --> "C:\Program Files\HLSW\unins000.exe"
Java(tm) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
K-Lite Codec Pack 3.9.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2003 Lithuanian User Interface Pack --> MsiExec.exe /I{901E0427-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Opera 9.50 --> MsiExec.exe /X{70B96CD0-FDF2-489E-8FA0-0F92ED599368}
PIXMA Extended Survey Program --> C:\Program Files\Canon\IJPLM\SETUP.EXE -R
PSP Video 9 2.25 --> C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9  -removeonly
Requiem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F9831B39-277F-4F53-BFB0-12DC90C4CB40}\setup.exe" -l0x9  -removeonly
RF Online Episode 2 --> "D:\Games\RF Online\unins000.exe"
ScanSoft OmniPage SE 4 --> MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skypeâ„¢ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
THE SETTLERS - Rise of an Empire --> "C:\Program Files\InstallShield Installation Information\{D3F80A98-05AB-4D8C-9272-766CCFA6A48D}\setup.exe" -runfromtemp -l0x0009 -removeonly
UltraCompare Professional --> "C:\Program Files\IDM Computer Solutions\UltraCompare\Uninstall.exe" "C:\Program Files\IDM Computer Solutions\UltraCompare\install.log" -u
UltraEdit v14.00 --> MsiExec.exe /I{D7A33067-9016-4D52-BC5B-D42E245AD3BA}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type583 / Error
Event Submitted/Written: 06/25/2008 06:37:04 AM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_0_2_3.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type575 / Error
Event Submitted/Written: 06/24/2008 06:49:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hlds.exe, version 4.1.1.1, faulting module mp.dll, version 0.0.0.0, fault address 0x0008f8b9.
Processing media-specific event for [hlds.exe!ws!]

Event Record #/Type574 / Error
Event Submitted/Written: 06/24/2008 03:33:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hlds.exe, version 4.1.1.1, faulting module mp.dll, version 0.0.0.0, fault address 0x0008f8b9.
Processing media-specific event for [hlds.exe!ws!]

Event Record #/Type570 / Warning
Event Submitted/Written: 06/23/2008 11:11:00 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type569 / Warning
Event Submitted/Written: 06/23/2008 11:11:00 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3120 / Error
Event Submitted/Written: 06/26/2008 01:26:08 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
AvgLdx86
AvgMfx86
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip

Event Record #/Type3119 / Error
Event Submitted/Written: 06/26/2008 01:26:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type3118 / Error
Event Submitted/Written: 06/26/2008 01:26:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type3117 / Error
Event Submitted/Written: 06/26/2008 01:26:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Event Record #/Type3116 / Error
Event Submitted/Written: 06/26/2008 01:26:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-06-26 13:31:02 ------------
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #5 on: July 04, 2008, 10:20:22 AM »
Very sorry for the delay Fixel
I was out of town
Do you still need a hand here?

If so, can you post back here a fresh log from dss.exe please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #6 on: July 05, 2008, 11:43:19 AM »
No problem, not in a hurry or anything, though still need help.
Heres the dss fresh scan made in safe mode ( it didnt give any extra.txt becouse i think i ran it in safe mode) :

Deckard's System Scanner v20071014.68
Run by FIxeL on 2008-07-05 19:54:04
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as FIxeL.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54, on 2008-07-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\FIxeL\Desktop\dss.exe
C:\DOCUME~1\FIxeL\Desktop\FIxeL.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E64E841-2463-47C9-8797-DAF2810BBF61} - C:\WINDOWS\system32\rqRIaYqN.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRIaYqN - C:\WINDOWS\SYSTEM32\rqRIaYqN.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5317 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-06-26 10:19:33         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Malwarebytes
2008-06-26 10:19:27         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 10:19:27         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 23:34:07     53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-25 23:31:22     68096 --a------ C:\WINDOWS\zip.exe
2008-06-25 23:31:22     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-25 23:31:22    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-25 23:31:22    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-25 23:31:22    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-25 23:31:22     98816 --a------ C:\WINDOWS\sed.exe
2008-06-25 23:31:22     80412 --a------ C:\WINDOWS\grep.exe
2008-06-25 23:31:22     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-25 06:48:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 23:23:46     34304 -----n--- C:\WINDOWS\system32\rqRIaYqN.dll
2008-06-23 23:09:06    106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-06-23 23:09:06    471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:06    262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:06   1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-06-23 23:09:05    155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-06-23 23:09:05         0 d-------- C:\Program Files\Common Files\Ahead
2008-06-23 23:09:02         0 d-------- C:\Program Files\Ahead
2008-06-20 03:01:49         0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 20:05:45         0 d-------- C:\Program Files\Java
2008-06-19 20:04:54         0 d-------- C:\Program Files\Common Files\Java
2008-06-19 17:58:09         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Canon
2008-06-19 17:57:08         0 d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-19 17:53:35         0 d-------- C:\Documents and Settings\FIxeL\Application Data\ScanSoft
2008-06-19 17:53:29         0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-06-19 17:53:29         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-19 17:53:09         0 d-------- C:\Program Files\ScanSoft
2008-06-19 17:52:19         0 d-------- C:\Program Files\Common Files\CANON
2008-06-19 17:50:38         0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-19 17:50:31         0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-19 17:50:13         0 d--h----- C:\Program Files\CanonBJ
2008-06-19 17:49:04         0 d-------- C:\Program Files\Canon
2008-06-17 21:13:15         0 d-------- C:\Program Files\Common Files\DirectX
2008-06-17 21:12:58        96 --ah----- C:\WINDOWS\system32\HsInfo.dat
2008-06-17 20:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-15 22:57:08         0 d-------- C:\Documents and Settings\FIxeL\Application Data\TeamViewer
2008-06-15 22:49:31         0 d-------- C:\Program Files\DynGate
2008-06-15 22:49:15         0 d-------- C:\Documents and Settings\FIxeL\temp
2008-06-11 09:43:46         0 d-------- C:\Program Files\7-Zip
2008-06-05 09:37:11         0 d--h----- C:\$AVG8.VAULT$
2008-06-05 09:35:25         0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-06-26 13:27:48         0 d-------- C:\Documents and Settings\FIxeL\Application Data\skypePM
2008-06-24 19:31:56         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Skype
2008-06-24 15:24:49         0 d-------- C:\Documents and Settings\FIxeL\Application Data\uTorrent
2008-06-23 23:09:05         0 d-------- C:\Program Files\Common Files
2008-06-19 17:52:40         0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 12:55:15         0 d-------- C:\Program Files\Opera
2008-06-17 20:03:31         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-09 19:56:55         0 d-------- C:\Program Files\HLSW
2008-06-05 10:50:30         0 d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2008-06-03 15:50:46         0 d-------- C:\Program Files\DAEMON Tools Pro
2008-06-03 15:44:10         0 d-------- C:\Documents and Settings\FIxeL\Application Data\DAEMON Tools Pro
2008-05-22 20:13:57         0 d-------- C:\Documents and Settings\FIxeL\Application Data\IDMComp
2008-05-22 20:13:17         0 d-------- C:\Program Files\IDM Computer Solutions
2008-05-22 20:09:06         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 22:01:02         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Grisoft
2008-05-11 21:58:03         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Mozilla
2008-05-10 12:26:33         0 d-------- C:\Documents and Settings\FIxeL\Application Data\Adobe
2008-05-08 17:21:04         0 d-------- C:\Program Files\Valve
2008-04-30 23:20:31    315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-28 16:56:59        62 --ahs---- C:\Documents and Settings\FIxeL\Application Data\desktop.ini
2008-04-28 14:09:04         0 -rahs---- C:\MSDOS.SYS
2008-04-28 14:09:04         0 -rahs---- C:\IO.SYS
2008-04-28 14:09:04         0 --a------ C:\CONFIG.SYS
2008-04-28 14:09:04         0 --a------ C:\AUTOEXEC.BAT
2008-04-28 14:06:13     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
2008-06-23 23:23   34304   ---------   C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41]
"nwiz"="nwiz.exe" [2007-12-05 01:41 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 09:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-12 15:55]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-06-19 17:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 16:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\system32\rqRIaYqN.dll [2008-06-23 23:23 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYqN]
rqRIaYqN.dll 2008-06-23 23:23 34304 C:\WINDOWS\system32\rqRIaYqN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-05 19:54:55 ------------
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #7 on: July 05, 2008, 11:53:14 AM »
Can you delete your copy of Combofix

Then REDownload a fresh copy from [color=\"#FF0000\"]> HERE <[/color][/url]
Save it ONLY to your desktop

Don't run it yet
Instead
==Open notepad
Click START>>RUN>>type in notepad
Hit OK
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]KillAll::

File::
C:\WINDOWS\system32\rqRIaYqN.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"=-
"Malwarebytes Anti-Malware Reboot"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaYqN]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"=-
[/color]
Save this as txtfile on your desktop
CFScript


Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you  with the  name C:\ComboFix.txt..

Post the log from ComboFix
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #8 on: July 05, 2008, 02:10:26 PM »
Heres the result:

ComboFix 08-07-04.6 - FIxeL 2008-07-05 22:18:32.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1257.1.1033.18.818 [GMT 3:00]
Running from: C:\Documents and Settings\FIxeL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FIxeL\Desktop\CFScript.txt

[color=\"red\"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]

FILE ::
C:\WINDOWS\system32\rqRIaYqN.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbKTCccf.ini
C:\WINDOWS\system32\bbKTCccf.ini2
C:\WINDOWS\system32\dwbocowx.ini
C:\WINDOWS\system32\fccCTKbb.dll
C:\WINDOWS\system32\hdnmkpmm.ini
C:\WINDOWS\system32\rqRIaYqN.dll

.
(((((((((((((((((((((((((   Files Created from 2008-06-05 to 2008-07-05  )))))))))))))))))))))))))))))))
.

2008-06-26 10:19 . 2008-06-26 10:19   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 10:19 . 2008-06-26 10:19   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\Malwarebytes
2008-06-26 10:19 . 2008-06-26 10:19   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 10:19 . 2008-06-26 10:19   <DIR>   d--------   C:\Deckard
2008-06-26 10:19 . 2008-06-19 17:48   34,296   --a------   C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 10:19 . 2008-06-19 17:47   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-06-25 06:48 . 2008-06-25 08:20   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 11:30 . 2008-06-24 11:30   0   --a------   C:\WINDOWS\BM1bcb2ecc.xml
2008-06-23 23:09 . 2008-06-23 23:09   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2008-06-23 23:09 . 2008-06-23 23:09   <DIR>   d--------   C:\Program Files\Ahead
2008-06-23 23:09 . 2004-07-26 16:16   1,568,768   --a------   C:\WINDOWS\system32\ImagX7.dll
2008-06-23 23:09 . 2004-07-26 16:16   476,320   --a------   C:\WINDOWS\system32\ImagXpr7.dll
2008-06-23 23:09 . 2004-07-26 16:16   471,040   --a------   C:\WINDOWS\system32\ImagXRA7.dll
2008-06-23 23:09 . 2004-07-26 16:16   262,144   --a------   C:\WINDOWS\system32\ImagXR7.dll
2008-06-23 23:09 . 2001-07-09 10:50   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2008-06-23 23:09 . 2004-03-02 16:37   125,184   ---------   C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-23 23:09 . 2000-06-26 10:45   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2008-06-23 23:09 . 2004-03-02 16:37   5,504   ---------   C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-20 03:01 . 2008-06-20 03:01   <DIR>   d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 20:06 . 2008-03-25 02:37   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-06-19 20:05 . 2008-06-19 20:06   <DIR>   d--------   C:\Program Files\Java
2008-06-19 20:04 . 2008-06-19 20:04   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-06-19 17:58 . 2008-06-19 17:59   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\Canon
2008-06-19 17:57 . 2008-06-19 17:57   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-19 17:54 . 2004-08-03 22:58   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-19 17:54 . 2004-08-03 22:58   15,104   --a--c---   C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Program Files\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Program Files\Common Files\ScanSoft Shared
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:53   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-06-19 17:53 . 2008-06-19 17:54   412   --a------   C:\WINDOWS\MAXLINK.INI
2008-06-19 17:52 . 2008-06-19 17:52   <DIR>   d--------   C:\Program Files\Common Files\CANON
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\Program Files\CanonBJ
2008-06-19 17:50 . 2008-06-19 17:50   <DIR>   d--h-----   C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-19 17:50 . 2006-11-10 05:00   1,314,816   --a------   C:\WINDOWS\system32\CNCC140.DLL
2008-06-19 17:50 . 2006-12-25 23:00   198,656   --a------   C:\WINDOWS\system32\CNMLM8R.DLL
2008-06-19 17:50 . 2006-05-26 04:54   135,168   --a------   C:\WINDOWS\system32\CNCL140.DLL
2008-06-19 17:50 . 2006-06-29 08:29   106,496   --a------   C:\WINDOWS\system32\cnco140.dll
2008-06-19 17:50 . 2006-11-10 04:59   57,344   --a------   C:\WINDOWS\system32\CNCI140.DLL
2008-06-19 17:49 . 2008-06-19 17:57   <DIR>   d--------   C:\Program Files\Canon
2008-06-17 21:13 . 2008-06-17 21:13   <DIR>   d--------   C:\Program Files\Common Files\DirectX
2008-06-17 21:12 . 2008-06-24 19:02   96   --ah-----   C:\WINDOWS\system32\HsInfo.dat
2008-06-17 20:07 . 2008-06-17 20:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-17 20:03 . 2004-08-09 05:04   73,728   --a------   C:\WINDOWS\system32\ISUSPM.cpl
2008-06-15 22:57 . 2008-06-15 23:00   <DIR>   d--------   C:\Documents and Settings\FIxeL\Application Data\TeamViewer
2008-06-15 22:49 . 2008-06-15 22:49   <DIR>   d--------   C:\Program Files\DynGate
2008-06-15 22:49 . 2008-06-15 23:00   <DIR>   d--------   C:\Documents and Settings\FIxeL\temp
2008-06-12 21:58 . 2008-06-12 21:59   38   --a------   C:\WINDOWS\avisplitter.INI
2008-06-11 09:43 . 2008-06-11 09:43   <DIR>   d--------   C:\Program Files\7-Zip
2008-06-11 05:31 . 2008-06-13 16:10   272,128   ---------   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:31 . 2008-06-13 16:10   272,128   -----c---   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 23:42 . 2006-08-16 00:22   811,064   --a------   C:\WINDOWS\system32\imjp81k.dll
2008-06-08 23:40 . 2001-08-17 22:36   8,704   --a------   C:\WINDOWS\system32\kbdjpn.dll
2008-06-05 09:37 . 2008-06-06 20:01   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-06-05 09:35 . 2006-09-28 16:05   237,848   --a------   C:\WINDOWS\system32\xactengine2_4.dll
2008-06-05 09:35 . 2006-09-28 16:04   68,888   --a------   C:\WINDOWS\system32\xinput1_3.dll
2008-06-05 09:35 . 2006-09-28 16:03   15,128   --a------   C:\WINDOWS\system32\x3daudio1_1.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 10:27   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\skypePM
2008-06-24 16:31   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\Skype
2008-06-24 12:24   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\uTorrent
2008-06-20 06:23   96,520   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-20 06:23   76,040   ----a-w   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-20 06:23   12,936   ----a-w   C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-19 14:52   ---------   d-----w   C:\Program Files\Common Files\InstallShield
2008-06-18 09:55   ---------   d-----w   C:\Program Files\Opera
2008-06-17 17:03   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-06-09 16:56   ---------   d-----w   C:\Program Files\HLSW
2008-06-05 07:50   ---------   d-----w   C:\Program Files\DaemonTools_WhenUSave_Installer
2008-06-03 13:11   278,984   ----a-w   C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-03 12:54   25,416   ----a-w   C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-03 12:50   ---------   d-----w   C:\Program Files\DAEMON Tools Pro
2008-06-03 12:50   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-06-03 12:44   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\DAEMON Tools Pro
2008-06-03 12:24   685,816   ----a-w   C:\WINDOWS\system32\drivers\sptd.sys
2008-05-22 17:13   ---------   d-----w   C:\Program Files\IDM Computer Solutions
2008-05-22 17:13   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\IDMComp
2008-05-22 17:09   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 19:01   ---------   d-----w   C:\Documents and Settings\FIxeL\Application Data\Grisoft
2008-05-11 19:00   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-08 14:21   ---------   d-----w   C:\Program Files\Valve
2008-05-08 12:28   202,752   ----a-w   C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-30 20:20   315,392   ----a-w   C:\WINDOWS\HideWin.exe
2008-04-28 12:14   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-10 13:52   16,861,184   ----a-w   C:\WINDOWS\RTHDCPL.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-06-25_23.38.30.23   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 20:36:32   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-07-05 19:20:28   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 16:08 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 09:23 1231128]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 12:02 79400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\serverdoc\\CS_server\\counter-strike\\hlds.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"D:\\Games\\counter-strike\\hl.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Skype\\Plugins\\Plugins\\289650C9E52C40FE91D947C6D0EB72DA\\rcviewer.exe"=
"D:\\Games\\THE SETTLERS - Rise of an Empire\\base\\bin\\Settlers6.exe"=
"C:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe"=
"D:\\Games\\RF Online\\RF.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55551:TCP"= 55551:TCP:Utorrent

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 09:23]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 09:23]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-20 09:23]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 09:23]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 09:23]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 09:12]
S3 USB_RNDIS_51;ZTE USB Remote NDIS Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]

.
Contents of the 'Scheduled Tasks' folder

"2008-06-09 20:15:00 C:\WINDOWS\Tasks\µTorrent.job"
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #9 on: July 05, 2008, 02:26:22 PM »
Are you in Safe mode still or in Normal windows?
If still in safe mode, can you try booting to Normal windows and let me know the results
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #10 on: July 05, 2008, 02:33:52 PM »
When booting in normal mode, after the windows loading sign it freezes.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #11 on: July 05, 2008, 02:39:28 PM »
Can you try a clean boot of the machine

Click Start, click Run, type
msconfig
 and then click OK.

The System Configuration Utility dialog box appears.
Step 2: Configure selective startup options
1.   In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
2.   Click to clear the Process SYSTEM.INI File check box.
3.   Click to clear the Process WIN.INI File check box.
4.   Click to clear the Load Startup Items check box.
5.   Click the Services tab.
6.   Click to select the Hide All Microsoft Services check box.
7.   Click Disable All, and then click Apply and Close
8.   When you are prompted, click Restart to restart the computer.

Try restarting into Normal Windows
Any luck?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #12 on: July 05, 2008, 03:45:41 PM »
It still freezes after the configuration.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #13 on: July 05, 2008, 04:03:51 PM »
Can you scan a few files for me please

Go to the following link
http://www.virustotal.com/flash/index_en.html
Copy and paste the following bold line to the space next to  'Upload a File'

C:\Progr_.dll
Then use the SEND FILE button
Let it finish scanning
Could you post back the results of this scan back here please, or post the link to the results window

Do the same procedure for these file names seperately
C:\Docum_.dll
C:\WINDOWS\BM1bcb2ecc.xml

In addition: Do you know what program you installed before you were disabled from running in Normal windows?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #14 on: July 05, 2008, 04:27:22 PM »
I can connect to the internet only with a laptop, will it be ok, if i copy the files to my laptop and scan from there?
If i remember right i didnt install any programs, tho few days before the freezes i downloaded a game crack, though avg found it as a threat and i deleted it.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #15 on: July 05, 2008, 05:03:30 PM »
Tests
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #16 on: July 05, 2008, 05:05:31 PM »
Try the following
Not sure what's preventing you from Normal windows

Can you go to START>>RUN>>type in
msconfig

Hit OK
Under the Boot. ini tab
Select /BASEVIDEO

APPLY it and Close
Restart the computer, try back into Normal windows
Any luck?

EDIT>> Was having trouble posting the above
Apparently something to do with the .ini after Boot, hmmm
« Last Edit: July 05, 2008, 05:08:19 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #17 on: July 06, 2008, 10:24:55 AM »
Now i was able to go to normal mode, thought the letters and everything were still messed up while loading.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
New hard to deal virus
« Reply #18 on: July 06, 2008, 11:16:49 AM »
Go back to msconfig

Under the General tab select NORMAL startup and Apply it
Don't restart yet
Under the Boot. ini tab recheck /BASEVIDEO
Apply then Close

Restart the computer
Can you get back to Normal Windows
If so, do you know which Nvidia graphics card installed in your computer?
If not
Go to START>>RUN>>type in dxdiag
Hit OK
When it fully loads, select the Display tab
Name of card should be stated there
Post back that info

Edit>>Are you able to scan those files in Normal windows?
« Last Edit: July 06, 2008, 11:18:13 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline FIxeL

  • Full Member
  • ***
  • Posts: 145
  • Karma: +0/-0
    • View Profile
New hard to deal virus
« Reply #19 on: July 06, 2008, 11:22:41 AM »
It loaded, though there are a lot of pink stripes on the screen. In the dxdiag, there isnt a display tab now.
« Last Edit: July 06, 2008, 11:23:05 AM by FIxeL »
Logged
Pages: [1] 2 3
« previous next »