Author Topic: New hard to deal virus (Read 4312 times)

guestolo · « **Reply #20 on:** July 06, 2008, 11:26:22 AM »

What's the Exact make/model of computer and monitor

guestolo · « **Reply #21 on:** July 06, 2008, 11:41:10 AM »

Quote

In the dxdiag, there isnt a display tab now.

Woops, sorry, Display tab won't show when in /BASEVIDEO

Right click on MyComputer icon and select Properties
Select the HARDWARE tab>>DEVICE MANAGER
Expand (+) on Display Adapter
Post back model of video adapter

FIxeL · « **Reply #22 on:** July 06, 2008, 11:58:24 AM »

Quote

What's the Exact make/model of computer and monitor

Well i use Samsung LCD television screen for monitor. Though the pink stripes started when the pc strated to freeze. Even in the tech screen, that is before the windows loading sign there weare some stripes, but not as many as now in normal mode. And about computer make and model, i dont know were to find them.

Video Adapter: Nvidia GeForece 7600 GS

guestolo · « **Reply #23 on:** July 06, 2008, 12:19:10 PM »

Go to the following link and download and Save to your desktop the latest graphics driver for your card
http://www.nvidia.com/object/winxp_175.16_whql.html

Do not install it yet

Access your Add and Remove programs and remove
NVIDIA Drivers

Reboot the computer afterwards
Back in Normal windows
Close any Hardware found prompts if prompted

Temporarily disable AVG AnitVirus
Double click the AVG icon by the clock and double click on
"Resident Shield"
Uncheck "Resident Shield Active"
Then select "Save Changes"
Close AVG window

Go back to msconfig
Under Boot. ini tab uncheck /BASEVIDEO
Under the General tab ensure Normal Startup is selected
Apply and Close
Choose NOT to restart the computer (Exit without Restart)

Double click on Nvidia driver installer, follow the prompts to install
Reboot when prompted,
Reboot normally

Can you get into Normal windows now with everything enabled and new drivers for video installed?

FIxeL · « **Reply #24 on:** July 06, 2008, 12:31:49 PM »

It freezed while loading windows, then after 1 min it restarted by itself, and after the loading screen then it showed green stripes and freezed again.

guestolo · « **Reply #25 on:** July 06, 2008, 12:49:36 PM »

Let's verify it is not software
Can you go into Safe mode

Right click on MyComputer>>select Properties
Advanced tab>SETTINGS under "Startup and Recovery"
Untick "Automatically restart" under System Failure

Ok and Apply out of there
Shutdown the computer

Check the cable connections to the back of the monitor and computer
Physically disconnect them, ensure there are no bent pins and then reconnect and ensure cables are seated properly

Reboot back to Normal windows
Instead of restarting, it may blue screen, can you post the exact error message if it does happen

FIxeL · « **Reply #26 on:** July 06, 2008, 01:59:29 PM »

No physical demeag. No blue screen, becouse it didnt restart, it stayed freezed.
I think its something with a virus or something like that, becouse when in safe mode, i scaned with avg anti spyware/ antivirus and spybot S&D, cleaned the pc, and after restarting, there wearent any pink stripes on the black screen when the pc information shows, and it didnt freeze while windows was loading. Though when windows loaded, after around 5 min it freezed, and after rebooting, the freezes started again.

guestolo · « **Reply #27 on:** July 06, 2008, 02:01:42 PM »

Well, I think it's hardware related

But, why not try the following
In safe mode, go back to msconfig and select /Basevideo

Reboot back to Normal windows
Scan those 3 files I asked you about earlier

FIxeL · « **Reply #28 on:** July 06, 2008, 02:21:26 PM »

The result of Progr_.dll:
http://www.virustotal.com/analisis/e7dd90f...a83a0b561b26bae
The result of Docum_.dll:
http://www.virustotal.com/analisis/04f207b...1771087de50507d
No report from BM1bcb2ecc.xml becouse it writes 0 bites received.

guestolo · « **Reply #29 on:** July 06, 2008, 02:47:29 PM »

Can you do the following
Update and run another scan with Malwarebytes AntiMalware
Ensure to remove selected
Then post it 's log

Also,
Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Again, I suggest that you disable your AntiVirus software while this scan is running
Double click to run Dr.Web-cureit.exe from desktop

Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer

Please post the log from Dr. Web in a seperate reply along with a fresh hijackthis log

FIxeL · « **Reply #30 on:** July 07, 2008, 04:21:30 AM »

Malverbytes result:

Malwarebytes' Anti-Malware 1.19
Database version: 929
Windows 5.1.2600 Service Pack 2

12:31:50 2008-07-07
mbam-log-7-7-2008 (12-31-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138649
Time elapsed: 29 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\FIxeL\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\nero_6_x.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccCTKbb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP74\A0014887.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP75\A0016935.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Games\Rappelz_USA\Launcher.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP72\A0012916.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP72\A0012918.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.

FIxeL · « **Reply #31 on:** July 07, 2008, 04:44:15 AM »

Malverbytes result:

Malwarebytes' Anti-Malware 1.19
Database version: 929
Windows 5.1.2600 Service Pack 2

12:31:50 2008-07-07
mbam-log-7-7-2008 (12-31-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 138649
Time elapsed: 29 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\FIxeL\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\nero_6_x.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccCTKbb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP74\A0014887.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP75\A0016935.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Games\Rappelz_USA\Launcher.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP72\A0012916.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP72\A0012918.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.

When scanning finishes ill post the Dr.Weband HJT log.

FIxeL · « **Reply #32 on:** July 07, 2008, 11:43:59 AM »

Dr.Web results:

psexesvc.exe   c:\windows   Program.PsExec.170   Incurable.Moved.
psexec.cfexe   C:\ComboFix   Program.PsExec.171   Incurable.Moved.
ComboFix.exe\327882R2FWJFW\psexec.cfexe   C:\Documents and Settings\FIxeL\Desktop\ComboFix.exe   Program.PsExec.171
ComboFix.exe   C:\Documents and Settings\FIxeL\Desktop   Archive contains infected objects   Moved.
Dc2.exe\327882R2FWJFW\psexec.cfexe   C:\RECYCLER\S-1-5-21-1482476501-73586283-725345543-1003\Dc2.exe   Program.PsExec.171
Dc2.exe   C:\RECYCLER\S-1-5-21-1482
476501-73586283-725345543-1003   Archive contains infected objects   Moved.
A0007003.dll   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP45   Adware.SaveNow.124   Incurable.Moved.
A0018945.dll   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP75   Trojan.Virtumod.based.20   Deleted.
A0018946.dll   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP75   Trojan.Virtumod.based.20   Deleted.
A0020014.EXE   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP76   Program.PsExec.170   Incurable.Moved.
A0020130.EXE   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP76   Program.PsExec.170   Incurable.Moved.
A0023247.exe\327882R2FWJFW\psexec.cfexe   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP77\A0023247.exe   Program.PsExec.171
A0023247.exe   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP77   Archive contains infected objects   Moved.
A0023248.exe\327882R2FWJFW\psexec.cfexe   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP77\A0023248.exe   Program.PsExec.171
A0023248.exe   C:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP77   Archive contains infected objects   Moved.
PSEXESVC.EXE   C:\WINDOWS   Program.PsExec.170   Invalid path to file
cabal.exe   D:\Games\CABAL Online   Trojan.DownLoad.336   Deleted.
zm_tree_house.bsp   D:\Games\counter-strike\cstrike\maps   Modification of Oxana.1419   Moved.
03021700.obj   D:\Games\SpaceCowboy\Res-Obj   Modification of Win32.Bumblebee.3833   Moved.
zm_tree_house.bsp   D:\serverdoc\CS_server\counter-strike\cstrike\maps   Modification of Oxana.1419   Moved.
A0023249.exe   D:\System Volume Information\_restore{16A198CA-56FD-42F3-8D1E-6375FF23AB3B}\RP77   Trojan.DownLoad.336   Deleted.
A0001698.exe\data009   D:\System Volume Information\_restore{81A2EC54-EB7D-482B-902B-67F3D40F4430}\RP12\A0001698.exe   Adware.Comet
A0001698.exe   D:\System Volume Information\_restore{81A2EC54-EB7D-482B-902B-67F3D40F4430}\RP12   Archive contains infected objects   Moved.
A0096960.exe\data009   D:\System Volume Information\_restore{A397AA59-85B3-4605-9425-332FA7D3C50E}\RP333\A0096960.exe   Adware.Comet
A0096960.exe   D:\System Volume Information\_restore{A397AA59-85B3-4605-9425-332FA7D3C50E}\RP333   Archive contains infected objects   Moved.
A0096961.exe   D:\System Volume Information\_restore{A397AA59-85B3-4605-9425-332FA7D3C50E}\RP333   Trojan.MulDrop.11541   Deleted.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50, on 2008-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\FIxeL\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5605 bytes

guestolo · « **Reply #33 on:** July 07, 2008, 10:40:53 PM »

Nothing dramatically removed, most are in a safe place
How is everything running, unless you keep me updated, there is no way of me knowing??

FIxeL · « **Reply #34 on:** July 08, 2008, 03:50:52 AM »

No changes about the freezing and stripes.

guestolo · « **Reply #35 on:** July 10, 2008, 02:22:44 PM »

Do you have another Monitor you can try?
Do you have another cable from Monitor to Computer you can try?

death_angel07 · « **Reply #36 on:** July 13, 2008, 04:48:38 AM »

hmmmmm i belave that you should try new cables or monitar that is the problem most of the time senc eu have tried everything elts

FIxeL · « **Reply #37 on:** July 14, 2008, 02:25:25 AM »

I tryed another LCD monitor with a pc cable, and its still the same ( before i used a HDMI cable with the LCD television screen ).

death_angel07 · « **Reply #38 on:** July 14, 2008, 02:29:37 AM »

maybe you should get a new hdmi cable or try useing your old one. and set everything back up the way it used to be before u got the stipes

guestolo · « **Reply #39 on:** July 14, 2008, 09:01:26 AM »

This is sounding more like a Graphics card problem
If your sure you already tried latest drivers
Is your video adapter integrated with motherboard, or is an addin card?

If the latter, and you can get your hands on another video card, I would opt to try it and see if the lines disappear
or remove the video card and clean it
Is the inside of the computer clean?

News:

Author Topic: New hard to deal virus (Read 4312 times)