Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Regedit And Msconfig Close By Themselves


  • Please log in to reply
1 reply to this topic

#1 Picollo30

Picollo30

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 26 October 2007 - 05:07 AM

hi guys first of all i'm going to introduce myself, as i'm new here. i'm paulo,31 from portugal. this is the problem i get, maybe malware or virus related seriously don't know.

when i open them they close after a few seconds. i also cant access windows security center or windows firewall or add/remove programs cuz it gives me this weird rundll32.exe. kaspersky internet security 6.0 tells me i have a virus and it tells me av.exe itself (kis main file has a virus too). i thought formatting the pc would solve this eventually, but the virus remains, it causes my computer to crash with BSODS (blue screens of death), when i try to execute a programs it says either the file is corrupted and has been modified or it crashes.

This is one of the virus i'm getting

When i open KIS it shows up:

Virus.Win32.Virut.ag

C:\Programas\KasperskyLabs\KasperskyInternetSecurity6.0\avp.exe

this file contains a virus and cannot be disinfected, it gives me this to almost all files, even system files. i tried the delete once, but then system became unstable and crashed everytime, so i formatted and thought the virus got wiped out but it seems it didnt.

i have the weirdest errors like when i start windows xp it logs in and then automatically it logs off after a few seconds. i dont know what kind of virus this is, but it seems kaspersky 6.0 doesnt seem to be able to delete. once i start kaspersky it goes crazy with reports of virus and it says i have to delete lots of files, even windows system files, when i dont delete the file it asks to delete another one and so on, lots of files with virus. i ran ewido and online antivirus like trend micro and kaspersky and they detected nothing, nor virus or spyware. somebody please help, i'm going crazy here.

i'll post 2 of my most recent my hijackthis logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:45, on 26-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\Programas\ASUS\Ai Booster\OverClk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Programas\SlySoft\CloneCD\CloneCDTray.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Paulo Monteiro\Ambiente de trabalho\Media\Utils\ewido_micro.exe
C:\Programas\Real\RealOne Player\realplay.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Opera\Opera.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Name of App] C:\Programas\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Programas\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Programas\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programas\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Programas\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Netlog 24] C:\Programas\Netlog 24\Notifier\Netlog24Notifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: RAID Manager.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B30541-76C8-4A6D-8207-40474A8D1C2E}: NameServer = 212.55.154.174
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

--
End of file - 5079 bytes


and a more recent one


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:40, on 26-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\SAMSUNG\FW LiveUpdate\FWManager.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Programas\SlySoft\CloneCD\CloneCDTray.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Opera\Opera.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Name of App] C:\Programas\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio]

HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Programas\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Programas\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programas\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Programas\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Programas\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Netlog 24] C:\Programas\Netlog 24\Notifier\Netlog24Notifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: RAID Manager.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} -

C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1B30541-76C8-4A6D-8207-40474A8D1C2E}: NameServer =

212.55.154.174
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky

Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner -

C:\Programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner -

C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. -

C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5745 bytes


hope you guys can help me out

thanks in advance

BC AdBot (Login to Remove)

 


m

#2 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:42 AM

Posted 11 November 2007 - 11:46 AM

* I suggest you reïnstall KIS.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Greets Jürgenv

Donation: Click me.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users