
cannot completely remove malware, qxzv5.exe still coming back


This topic is locked

#1 truare

Posted 24 February 2010 - 03:16 PM

If anybody can help and advise with a solution on removing malware from my Windows XP SP3 machine.

Symptoms I had are:

System Restore unable to use (greyed out) - but managed to fix by importing registry keys
Unable to enter safe mode (keeps restarting machine) - managed to fix by importing SafeBoot registry keys
On login getting error with Generic Host Process for Win32 Services
System unstable after a couple of minutes and need to restart machine
MSN Messenger starting even if it is not directed to do so
Disabled Symantec Endpoint Protection and cannot open it
Unable to unhide hidden files and folders, same with system protected files (actually you can unhide them, but in a couple of seconds it hides the files again)
It easily infects USB drives, as I noticed the same problems on another computer on which I used my USB drive after I used it on this one.

Anyway, I started a removal process with avast, Malwarebytes and SpyHunter.

avast found a file in windows\system32\wmxperw.exe, marked it as a rootkit and removed it.
After some time the file came back, also in other forms, such as:
wmxperc.exe
wmxperl.exe
wmxperd.exe
qxzv5.exe
qxzv8.exe

I have found traces of that in plenty of registry keys as well.

Finally I bought Prevx 3.0, as it was the only page that came up with definitions for those files while I was googling.

I made a scan and it seemed like it managed to remove it.

After that I made a scan with avast again and then it started to find more malware:
Win32:wmit-c
Win32:Zbot-MQO
Win32:Rootkit-gen

All cleaned.

Also there is something suspicious with a file Secupdat.dat in the system32 folder.
Strange things are happening with the hosts file: I enabled all monitoring in SpyHunter and it reported that some changes were being made to it and asked whether I would allow it.
There was a plethora of redirected URLs, including most of the anti-virus and security sites, that wanted to infiltrate... I blocked that.

There are also strange strings in svchost netsvcs:
enaya
jnjorhq
tbivuxmav
ijplp
knwjn
yhljleer

Anyway, with all the protection I have active now, the system stays stable more than before, but still every time I log on Prevx 3.0 is blocking qxzv5.exe and a
Generic Host Process for Win32 Services error comes up a couple of times.


So I think that I am still not finished with that bastard and cannot start surfing safely without worrying that my passwords and accounts will be stolen.

Any HELP would be appreciated.
Thanks


Here are the reports from DDS:

DDS.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 22:10:03.25 on Wed 02/24/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.504 [GMT 2:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GE Fanuc\Alarm Viewer\Host\AEClientHostService.exe
svchost.exe
C:\Program Files\GE Fanuc\Proficy Common\Proficy Common Licensing\CCFLIC0.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\GE Fanuc\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe
C:\WINDOWS\Intellution\iLicenseSvc.exe
C:\Program Files\GE Fanuc\Proficy Event Logger\LoggingService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PrevxEnterprise\PX3EntSrv.exe
C:\Program Files\PrevxEnterprise\PX3EntTcpipSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\GE Fanuc\Proficy Machine Edition\Common\Components\NT\trapiserver.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
mDefault_Page_URL = hxxp://saturnrdc/qhsemain
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 212.125.176.132:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {377253CB-3122-42F2-AC53-6A27E859DB53} = 10.10.3.251,10.0.0.220,212.125.176.132
Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: ezstor - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-cnote - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
Handler: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - c:\windows\system32\eztoolslib2.dll
Handler: x-zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: zip - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\darmd9g6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.hr
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-2-21 30280]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-20 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-2-20 108392]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-2-21 6300592]
R2 FxControlRuntime;FxControl Runtime;c:\program files\ge fanuc\proficy machine edition\fxcontrol\runtime\nt\FxControl.exe [2006-12-14 630784]
R2 LoggingService;Proficy Log Server;c:\program files\ge fanuc\proficy event logger\LoggingService.exe [2006-12-12 143360]
R2 PX3EntSrv;Prevx 3.0 Enterprise Service;c:\program files\prevxenterprise\PX3EntSrv.exe [2010-2-1 58712]
R2 PX3EntTcpipSrv;Prevx 3.0 Enterprise Tcpip Service;c:\program files\prevxenterprise\PX3EntTcpipSrv.exe [2010-2-1 95560]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-2-21 50376]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-2-20 2440120]
R2 TrapiServer;Trapi File Server;c:\program files\ge fanuc\proficy machine edition\common\components\nt\TrapiServer.exe [2006-12-12 102400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100125.051\NAVENG.SYS [2010-1-27 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100125.051\NAVEX15.SYS [2010-1-27 1323568]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-2-21 24368]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-2-19 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashmaisv.exe" /service --> c:\program files\alwil software\avast4\ashMaiSv.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashwebsv.exe" /service --> c:\program files\alwil software\avast4\ashWebSv.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-19 38224]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\ge fanuc\proficy machine edition\fxview\runtime\proficydrivers\win32\GefPdfOpc.exe [2006-11-24 192512]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]

=============== Created Last 30 ================

2010-02-24 20:00:58 20 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-02-24 03:43:23 27648 ----a-w- C:\conime.exe
2010-02-24 03:40:24 27648 ----a-w- c:\windows\system32\dllcache\conime.exe
2010-02-24 03:40:24 27648 ----a-w- c:\windows\system32\conime.exe
2010-02-24 03:34:05 0 d-----w- c:\program files\Unlocker
2010-02-24 00:13:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-02-23 19:14:10 0 d-s---w- c:\windows\Cookies
2010-02-23 18:39:32 0 d-sha-r- C:\cmdcons
2010-02-23 18:36:25 77312 ----a-w- c:\windows\MBR.exe
2010-02-23 18:36:24 98816 ----a-w- c:\windows\sed.exe
2010-02-23 18:36:24 261632 ----a-w- c:\windows\PEV.exe
2010-02-23 18:36:24 161792 ----a-w- c:\windows\SWREG.exe
2010-02-23 18:34:18 0 d-----w- C:\ComboFix
2010-02-23 17:54:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-02-23 17:54:37 0 d-----w- c:\program files\Panda USB Vaccine
2010-02-23 17:50:06 848856 ----a-w- c:\temp\USBVaccineSetup.exe
2010-02-23 17:34:11 1615732 ----a-w- c:\temp\ProcessExplorer.zip
2010-02-23 06:35:16 32824 ----a-w- c:\windows\system32\rrMon.sys
2010-02-23 06:35:04 0 d-----w- c:\program files\Registrar Registry Manager
2010-02-23 00:09:08 0 d-----w- c:\program files\Uniblue
2010-02-22 21:50:31 0 d-----w- C:\boot
2010-02-22 17:32:38 0 d-----w- c:\temp\Protection Tools
2010-02-22 08:42:37 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-22 08:42:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-22 08:39:27 16409960 ----a-w- C:\spybotsd162.exe
2010-02-22 08:39:26 6579192 ----a-w- C:\spybotsd_includes.exe
2010-02-21 22:01:09 603 ----a-w- c:\windows\WIN.INI
2010-02-21 21:13:02 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-02-21 21:13:01 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-21 21:13:01 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-02-21 21:13:00 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-21 21:12:59 0 d-----w- c:\program files\Prevx
2010-02-21 21:12:56 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-02-21 21:00:51 0 d-----w- c:\program files\PrevxEnterprise
2010-02-21 21:00:51 0 d-----w- C:\PrevxEnterprise
2010-02-21 21:00:43 298 ----a-w- c:\windows\{98C3BECF-DD5F-44D2-8EF3-48A96BB20771}_WiseFW.ini
2010-02-21 20:43:51 1016680 ----a-w- c:\temp\PREVXSAFEONLINE.EXE
2010-02-21 20:43:23 917288 ----a-w- c:\temp\PREVXCSIFREE.EXE
2010-02-21 20:02:07 2145280 ----a-w- c:\windows\ntoskrnl.exe
2010-02-21 19:41:52 2180992 ----a-w- c:\windows\system32\ntoskrnl.ex_
2010-02-21 19:41:52 2180992 ----a-w- C:\ntoskrnl.exe
2010-02-20 17:40:05 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-20 17:40:05 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-20 17:40:04 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-20 17:40:04 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-20 17:39:19 0 d-----w- c:\program files\Symantec
2010-02-19 22:34:47 0 d-----w- c:\program files\Sophos
2010-02-19 22:29:36 608 ----a-w- c:\documents and settings\administrator\sh_wi.bak
2010-02-19 19:53:04 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-19 19:52:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 19:52:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 19:52:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 19:52:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-19 18:14:53 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-19 18:14:53 1409 ----a-w- c:\windows\QTFont.for
2010-02-19 09:45:55 0 d-----w- c:\windows\SHELLNEW
2010-02-19 06:22:44 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-02-18 23:48:41 0 d-----w- c:\program files\CCleaner
2010-02-18 20:35:32 0 d-----w- c:\program files\PowerMenu
2010-02-18 19:10:17 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2010-02-18 19:10:11 0 d-----w- c:\documents and settings\administrator\LocalLow
2010-02-14 23:17:03 0 d-----w- c:\program files\PowerISO
2010-02-14 22:36:58 0 d-----w- c:\docume~1\admini~1\applic~1\DeepBurner Pro
2010-02-14 22:36:27 0 d-----w- c:\program files\Astonsoft
2010-02-14 21:44:56 617 ----a-w- c:\windows\eReg.dat
2010-02-14 21:41:41 0 d-----w- c:\program files\EA Games
2010-02-14 21:32:37 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-14 21:32:26 0 d-----w- c:\program files\DAEMON Tools Lite
2010-02-14 21:31:48 0 d-----w- c:\docume~1\admini~1\applic~1\DAEMON Tools Lite
2010-02-14 21:30:22 221 ----a-w- c:\windows\wininit.ini
2010-02-14 21:30:20 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2010-02-12 18:47:40 28 ----a-w- c:\windows\MgrScrnSvr.ini

==================== Find3M ====================

2009-05-09 09:46:46 12567280 ----a-w- c:\program files\AdbeRdr910_Lite_en_US-9.1.0.26.exe

============= FINISH: 22:11:00.82 ===============




Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/14/2006 8:27:47 AM
System Uptime: 2/24/2010 10:02:48 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 09F8h
Processor: Intel® Pentium® 4 CPU 3.20GHz | XU1 PROCESSOR | 2777/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 19.363 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe Acrobat 7.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3
Adobe Shockwave Player
Apple Software Update
avast! Antivirus
Broadcom Management Programs
CCleaner
DVD X Player 4.1 Professional
Egd Cfg Client Library - V03.00.00C
GE Control Catalog 1.3
Google Earth
Google Talk Plugin
High Definition Audio Driver Package - KB888111
HP Help and Support 4.0
HP Safety and Comfort Guide
HSP Installation
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 2
Java™ 6 Update 5
K-Lite Codec Pack 3.4.5 Full
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.15)
MSN
MSVCRT
Panda USB Vaccine 1.0.1.4
PowerISO
Prevx
Prevx 3.0 Enterprise
Proficy Common Licensing
Proficy Event Logger
Proficy Machine Edition
QuickTime
Realtek High Definition Audio Driver
Registrar Registry Manager 6.50
Security Update for Windows XP (KB923789)
Segoe UI
Skype™ 3.6
Spybot - Search & Destroy
SpyHunter
Symantec Endpoint Protection
Uniblue RegistryBooster 2010
Unlocker 1.8.8
Update for Microsoft Office Word 2007 (KB974631)
VNC Free Edition 4.1.2
WebFldrs XP
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

2/24/2010 5:06:01 AM, error: Service Control Manager [7000] - The aswFsBlk service failed to start due to the following error: The system cannot find the file specified.
2/24/2010 2:25:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi
2/24/2010 2:25:28 PM, error: Service Control Manager [7001] - The avast! Antivirus service depends on the avast! Standard Shield Support service which failed to start because of the following error: The system cannot find the file specified.
2/24/2010 2:25:28 PM, error: Service Control Manager [7000] - The avast! Standard Shield Support service failed to start due to the following error: The system cannot find the file specified.
2/24/2010 2:25:28 PM, error: Service Control Manager [7000] - The avast! iAVS4 Control Service service failed to start due to the following error: The system cannot find the file specified.
2/24/2010 10:10:08 PM, error: Service Control Manager [7016] - The FxControl Runtime service has reported an invalid current state 0.
2/23/2010 4:10:45 AM, error: Trapi File Server [258] -
2/22/2010 10:37:04 AM, error: TermServDevices [1111] - Driver HP Color LaserJet 2840 PS required for printer HP Color LaserJet 2840 PS is unknown. Contact the administrator to install the driver before you log in again.
2/20/2010 4:23:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2/20/2010 4:16:02 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/20/2010 3:23:59 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/20/2010 1:39:06 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu sptd Tcpip
2/20/2010 1:39:06 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2010 1:39:06 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2010 1:39:06 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2010 1:39:06 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2010 1:38:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/20/2010 1:38:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/20/2010 1:38:13 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
2/19/2010 8:08:42 AM, error: NETLOGON [5719] - No Domain Controller is available for domain SONGA due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
2/19/2010 7:56:32 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b
2/19/2010 7:51:45 AM, error: Kerberos [5] - The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server sdc2$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm SONGA.CORP is in sync with the KDC in the client realm.
2/19/2010 7:49:00 AM, error: NETLOGON [5719] - No Domain Controller is available for domain SONGA due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
2/19/2010 4:20:56 AM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: %1 is not a valid Win32 application.
2/19/2010 4:20:55 AM, error: DCOM [10005] - DCOM got error "%193" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
2/19/2010 3:36:17 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 6ba
2/19/2010 3:22:48 AM, error: Srv [2020] - The server was unable to allocate from the system paged pool because the pool was empty.
2/19/2010 12:59:59 PM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BB
2/19/2010 12:36:32 AM, error: Service Control Manager [7034] - The AEClientHostService service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 12:36:02 AM, error: Service Control Manager [7034] - The M1 Licensing Helper service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 12:35:56 AM, error: Service Control Manager [7034] - The Proficy Log Server service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 12:35:45 AM, error: Service Control Manager [7034] - The Trapi File Server service terminated unexpectedly. It has done this 1 time(s).
2/19/2010 10:07:28 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/19/2010 10:06:04 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
2/19/2010 10:06:04 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
2/18/2010 5:26:48 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
2/18/2010 10:55:48 AM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} to the user SONGA\eesaturn SID (S-1-5-21-653892700-3219916036-885337392-1188). This security permission can be modified using the Component Services administrative tool.

==== End Of File ===========================


When I want to run GMER it gives me this error:
LoadDriver("C:DOCUME~1\LOCALS~1\Temp\kxdoafog.sys" error 0x000061: Cannot create a stable subkey under a volatile parent key

I already ran Defogger before everything, so it finished OK.
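Two of the symptoms in this post are classic persistence and tampering signs: service names in the svchost "netsvcs" group that do not belong to Windows (a rogue entry there gets its ServiceDll loaded into a trusted svchost.exe), and hosts-file lines that sinkhole or redirect security-vendor and update sites. The following script is an added example for this thread, not a tool anyone in it posted or used. It runs offline on text you export from the machine. The XP SP3 baseline list and the security-domain list are my assumptions (compiled from a stock install and from the vendors named in the post); the sample inputs are constructed, with the six strings and the spywareinfo.com hosts line taken from the post above and everything else made up.

```python
"""Offline triage for two symptoms described in the post above: rogue service
names in the svchost "netsvcs" group and hijacked hosts-file entries.
Added example for this thread, not a tool posted or used by anyone in it."""
import ipaddress
import re

# ASSUMPTION: the netsvcs group of a stock Windows XP SP3 install. Verify this
# list against a known-good machine of the same build before trusting a
# "rogue" verdict; OEM images and some Microsoft add-ons extend the group.
XP_SP3_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection",
    "helpsvc", "uploadmgr", "napagent", "hkmsvc",
}

# ASSUMPTION: domains that should never appear in the hosts file of an
# ordinary PC (AV vendors, update services, malware-help forums).
SECURITY_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "avast.com", "malwarebytes.org",
    "prevx.com", "kaspersky.com", "spywareinfo.com", "bleepingcomputer.com",
    "windowsupdate.com", "update.microsoft.com",
)


def parse_service_names(text):
    """Accept names one per line, whitespace-separated, or in the "a\\0b\\0c"
    form that `reg query ... /v netsvcs` prints for REG_MULTI_SZ on XP."""
    return [n for n in re.split(r"\\0|\s+", text) if n]


def find_rogue_netsvcs(text, baseline=XP_SP3_NETSVCS):
    """Return group members (in order, deduplicated) that are not in the
    baseline. Comparison is case-insensitive, as the service manager's is."""
    known = {n.lower() for n in baseline}
    seen, rogue = set(), []
    for name in parse_service_names(text):
        key = name.lower()
        if key not in known and key not in seen:
            seen.add(key)
            rogue.append(name)
    return rogue


def _is_security_host(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(hosts_text):
    """Return (ip, host, reason) for every hosts entry worth a look.
    Loopback lines for 'localhost' are the only ones treated as benign."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((parts[0], " ".join(parts[1:]), "unparseable address"))
            continue
        for host in parts[1:]:
            h = host.lower()
            if ip.is_loopback and h in ("localhost", "localhost.localdomain"):
                continue
            if _is_security_host(h):
                reason = ("security/update site sinkholed to loopback" if ip.is_loopback
                          else f"security/update site redirected to {ip}")
            elif ip.is_loopback:
                reason = "site blocked via loopback (review)"
            else:
                reason = "static mapping to non-loopback address (review)"
            findings.append((str(ip), host, reason))
    return findings


# Constructed sample: four stock names plus the six strings quoted in the post,
# in the "\0"-separated form reg.exe prints on XP.
SAMPLE_NETSVCS = ("6to4\\0AppMgmt\\0AudioSrv\\0Browser\\0enaya\\0jnjorhq\\0"
                  "tbivuxmav\\0ijplp\\0knwjn\\0yhljleer\\0wuauserv")

# Constructed sample hosts file. The spywareinfo.com line is the one DDS showed
# in the log above; the other entries are invented (203.0.113.5 is a
# documentation address, not a real redirect target).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
127.0.0.1       liveupdate.symantec.com
203.0.113.5     www.malwarebytes.org
192.168.1.10    fileserver.example.local
"""

if __name__ == "__main__":
    for name in find_rogue_netsvcs(SAMPLE_NETSVCS):
        print(f"netsvcs: unknown group member {name!r}")
    for ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts:   {ip:<15} {host:<28} {reason}")
```

To use it on a real machine, replace SAMPLE_NETSVCS with the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs` and SAMPLE_HOSTS with the contents of %SystemRoot%\system32\drivers\etc\hosts. Each name the script reports as unknown should then be looked up under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, where the ServiceDll value names the DLL that svchost loads for it. One caveat that matters for exactly the kind of infection described here: a kernel-mode rootkit can hide keys and files from a live query, so a clean result from the running system proves little; export the SYSTEM hive and the hosts file from a rescue environment and run the checks on those copies instead.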

#2 truare (Topic Starter)

Posted 24 February 2010 - 09:00 PM

Is there no solution for this, or is everybody busy? As I heard, the first exact symptoms were noticed in the middle of January 2010, and I tried everything, also with PC Tools Alternate Operating System Scanner and Kaspersky Rescue Disk. GMER I managed to run only the first time, when it discovered a rootkit. After that, whenever I want to run it, it gives me an error, even when renaming the file.
Looks to me like the only solution will be format C: and a fresh install :(

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our Malware Removal Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Removal Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another MRT member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Pandy~
Forum Moderator


Edited by Pandy, 24 February 2010 - 09:18 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:59 AM

Posted 26 February 2010 - 08:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

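As an added example (not OTL's code and not from anyone in this thread), the script below parses the /md5start ... /md5stop section of the custom scan above, hashes each listed file, and flags any that are missing or do not match a known-good baseline you supply. That the files live under system32 and system32\drivers, and the throwaway sample tree it builds, are assumptions of the example, not statements from the thread.

```python
"""Hash the files an OTL-style /md5start.../md5stop block names, then compare
against a baseline of known-good MD5s. Added example, not OTL's own code."""
import hashlib
import os
import re
import tempfile

# Excerpt of the /md5start section from the custom scan above (same syntax).
OTL_SCAN_BLOCK = """
/md5start
eventlog.dll
scecli.dll
atapi.sys
iaStor.sys
/md5stop
"""

# Assumption: listed DLLs/drivers are looked for in these two directories.
SEARCH_SUBDIRS = ("system32", os.path.join("system32", "drivers"))


def parse_md5_list(block):
    """Return the file names between /md5start and /md5stop, in order."""
    m = re.search(r"/md5start\s*(.*?)\s*/md5stop", block, re.S | re.I)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_listed_files(systemroot, block=OTL_SCAN_BLOCK):
    """Map each listed name to [(path, md5), ...] for every copy found."""
    found = {}
    for name in parse_md5_list(block):
        paths = [os.path.join(systemroot, sub, name) for sub in SEARCH_SUBDIRS]
        found[name] = [(p, md5_of(p)) for p in paths if os.path.isfile(p)]
    return found


def check_against_baseline(found, baseline):
    """Flag names that are missing or whose MD5 differs from the baseline."""
    flags = {}
    for name, copies in found.items():
        if not copies:
            flags[name] = "missing"
        elif any(h != baseline.get(name) for _, h in copies):
            flags[name] = "hash mismatch"
    return flags


def build_sample_systemroot():
    """Constructed fake %systemroot% with two of the listed names (sample data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32", "drivers"))
    with open(os.path.join(root, "system32", "eventlog.dll"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(root, "system32", "drivers", "atapi.sys"), "wb") as f:
        f.write(b"x")
    return root
```

Point it at a real %systemroot% and a baseline taken from a clean machine of the same service-pack level; a listed driver that hashes differently, or turns up in an unexpected directory, is what the OTL request above is meant to surface.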


#4 truare

truare
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:59 PM

Posted 27 February 2010 - 01:40 AM

I think that it will not be possible for me to do that. I ended up with a total disaster. I have never seen malware like that before. This was a corporate computer connected to a LAN network. Anyway, the last thing that happened: I was running that Prevx 3.0 on the system and, even if the system was much more stable than before, each time I logged on I would get a message from Prevx that it was "blocking a manual infection from entering into system from a file:", which didn't say from which file. And after some time while working on the computer it popped up a warning that malware was detected, qxzv5.exe, and gave me the option of instant deletion. And it was like that over and over, so I sent a mail to Prevx support also. The suggestion they gave me was fatal: to try to uninstall Prevx and re-install it, but with a changed name of the setup file. Actually they gave me a download link on their site where the setup file name was already different from the original. And now the disaster happened. I uninstalled, then installed the new one, ran a scan which showed zero infections, and restarted the machine just to see if that logon message about blocking would come up. This time Prevx didn't want to start at all on startup; finally it started after a couple of minutes, but with protection disabled. I restarted the machine one more time and when I got to the CTRL+ALT+DEL screen my keyboard was dead, as well as the mouse, both on PS/2 ports. Then I plugged in a USB mouse and the mouse started to work, but the USB keyboard (which I actually needed to get into Windows) still did nothing. But everything works normally in the boot menu. When I went to safe mode I had the same story, stuck on the CTRL+ALT+DEL screen.
Then I put in the XP installation CD with the intention of repairing Windows. It started up normally, but on the second setup restart, when I needed to enter the product key, the keyboards were still stuck. Anyway, IT support is involved in all of this because this is not the only computer in the network that is having problems. I suppose that they will simply replace the complete machine and try to save the data by removing the hard drive, because they are also running out of ideas.
Strangely, it all started to happen when a new Office 2007 Professional was installed on 10 different machines; from then on all of them have had problems and the same symptoms.

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:59 AM

Posted 01 March 2010 - 08:39 AM

Hi,

very sorry to hear that. Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

