Avast WEBforum

Other => Viruses and worms => Topic started by: wei203 on June 29, 2010, 10:19:57 PM

Title: Help ! Cant Even Identify the virus!
Post by: wei203 on June 29, 2010, 10:19:57 PM

Symptoms :
Audio Drive Disabled ( No active mixer devices available , blah2 )
Window Startup UI are changed into outdated style Win95 like ( im using WINXP! )
sudden lag in internet and games :(
already using Avast Boot and MBAM complete scan
help please

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on June 29, 2010, 10:22:18 PM

Hi I have an idea what it is - do you also have audio ads ?

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Check the box that says Scan All Users
  
• Under the Custom Scan box paste this in

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on June 29, 2010, 11:48:54 PM

cant put the file in attachment due to the size.

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on June 29, 2010, 11:51:14 PM

Could you upload to Mediafire (http://www.mediafire.com/) and post the sharing link.

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on June 29, 2010, 11:54:08 PM

here is the link
http://www.mediafire.com/?nmnl3mmnzyh

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on June 30, 2010, 04:37:58 AM

here is the log on 1st MBAM Scan :

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/30/2010 2:01:59 AM
mbam-log-2010-06-30 (02-01-59).txt

Scan type: Quick scan
Objects scanned: 116065
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msdirectx (Fake.SystemService) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2QFGLKST\yldpyuu[1].bmp (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NC4TBION\pmykgj[1].gif (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZPNSL9B5\odhzwq[1].jpg (Extension.Mismatch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sky\Local Settings\Temporary Internet Files\Content.IE5\XGH0A3QS\odhzwq[1].jpg (Extension.Mismatch) -> Quarantined and deleted successfully.

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on June 30, 2010, 09:01:37 PM

Have you just re-iinstalled windows ?

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
[2010/06/29 14:56:50 | 005,607,424 | ---- | C] () -- C:\WINDOWS\System32\nic1284.dll
[2010/06/26 14:25:20 | 000,000,862 | R--- | C] () -- C:\WINDOWS\System32\x

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 01, 2010, 07:32:44 AM

here is the result of OTL and COMBOFIX

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 01, 2010, 09:03:52 PM

Hi they are both the OTL result log - could you post the combofix one - it will be at C:\combofix.txt

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 01, 2010, 10:43:27 PM

Doh , it seems like the file lost  :o maybe my brother erased it , geez
so what should i do now ? :'(

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 01, 2010, 10:45:46 PM

Could you re-run combofix please

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 02, 2010, 06:52:48 AM

weird , the combofix folder disappeared and became like "my computer" icon , when i clicked on it direct me into my computer ???
here i attach something i found in QooBox folder this probably the combofix yesterday you asked

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 02, 2010, 09:28:10 PM

You need to allow the installation  of recovery console for combofix to do a full job

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: [Select]

Fcopy::
c:\windows\system32\dllcache\tcpip.sys|c:\windows\system32\drivers\tcpip.sys

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTListit log.

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 03, 2010, 01:57:16 AM

about the OTListit Log, i should only Run Scan it right?

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 03, 2010, 06:27:28 AM

I put the combofix log in attachment and OTL log at this link
http://www.mediafire.com/?ynxojnjz2ky

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 03, 2010, 06:40:24 AM

silly me , just done googling and found out what is OTListIt  ;D
but the link given there was broken / unavailable so any suggestion where can i get this program at?

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 03, 2010, 01:25:34 PM

What are your current problems ?

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 03, 2010, 04:18:48 PM

i posted the link of combofix log http://www.mediafire.com/?ynxojnjz2ky
and you also told me to include A new OTListit log.The problem is where can i get this OTListit software?
any idea?

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 03, 2010, 05:37:18 PM

Sorry that was my bad writing I meant OTL which is the tools new name

What problems do you have now ?

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 04, 2010, 01:29:08 AM

usual problem , my volume control got disabled if i let my PC on for after a while
"There is no active mixer devices available blah blah"
And my LAN disabled too.
there is no other visible effect on PC other than that.

 

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 04, 2010, 01:17:11 PM

Ok could you go to control panel > Device manager and let me know if there is anything with a yellow exclamation mark

If there is could you take a screen shot and post it here

Title: Re: Help ! Cant Even Identify the virus!
Post by: wei203 on July 04, 2010, 05:12:10 PM

as you can see here , no yellow exclamation

Title: Re: Help ! Cant Even Identify the virus!
Post by: essexboy on July 04, 2010, 05:42:57 PM

Quote

usual problem , my volume control got disabled if i let my PC on for after a while
"There is no active mixer devices available blah blah"
And my LAN disabled too.

None of these are symptoms of malware

What error do you get when you try the LAN connection ?

Have you updated your sound card drivers ?