Author Topic: EXEs being changed  (Read 17655 times)


mouniernetwork

  • Guest
Re: EXEs being changed
« Reply #30 on: March 07, 2009, 12:22:23 PM »
Hello,

Do you have any games (Enemy Territory - QUAKE, Medal of Honor Airborne, Need for Speed™ ProStreet, Process ID, PunkBuster, etc.)? If not, then the file:
C:\WINDOWS\system32\PnkBstrA.exe

might be suspicious, as it is associated with those programs as well as some viruses. I would definitely check on virustotal.com whether that file is clean. :)

Al968

Mr.Agent

  • Guest
Re: EXEs being changed
« Reply #31 on: March 07, 2009, 04:07:15 PM »
Don't worry al968, it's not a virus. I've got it, and yes, it's for PunkBuster if you want to play on a PB server for Battlefield 1942 or something else that runs the PB anti-cheat.

Btw sepulchre, if the virus keeps turning off your antivirus then maybe you should try to copy the setup and key onto a disk, then go to your infected cpu and install it, and if that didn't work then well, I will have tried to help you, but I think the best way will maybe be to format your PC. (Correct me if I'm wrong.)

mouniernetwork

  • Guest
Re: EXEs being changed
« Reply #32 on: March 08, 2009, 03:26:30 AM »
Quote from: Mr.Agent
Don't worry al968, it's not a virus. I've got it, and yes, it's for PunkBuster if you want to play on a PB server for Battlefield 1942 or something else that runs the PB anti-cheat.

Btw sepulchre, if the virus keeps turning off your antivirus then maybe you should try to copy the setup and key onto a disk, then go to your infected cpu and install it, and if that didn't work then well, I will have tried to help you, but I think the best way will maybe be to format your PC. (Correct me if I'm wrong.)

@Mr.Agent:
As I said earlier, I know that this file usually belongs to PunkBuster, and as I have explained above, the reason I asked is indeed to make sure that this file is the one used by PunkBuster and has not been replaced by a virus, as is often the case. ::)

I also don't understand what the cpu has to do with any of this. ??? ???

@sepulchre:
Also, I am still optimistic, in the sense that I still think we can save you from formatting your hard drive.
Please post when you have completed the VirusTotal scan of the suspicious file, or any update on the progress of the virus. :)

Al968

sepulchre

  • Guest
Re: EXEs being changed
« Reply #33 on: March 08, 2009, 11:54:01 AM »
Sorry for my absence - I had to work. So I've made no progress. :(
Still, I remain hopeful, though I am preparing myself for the possibility of having to format.

Anyway, I will get the newer HJT today and post the results; thanks for the link.

I posted a link to the VirusTotal results earlier in the thread, but here they are:



Thanks again for all the help. I will be battling this all day.
Ken

sepulchre

  • Guest
Re: EXEs being changed
« Reply #34 on: March 08, 2009, 12:12:08 PM »
Okay, I just got the latest version of HJT, renamed it and ran it. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:47 AM, on 3/8/2009
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\xNeat Clipboard Manager\xNeatClipMngr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\# - Network Share\DogThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dvdcopyrip.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [xNeat Clipboard Manager] C:\Program Files\xNeat Clipboard Manager\xNeatClipMngr.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InterBase 7.5 Guardian gds_db (IBG_gds_db) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase 7.5 Server gds_db (IBS_gds_db) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6632 bytes

I hope this shows something helpful.
Ken

sepulchre

  • Guest
Re: EXEs being changed
« Reply #35 on: March 08, 2009, 05:22:03 PM »
Well I've done it now.  >:(

I attempted to reinstall Windows and now Windows will not boot up. This is coming to you from a boot of Dr. Web (Linux). So I guess I'm well and truly screwed.
A friend said I might have problems with my master boot record (MBR). Well, I don't know if that can be fixed now. When I try to boot it gets as far as the Windows screen with the little moving bar, then reboots. That's also what happens when I try to boot into Safe Mode.
So I guess I will be forced to reformat. >:( >:( :'( I was prepared to do that, but I wanted to make an inventory of the drive first. Now I don't know if I'll be able to do that.

I will report any progress made.

If anyone ever finds out who produced the virus, I would like to show that SOB my shotgun!

Thanks to everyone for your help. I encourage all to continue to work towards finding a cure.
Ken

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: EXEs being changed
« Reply #36 on: March 08, 2009, 07:47:30 PM »
Do you have a floppy drive in this computer? If so, you can boot into DOS and use
fdisk /mbr
to recover your MBR.
Also, if you can boot from the Windows CD, you can get to the Recovery Console. There are options there to recover the MBR.
The best things in life are free.

CharleyO

  • Guest
Re: EXEs being changed
« Reply #37 on: March 08, 2009, 08:07:54 PM »
***

An analysis of your HJT log shows the following:

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall from an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Belongs to Windows Live Messenger
http://www.systemlookup.com/CLSID/54865-wlchtc_dll.html

O4 - HKCU\..\Run: [mount.exe] C:\Program Files\FileUtilities.3\mount.exe /z
It seems that the name of this program is the same as the name of the file. In most cases this is the result of trojans. To be sure, you should check this file.

***
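As an added example (not from this thread or from HijackThis itself), here is a small Python triage script that applies the heuristics from the log analysis above to a few constructed lines in the shape of the HJT log posted earlier: orphaned "(file missing)" / "(no file)" entries, Run-key names equal to the executable's file name, and services listed with no publisher. The sample lines and regexes are assumptions made for the example.

```python
import re

# Constructed sample: a handful of lines shaped like the HijackThis log in this thread.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [mount.exe] C:\\Program Files\\FileUtilities.3\\mount.exe /z
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 lines: "O23 - Service: <service> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


def exe_basename(cmd):
    """Return the lowercase file name of the .exe in a Run-key command line ('' if none)."""
    cmd = cmd.strip().strip('"')
    m = re.search(r'([^\\"]+\.exe)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else ''


def triage(log_text):
    """Return a list of (line, reason) for entries a human should look at first."""
    findings = []
    for line in log_text.splitlines():
        # Entries pointing at files that no longer exist are leftovers and safe to fix.
        if '(file missing)' in line or line.endswith('(no file)'):
            findings.append((line, 'orphaned entry: referenced file is absent, safe to fix'))
            continue
        m = O4_RE.match(line)
        if m:
            # Heuristic from the thread: Run-key name identical to the file name is a trojan habit.
            if m.group('name').lower() == exe_basename(m.group('cmd')):
                findings.append((line, 'Run-key name equals executable name: verify this file'))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append((line, 'service with no publisher: check its hash on VirusTotal'))
    return findings


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(f'{why}\n    {entry}')
```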

sepulchre

  • Guest
Re: EXEs being changed
« Reply #38 on: March 08, 2009, 10:33:17 PM »
Thank you so much! I will look for MBR fixes and look into HJT again.

In desperation I tried the Bit Defender bootable CD once more. I had thought it was hanging up while "Trying to update the database", but it simply took a while. When it did come up I saw that, besides the scanner, it has a hard drive view. I was glad because I wanted to jot down as much as I could about what's on the drive before reformatting. I didn't think the scanner would find anything - nothing else has - but I started it anyway. It took a long while to write down all that was on the drive, and when I was finished so was the scanner. Much to my amazement IT FOUND THE BEAGLE VIRUS!! ;D in several places! And deleted it as well!
Since my reinstall of Windows was incomplete I have started that again. Hopefully, that will repair the MBR.

So. . . . BIT DEFENDER RULES!! . . . well, their bootable CD does anyway. ;D

Oh, pardon me. :) I will, of course, still use Avast as I am still confident in its abilities. I emailed the offending file in a password-protected RAR, with the password in the body, to virus@avast.com with "Undetected Virus" as the subject. So I hope the techs at Avast can analyse it and add detection for it in an update soon.

Many, many thanks to you all for your efforts and help. As I said, I'm hopeful that this install of Windows will work. If it's not working properly I will try the latest remedies you have suggested.
Thanks again,
Ken
« Last Edit: March 08, 2009, 10:34:50 PM by sepulchre »

sepulchre

  • Guest
Re: EXEs being changed
« Reply #39 on: March 08, 2009, 11:32:15 PM »
Ok, the machine still won't boot. I tried a DOS bootable floppy and fdisk /mbr to no avail. I booted with my Windows disk and chose Recovery, but it asks for an administrator's password. I have a little utility on a bootable CD that changes the administrator's password, but it says that the password is blank and cannot be changed.

Does anyone know how I can get around this?

Thanks,
Ken

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: EXEs being changed
« Reply #40 on: March 09, 2009, 12:11:53 AM »
Quote from: sepulchre
Ok, the machine still won't boot. I tried a DOS bootable floppy and fdisk /mbr to no avail. I booted with my Windows disk and chose Recovery, but it asks for an administrator's password. I have a little utility on a bootable CD that changes the administrator's password, but it says that the password is blank and cannot be changed.

Does anyone know how I can get around this?

Thanks,
Ken
http://www.petri.co.il/forgot_administrator_password.htm
http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=305
The best things in life are free.

sepulchre

  • Guest
Re: EXEs being changed
« Reply #41 on: March 10, 2009, 12:21:28 AM »
Thanks! Got my password changed. Unfortunately, I had no luck fixing the problem even with the Recovery Console. So I will have to do what I've been trying so hard to avoid: reformat my hard drive. It seems unfair in light of the fact that I did get rid of the virus. But no matter what I do, Windows refuses to boot up. Oh well.
Thanks to everyone for your advice and efforts. I really appreciate it.
Ken

Mr.Agent

  • Guest
Re: EXEs being changed
« Reply #42 on: March 10, 2009, 12:48:27 AM »
No prob, and sry if you lost your thing. We have done what we can; when a virus has infected all of the cpu, 99% of the guys can destroy it because it's possible in a way, but well, myself I didn't know.

sepulchre

  • Guest
Re: EXEs being changed
« Reply #43 on: March 11, 2009, 01:16:44 PM »
Well, I got my HD reformatted and Windows running. Now to reinstall all my apps (112 GB of them). One of the main losses I'm finding is all my favorites links. I guess I'll have to go find them again, if I can remember what they were. Lol!
Anyway, thanks again for everyone's help!
Ken

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: EXEs being changed
« Reply #44 on: March 11, 2009, 01:53:18 PM »
Quote from: sepulchre
favorites links
For IE, store them online with IEPlus.
For Firefox, store and synchronize them with Foxmarks extension.
The best things in life are free.