I’m not sure if I have a virus or a hardware problem. When I started the pc this morning no .exe’s would run with the exception of task manager. They would run in safe mode tho. So I restored (cloned) from a backup I made yesterday and all was well until I shut the pc off for about an hour then restarted. Same thing. Here’s the logs I have (OTL didn’t save and extra’s). Help!!!
Hi,
Let me look these logs over and I will return shortly.
Ok,
Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2025429265-790525478-839522115-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: File not found
O15 - HKU\S-1-5-21-2025429265-790525478-839522115-1004\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-2025429265-790525478-839522115-1004\..Trusted Domains: aol.com ([free] http in Trusted sites)
[2007/04/10 16:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and attach a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Ran the fix and then a scan. LOP and Purity were not selected, however once I hit scan they were.
Hi,
I see that you have Malwarebytes on your computer. Please open Malwarebytes, update it and then run a Quick Scan. There will be a log created that I will need in your next reply.
ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
[*]Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
[*][quote]Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
[*]Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
[*]When prompted allow the Add-On/Active X to install.
[*]Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:
[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
[*]The virus signature database… will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
[*]When completed the Online Scan will begin automatically.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
In your next reply please attach the logs made by Malwarebytes and ESET online scanner.
I thought I mentioned this, but I’m doing all this in safe mode with networking as programs won’t start in normal mode. I ran Malwarebytes again, here’s the log of that and Eset.
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
C:\Updater.exe
scroll down a bit and click “send file”, wait for the results and post them in your next reply.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
Will the link to the analysis be good enough?
https://www.virustotal.com/file/61e45b3b7b74f327c918a6834a9b535b4f00d0dd2df0f2b04f82b07bf197c42f/analysis/1333670364/
Hi,
That will work just fine…
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\Updater.exe
C:\Documents and Settings\Bill\Desktop\New Folder\Install_AIM.exe
C:\Program Files\AIM\Sysfiles\WxBug.EXE
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
In your next reply attach the logs made by OTL and let me know if you are able to work in Normal Mode.
First seen by VirusTotal
2009-02-28 01:45:27 UTC ( 3 år, 1 måned ago )
Sigcheck
publisher…: Moodlogic
product…: Moodlogic Application
internal name…: Moodlogic Updater
copyright…: Copyright (C) 2004
original name…: Updater.exe
file version…: 1, 0, 0, 1
description…: Moodlogic Updater Application
The latest log. And normal mode still not working. If it’s like this morning, it will work if I restore (clone) from the backup, at least until I shutdown for any length of time. I do have a screenshot of the services that are normally running, and I can try to get one of how they are now in normal mode. As a side note, in an attempt to eliminate a hardware problem I’ve run prime95 for about 30 minutes, memtest (1 full pass) and the long diag from seatools on the hard drive.
Hi,
Please read through these instructions to familarize yourself with what to expect when this tool runs
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
The combofix log.
I did some comparing this morning of the services that are normally there in normal mode and what’s there now in normal mode. What’s missing is alg.exe, sascore.exe, wmiprvse.exe (not always there) and wauaclt.exe. Also the sound card drivers aren’t loading (I assume this since there’s no sound). The control panel loads, but takes about a minute and then clicking anything there gets an hourglass that never goes away. If I doubleclick on My Computer I get the “searching flashlite”, gave up on that after about 5 minutes. Right clicking in My Computer seems to do nothing, but I can see another rundll32 process get started.
Hi,
Thanks for letting me know.
Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:
[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center
[*]Windows Update
[*]Press “Scan”.
[]It will create a log (FSS.txt) in the same directory the tool is run.
[]Please attach the log to your reply.
The log from FSS.
Hi,
Do you have your Windows XP CD or can you borrow one from a friend? If so, get it out as we may need this during the following steps:
[*]Click on Start > Run > type CMD and press Enter. This will open the command prompt.
[*]In the Command Prompt Window, type (or copy and paste) sfc /scannow and press Enter.
The scan may take some time, so be patient. Windows will repair any corrupted or missing files that it finds. If information from the installation CD is needed to repair the problem, you may be prompted to insert your Windows XP CD.
Any hints on how to get SFC to run in safe mode? When I try I get this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Bill>sfc /scannow
Windows File Protection could not initiate a scan of protected system files.
The specific error code is 0x000006ba [The RPC server is unavailable.
].
I came up in normal mode and it appears nothing happens, thinking that may be due to CMD being an exe file as well. I do have a cmd icon on the desktop as well, in normal mode all that gets me is a hourglass.
Looks like we have some problems with your system more than malware. Let’s see what we can get fixed up.
[*]Click Start, click Run, type mmc, and then click OK.
[*]In the Microsoft Management Console, click Console, and then click Add/Remove Snap-in.
[*]In the Add/Remove dialog box, click Add.
[*]Click Certificates, and then click Add.
[*]Click Computer Account, and then click Next.
[*]Click Local Computer, and then click Finish.
[*]Click Close, and then click OK.
[*]In the console tree, double-click Certificates (Local Computer).
[*]Double-click Trusted Root Certificate Authorities, and then click Certificates.
[*]In the details pane, locate the No Liability Accepted certificate and verify if it is there.[/li]
Let me know if it is there or not.
Yes, it’s there.