Avast Home detected a Trojan in a program and deleted it, then my firewall asked for permission for svhost to access the internet (port 80), called by the program which I though Avast just deleted. The program was still in memory, so I tried to end task the it, but it said permission denied. I got a few more permission requests from my firewall (Sygate) before it crashed; as it did Avast detected another Trojan and crashed (happened to fast to read exactly what was found).

I set Avast to do a boot time scan, but during the reboot I got the warning Avast had been changed. Avast executable disappeared, if I tried to re-install the executable would always disappear (all other files where still in the Avast folder). The same happened when I installed NOD32, Sygate, Comodo and AGV, just the main executable would disappear.

I tried some on-line scanners, but they mostly need Internet explorer and that had stopped working. I tried Trend Micro on firefox, but half way through my computer reboots.

Any ideas before I re-install on a new hard disk.

you didn’t mention the name of the virus found in your system… could you remember it?

Sorry, but no. I was rushing trying to install Auction Navigator trial to snip an eBay item, while I was out scuffing in new tyres on my Blackbird (the open road was calling).

After reading another post I downloaded SUPERAntiSpyware, which will run. Apart from the cookies it has found Malware.VirusRescue, as yet, but I set a thorough scan and I have 3 hard disks with about 500GB of data on them.

Please excuse typos, I am using internet explorer on my old Dell with no spell checker and a wireless keyboard that keeps missing keys :-\

hard to say anything, cause we don’t know if it was a Beagle or anything else… your scans with HJT or DSS failed?

SUPERAntiSpyware only found Malware.VirusRescue. I removed, re-booted and re-ran SUPERAntiSpyware, now it has found just Trojan.Downloader-Gen/Suspicious. Removed and re-booted again.

HJT re-boots the PC. What’s DDS again?

DSS is an analysis file which should show the miscreant

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

DSS also re-booted my PC, but I found it used HJT, so deleted the HJT folder, ran DSS and used its own scanner, which worked:

Deckard’s System Scanner v20071014.68
Run by Andrew on 2007-11-06 23:35:49
Computer is in Normal Mode.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-06 23:36:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\WINDOWS\system32\e4mserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nspksrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Megatec\RUPS 2000\Rupsd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comodo\CBOClean\BOC425.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Desktop\FireFox Downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [DiskeeperSystray] “C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 “EPSON Stylus CX6600 Series” /O6 “USB002” /M “Stylus CX6600”
O4 - HKLM..\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra ‘Tools’ menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O17 - HKLM\SYSTEM\CCS\Services\Tcpip..{2A32F179-5785-4F68-9ECA-E991AAB90192}: NameServer = 192.168.1.1
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\lib\LicenseServer.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Network Serial Port Kit service (nspksrv) - FabulaTech, Inc. - C:\WINDOWS\system32\nspksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rupsd - Mega System Technologies, Inc. - C:\Program Files\Megatec\RUPS 2000\Rupsd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SSC Monitor (SSCMntr) - SuperSpeed Software, Inc. - C:\WINDOWS\system32\SSCMntr.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

–
End of file - 11419 bytes

– Files created between 2007-10-06 and 2007-11-06 -----------------------------

2007-11-06 22:36:48 0 d-------- C:\Documents and Settings\Andrew\Application Data\Comodo
2007-11-06 22:36:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-06 22:29:39 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2007-11-06 22:29:38 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-11-06 22:29:25 0 d-------- C:\Program Files\Comodo
2007-11-06 19:31:08 0 d-------- C:\Program Files\Trend Micro
2007-11-06 19:30:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 19:30:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 19:30:43 0 d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2007-11-04 20:12:47 0 d-------- C:\a_v_a_s_t
2007-11-04 19:55:27 0 d-------- C:\Documents and Settings\Guest\Application Data\Canopus
2007-11-04 19:29:56 0 d-------- C:\VirusRescue
2007-11-04 11:18:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 11:05:14 0 d-------- C:\Documents and Settings\Andrew.housecall6.6
2007-11-04 10:40:16 0 d-------- C:\WINDOWS\exefld
2007-10-29 20:53:12 0 d-------- C:\Documents and Settings\Andrew\Application Data\Canopus
2007-10-29 20:51:19 0 d-------- C:\Program Files\MSXML 4.0
2007-10-29 20:50:34 4608 --a------ C:\WINDOWS\system32\drivers\cdrport.sys <Not Verified; Canopus Co,. Ltd.; Canopus DREngine Liibrary>
2007-10-29 20:50:34 10368 --a------ C:\WINDOWS\system32\drivers\cdrblock.sys <Not Verified; Canopus Co,. Ltd.; Canopus DREngine Liibrary>
2007-10-29 20:50:33 49152 --a------ C:\WINDOWS\system32\cvpcdvc.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-29 20:50:33 69632 --a------ C:\WINDOWS\system32\cuvccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus HD Product>
2007-10-29 20:50:33 22528 --a------ C:\WINDOWS\system32\csthread.dll <Not Verified; Canopus Corporation; Canopus Thread Manager>
2007-10-29 20:50:33 122961 --a------ C:\WINDOWS\system32\csellc.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 671815 --a------ C:\WINDOWS\system32\csehqa.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 385108 --a------ C:\WINDOWS\system32\csedv.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 147456 --a------ C:\WINDOWS\system32\csccdvcx.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 159832 --a------ C:\WINDOWS\system32\csccdvc.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 258048 --a------ C:\WINDOWS\system32\cllccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus HD Product>
2007-10-29 20:50:32 65536 --a------ C:\WINDOWS\system32\cdvhcodc.dll <Not Verified; Canopus Co., Ltd.; DVCPRO HD Product>
2007-10-29 20:50:32 69632 --a------ C:\WINDOWS\system32\cdvccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus DV Product>
2007-10-29 20:50:32 61440 --a------ C:\WINDOWS\system32\cdv5codc.dll <Not Verified; Canopus Co., Ltd.; DVCPRO50 Product>
2007-10-29 20:50:22 122880 --a------ C:\WINDOWS\system32\icmpeg2.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:22 0 d-------- C:\Program Files\Canopus
2007-10-29 20:50:21 835665 --a------ C:\WINDOWS\system32\cseuvec.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:21 1085520 --a------ C:\WINDOWS\system32\csedvh.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:21 0 d-------- C:\Program Files\Common Files\Canopus Shared
2007-10-29 20:45:10 0 --a------ C:\WINDOWS\TempFile
2007-10-29 20:45:01 905216 -----n— C:\WINDOWS\system32\pavplal.dll <Not Verified; Canopus Co., Ltd.; pavplal>
2007-10-29 20:45:01 4096 -----n— C:\WINDOWS\system32\paveno.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-29 20:45:01 49152 --a------ C:\WINDOWS\system32\pavedius.dll <Not Verified; ; EDIUS>
2007-10-29 20:45:01 458752 -----n— C:\WINDOWS\system32\pavapi.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-20 22:24:59 0 d-------- C:\Documents and Settings\Andrew\Application Data\River Past G5
2007-10-20 22:24:59 0 d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2007-10-20 21:57:41 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-10-20 21:50:20 0 d-------- C:\Documents and Settings\Andrew\Application Data\Media Player Classic
2007-10-15 21:26:21 1122304 --a------ C:\WINDOWS\system32\mplvpx.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1581056 --a------ C:\WINDOWS\system32\mplvw7.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1552384 --a------ C:\WINDOWS\system32\mplvm6.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1650688 --a------ C:\WINDOWS\system32\mplva6.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 77824 --a------ C:\WINDOWS\system32\mplaw7.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 65536 --a------ C:\WINDOWS\system32\mplapx.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 65536 --a------ C:\WINDOWS\system32\mplam6.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 77824 --a------ C:\WINDOWS\system32\mplaa6.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-10-15 21:26:19 152064 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-15 21:26:18 761856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-15 21:26:13 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-10-13 15:56:17 0 d-------- C:\Program Files\Activision
2007-10-11 22:50:54 0 d-------- C:\Program Files\SmartFTP Client

– Find3M Report ---------------------------------------------------------------

2007-11-06 22:37:10 0 d-------- C:\Program Files\PC Connectivity Solution
2007-11-06 22:00:27 0 d-------- C:\Program Files\Disk Checker
2007-11-06 19:30:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 19:18:39 0 d-------- C:\Documents and Settings\Andrew\Application Data\Skype
2007-11-06 13:31:50 0 d-------- C:\Program Files\WinZix
2007-11-04 21:05:57 0 d-------- C:\Program Files\Smart Panel
2007-10-29 20:50:21 0 d-------- C:\Program Files\Common Files
2007-10-29 20:50:18 0 d–h----- C:\Program Files\InstallShield Installation Information
2007-10-29 20:23:09 0 d-------- C:\Program Files\Common Files\Cloudmark
2007-10-20 22:25:01 165553 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-10-20 22:24:59 0 d-------- C:\Program Files\Common Files\River Past
2007-10-11 22:48:26 0 d-------- C:\Program Files\SmartFTP Client 2.0
2007-10-11 22:47:49 0 d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2007-10-10 00:03:15 0 d-------- C:\Program Files\No-IP
2007-09-29 11:39:28 0 d-------- C:\Program Files\MagicSofts
2007-09-29 11:05:12 0 d-------- C:\Program Files\DivX
2007-09-25 18:24:13 0 d-------- C:\Program Files\Winstep
2007-09-07 21:10:38 0 d-------- C:\Program Files\Common Files\Skype
2007-08-08 13:04:15 2785 --a------ C:\WINDOWS\mozver.dat
2007-08-07 20:07:10 0 --a------ C:\lock_backup.bin
2007-08-07 16:37:42 2528 --a------ C:\Documents and Settings\Andrew\Application Data$_hpcst$.hpc

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NVRaidService”=“C:\WINDOWS\system32\nvraidservice.exe” [11/06/2004 03:15]
“SmcService”=“C:\PROGRA~1\Sygate\SPF\smc.exe”
“DiskeeperSystray”=“C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe” [22/11/2005 17:38]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“EPSON Stylus CX6600 Series”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe” [01/03/2004 03:00]
“IntelliPoint”=“C:\Program Files\Microsoft IntelliPoint\ipoint.exe” [04/12/2005 15:39]
“BluetoothAuthenticationAgent”=“bthprops.cpl” [03/08/2004 22:56 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“@”=“”
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [21/06/2007 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
“SchedulingAgent”=C:\WINDOWS\system32\mstask.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [24/06/2003 06:31:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 13/10/2004 17:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ldr64]
ldr64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mmx432]
mmx432.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 20/12/2005 19:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Notification Packages”= scecli DPPWDFLT

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@=“Driver Group”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E967-E325-11CE-BFC1-08002BE10318}]
@=“DiskDrive”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@=“Hdc”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@=“Keyboard”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@=“Mouse”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@=“System”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@=“Volume”

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7c57b042-16ee-11da-9ccf-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d6294679-16ef-11da-974c-806d6172696f}]
AutoRun\command- F:\setup.exe -a

– End of Deckard’s System Scanner: finished at 2007-11-06 23:36:35 ------------

So that’s why my PC takes so long to boot.

ldr64.dll and mmx432.dll look like possible culprits, anymore?

yes… but they are hidden by some rootkit maybe… are you able to locate these files manually? if not, just download some antirootkit tool (GMER, RootkitRevealer, BlackLight) and try to unhide the files and to detect the rootkit engine… once this is done, you can send us the related files (the rootkit itself and the two libraries)…

I ran RootkitRevealert there was 4950 discrepancies. I’m not sure what to do next… ???

I tried to save the list, but kept getting location not found, then it crashed.

One last thing, I get something for the weekend on Friday.
No, not that, but COD4 ;D
If I can’t sort this soon, its going to be a re-install :-[

I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda (for XP). They’re more simple.

The infection is W32/Mitglieder.HT as per F-Prot

To fix the safeboot:

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let me know if you can access Safe Mode now?

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ldr64.dll
C:\WINDOWS\system32\mmx432.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

The files will be quarantined

One service I am unable to find any decent information about is
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe

Jotti File Submission:

[*]Please go to Jotti’s malware scan

[*]Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

[*]C:\WINDOWS\system32\e4mserv.exe

[*] Click on the submit button

[*] Please post the results in your next reply.

SafeBootKeyRepair-CF text file reads:

Reg export of safeboot key after repair:

Just that, nothing else.

Won’t go into safe mode
HJT didn’t re-boot this time, but those files where not in the list. “hidr.exe” was so I Fixed it.

What was the location of hidr.exe as that file needs to be quarantined it is Trojan W32.Beagle.DZ

It looks like the trojan stopped the cf fix from working but I have another way around it

Download & run the safe mode fix here
Extract to your desktop, now you have a new file on your desktop called SafeBoot.reg
Double click and allow it to merge into your registry.

Try Safe Mode now.

Just found a reference it may be here %Userprofiles%\Application Data\hidires\hidr.exe

where %Userprofiles% is your user name