Technology, Support, and News Forum

[EatChex89 Profile Website]

Alright so I've tried basically everything to try to get rid of this virus. Here's what I've tried so far:

-Boot-time scan with Avast Anti-virus
-Regular scan with Avast Anti-virus
-Regular scan with McAfee Virus
-Scan with Microsft Anti-Spyware
-HijackThis/Killbox method

Nothing has worked. The virus only deploys itself when it feels it is being threatened (at least that's what I think). It runs itself when:

a) I try to access Control Panel
b) I try to access C:\WINDOWS or C:\WINDOWS\System32 (where it is located) folders

When it runs, it just freezes my computer and ends closes the Control Panel or C:\Windows folder(s)... This is very annoying.

I tried to google it and came up with very unsatisfying results. Any help on this would be GREATLY appreciated.

for the record, here is my HijackThis Log and Avast Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:08 PM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
E:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\aim\aim.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Gaim\gaim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\AOL\1123900409\ee\AOLHostManager.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe
E:\Program Files\Memento\Memento.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\AOL\1123900409\ee\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1123900409\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\calc.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
e:\unzipped\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9101/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [IECHECK.EXE] C:\WINDOWS\iecheck.exe
O4 - HKCU\..\Run: [AIM] C:\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gaim] E:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Memento.lnk = E:\Program Files\Memento\Memento.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WebEx PCNow.LNK = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [TABS] Tabbed Browsing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8038629125
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/St ... b35645.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab

[snip :: Logitech Proccesses..]

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WB - E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT Host Service (atnthost) - WebEx - C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

fqqmq.dll C:\WINDOWS\System32 Win32:Qoologic-T [Trj]
-- this entry 2 more times.
ikxcxnt.dll C:\WINDOWS\System32 Win32:Qoologic-T [Trj]
wuauclt.dll C:\WINDOWS\System32 Win32:Qoologic-T [Trj]
-- this entry 3 more times

Thanks,
EatChex89

[ar1stotle Profile ICQYIM]

Always give safe mode a shot

[EatChex89 Profile Website]

Always give safe mode a shot

I think i'm going to try that, but still I'm not sure what causes the virus to run.. and the .dll file is created only when I try to open up control panel and the c:\windows folders

[augie]

Always give safe mode a shot

I think i'm going to try that, but still I'm not sure what causes the virus to run.. and the .dll file is created only when I try to open up control panel and the c:\windows folders

Run msconfig and see what's in your startup and uncheck what you don't recognize. You can also disable system restore and see what happens.

[ar1stotle Profile ICQYIM]

Yea, but in safe mode, nothing will run except what windows needs, so whatever is letting it know that you are doing that wont be able to run, which means you should be able to delete it.

[EatChex89 Profile Website]

Yea, but in safe mode, nothing will run except what windows needs, so whatever is letting it know that you are doing that wont be able to run, which means you should be able to delete it.

but i don't even know what it is.. so I can't delete it.

[kd1966 Profile YIM]

If you are going to the safe mode to get rid of some malware that cannot be deleted in normal mode, consider:

- TURNING OFF SYSTEM RESTORE
- BOOT TO SAFE MODE W/NETWORKING
- UPDATE YOUR AV AND OTHER SECURITY PROGRAMS
- RUN SCANS IN SAFE MODE

Determine which program/file got through into your system and adjust your security settings

[ar1stotle Profile ICQYIM]

:-/ if you know what file is infected, delete it.

BTW: Is THIS related to your problem? It has some detailed instructions if its of any help to you.

[EatChex89 Profile Website]

:-/ if you know what file is infected, delete it.

BTW: Is THIS related to your problem? It has some detailed instructions if its of any help to you.

no thats not what my problem is.. i have no problem with ads... as i said it freezes my control panel and c:\windows folders

I have already scanned with Avast in boot-time, which wouldn't that detect any viruses? I think it should...

Like I also said, it only runs and creates the .dll file when I try to access the control apnel or c:\windows folders. I'm not sure what the real program is, and I can't delete the .dll file, because unfortunately it only creates itself when it is being 'threatened'.

Very complicated, and p**ses me off.

[kd1966 Profile YIM]

have you tried the online Panda and Trendmicro scans?

I have found that running these scans in the safe mode will nab those little regen'g buggers; the scan finds the archive file that is recreating the other files (DLL's in your case) and just kills the whole thing