Look, Please?

Hey, I'm fixing my friend's computer now.

There are some major problems on this computer.

I have to manually start up explorer.exe with the task manager.

The desktop, after you manually start explorer, will turn black.

There's a really annoying pause while you're typing, like Firefox will freeze.

I don't think it's a virus, but we have to smack the monitor for it to not be shaky and have lines running through it, making it unreadable. Also, this is a Dell that came with Windows, and Genuine is picking it up as not being verified.

There were some popups and crap earlier, too.

BitDefender and some minor knowledge of HijackThis have helped me get rid of some of it, but I need help getting the rest. ^__^ I will run BitDefender again and also probably ComboFix, but I'm not sure if I need to do more. :3 Thanks, if you can help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:29 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [643cb304] rundll32.exe "C:\WINDOWS\system32\koqgkgrg.dll",b
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4698 bytes

Comments

  • Hello jemmeh,


    The first thing that I've noticed is that Avast 4 is also installed, or that there are still leftovers on the computer, together with BitDefender Antivirus 2008. If both are running in realtime mode, that can cause strange computer behaviour.

    So what I advise is that you download this removal tool for Avast 4 and store it on a USB stick or CD-ROM.

    Boot the PC into safe mode. You can do this after you have seen the BIOS screen by pressing the F8 button on your keyboard several times before the Windows splash screen appears; select safe mode and log in with an account that has administrator privileges. Now put in the Windows installation CD-ROM. After that, press the Windows button together with R, type cmd and press Enter. After that, type sfc /scannow and press Enter. Wait till it ends. After that go to Start, Control Panel, set it to classic view, now double click on monitor/screen, go to the Settings tab, press the Advanced button, go to the monitor/screen tab, now use the dropdown menu that you find in the refresh rate section and choose the lowest value possible, then press Apply and OK. Try now to run the uninstall tool for Avast 4. Reboot the PC as you normally do.

    You can fix these entries in HijackThis:

    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

    Be sure that Internet Explorer is closed, so check that there is no iexplore.exe process running in Task Manager.

    Please also post a ComboFix log.

    Best regards

    Niels

  • alexcrist
    edited April 2008

    Hello Jemmeh,

    Please attach this file for analysis, in a password-protected ZIP archive:

    C:\WINDOWS\system32\koqgkgrg.dll

    Please attach the sample in the Sample Submission section.

    If you cannot find the file, read here: http://forum.bitdefender.com/index.php?showtopic=3573

    After that, fix this line with HJT:

    O4 - HKLM\..\Run: [643cb304] rundll32.exe "C:\WINDOWS\system32\koqgkgrg.dll",b

    Also, make a scan with ComboFix (as Niels said). After that, make a new scan with HijackThis, and post both logs (HJT and ComboFix).

    Before running ComboFix, please disable the AV protection of your computer. Also, since the last time you didn't manage to run ComboFix correctly, please stay at your computer until ComboFix finishes the scan, to see whatever errors you get (if any). Don't forget to re-enable the AV protection after you finish with ComboFix.

    Cris.
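Both replies above single out the same two kinds of HijackThis entries: an O4 Run value that uses rundll32.exe to load a random-looking DLL from system32, and O9 browser buttons that belong to an unwanted shopping add-on. The script below is an added example, not part of this thread and not code from BitDefender or the HijackThis project. It parses O4 and O9 lines in the log format shown above and reports the entries a reviewer would tell the poster to fix. The sample lines are re-typed from the posted log and are constructed input; the "8 hex digits / 8 lower-case letters" rule for a random-looking name and the ShoppingReport watchlist are assumptions for this example, not signatures from any product.

```python
import re

# Constructed sample: a subset of the O4/O9 lines from the log posted in this
# thread, re-typed here (not the original file).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [643cb304] rundll32.exe "C:\WINDOWS\system32\koqgkgrg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# HijackThis line shapes: "O4 - <hive>\..\Run: [<value name>] <command>" and
# "O9 - Extra button|'Tools' menuitem: <label> - {<CLSID>} - <path>".
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# Command of the form: rundll32.exe "<path>.dll",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)

# Assumption (heuristic, not a rule): a Run value name that is just 8 hex digits,
# or a DLL basename of 8 lower-case letters, looks machine-generated.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")

# Constructed watchlist: the add-on the responders told the poster to remove.
UNWANTED_KEYWORDS = ("shoppingreport", "shopperreports")


def parse_o4(line):
    """Split an O4 line into hive, value name and command; None if not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, value_name, command = m.groups()
    return {"hive": hive, "name": value_name, "command": command}


def review_hjt(log_text):
    """Return (section, reason, line) for every entry a reviewer would flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            dll = RUNDLL_RE.search(o4["command"])
            if dll:
                # Basename of the DLL, whichever separator the path uses.
                base = dll.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if HEX_NAME.match(o4["name"]) or RANDOM_DLL.match(base):
                    findings.append(("O4", "rundll32 loads a random-looking DLL at logon", line))
            continue
        if O9_RE.match(line) and any(k in line.lower() for k in UNWANTED_KEYWORDS):
            findings.append(("O9", "IE button belongs to an unwanted shopping add-on", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in review_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample it reports exactly the koqgkgrg.dll Run entry and the ShopperReports button, and leaves the Java updater, ctfmon.exe and the Windows Messenger button alone; the legitimate entries are what makes the heuristic useful, since a rule that flags every rundll32 line would also flag ordinary Windows components.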