Sorry for double posting, can't edit. Thanks for helping out, it seems my Win XP CD was messed up, so I didn't have to use DBan after all. Formatted and installed Windows, everything is fine, thanks again and sorry for slow response, it took some time for my sister to decide what she wants to do >_<.
unikat 0 Newbie Poster
Thanks I'll try it out tomorrow, while I look a bit more into problem which is mentioned in FAQs on that site about disks larger than 128GB (the one her laptop has is at least 300GB). Also need to get few empty dvds since it'll wipe out partitions. One partition still has her backups.
unikat 0 Newbie Poster
Nope no disks. Even if they did send disks, I'm failing to get to point where I can actually format windows or install it. But thx anyway.
unikat 0 Newbie Poster
Anyway stupid question, have you tried using search for rundll32?
I found it in few locations on my pc, among which is one of those hidden folders C:\WINDOWS\$NtServicePackUninstall$ as well as
C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
Most viruses are actually hidden from Task Manager.
Even if they show up, sometimes they are masked as critical or can't be closed, or just start again.
unikat 0 Newbie Poster
My sister got new laptop Sony Vaio, which was bought in Italy. It had that password protection when you first run it, so we couldn't get into Windows (Windows 7 64-bit, not sure which edition).
A month later father got password from shop where he bought it (he works in Italy as lorry driver), but by that time sister went to this "expert" and had it reinstalled. He first reinstalled it, but 32-bit version, and all drivers for graphics card weren't working, it just wouldn't recognize them. He then installed XP, had same problem, then reinstalled 32-bit version and returned laptop saying he'll search for drivers. She doesn't really need drivers, it was running smoothly, she doesn't play any games or anything, just casually browses internet, sometimes uses MSN and stores photographs from her digital camera, so it was ok, but he installed evaluation copy only.
Once it ran out, she took laptop back to him and he installed XP SP3. While bringing back her backups to her laptop from his external HDD, he transferred files from few people whose computers he was fixing and loads of photos, porn and who knows what, along with viruses. For obvious reasons, she didn't take it back to him.
I did a bit of research and installed Avira. It found 2 viruses. Anyway, apparently (which I'm not 100% sure of) the virus which she had on her PC was the so-called "Sasser" (based on some problems it causes and processes it's connected to), I removed …
unikat 0 Newbie Poster
Well I've had to do international call after all, thanks everyone.
unikat 0 Newbie Poster
It's been more than 10 days (12-13).
I've tried calling, but as supposed Bosnian support doesn't work, it says number is not in use.
And when I've used these
Start with last known good configuration or
Safe mode (with networking)
it doesn't work, first one brings me to the same thing as when normally started, Safe mode (w.n.) tells me that I can't activate Windows like this 'cause I can't register while in safe mode and reboots PC normally.
When I've tried system restore from safe mode, I did restore to yesterday before I restarted PC (out of fear not to lose anything important), still nothing happens.
Then I've tried Safe Mode and I can access everything (except network connections), so basically, I can play music, watch clips, play games etc.
Should I do system restore to some 10 days ago?
Do I lose anything else other than installations?
Last step I couldn't try, 'cause I don't have XP CD (or its CD key), although I'm supposed to have original Vista and XP installed, at least I was told I do have them. My father's friend installed them, 'cause I had Italian version of Vista installed on my PC when I bought it. And I don't know anyone else who has XP CD. And my father is out of country and I can't contact him to ask him about friend, so I guess only option is calling someone for repair (which …
unikat 0 Newbie Poster
Well I didn't yet 'cause I don't have a phone. I do have cell phone but I'm out of credit atm. So I was hoping there's a way to still do it over net. I'm not even sure if there's support for Bosnia.
unikat 0 Newbie Poster
Anyway... a year ago I've bought new PC and still kept old one to use for online purposes.
Few days ago I've changed GP card on new one, and it asked me to register Windows online. Today it won't let me do anything until I register Windows online, the problem is I can't access anything on PC, not even control panel or network connections so I could connect online. Is there any way around this? I'm supposed to have original version of XP installed, I'm not 100% sure if I do since I didn't do installation myself.
I've tried using ctrl+alt+delete to get to control panel over it, but nothing happens when the combination is pressed >_<.
Thanks for any help in advance.
unikat 0 Newbie Poster
Thanks for this and everything before, I'll do all these things ASAP and mark problem as solved.
unikat 0 Newbie Poster
I've removed that HJT entry and deleted that folder, there was no need to go to safe mode to delete any of those.
Here is latest HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19:34, on 19.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\NIKOLA\Desktop\uni\HJT\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control …
unikat 0 Newbie Poster
I went to Jotti's and it said:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.
I couldn't upload it on other site, either, it also said something about size being 0 bytes and something in Spanish (I think) after that.
Here is HJT log after rebooting
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:50:25, on 19.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\NIKOLA\Desktop\uni\HJT\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet …
unikat 0 Newbie Poster
Thanks for your help so far, it seems that those two have been removed, also... like log from VundoFix suggested I've removed Java versions 1.5.0.6 and 1.5.0.9.
VundoFix V6.5.6
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 11:33:58 19.7.2007
Listing files found while scanning....
C:\WINDOWS\system32\hlsijheb.dll
C:\WINDOWS\system32\moqru.bak1
C:\WINDOWS\system32\moqru.bak2
C:\WINDOWS\system32\moqru.ini
C:\WINDOWS\system32\moqru.ini2
C:\WINDOWS\system32\moqru.tmp
C:\WINDOWS\system32\ssqqnmn.dll
C:\WINDOWS\system32\urqom.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\moqru.bak1
C:\WINDOWS\system32\moqru.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\moqru.bak2
C:\WINDOWS\system32\moqru.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\moqru.ini
C:\WINDOWS\system32\moqru.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\moqru.ini2
C:\WINDOWS\system32\moqru.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\moqru.tmp
C:\WINDOWS\system32\moqru.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqqnmn.dll
C:\WINDOWS\system32\ssqqnmn.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\urqom.dll
C:\WINDOWS\system32\urqom.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ssqqnmn.dll
C:\WINDOWS\system32\ssqqnmn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\urqom.dll
C:\WINDOWS\system32\urqom.dll Has been deleted!
Performing Repairs to the registry.
Done!
---------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:06, on 19.7.2007
Platform: Windows XP SP2 (WinNT …
unikat 0 Newbie Poster
Sorry for that...
Here is the log from new version of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:06:38, on 19.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\ostalo\Winamp\winamp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\NIKOLA\Desktop\uni\HJT\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
unikat 0 Newbie Poster
So here is the situation I have...
Few days ago my computer got infected, and started opening various advertisement sites, and no matter how many times I've removed them (I'm using Spybot-Search & Destroy and Ad-Aware SE Personal, both regularly updated) in a week or two same advertisement would pop up, so I've just blocked those sites that were opening, and deleting virus every time it popped up (I'm using Avira Anti Virus PE). Lately I've had Vundo.gen popping up regularly as infection and no matter how many times I would delete it, it would show up again. Then there are two entries that Spybot can't delete, they are both recognized as TR/Agent.33302 by Avira and are part of Virtumonde in Spybot entries, no matter how many times I would delete them (even over HiJack This, and even when I try to delete them on startup or from safe mode) they would return every time I try to open Internet Explorer or any link in it, they are located in system32 folder every time they appear.
Then there's new infection which just showed up after I've returned home after being two weeks away, problem is that no one used computer, and Avira recognized it right when I started computer. That one just randomly goes crazy and for like 5 minutes tries multiple attacks so much that my PC freezes almost every time from alerts by Avira, that last one is recognized as TR/PSW.Gamania.B.
I have two more infections …