Help! unknown virus

dsuresh · #1 5th Oct 2008, 13:03

hi,
my system slow down every 20 - 30 min after booting .. i found a problem in temp file named C:\LOGFILE.ETL . file size increasing in every second . after 20-30 min harddisk full notification come from tray . unable to delete .... using avira antivir , spybot, adware spyremover, also checked with kaspersky virus remover tool...

help me........

screenshots :
http://img530.imageshack.us/img530/8...t051836xy3.gif
http://img88.imageshack.us/img88/626...t051836yv7.gif
http://img379.imageshack.us/img379/4...t051837oj3.gif
http://img258.imageshack.us/img258/3...t051844bx1.gif

**tomthedrummer1992** · #2 5th Oct 2008, 14:32

Have you tried deleting in safe mode?

Keep pressing F8 when you turn your computer on and select safe mode from the menu that comes up. Also - use the administrator account.

**evilfantasy** · #3 5th Oct 2008, 14:35

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
log.txt <will be maximized and info.txt <will be minimized
Please post the contents of both logs in the next reply.

dsuresh · #4 6th Oct 2008, 00:59

info.txt logfile of random's system information tool 1.04 2008-10-06 13:25:33

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\NuNInst.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plug in.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BlueSoleil-->MsiExec.exe /X{996D8BB8-9B47-46C7-92DC-DCCE64467AB8}
Eraser-->"C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe" REMOVE=TRUE MODIFY=FALSE
Eraser-->C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}\EraserSetup32.exe
ESET NOD32 Antivirus-->MsiExec.exe /I{3407FD83-0A2F-475E-BE94-34F1FA342C84}
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GOM Player-->"C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
K-Lite Codec Pack 3.8.5 Standard-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Mic rosoft .NET Framework 2.0\install.exe
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mozilla Firefox (3.0.1)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Cutter Joiner 2.20-->"C:\Program Files\AudioToolsFactory\MP3 Cutter Joiner\unins000.exe"
Nero 7 Demo-->MsiExec.exe /I{513AEC24-3465-8C4F-87BA-652D6F491033}
PC Tools Firewall Plus 4.0-->C:\Program Files\PC Tools Firewall Plus\unins000.exe /LOG
Power Data Recovery 4.1.1-->"C:\Program Files\PowerDataRecovery\unins000.exe"
Privacy Guardian 4.1-->"C:\Program Files\Privacy Guardian\unins000.exe"
S3 S3Display-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Sonic Foundry Sound Forge 6.0e-->MsiExec.exe /I{B3DE6A9E-1FD0-4208-92F4-EC9004E34774}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
StarBurn Version 10 (Build 0x20080320)-->"C:\Program Files\Rocket Division Software\StarBurn\unins000.exe"
TeamViewer 3-->C:\Program Files\TeamViewer3\uninstall.exe
Ultra Mobile 3GP Video Converter 2.0.2-->"C:\Program Files\Ultra Mobile 3GP Video Converter\unins000.exe"
UniChrome Graphics Driver and Utilities-->C:\PROGRA~1\S3\S3\s3setvga.exe -s -fC:\PROGRA~1\S3\S3\S3.uns
VideoLAN VLC media player 0.8.6f-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Wisdom-soft ScreenHunter 5.0 Free-->C:\PROGRA~1\WISDOM~1\UNWISE.EXE C:\PROGRA~1\WISDOM~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\YAHOO!\COMMON\unyt.exe

======Hosts File======

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

======Security center information======

AV: Avira AntiVir PersonalEdition (disabled)
AV: ESET NOD32 Antivirus 3.0
FW: PC Tools Firewall Plus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemR oot%\System32\Wbem;C:\Program Files\ZipGenius 6\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;. WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

**evilfantasy** · #5 6th Oct 2008, 09:10

Please run it again and post the main log called log.txt.

dsuresh · #6 6th Oct 2008, 14:11

problem solved.... start key is 0

http://img530.imageshack.us/img530/2...t070239jb4.gif

dsuresh · #7 6th Oct 2008, 14:12

dword must be 0 value

**evilfantasy** · #8 6th Oct 2008, 14:20

So it was a registry key setting and not virus related?

I still wouldn't mind seeing the RSIT log.txt and make sure nothing else is going on.

**Coolyxxx** · #9 6th Oct 2008, 23:32

There's a program called Unlocker, which is pretty useful.
http://ccollomb.free.fr/unlocker/
I use it sometimes. It can delete the files which say are in use etc.

~~candykim~~ · #10 7th Oct 2008, 23:25

Hi
Some malware infects your system restore files too. So you might clean it out and it will reappear when you restart your pc. If this happens you have to turn off system restore to get your pc to delete all the restore points. I dont know if the online scans tell you, but BitDefender when installed will show you which an archive is infected and cant be cleaned.

Mark Sullivan,