Problem with the services.exe with the status code 1073741790 -

[MadSheep]

Hello! After the start of the Computer a window appears telling me that services.exe is facing a problem with mentioned above status code. After accepting this message another window appears telling me that the system is going to be shut down in a minute after that the system freeces. I have avoided that by the cmd shutdown -a at the moment. After scanning the Computer with escan several viruses have been detected. However I cannot formate the harddisk due to several license keys kept on this harddisk, therefore I hope you will be able to get rid of the infections without the re-formation of my harddisk.

[Bratez]

Execute the following script in AVZ:

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\dla\tfswctrl.exe','');
 DeleteFile('C:\WINDOWS\Downloaded Program Files\popcaploader.dll');
 BC_ImportQuarantineList;
 BC_DeleteFile('C:\WINDOWS\Downloaded Program Files\popcaploader.dll');
 BC_DeleteSvc('xpdt');
 BC_DeleteFile('C:\WINDOWS\system32:xpdt.sys');
BC_Activate;
RebootWindows(true);
end.

Your system will reboot.
Then upload quarantined files, according to appendix #3 of Rules.

P.S. Do you install post-SP2 updates from Microsoft?
They often help solving similar problems.

[MadSheep]

thank you for your fast response!

Yes, usually I do all the updates for SP2 via the automatic updating function

[Bratez]

OK, nothing bad was found in the quarantine.
Now please make new logfiles (according to steps #8-13 of Rules) to be sure we've really deleted malware from your PC.

[MadSheep]

OK, nothing bad was found in the quarantine.
Now please make new logfiles (according to steps #8-13 of Rules) to be sure we've really deleted malware from your PC.

So here again my log files. I reallised that he had two more infected files detected also yesterday but I performed the 1st scan around midnight so that the computer saved the first log file under a different date

[Bratez]

I'd say it's all OK, just fix these lines in HijackThis:

Код:

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab

but AVZ quarantined two more suspicious files during log creation:
C:\Programme\Microsoft Games\Flight Simulator 9\Addon Scenery\Pfsloww\MSFSInst.exe
C:\Programme\MP3 Player Utilities 3.61\DelDrv.exe
Please upload only these two files as described in appendix #3 of Rules.

[MadSheep]

[quote=Bratez;113745]I'd say it's all OK, just fix these lines in HijackThis:

Код:

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab

I have uploaded the new archive. But can you tell me how can I fix the lines from Hijack This?

[Bratez]

How to "Fix in HijackThis"

As for last two files - looks like "false positive"
(no detection at virustotal.com).

[MadSheep]

Ok so this is done! Большои спасибо за Ваше Времия!