Help needed: Invader, system format doesn't help either

Discussion in 'Malware Help (A Specialist Will Reply)' started by chatastrophy, May 17, 2008.

  1. chatastrophy

    chatastrophy Private E-2

    Hi, this is the 6th day I'm having the same problem over and over again. I'm using Kaspersky Anti-Virus. The problem started a few days ago after I started getting warnings about an Invader malware process that was starting. At that time I didn't actually care about it that much, so I didn't actually look into that file, but I terminated or denied the process each time it appeared. It only took merely a few days for the virus to take effect: every time, I see my Kaspersky being disabled, and the PC started freezing and crashing all of a sudden. Because of this I installed AVG Anti-Virus, and it managed to delete some viruses after Kaspersky had been disabled, but in the end the freezing and everything was so bad that I had to format my PC. After formatting, it didn't last another night. The next morning I woke up and the same thing had happened, but there were no virus alerts this time. It was also slow as hell, so there was no other choice but to format it again (the virus also disables and cripples System Restore).

    After the second format I installed Acronis True Image, and so far it is the only thing saving me from another system format, as the same thing happened twice. This time I made sure I did a Disk Cleanup of the C drive and removed any trace of any temporary file. Also, some say it is because of my external hard disk, which I didn't format, so I turned on the registry guard and application guard in Kaspersky to make sure that I see any process that is taking place, plugged in my hard disk, made backups and formatted that too. After a while I thought this was over, but it happened again. This time I restored the system using Acronis True Image Home again and decided to look at the Kaspersky event logs from while I wasn't here. Of course there were no warning alerts, but in the events log I noticed some suspicious things in the events which said "process PID(****(some random numbers on each event)) tried to access Kaspersky Anti-Virus(***), but the action has been blocked by the self-defence component, no action is needed on your part".

    http://img201.imageshack.us/img201/1083/kasperskycq0.th.png

    I also noticed that Kaspersky real-time protection had been switched on and off at different times. So I did various online scans for viruses and spyware, which included Malwarebytes Anti-Malware, some "PC Doctor" (don't remember the actual name), Spybot, Ad-Aware and many more online virus scans, but not a single virus or spyware/malware was detected on my PC. And yesterday I was occupied full-time following the malware removal instructions, and I assure you I did not miss a single step while following the instructions. I tried doing a lot of stuff like changing my IP address and reinstalling Kaspersky several times; trust me, I tried a lot of stuff. The problem kept persisting, so at last I thought of writing here.

    By the way, I became a member of this thing called Zango, found out that a lot of people had faced problems with it before, and uninstalled everything that came along with it. There were some virus alerts I got when I was installing it, which I remember was something called "adware.not.a.virus" or something like that. I think this might have been the root of all these problems. So the only problem now is I'm getting Riskware Invader warnings, and right after the warnings my PC crashes and starts freezing, and the problem seems to be moving from process to process: suppose the warning alerts come from winlogon.exe accessing explorer.exe, then the alerts start coming from explorer.exe trying to access another thing. Some say it is a bug in Kaspersky to detect it, because some processes start acting like malware, but every time I get those warnings, crashes, viruses and freezes start following it out of nowhere. Yes, and the only form of escape is a system restore from Acronis. I never saw or detected a keylogger on my PC, but I detected keyloggers too after the Invader came around. (P.S. I'm a little desperate right now for all I've been through, so please don't think much about me writing such a big essay (even now it's freezing like hell).) I've attached the logs along with this. I did not attach a SuperAntiSpyware or Malwarebytes Anti-Malware log since they did not detect anything.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi chatastrophy,
    Welcome to Major Geeks!


    Most of the files on your computer are dated May 17th. Oddly enough, there are a very few dated the 15th and 16th of May. One of your files with the date May 17th is a driver located directly under your C drive: C:\sccfg.sys

    Please see this first: http://forum.kaspersky.com/lofiversion/index.php/t50225.html

    Then go to this folder dated May 16th and located in C:\

    CUMUL May 16 2008 "cumul"

    Open the folder and tell me what is in it, and why the date precedes your reformat/reinstallation?

    The other programs I found which precede May 17th are these:

    "C:\Documents and Settings\New\My Documents\"

    hijack~1.log May 16 2008 5607 "hijackthis.log"
    restore.txt May 15 2008 17 "restore.txt"
    txt.txt May 16 2008 8774 "txt.txt"
    userim~1.bmp May 15 2008 43062 "UserImages.bmp"


    "C:\Documents and Settings\New\Application Data\"

    ACRONIS May 15 2008 "Acronis"
    MALWAR~1 May 16 2008 "Malwarebytes"
    MOZILLA May 15 2008 "Mozilla"
    WINRAR May 16 2008 "WinRAR"


    It's likely that one of your programs contains the file which is causing these problems and each time you reinstall the program, it puts the same file back on your computer. If the above link to the Kaspersky forum doesn't help you, what happens if you don't install Kaspersky? Do you still get the same symptoms?

    I can't see the image you posted. Please resubmit it as a zip file using the Manage Attachments button.

    abri
     
  3. chatastrophy

    chatastrophy Private E-2

    Hi, I'm really sorry for still not stating enough info, or for stating too much and making you confused. Actually, like I said, it's been 6 days (now 7) since the problem started. Also, it's been 3 days (15th May) since my last format. Sorry again. About the files: 'sccfg.sys' was part of a folder lock I used a long time ago. I deleted it now, since it may pose a threat anyway. So any file that was here after the 15th was OK, and I checked them; almost all of them are logs of things like HijackThis, so there's no threat there. I tried uninstalling Kaspersky and installing something like NOD32 or Avast, but the problem got worse after that. Every time the computer reboots, the infected processes usually start to inject themselves into other processes, but Kaspersky stopped that; NOD and Avast couldn't. So as for now, on every startup, the installed antivirus (even Kaspersky) takes about 2-3 minutes to load, and sometimes the desktop freezes too. I read about some people who have the same problems too (sorry, I kind of forgot to save most of the links and used CCleaner). At the time the message about Invaders started showing, many of them found numerous keyloggers making their way into their PC. Others also reported credit card fraud (since some info about credit cards is on their PC). The worst thing that happens is it always comes back even after system formats, just like what happened to me.

    " http://forum.kaspersky.com/lofiversion/index.php/t10224.html " It is usually a virus that injects into other processes to hide itself and spreads that way. So here I am, kind of hopeless, because I have spent like 3 days straight at the PC trying to fix it, but no luck. I just hope anybody could find a cure for this ASAP. By the way, one question: if you format your hard drive, I heard that there will still be traces of temporary files and some stuff. If that's true, I was wondering if there is a way to completely purge every piece of information in one go. Thanks again, and I have attached that other pic in a zip file.
     

    Attached Files:

  4. chatastrophy

    chatastrophy Private E-2

    Hi again. I really don't know how or why, but a miracle just happened, lol. I ran AVG Anti-Rootkit again and somehow it found ntndis.sys, which is a kernel-mode rootkit from what I heard. I deleted it, and the lagging stopped and my system tray returned to normal (the tray would usually freeze when the virus takes effect; this is how I observe whether the virus is active or not). At that time I took the chance to install Kaspersky, ZoneAlarm and some anti-spyware. A while after that, that ntndis.sys was detected again by Kaspersky and SuperAntiSpyware, so I deleted it again. It seems that it runs when certain .exe files are executed. When I installed Online Armor (before I installed ZoneAlarm), when I pressed the exe file, Kaspersky sent an alert saying 'running process C:\windows\system32\winlogon.exe: detected modification of riskware invader'. I allowed it, and when winlogon started running next, winlogon tried to inject the same Invader process into explorer, and after explorer was infected, it spread from explorer to another process. So I system-restored up to the point when everything was working and installed ZoneAlarm after downloading it straight from the site, so there was no modification. So I could conclude that most of my installation and exe files are still infected, but the processes are OK due to the system restore, and every now and then, if an exe file is opened, the same warning appears and the virus (ntndis.sys) appears out of nowhere and lags the whole PC. Also, I'm still scared to start up, because every time I boot, from the welcome screen, it freezes and lags all the way through startup, and an error message appears after that about ntndis.sys (I've attached a pic of it). As for now I'm observing nothing much abnormal except the Control Panel lagging and double icons (I've put a pic of it too). I also have a suspicion about what I see when I right-click some images (pic of it in the ntn file too).

    This is the first time I've gained an edge on the virus in 4 days (been at the computer trying to fix it for 4 days straight, lol), but I won't stop until I take care of the problem permanently. Thanks.
     

    Attached Files:

  5. chatastrophy

    chatastrophy Private E-2

    Sorry, forgot about the Control Panel pic.
     

    Attached Files:

  6. chatastrophy

    chatastrophy Private E-2

    Hi again. This morning when I woke up, I was having connectivity problems with the internet; it wasn't easy to come here either. The "connection was reset" error comes every now and then. The same thing happened last time before my second system reformat, but that time my internet was blocked as a whole. At least this time I can view the page after pressing refresh about 5 times or so. It's getting worse by the second. Please help.
     
  7. abri

    abri MajorGeek

    Hi chatastrophy,

    I would like to have you remove one registry entry and then I want you to get a list of files.

    Please do the following:

    1) Download and install ERUNT. Use it to create a backup of your registry.

    2) Copy the text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" box is set to "All Files". Once you have saved it, look for it on your desktop, and when you find it, double-click it and allow it to merge with the registry.

    REGEDIT4

    ; Remove Explorer's cached per-volume data (including autorun handlers) for this volume GUID
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01b2067-230a-11dd-940e-001cc02a57ff}]

    ; "=-" deletes the named value
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-

    3) Now, please search your C:\WINDOWS\System32 folder for all files ending in .cpl by searching for *.CPL

    4) Attach the list with your next post, and let me know if you got a success message when you ran the registry patch (REGEDIT4).

    abri
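    The same procedure (back up the keys the patch touches, merge fixME.reg, then list the .cpl files) done from PowerShell, as an added example that is not part of the thread or of abri's instructions. It assumes an elevated PowerShell session on a version with Get-FileHash (PowerShell 4 or later); the backup folder, the patch path on the desktop and the output file name are illustrative choices. On what the patch does: the "[-" line deletes one MountPoints2 subkey, which is Explorer's cached per-volume data (including autorun handlers) for the drive with that volume GUID; the thread does not say which drive that is, so the script lists the subkeys first. The "=-" lines delete the logon/startup script policy values under HKCU and HKLM. The .cpl listing adds Authenticode status and SHA-256 so that an unsigned or freshly written applet stands out when Control Panel entries appear doubled.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
# Paths below are assumptions chosen for illustration.

$Backup = Join-Path $env:USERPROFILE 'Desktop\reg-backup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# Export each key the patch touches with reg.exe, so the change can be undone by
# double-clicking the exported .reg file (narrower than a full ERUNT backup, but quick).
$Keys = @(
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$i = 0
foreach ($k in $Keys) {
    $i++
    $out = Join-Path $Backup ("key{0}.reg" -f $i)
    # /y overwrites without prompting; reg.exe exits non-zero if the key does not exist
    & reg.exe export $k $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $k (key may not exist)" }
}

# MountPoints2 holds one subkey per volume that has ever been mounted; show the
# volume GUIDs so the one named in fixME.reg can be recognised before it is deleted.
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' -ErrorAction SilentlyContinue |
    Select-Object PSChildName

# Merge the patch silently (regedit /s prints nothing), then re-read the policy key
# to confirm the values are really gone instead of trusting a success dialog.
$Patch = Join-Path $env:USERPROFILE 'Desktop\fixME.reg'
if (Test-Path $Patch) {
    Start-Process regedit.exe -ArgumentList "/s `"$Patch`"" -Wait
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    'HideLegacyLogonScripts','HideLogoffScripts','RunLogonScriptSync','RunStartupScriptSync','HideStartupScripts' |
        ForEach-Object {
            $state = $(if ($null -eq $p.$_) { 'removed' } else { "still present = $($p.$_)" })
            "{0}: {1}" -f $_, $state
        }
}

# Inventory *.cpl in System32: name, size, last write time, Authenticode status, signer, SHA-256.
# An applet that is NotSigned or written more recently than the rest is the first to look at.
Get-ChildItem "$env:SystemRoot\System32\*.cpl" |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Size      = $_.Length
            Written   = $_.LastWriteTime
            Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            SHA256    = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Signature, Written -Descending |
    Format-Table -AutoSize |
    Out-File (Join-Path $Backup 'cpl-list.txt')
```

    The exported key1.reg through key3.reg can be merged back to undo the patch. Attach cpl-list.txt rather than a plain file search: the hash column lets a helper compare against a known-clean copy of the same Windows build, and the signature column separates Microsoft-signed applets from anything else in the folder.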
     
  8. chatastrophy

    chatastrophy Private E-2

    Hi. The registry edit thing didn't work. It says "Cannot import C:\Documents and Settings\user\Desktop\fixME.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

    Here are the System32 .cpl files. I did a little OS patch last night, so there were new files in the Control Panel, and they weren't doubled.
     

    Attached Files:

    Last edited by a moderator: May 20, 2008
  9. abri

    abri MajorGeek

    Oh, sorry chatastrophy,

    Multiple apologies! I changed one of my copy/paste instructions and got an error in it that keeps showing up. That's why your registry patch didn't work. I'll redo the instructions here:

    Copy the text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" box is set to "All Files". Once you have saved it, look for it on your desktop, and when you find it, double-click it and allow it to merge with the registry.
     
  10. chatastrophy

    chatastrophy Private E-2

    Heheh, yes, this time I got a success message when I ran the registry patch. And I attached the results I got when I did the search for .cpl files. It was the same list (even though I made a little typing error last time), but I'll repost it anyway.
    So, what was the patch actually needed for, and how are things supposed to be after I run it?
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi chatastrophy,

    We asked for the .cpl list to see if we could find out why the programs were doubled, but if I understood you correctly, that problem is now gone? If so, go ahead with the final cleanup instructions:
    abri
     
  12. chatastrophy

    chatastrophy Private E-2

    Hi. Well, the problems were only halfway fixed. It still takes about 5+ minutes to start up, and the taskbar, including the Control Panel, is messed up again. I'm going to format it again by the end of tomorrow; hope it works this time. This time I won't keep a single exe or piece of software in my backups; I'll keep just the avi, zip (etc.) files I need, to make sure nothing infected gets through. Also, last time I reformatted, when I ran the system Disk Cleanup not too long after the format, there were about 3 GB I could free. Any tips on how I could not leave even a single trace of any file when I format (a way to format your computer as safely as possible)?
     
  13. abri

    abri MajorGeek

    Hi chatastrophy,
    Since you already reformatted twice, it seems like it would be a good idea to get rid of the virus. Would you like to have chaslang look at it before you go radical again? He sometimes has some suggestions about things.
    abri
     
  14. chatastrophy

    chatastrophy Private E-2

    Well, thanks a lot, but I think I'll go with the system reformat this time. Besides, after all I've been through (reformatting twice and all), I've got nothing much to lose, so another try with no exe file or anything of that sort being backed up, I could go for it. So should I post here again if the problems persist, or start a new thread? Also, like I said earlier, any extra tips I should take into account when I reformat to lower the chances of it happening again? Anyway, thanks for everything, and I'll let you know if the problems persist.
     
  15. abri

    abri MajorGeek

    Hi chatastrophy,

    Here's a standard list of things to consider when you reformat. In your case, you need to consider the possibility that the problem you're trying to get away from is being reinstalled each time, so it's coming from somewhere:
     
  16. chatastrophy

    chatastrophy Private E-2

    Yes, thanks. I have everything I need and now I'm backing up my stuff. Got the tips in mind. Thanks for everything, and I'll post again if anything happens.
     
  17. abri

    abri MajorGeek

    Oh, please do! I am very curious if you will get it resolved this way!
    Good luck with it! :)
    abri
     
  18. chatastrophy

    chatastrophy Private E-2

    Hi, just formatted it today. So far so good; I don't see many problems yet. Haven't done any restoring of backups yet, though. Anyway, I think the problem is over, even though I'm not sure of it. Hope nothing happens soon. Well, that's all. Thanks and see you.
     
  19. abri

    abri MajorGeek

    Thanks chatastrophy,

    Be sure to scan any external backed-up files before you restore them to your computer. You can use the BitDefender online scan to scan individual drives like your flash drive and CDs. If the problems start up again, you're welcome to continue in this thread.

    abri
     
