i just did a downgrade from vista back to XP. upon starting up the first things i got are IE popups. the next day msdos console pops up with a blank screen. then a window pops up reading
16 bit MSDOS Subsystem
C:\WINDOWS\System32\maxd641.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0dc7 IP:0103 OP:db 74 01 4b 83 Choose 'Close' to teminate the application.
Spybot and AVG only detects the virus but cant really do anything to remove them although they "healed" it.
this is my hijackthis log, please advice!
Logfile of HijackThis v1.99.1
Scan saved at 1:08:40 AM, on 10/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\Msn32e.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Y2h1bg\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\kernels1118.exe
C:\Program Files\Common Files\{907BA00A-0958-1033-0601-040202050001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\chun\LOCALS~1\Temp\metasploit.exe
c:\boot.inx
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\WINDOWS\System32\dlh9jkdq5.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Msn32e.exe
C:\WINDOWS\system32\Msn32e.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2h1bg\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)