Avast WEBforum
Other => Viruses and worms => Topic started by: ecotack on November 06, 2007, 09:34:27 PM
-
Avast Home detected a Trojan in a program and deleted it, then my firewall asked for permission for svchost to access the internet (port 80), called by the program which I thought Avast had just deleted. The program was still in memory, so I tried to end-task it, but it said permission denied. I got a few more permission requests from my firewall (Sygate) before it crashed; as it did, Avast detected another Trojan and crashed (it happened too fast to read exactly what was found).
I set Avast to do a boot-time scan, but during the reboot I got the warning that Avast had been changed. The Avast executable disappeared; if I tried to re-install, the executable would always disappear (all other files were still in the Avast folder). The same happened when I installed NOD32, Sygate, Comodo and AVG: just the main executable would disappear.
I tried some on-line scanners, but they mostly need Internet Explorer and that had stopped working. I tried Trend Micro on Firefox, but halfway through my computer reboots.
Any ideas before I re-install on a new hard disk?
-
You didn't mention the name of the virus found in your system... can you remember it?
-
Sorry, but no. I was rushing, trying to install the Auction Navigator trial to snipe an eBay item, while I was out scuffing in new tyres on my Blackbird (the open road was calling).
After reading another post I downloaded SUPERAntiSpyware, which will run. Apart from the cookies, it has only found Malware.VirusRescue as yet, but I set a thorough scan and I have 3 hard disks with about 500GB of data on them.
Please excuse typos, I am using internet explorer on my old Dell with no spell checker and a wireless keyboard that keeps missing keys :-\
-
Hard to say anything, because we don't know whether it was a Beagle or something else... did your scans with HJT or DSS fail?
-
SUPERAntiSpyware only found Malware.VirusRescue. I removed, re-booted and re-ran SUPERAntiSpyware, now it has found just Trojan.Downloader-Gen/Suspicious. Removed and re-booted again.
HJT re-boots the PC. What's DSS again?
-
DSS is an analysis file which should show the miscreant
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
-
DSS also re-booted my PC, but I found it used HJT, so deleted the HJT folder, ran DSS and used its own scanner, which worked:
Deckard's System Scanner v20071014.68
Run by Andrew on 2007-11-06 23:35:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-06 23:36:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\WINDOWS\system32\e4mserv.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nspksrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Megatec\RUPS 2000\Rupsd.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comodo\CBOClean\BOC425.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Desktop\FireFox Downloads\dss.exe
-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A32F179-5785-4F68-9ECA-E991AAB90192}: NameServer = 192.168.1.1
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\lib\LicenseServer.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: Network Serial Port Kit service (nspksrv) - FabulaTech, Inc. - C:\WINDOWS\system32\nspksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rupsd - Mega System Technologies, Inc. - C:\Program Files\Megatec\RUPS 2000\Rupsd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SSC Monitor (SSCMntr) - SuperSpeed Software, Inc. - C:\WINDOWS\system32\SSCMntr.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe
--
End of file - 11419 bytes
-
-- Files created between 2007-10-06 and 2007-11-06 -----------------------------
2007-11-06 22:36:48 0 d-------- C:\Documents and Settings\Andrew\Application Data\Comodo
2007-11-06 22:36:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-11-06 22:29:39 235008 --a------ C:\WINDOWS\UNBOC.EXE <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
2007-11-06 22:29:38 208896 --a------ C:\WINDOWS\CMDLIC.DLL <Not Verified; COMODO; COMODO BOClean - AntiMalware>
2007-11-06 22:29:25 0 d-------- C:\Program Files\Comodo
2007-11-06 19:31:08 0 d-------- C:\Program Files\Trend Micro
2007-11-06 19:30:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 19:30:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-06 19:30:43 0 d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2007-11-04 20:12:47 0 d-------- C:\a_v_a_s_t
2007-11-04 19:55:27 0 d-------- C:\Documents and Settings\Guest\Application Data\Canopus
2007-11-04 19:29:56 0 d-------- C:\VirusRescue
2007-11-04 11:18:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-04 11:05:14 0 d-------- C:\Documents and Settings\Andrew\.housecall6.6
2007-11-04 10:40:16 0 d-------- C:\WINDOWS\exefld
2007-10-29 20:53:12 0 d-------- C:\Documents and Settings\Andrew\Application Data\Canopus
2007-10-29 20:51:19 0 d-------- C:\Program Files\MSXML 4.0
2007-10-29 20:50:34 4608 --a------ C:\WINDOWS\system32\drivers\cdrport.sys <Not Verified; Canopus Co,. Ltd.; Canopus DREngine Liibrary>
2007-10-29 20:50:34 10368 --a------ C:\WINDOWS\system32\drivers\cdrblock.sys <Not Verified; Canopus Co,. Ltd.; Canopus DREngine Liibrary>
2007-10-29 20:50:33 49152 --a------ C:\WINDOWS\system32\cvpcdvc.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-29 20:50:33 69632 --a------ C:\WINDOWS\system32\cuvccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus HD Product>
2007-10-29 20:50:33 22528 --a------ C:\WINDOWS\system32\csthread.dll <Not Verified; Canopus Corporation; Canopus Thread Manager>
2007-10-29 20:50:33 122961 --a------ C:\WINDOWS\system32\csellc.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 671815 --a------ C:\WINDOWS\system32\csehqa.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 385108 --a------ C:\WINDOWS\system32\csedv.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 147456 --a------ C:\WINDOWS\system32\csccdvcx.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 159832 --a------ C:\WINDOWS\system32\csccdvc.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:33 258048 --a------ C:\WINDOWS\system32\cllccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus HD Product>
2007-10-29 20:50:32 65536 --a------ C:\WINDOWS\system32\cdvhcodc.dll <Not Verified; Canopus Co., Ltd.; DVCPRO HD Product>
2007-10-29 20:50:32 69632 --a------ C:\WINDOWS\system32\cdvccodc.dll <Not Verified; Canopus Co., Ltd.; Canopus DV Product>
2007-10-29 20:50:32 61440 --a------ C:\WINDOWS\system32\cdv5codc.dll <Not Verified; Canopus Co., Ltd.; DVCPRO50 Product>
2007-10-29 20:50:22 122880 --a------ C:\WINDOWS\system32\icmpeg2.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:22 0 d-------- C:\Program Files\Canopus
2007-10-29 20:50:21 835665 --a------ C:\WINDOWS\system32\cseuvec.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:21 1085520 --a------ C:\WINDOWS\system32\csedvh.dll <Not Verified; Canopus Co., Ltd.; Canopus Software Engine>
2007-10-29 20:50:21 0 d-------- C:\Program Files\Common Files\Canopus Shared
2007-10-29 20:45:10 0 --a------ C:\WINDOWS\TempFile
2007-10-29 20:45:01 905216 -----n--- C:\WINDOWS\system32\pavplal.dll <Not Verified; Canopus Co., Ltd.; pavplal>
2007-10-29 20:45:01 4096 -----n--- C:\WINDOWS\system32\paveno.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-29 20:45:01 49152 --a------ C:\WINDOWS\system32\pavedius.dll <Not Verified; ; EDIUS>
2007-10-29 20:45:01 458752 -----n--- C:\WINDOWS\system32\pavapi.dll <Not Verified; Canopus Co., Ltd.; Canopus Video Product>
2007-10-20 22:24:59 0 d-------- C:\Documents and Settings\Andrew\Application Data\River Past G5
2007-10-20 22:24:59 0 d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2007-10-20 21:57:41 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-10-20 21:50:20 0 d-------- C:\Documents and Settings\Andrew\Application Data\Media Player Classic
2007-10-15 21:26:21 1122304 --a------ C:\WINDOWS\system32\mplvpx.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1581056 --a------ C:\WINDOWS\system32\mplvw7.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1552384 --a------ C:\WINDOWS\system32\mplvm6.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 1650688 --a------ C:\WINDOWS\system32\mplva6.dll <Not Verified; Ligos Corporation; MPL Video Library>
2007-10-15 21:26:20 77824 --a------ C:\WINDOWS\system32\mplaw7.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 65536 --a------ C:\WINDOWS\system32\mplapx.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 65536 --a------ C:\WINDOWS\system32\mplam6.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 77824 --a------ C:\WINDOWS\system32\mplaa6.dll <Not Verified; Ligos Corporation; MPL Audio Library>
2007-10-15 21:26:20 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-10-15 21:26:19 152064 --a------ C:\WINDOWS\system32\unrar.dll
2007-10-15 21:26:18 761856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-10-15 21:26:13 0 d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-10-13 15:56:17 0 d-------- C:\Program Files\Activision
2007-10-11 22:50:54 0 d-------- C:\Program Files\SmartFTP Client
-- Find3M Report ---------------------------------------------------------------
2007-11-06 22:37:10 0 d-------- C:\Program Files\PC Connectivity Solution
2007-11-06 22:00:27 0 d-------- C:\Program Files\Disk Checker
2007-11-06 19:30:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 19:18:39 0 d-------- C:\Documents and Settings\Andrew\Application Data\Skype
2007-11-06 13:31:50 0 d-------- C:\Program Files\WinZix
2007-11-04 21:05:57 0 d-------- C:\Program Files\Smart Panel
2007-10-29 20:50:21 0 d-------- C:\Program Files\Common Files
2007-10-29 20:50:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-29 20:23:09 0 d-------- C:\Program Files\Common Files\Cloudmark
2007-10-20 22:25:01 165553 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-10-20 22:24:59 0 d-------- C:\Program Files\Common Files\River Past
2007-10-11 22:48:26 0 d-------- C:\Program Files\SmartFTP Client 2.0
2007-10-11 22:47:49 0 d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2007-10-10 00:03:15 0 d-------- C:\Program Files\No-IP
2007-09-29 11:39:28 0 d-------- C:\Program Files\MagicSofts
2007-09-29 11:05:12 0 d-------- C:\Program Files\DivX
2007-09-25 18:24:13 0 d-------- C:\Program Files\Winstep
2007-09-07 21:10:38 0 d-------- C:\Program Files\Common Files\Skype
2007-08-08 13:04:15 2785 --a------ C:\WINDOWS\mozver.dat
2007-08-07 20:07:10 0 --a------ C:\lock_backup.bin
2007-08-07 16:37:42 2528 --a------ C:\Documents and Settings\Andrew\Application Data\$_hpcst$.hpc
-
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [11/06/2004 03:15]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" []
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [22/11/2005 17:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" []
"EPSON Stylus CX6600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.exe" [01/03/2004 03:00]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [04/12/2005 15:39]
"BluetoothAuthenticationAgent"="bthprops.cpl" [03/08/2004 22:56 C:\WINDOWS\system32\bthprops.cpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\system32\mstask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [24/06/2003 06:31:35]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 13/10/2004 17:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ldr64]
ldr64.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mmx432]
mmx432.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 20/12/2005 19:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli DPPWDFLT
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c57b042-16ee-11da-9ccf-806d6172696f}]
AutoRun\command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6294679-16ef-11da-974c-806d6172696f}]
AutoRun\command- F:\setup.exe -a
-- End of Deckard's System Scanner: finished at 2007-11-06 23:36:35 ------------
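The log above is what the helpers are reading by eye: the O20 Winlogon Notify lines whose DLLs are reported as "(file missing)" are the strongest lead, "Unknown owner" on an O23 service is only a weak one (avast's own services show it too), and the O17 NameServer line is worth a glance for a DNS changer. The following is an added editor example, not code from the thread or from the HijackThis/DSS authors. It parses HJT-format lines and ranks those three entry types; the severity labels and the one O17 line marked "constructed" are assumptions made for the example, the other sample lines are copied from the log above.

```python
"""Triage of HijackThis-style log lines (added editor example).

Not code from the thread or from the HijackThis/DSS authors.  Parses the
O17/O20/O23 lines of an HJT log and ranks them so orphaned Winlogon Notify
hooks (the ldr64/mmx432 entries in the thread) surface first.  Severity
labels and the O17 line marked "constructed" are assumptions of this example.
"""
import ipaddress
import re
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"   # severity labels chosen for this example
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    severity: str
    section: str   # HJT section tag: O17, O20 or O23
    name: str
    path: str
    reason: str


# HJT separates fields with " - "; "(file missing)" is HJT's own marker.
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
RE_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RE_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")


def triage(lines):
    """Return one Finding per line that deserves a look, highest severity first."""
    found = []
    for raw in lines:
        line = raw.strip()
        if m := RE_NOTIFY.match(line):
            if m["missing"]:
                # A Notify key whose DLL cannot be found is either an orphan left by a
                # partial clean-up or a DLL hidden by a rootkit; winlogon will try to
                # load it at every logon either way, so it goes to the top.
                found.append(Finding(HIGH, "O20", m["name"], m["path"],
                                     "Winlogon Notify DLL missing or hidden"))
            elif "\\system32\\" in m["path"].lower():
                found.append(Finding(MEDIUM, "O20", m["name"], m["path"],
                                     "Winlogon Notify DLL in system32; confirm the vendor"))
        elif m := RE_APPINIT.match(line):
            # AppInit_DLLs is loaded into every process that links user32; a bare DLL
            # name is resolved via the search path, so check it even when it belongs
            # to a legitimate shell extension.
            found.append(Finding(MEDIUM, "O20", "AppInit_DLLs", m["dlls"],
                                 "DLL injected into every GUI process"))
        elif m := RE_SERVICE.match(line):
            if m["owner"] == "Unknown owner":
                # Weak signal: HJT prints "Unknown owner" for any binary without version
                # info, which in the thread's log includes avast's own services.
                found.append(Finding(LOW, "O23", m["name"], m["path"],
                                     "service binary has no vendor info; submit for scanning"))
        elif m := RE_DNS.match(line):
            for server in m["servers"].split(","):
                ip = ipaddress.ip_address(server)
                if not any(ip in net for net in RFC1918):
                    found.append(Finding(MEDIUM, "O17", "NameServer", server,
                                         "resolver outside the LAN; check for a DNS changer"))
    order = {HIGH: 0, MEDIUM: 1, LOW: 2}
    return sorted(found, key=lambda f: order[f.severity])


def summarize(findings):
    """Group finding names by severity so a removal list can be built from them."""
    out = {HIGH: [], MEDIUM: [], LOW: []}
    for f in findings:
        out[f.severity].append(f.name)
    return out


# Sample input: lines copied from the DSS/HJT log in the thread, plus one
# constructed O17 line (203.0.113.5, a documentation address) for the DNS check.
SAMPLE_LOG = r"""
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A32F179-5785-4F68-9ECA-E991AAB90192}: NameServer = 192.168.1.1
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 203.0.113.5
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.name}: {f.path}  ({f.reason})")
```

Run against a full log, the "high" list is what goes into the HijackThis "Fix checked" step and the "low" list is the shortlist of binaries to upload to a multi-engine scanner; the parser deliberately does not flag a Notify DLL under Program Files, since vendor tools such as SUPERAntiSpyware register one legitimately.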
-
So that’s why my PC takes so long to boot.
ldr64.dll and mmx432.dll look like possible culprits, anymore?
-
Yes, but they may be hidden by some rootkit. Are you able to locate these files manually? If not, download an anti-rootkit tool (GMER, RootkitRevealer, BlackLight) and try to unhide the files and detect the rootkit engine. Once this is done, you can send us the related files (the rootkit itself and the two libraries).
-
I ran RootkitRevealer; there were 4950 discrepancies. I'm not sure what to do next... ???
-
I tried to save the list, but kept getting location not found, then it crashed.
-
One last thing, I get something for the weekend on Friday.
No, not that, but COD4 ;D
If I can't sort this soon, it's going to be a re-install :-[
-
I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp) (for XP/Vista). For XP: Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx). They're simpler.
-
The infection is W32/Mitglieder.HT as per F-Prot
To fix the safeboot:
Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It should only take a short moment to finish running. A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let me know whether you can access Safe Mode now.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
THEN
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\ldr64.dll
C:\WINDOWS\system32\mmx432.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
The files will be quarantined.
One service I am unable to find any decent information about is
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
Jotti File Submission:
- Please go to Jotti's malware scan (http://virusscan.jotti.org/)
- Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
- C:\WINDOWS\system32\e4mserv.exe
- Click on the submit button
- Please post the results in your next reply.
-
SafeBootKeyRepair-CF text file reads:
Reg export of safeboot key after repair:
=============================
Just that, nothing else.
Won't go into safe mode
HJT didn't re-boot this time, but those files were not in the list. "hidr.exe" was, so I Fixed it.
-
What was the location of hidr.exe? That file needs to be quarantined; it is Trojan W32.Beagle.DZ.
It looks like the trojan stopped the CF fix from working, but I have another way around it.
Download & run the safe mode fix here (http://www.didierstevens.com/files/data/SafeBoot.zip)
Extract to your desktop, now you have a new file on your desktop called SafeBoot.reg
Double click and allow it to merge into your registry.
Try Safe Mode now.
-
Just found a reference that it may be here: %Userprofiles%\Application Data\hidires\hidr.exe
where %Userprofiles% is your user name
-
OK, it will start in Safe Mode now; I can't find either of the two DLLs in system32, or the hidr.exe.
E4M is Encryption for the Masses, one of the projects merged into DriveCrypt.
Just re-booted and run RootKitBuster, nothing found
SuperAntiSpyware found nothing too.
Re-installed Avast, chose a boot-time scan, re-booted, it worked, no more message about Avast being changed. It's found a Small-BXN [trj] up to now; I'll let it finish, do a thorough scan, also with SuperAntiSpyware and once more with RootKitBuster for good luck.
-
Sounds good. Could you post the SAS log? To extract the log file, follow the method below:
- On the first page select Check for Updates
- On completion select SCAN YOUR COMPUTER
- On the next page select COMPLETE SCAN and tick ALL your drives
- The next stage will take a while as your entire drive(s), memory and registry are scanned
- When it has completed click NEXT
- The next screen shows the problems found click OK
- On the next screen place a tick against all items and select NEXT
- Now to get the log Go to the PREFERENCES button on the right bottom
- Select the STATISTICS/LOG tab
- Highlight the scan just completed and click VIEW LOG
- This will open a notepad text file copy and paste this to your next reply
-
Back to square one >:(
I just lost all network access, so I did a scan with RootKitBuster (RKB) and the hidr.exe file had re-appeared. I used the safe mode fix again, went into safe mode, ran HJT, checked the hidr.exe file and clicked fix.
Once rebooted I checked with RKB, which found hidr.exe and srosa.sys. I highlighted the two files and selected delete, then re-booted the PC. Avast had been deleted again so I reinstalled and set a boot time scan.
Is there anything I can do to detect if these Trojans install again? I had Avast home installed and Comodo firewall. I also checked with RKB and SAS every day and found nothing
-
No network access ???
Gone through all network settings, re-installed drivers, re-booted the router, swapped cables, disabled the firewall, un-installed the firewall, re-installed the firewall, but still cannot access the LAN. I could yesterday, before the Trojan re-appeared.
I think the Trojan may have changed something or left something behind. Any suggestions?
-
I think the Trojan may have changed something or left something behind. Any suggestions?
As a last resort, maybe http://www.majorgeeks.com/download4372.html (WinSock XP Fix 1.2) or, less probably, any function of http://www.majorgeeks.com/download4899.html (Dial-a-fix 0.60.0.24).
WinSock: Fixes the winsock settings on your Windows XP machine. This tool is recommended for IT professionals only. Please read license.
It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.
If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.
It can create a registry backup of your current settings, so it is fairly safe to use. We actually tested it on a test machine that was having a Winsock problem due to some Adware removal, and after running the utility and rebooting, the connectivity was restored.
-
Thanks, I'll put them on a memory stick and try them this evening.
-
Thanks, I'll put them on a memory stick and try them this evening.
You're welcome. Other users will be here and trying to help.
I'll be on a one-week trip 8)
-
I'll be on a one-week trip 8)
It's all right for some, my last holiday was 14 years ago.
Tried the two programs but network still won't work. It says Status: Connected, Duration: <increasing>, Speed 100.0 Mbps, Sent: 0 and received: 0.
Any more suggestions? Anyone??
Can't ping the router, or any other PC on the network. Can't view workgroup computers.
-
Try this
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FxBeagle.exe
Locate the file that you just downloaded.
Double-click the FxBeagle.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
Then run
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
-
As I was sat here reading this I noticed the Avast icon disappear on my infected PC. A quick scan with RootKitBuster and the two files are back (hidr.exe and srosa.sys). I scanned it less than two minutes ago and it was clean.
W32.Beagle removal tool is now running, let's keep our fingers crossed.
-
Definitely Bagle. I will need to look at the WinPFind log to clear any residue.
-
FxBeagle.exe took hours to finish. Next time I'll disable my two data hard drives to speed things up. Is it safe to delete files I don't want, while infected, again to help speed things along?
Unfortunately FxBeagle.exe said it found nothing. I'll try again this evening in safe mode.
-
OK, it looks like the Symantec fix is getting a bit old.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
-
Thanks!
I had to run Sdfix twice, because I stupidly ran it from a USB drive the first time and it didn’t finish off after the re-boot.
Logs attached.
-
Ta for the logs
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O23 - Service: W - Unknown owner - D:\TEMP\W.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
THEN
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
D:\TEMP\W.exe
C:\WINDOWS\system32\drivers\hidr.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If you could now follow up with the winpfind
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- On the left under drivers services select non-microsoft
- Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Software Policy Settings
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
-
Thanks again. Log attached.
OTMoveit said it couldn't find the files.
-
Avast icon went again, hidr.exe and srosa.sys are back :(
I think I'll order a new hard disk and re-install windows
-
I would wait until essexboy has a chance to review the WinPFind3u log.
-
Not good news I'm afraid: you also had Goldun and Haxdoor as well as Bagle, and they were all kind of cooperating to stop you getting fixed. With this fix I am going to kill Explorer so you may lose the desktop etc.
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Kill Explorer]
[Win32 Services - Non-Microsoft Only]
YY -> (W) W [Win32_Own | Disabled | Stopped] -> D:\TEMP\W.exe
[Driver Services - Non-Microsoft Only]
YY -> (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->
YY -> (abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->
YY -> (adpu160m) adpu160m [Kernel | Disabled | Stopped] ->
YY -> (Aha154x) Aha154x [Kernel | Disabled | Stopped] ->
YY -> (aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->
YY -> (aic78xx) aic78xx [Kernel | Disabled | Stopped] ->
YY -> (AliIde) AliIde [Kernel | Disabled | Stopped] ->
YY -> (amsint) amsint [Kernel | Disabled | Stopped] ->
YY -> (asc) asc [Kernel | Disabled | Stopped] ->
YY -> (asc3350p) asc3350p [Kernel | Disabled | Stopped] ->
YY -> (asc3550) asc3550 [Kernel | Disabled | Stopped] ->
YY -> (catchme) catchme [Kernel | On_Demand | Stopped] -> D:\TEMP\catchme.sys
YY -> (cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->
YY -> (Changer) Changer [Kernel | System | Stopped] ->
YY -> (Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->
YY -> (dac960nt) dac960nt [Kernel | Disabled | Stopped] ->
YY -> (dpti2o) dpti2o [Kernel | Disabled | Stopped] ->
YY -> (hpn) hpn [Kernel | Disabled | Stopped] ->
YY -> (i2omgmt) i2omgmt [Kernel | System | Stopped] ->
YY -> (i2omp) i2omp [Kernel | Disabled | Stopped] ->
YY -> (ini910u) ini910u [Kernel | Disabled | Stopped] ->
YY -> (kednl6) AVSearch service [Kernel | On_Demand | Stopped] -> %System32%\kednl6.sys
YY -> (lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->
YY -> (mmx432) MMX2 virtualization service [Kernel | Auto | Stopped] -> %System32%\mmx464.sys
YY -> (mmx464) MMX virtualization service [Kernel | System | Stopped] -> %System32%\mmx464.sys
YY -> (ql1080) ql1080 [Kernel | Disabled | Stopped] ->
YY -> (Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->
YY -> (ql12160) ql12160 [Kernel | Disabled | Stopped] ->
YY -> (ql1240) ql1240 [Kernel | Disabled | Stopped] ->
YY -> (ql1280) ql1280 [Kernel | Disabled | Stopped] ->
YY -> (Simbad) Simbad [Kernel | Disabled | Stopped] ->
YY -> (srosa) Megadrv3 [Kernel | System | Stopped] -> %System32%\drivers\srosa.sys
YY -> (sw848b) sw848b [Kernel | Auto | Running] -> %System32%\drivers\sw848b.sys
YY -> (sw878b) sw878b [Kernel | Auto | Running] -> %System32%\drivers\sw878b.sys
YY -> (symc810) symc810 [Kernel | Disabled | Stopped] ->
YY -> (symc8xx) symc8xx [Kernel | Disabled | Stopped] ->
[Files/Folders - Created Within 30 days]
NY -> wintems.exe.ren -> %System32%\wintems.exe.ren
NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
[Files/Folders - Modified Within 30 days]
NY -> DEBUGSM.INI -> %SystemRoot%\DEBUGSM.INI
NY -> wintems.exe.ren -> %System32%\wintems.exe.ren
NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
[File String Scan - Non-Microsoft Only]
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable
[Empty Temp Folders]
[Start Explorer]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
THEN follow that up with a combofix run
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
-
Thanks again, I was just about to say I would wait for your reply, it’s only courteous, but your post beat me to it.
Logs are attached.
-
OK 'tis nuclear time
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O23 - Service: W - Unknown owner - D:\TEMP\W.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Drivers to unload:
drvsyskit
Files to delete:
C:\WINDOWS\system32\9B3821D7CB.sys
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\F5BC36F762.sys
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
-
Hit a problem.
It rebooted twice, then after logging into windows I get the error:
Windows – No Disk
Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6f9c 75b6bf9c
And a cmd window saying:
The system cannot find the file specified.
Could Not Find C:\avenger\*.reg
1 file(s) copied.
zip warning: C:/backup.zip not found or empty
adding: avenger/9B3821D7CB.sys (104 bytes security) (deflated 36%)
adding: avenger/avenger.txt (188 bytes security) (deflated 72%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)
adding: avenger/F5BC36F762.sys (104 bytes security) (stored 0%)
I have left these windows open and run hjt, logs attached.
-
OK, you can close those windows and delete the following in HijackThis, and the file on your drive. It appears that Avenger stalled. However, there is no longer any sign of Bagle.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [esdaffjc] C:\ldttwerh.bat
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
As a final check could you re-run DSS and let me know how your system is running now.
-
Thanks again.
Ran HJT, but O4 - HKLM\..\Run: [esdaffjc] C:\ldttwerh.bat wasn’t listed.
I connected the network cable, the status says connected, but no packets have been sent or received. I can’t connect to the internet or local computers on the same network, I can’t even ping the router.
I tried winsockxpfix but that didn’t help. I have checked all the usual IP settings and windows firewall is disabled. Any ideas?
DSS log attached.
-
Well on the bright side DSS shows no problems. I see you have comodo firewall.
Have you allowed Ashwebserve access ?
Have you tried it with Avast paused
-
Three avast functions that require access:
ashWebSv.exe - the avast Web Shield.
ashMaiSv.exe - the avast email scanner (for the Internet Mail provider).
avast.setup - this is what does the avast virus signature and program updates.
-
:'(
The virus had deleted my previous firewall (sygate) but must have left something behind. I uninstalled it, rebooted and packets started to flow.
FireFox still couldn't find web sites, but I could ping their IPs (DNS problem ??? ), so I tried IE, a window popped up asking me which file I wanted to crack ???, Avast icon disappeared and RKB is showing a whole list of files.
HJT log attached.
-
Only one file that I can find no info on in your log: nspksrv.exe.
Jotti File Submission:
- Please go to Jotti's malware scan (http://virusscan.jotti.org/)
- Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\WINDOWS\system32\nspksrv.exe
- Click on the submit button
- Please post the results in your next reply.
Then
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
-
DSS log attached. Nothing found in NSPKSRV.EXE. It took a bit of finding, but it's a network serial port driver, by Fabula Tech.
-
OK, srosa has reared its head again but it is now deeply hidden.
Please download F-Secure Blacklight (fsbl.exe) (http://ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) and save to your C:\ drive.
- Open a command window by going to Start > Run and typing: cmd
- Copy/paste or type the following in the command window: C:\fsbl.exe /expert
- Hit "Enter" to start the program and then close the cmd box.
- Accept the user agreement and click "Next".
- Click "Scan".
- After the scan is complete, click "Next", then "Exit".
- BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
- The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
- Exit Blacklight and post the contents of the log in your next reply.
Thanks for the info on that file
-
@ essexboy
You need to edit your link to F-Secure Blacklight, as it is an ftp URL you shouldn't wrap it in the URL tags as it puts an http:// in front of the ftp:// and that messes up the link.
e.g. ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
-
Thanks again, but last night before I read your post I had a play around.
hidr.exe and srosa.sys came back, so I booted in safe mode and removed them. It appears one of the IE Add-ons is responsible for re-infecting. I disabled all add-ons in safe mode, now in normal mode IE works fine. Before IE would lockup if it didn't have network access.
The DNS problem is caused by Comodo firewall. Even though I trust an application it is still blocking it, unless I select the 'Skip advanced security checks', in the miscellaneous tab in the application control rule.
I also un-installed Avast and installed Comodo's antivirus, because the infection kept deleting Avast. However, Comodo antivirus can't enable the on-access scanner. At that point I gave up and went to bed.
I'll give fsbl a go this evening and see what it comes up with.
-
The DNS problem is caused by Comodo firewall. Even though I trust an application it is still blocking it, unless I select the 'Skip advanced security checks', in the miscellaneous tab in the application control rule.
I'm not with Comodo in this computer, but if I remember correctly, there is an entry for DNS queries in the advanced tab of settings of the firewall.
Because the infection kept deleting Avast. However, Comodo antivirus can't enable the on-access scanner. At that point I gave up and went to bed.
Don't try to install two antivirus at the same time.
See http://forum.avast.com/index.php?topic=31559.msg263039#msg263039 to correct avast misinstallation problems...
-
@ essexboy
You need to edit your link to F-Secure Blacklight, as it is an ftp URL you shouldn't wrap it in the URL tags as it puts an http:// in front of the ftp:// and that messes up the link.
e.g. ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Thankee David, I actually amended the URL myself as it had changed from the original I had on my canned. Guess I blew it ??? However, lesson learnt. Ta
-
Thankee David, I actually amended the URL myself as it had changed from the original I had on my canned. Guess I blew it ??? However, lesson learnt. Ta
You're welcome, it has caught me out a couple of times in the past.
-
Blacklight didn't find anything.
I thought I'd un-installed Avast before installing Comodo. Perhaps something was left behind. How do I completely remove Avast?
-
ASWclear from here will do that: http://www.avast.com/eng/avast-uninstall-utility.html
Could you try an F-Secure online scan
Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!
- Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
- Accept the License Agreement.
- Once the ActiveX installs, click Full System Scan
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and Copy&Paste the entire report in your next reply.