Topic: Win32:Pakes-AKM [Trj]

ssolo

  • Guest
Win32:Pakes-AKM [Trj]
« on: March 26, 2008, 04:03:08 PM »
Hello, this is my first time posting here.

My avast 4.7 found a Win32:Pakes-AKM [trj] virus in C:\WINDOWS\system32\d3di.dll  (size 83,0 KB)

It can't delete it or move/rename it or move it to the chest! I tried with a boot-time scan ... impossible to do anything with that file, only ignore   :(
The program has full control of my PC!

What should I do?   :-\ I'll do anything to finally get rid of that *hit...


Oh yes, and I found 2 malware with Prevx CSI:
1. status- bad, name- C:\windows\system32\drivers\kbd.sys, Malware group - Generic Malware
2. status- Rootkit, name- C:\windows\system32\drivers\xybygsai.dat, Malware group - Hidden data

ssolo

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #1 on: March 26, 2008, 04:20:08 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:04, on 2008.03.26.
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = battle.net:6112
O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF132A83-0299-435A-99B6-CB55723C66B8}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CS1\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CS2\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4869 bytes

Maxx_original

  • Moderator
Re: Win32:Pakes-AKM [Trj]
« Reply #2 on: March 26, 2008, 04:34:38 PM »
fix this item O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll

ssolo

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #3 on: March 26, 2008, 04:53:25 PM »
fix this item O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll
I tried this one, doesn't help  :-\

Maxx_original

  • Moderator
Re: Win32:Pakes-AKM [Trj]
« Reply #4 on: March 26, 2008, 04:58:36 PM »
ok, scan your system with www.gmer.net ;)

ssolo

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #5 on: March 26, 2008, 05:19:05 PM »
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-26 18:16:09
Windows 5.1.2600


---- System - GMER 1.0.14 ----

SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys                                                ZwTerminateProcess [0xB4F28660]

Code            8765DB74                                                                                          NlsAnsiCodePage
Code            xybygsai.dat                                                                                      ObOpenObjectByName

---- Kernel code sections - GMER 1.0.14 ----

.text           ntoskrnl.exe!KeInitializeInterrupt + B79                                                          804D4F8E 1 Byte  [ 06 ]
.text           ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510                                                  804FCA28 4 Bytes  [ 60, 86, F2, B4 ]
PAGE            ntoskrnl.exe!ObOpenObjectByName                                                                   80572C92 6 Bytes  JMP F87B9312 xybygsai.dat
?               xybygsai.dat                                                                                      The system cannot find the file specified. !
?               C:\WINDOWS\system32\drivers\kbd.sys                                                               The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                            aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                          aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                         aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                         aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Processes - GMER 1.0.14 ----

Process         hidden process (*** hidden *** )                                                                  14512                                                                         
Process         hidden process (*** hidden *** )                                                                  15616                                                                         
Process         hidden process (*** hidden *** )                                                                  17048                                                                         
Process         hidden process (*** hidden *** )                                                                  18360                                                                         
Process         hidden process (*** hidden *** )                                                                  18376                                                                         
Process         hidden process (*** hidden *** )                                                                  27764                                                                         
Process         hidden process (*** hidden *** )                                                                  29984                                                                         
Process         hidden process (*** hidden *** )                                                                  51740                                                                         
Process         hidden process (*** hidden *** )                                                                  58200                                                                         

---- Services - GMER 1.0.14 ----

Service         system32\drivers\xybygsai.dat (*** hidden *** )                                                   [BOOT] zriclriv                                                                <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32                 
Reg             HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@                C:\WINDOWS\System32\d3di.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@ThreadingModel  apartment
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions@\xd7ŗł\xa4           

---- EOF - GMER 1.0.14 ----
« Last Edit: March 26, 2008, 05:26:53 PM by ssolo »
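The GMER log above shows the three things a helper keys on: an inline JMP hook on ObOpenObjectByName that lands in xybygsai.dat, a hidden boot-start service whose image is that same file, and a CLSID whose InprocServer32 value points at the nameless BHO d3di.dll from the HijackThis log. As an added example (not code from this thread, from GMER or from HijackThis), here is a small Python triage script that parses both log formats and correlates them; the helper names parse_gmer and triage are mine, and the sample input is copied from the logs in this thread with the column padding collapsed.

```python
import re
# Constructed sample input: lines copied from this thread's GMER and HijackThis logs, column padding collapsed.
GMER_LOG = r"""
PAGE   ntoskrnl.exe!ObOpenObjectByName   80572C92 6 Bytes  JMP F87B9312 xybygsai.dat
Process   hidden process (*** hidden *** )   14512
Service   system32\drivers\xybygsai.dat (*** hidden *** )   [BOOT] zriclriv   <-- ROOTKIT !!!
Reg   HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@   C:\WINDOWS\System32\d3di.dll
"""
HJT_LOG = r"""
O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""
# Inline hook line: "<section> <module>!<api> <addr> <n> Bytes JMP <target> <hooking module>"
HOOK_RE = re.compile(r"^\S+\s+\S+!(\w+)\s+[0-9A-F]+ \d+ Bytes\s+JMP [0-9A-F]+ (\S+)")
# Objects GMER found in kernel structures but not through the normal API (*** hidden ***)
HIDDEN_RE = re.compile(r"^(Process|Service)\s+(.*?)\s*\(\*\*\* hidden \*\*\* \)\s*(.*?)\s*(<--.*)?$")
# Default value of a CLSID's InprocServer32 key: the DLL that COM loads for that class
CLSID_RE = re.compile(r"^Reg\s+\S+\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32@\s+(\S.*?)\s*$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)$")

def parse_gmer(text):
    """Return ({api: hooking module}, [(kind, image, detail)], {CLSID: dll})."""
    hooks, hidden, clsid_map = {}, [], {}
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            hooks[m.group(1)] = m.group(2)
        elif m := HIDDEN_RE.match(line):
            hidden.append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := CLSID_RE.match(line):
            clsid_map[m.group(1).upper()] = m.group(2)
    return hooks, hidden, clsid_map

def triage(gmer_text, hjt_text):
    hooks, hidden, clsid_map = parse_gmer(gmer_text)
    # Image names of hidden boot-start services, e.g. "xybygsai.dat"
    hidden_images = {img.rsplit("\\", 1)[-1].lower() for kind, img, _ in hidden if kind == "service"}
    findings = []
    for api, module in hooks.items():
        owner = "hidden service" if module.lower() in hidden_images else "unknown module"
        findings.append(f"kernel API {api} is inline-hooked by {module} ({owner})")
    findings += [f"hidden {kind}: {img} {detail}".rstrip() for kind, img, detail in hidden]
    for line in hjt_text.splitlines():
        if not (m := BHO_RE.match(line)):
            continue
        reasons = [why for flag, why in ((m.group(1) == "(no name)", "no name"),
                   (m.group(2).upper() in clsid_map, "CLSID also in GMER registry dump")) if flag]
        if reasons:
            findings.append(f"suspicious BHO {m.group(3)}: " + ", ".join(reasons))
    return findings
```

Benign lines such as the SUPERAntiSpyware Run entry produce no finding, so the output is only the items worth acting on.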

Maxx_original

  • Moderator
Re: Win32:Pakes-AKM [Trj]
« Reply #6 on: March 26, 2008, 05:41:14 PM »
Is GMER able to fix the xybygsai.dat-related items for you? Try it..

ssolo

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #7 on: March 26, 2008, 06:15:56 PM »
No fix, no, but it can delete it  :)
I stopped and deleted d3di.dll, kbd.sys and xybygsai.dat.
Now it looks like this!


GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-26 19:11:15
Windows 5.1.2600


---- System - GMER 1.0.14 ----

Code            8765DB74                     NlsAnsiCodePage

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs       aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----



And HijackThis showed everything the same as last time except this:

O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll (file missing)
« Last Edit: March 26, 2008, 06:19:40 PM by ssolo »

Maxx_original

  • Moderator
Re: Win32:Pakes-AKM [Trj]
« Reply #8 on: March 26, 2008, 08:34:04 PM »
ok, you're probably not rootkited anymore... you should run a complete avast scan and move infected files to the chest when found... then tell us if you can see any strange behavior etc...

Lisandro

  • Avast team
Re: Win32:Pakes-AKM [Trj]
« Reply #9 on: March 26, 2008, 08:49:54 PM »
I also suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
6. Immunize your system with SpywareBlaster or Windows Advanced Care.
7. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.