Problem With Malware/virus [Re-Opened]



xpgo2007
2007-01-07, 12:26
Hello,

I'm having a problem now:
Some kind of virus deleted the McAfee software and the Spybot program I had installed earlier on my computer.

I can't boot in safe mode; I get an error with agp440.sys and then a BSOD.
I can't install McAfee or Spybot.

Running an online antivirus scan I get this:



C:\WINDOWS\system32\directx.exe is infected with Backdoor.Sdbot
C:\WINDOWS\system32\Suchspur.dll is infected with Adware.Webprefix
C:\WINDOWS\exefld\15103357.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\15127251.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\29844383.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\29912041.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\44532794.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\44722787.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\457137.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\529421.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\59205833.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\59433420.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\73872923.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\74126187.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\88617214.exe is infected with Bloodhound.Beagle
C:\WINDOWS\exefld\88912068.exe is infected with Bloodhound.Beagle
C:\WINDOWS\$NtUninstallKB911564$\IEXPLORE.EXE is infected with Backdoor.Sdbot
C:\WINDOWS\$NtUninstallKB911562$\IEXPLORE.EXE is infected with Backdoor.Sdbot




Running HijackThis I get this log file:



Logfile of HijackThis v1.99.1
Scan saved at 10:24:40, on 07-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hldrrr.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\WINDOWS\$NtUninstallKB905749$\IEXPLORE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Goncalo\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.136.191.26:3127
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DirectX Service (DirectPumc) - Unknown owner - c:\windows\system32\directx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe




Can someone help me out, either with booting in safe mode or with installing any antivirus program?

Thanks

xpgo2007
2007-01-07, 21:24
Here is also a rootkit scan log from GMER:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-07 19:07:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwCreateFile
SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwEnumerateValueKey
SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys ZwQuerySystemInformation

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + E1 804E273D 3 Bytes [ D5, FD, F1 ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LoadResource 7C809FB5 7 Bytes JMP 27001B70 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!FindResourceExW 7C80AC88 7 Bytes JMP 27001AE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!FindResourceW 7C80BBCE 7 Bytes JMP 27001A60 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!SizeofResource 7C80BC69 7 Bytes JMP 27001C20 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!LockResource 7C80CC97 5 Bytes JMP 27001CD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!CreateEventA 7C8308AD 5 Bytes JMP 27001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004E12D0 C:\Program Files\MSN Messenger\msnmsgr.exe
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDeriveKey 77DEA685 7 Bytes JMP 27001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDecrypt 77DEA7B1 2 Bytes JMP 27001050 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ADVAPI32.dll!CryptDecrypt + 3 77DEA7B4 4 Bytes [ 21, AF, CC, CC ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!PeekMessageW 77D4929B 5 Bytes JMP 27003760 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!CreateWindowExW 77D4FF50 5 Bytes JMP 27003270 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!SetWindowRgn 77D502DD 7 Bytes JMP 27004AB0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!CreateDialogParamW 77D584EE 5 Bytes JMP 27004E30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!SetWindowPlacement 77D5DF46 5 Bytes JMP 270049D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!FlashWindow 77D85C5C 5 Bytes JMP 27004B50 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 27004F90 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] USER32.dll!TrackPopupMenuEx 77D9CB1A 5 Bytes JMP 27003F30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!send 71AB428A 5 Bytes JMP 270095A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 27009390 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!recv 71AB615A 5 Bytes JMP 27009200 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 27009720 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 27009930 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] SHELL32.dll!Shell_NotifyIconW 7CA21B5A 5 Bytes JMP 27002BA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ole32.dll!CoInitializeEx 774FEF6B 5 Bytes JMP 27001D30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] ole32.dll!CoRegisterClassObject 77518720 5 Bytes JMP 27001E30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!HttpOpenRequestA 771C36AD 5 Bytes JMP 27008180 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!InternetCloseHandle 771C4D6C 5 Bytes JMP 27008460 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!HttpSendRequestA 771C6249 5 Bytes JMP 270083B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1872] WININET.dll!InternetReadFile 771C80F4 5 Bytes JMP 270082E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 1624

Can somebody help me out?
Thanks

xpgo2007
2007-01-08, 10:27
Anyone?

Mr_JAk3
2007-01-10, 09:02
Hi xpgo2007 and welcome to the Forums :)

One or more of the identified infections is a backdoor trojan.
You also have a rootkit there.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you with the cleaning if you don't want to reformat, but I can't promise that we'll get you 100% clean.

Please let us know what you have decided to do in your next post.

tashi
2007-01-16, 19:22
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened, please send me a private message (pm) and provide a link to this thread. :)

Mr_JAk3
2007-02-04, 21:33
Re-Opened :)

I'll be happy to help you with the cleaning. Please post a fresh HijackThis log and a fresh GMER log here.

xpgo2007
2007-02-04, 21:53
Thank you.
I cannot install any kind of antivirus or Spybot.
All executables disappear as soon as I install any kind of software like Norton, McAfee, Kaspersky, Spybot, etc.

What can I do?
I cannot format the PC at this time and I cannot run in safe mode (error loading AGP.sys).


Here is a HijackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 19:44:00, on 04-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webteh\BSplayerPro\bsplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Goncalo\Desktop\desk\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.136.191.26:3127
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy new\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [Kaspersky Anti-Virus 2006] C:\Program Files\Kaspersky Lab\AVP6\avp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy new\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Script Checker - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\AVP6\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

xpgo2007
2007-02-05, 00:55
Hello once more.
Forgot to say, the computer is extremely slow now!

Here is the GMER log: http://www.sendspace.com/file/ty6xzt


Please help me!
Thanks

Mr_JAk3
2007-02-05, 12:32
Sorry for the delay...

OK, good. Now we'll get rid of the bug.

Run a new rootkit scan with GMER.

When you see the following process(es) on the list:

Process C:\WINDOWS\system32\wintems.exe (*** hidden *** )

Right-click it with your mouse and a menu will open. Choose "Kill Process" from the list.

When you see the following files on the list:

C:\Documents and Settings\Goncalo\Application Data\hidires\hidr.exe
C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys
C:\WINDOWS\system32\wintems.exe

Right-click those with your mouse and a menu will open. Choose "Delete file" from the list. You need to do this one by one.

When you see the following service on the list:

Service C:\Documents and Settings\Goncalo\Application Data\hidires\m_hook.sys

Right-click it with your mouse and a menu will open. Choose "Delete the service" from the list.
If GMER asks for a reboot allow it to do it.

Then close GMER and restart your computer.

Run a new scan with GMER but don't use your computer during the scan.
When the scan has finished, please copy/upload the results to me along with a fresh HijackThis log.

xpgo2007
2007-02-06, 19:23
Here it is:



Logfile of HijackThis v1.99.1
Scan saved at 17:22:07, on 06-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Goncalo\Desktop\desk\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.136.191.26:3127
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy new\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [Kaspersky Anti-Virus 2006] C:\Program Files\Kaspersky Lab\AVP6\avp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Goncalo\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy new\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Script Checker - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\AVP6\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe




GMER LOG: http://www.sendspace.com/file/vyy4iv

Mr_JAk3
2007-02-06, 21:18
Hi :)

Looks better.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Goncalo\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folder (if present):
C:\Documents and Settings\Goncalo\Application Data\hidires

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
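Triage logic for the kind of HijackThis entries the helper picks out above, as an added example that is not part of this thread or of HijackThis itself. It parses O4 autostart and O23 service lines and flags autostarts from a user's Application Data folder, Run-key names that do not match the executable they launch, the same executable persisted under both HKLM and HKCU, and vendor-less services in system32; the sample log is constructed from lines posted in this thread.

```python
"""Triage of HijackThis v1.99-style log lines.

Added example, not part of the thread or of HijackThis. Parses O4 (Run-key
autostart) and O23 (service) entries and flags patterns that the logs in this
thread exhibit: autostarts from a user's Application Data folder, Run-key
names that do not match the executable they launch, the same executable
persisted under both HKLM and HKCU, and services with no vendor in system32.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Profile folders from which legitimate software almost never autostarts.
PROFILE_DATA_DIRS = ('\\application data\\', '\\local settings\\')

# Constructed sample: lines copied from the logs posted in this thread, benign and malicious mixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [Kaspersky Anti-Virus 2006] C:\Program Files\Kaspersky Lab\AVP6\avp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Goncalo\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O23 - Service: DirectX Service (DirectPumc) - Unknown owner - c:\windows\system32\directx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the rule
    exe: str     # executable path extracted from it
    reason: str  # which rule fired


def exe_path(cmd: str) -> str:
    """Return the executable from an O4 command line, handling quoted paths and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]  # no .exe suffix: take the first token


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    hives_by_exe: Dict[str, Set[str]] = defaultdict(set)   # lowercased exe -> hives it runs from
    o4_lines: Dict[str, List[str]] = defaultdict(list)      # lowercased exe -> its O4 lines

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = exe_path(m.group('cmd'))
            low = exe.lower()
            hives_by_exe[low].add(m.group('hive'))
            o4_lines[low].append(line)
            if any(d in low for d in PROFILE_DATA_DIRS):
                findings.append(Finding(line, exe, 'autostart from a user profile data folder'))
            name = m.group('name').lower()
            if name.endswith('.exe') and name != basename(exe):
                findings.append(Finding(line, exe, f'Run-key name {name!r} does not match {basename(exe)!r}'))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner' and '\\system32\\' in m.group('path').lower():
            findings.append(Finding(line, m.group('path'), 'service with no vendor running from system32'))

    # Same executable registered under both HKLM and HKCU Run: typical of self-installing malware.
    for low, hives in hives_by_exe.items():
        if {'HKLM', 'HKCU'} <= hives:
            for line in o4_lines[low]:
                findings.append(Finding(line, low, 'same autostart in both HKLM and HKCU Run'))
    return findings


def flagged_executables(log_text: str) -> Set[str]:
    """Distinct executable basenames that triage() flagged."""
    return {basename(f.exe) for f in triage(log_text)}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason:50} {f.line}')
```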

xpgo2007
2007-02-07, 10:43
Here you have:

AVG SCAN LOG: http://www.sendspace.com/file/krau4m
HIJACKTHIS LOG: http://www.sendspace.com/file/kv4psh

Thanks

Mr_JAk3
2007-02-07, 19:57
Hi again, it is looking good now :)
Does the computer run fine?

Delete the following folder if found:
C:\WINDOWS\exefld

Also, the usage of cracks is illegal and gets you infected.
You should remove all these immediately:

C:\Program Files\Bowlfish\Incoming\ Email Address Collector 3.2Inc Keygen.RAR/[PC GAME MULTILANGUAGE] Europa Casino - Free games for play with money or just for fun.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\ Email Address Collector 3.2Inc Keygen\Email Address Collector 3.2Inc Keygen.rar/[PC GAME MULTILANGUAGE] Europa Casino - Gioca da casa - Play from your home - Bonus 2400 _ to all new players.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\ Email Address Collector 3.2Inc Keygen\Email Address Collector 3.2Inc Keygen\[PC GAME MULTILANGUAGE] Europa Casino - Gioca da casa - Play from your home - Bonus 2400 € to all new players.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\ Power Email Extractor Pro v3.4 + Serial.RAR/[PC GAME MULTILANGUAGE] Europa Casino - Free games for play with money or just for fun.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\shopfactory v6 crack.rar/shopfactory v6 crack.exe -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Online Email Grabber Professional v1 3 patch crack multiLanguage with serial by ParadoX.zip/online_email_grabber_professional_v1.3_run.exe -> Adware.Stud : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Online Email Grabber Professional v1.3 NoCD Patch - Crack - Serial.zip/crackfix.exe -> Adware.Stud : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Ontrack EasyRecovery Professional v6.10.07 Crack - Keygen - Serial(1).zip/crackfix.exe -> Adware.Stud : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Sms-Mms.Gateway.v5.0\1356.-Now-SMS-MMS-Gateway-v4.1-25-Kb-01.02.03_crack.zip/1356.-Now-SMS-MMS-Gateway-v4.1-25-Kb-01.02.03_crack.exe -> Dialer.Generic : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\lencom fast email extractor pro v4.5 serial by scotch.zip/lencom fast email extractor pro v4.5 serial by scotch.exe -> Downloader.Bagle.ak : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Fast Email Extractor Pro v5.1 Incl Keymaker-Acme Crack(1).zip/ac-lenm1.exe -> Dropper.Agent.aic : Cleaned with backup (quarantined).
rogram Files\Bowlfish\Incoming\Selteco.Bannershop.GIF.Animator.v5.0.7.WinALL.Incl.Keygen-ARN.rar/Keygen\keygen.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
C:\BACKUP OLD DISK\Program Files\BACKUPS\DESK\DESK\Eudora_v6[1].0.0.22_Final\Eudora_60022_crk.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\BACKUP OLD DISK\Program Files\BACKUPS\Eudora\Eudora\Eudora_60022_crk.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\e-mail address collector 4.0.42 crack.zip/e-mail address collector 4.0.42 crack.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\fast_email_extractor_pro_v4.5.zip/fast_email_extractor_pro_v4.5.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\postcast 1.9.946 crack.zip/postcast 1.9.946 crack.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\Hide Hack Modified for vBulletin 3[1].03 updated-fixed 06-2006.zip/Setup.exe -> Worm.Kapucen.b : Cleaned with backup (quarantined).

You could also read this about P2P (http://forums.spybot.info/showthread.php?t=282).

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6.0):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 9
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then OK, and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
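As an added example (not from the thread, and not part of AVG Anti-Spyware or any other tool named in it), here is a small Python parser for the report format quoted in the post above: each line is split into the on-disk file, the member inside an archive (AVG uses a forward slash for that), the detection family and the action, so the detections can be grouped by folder and archive before deleting them. The sample lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the AVG Anti-Spyware report format quoted in the thread:
# "<path>[/<archive member>] -> <Detection> : <action>."  Values are made up.
SAMPLE_REPORT = r"""
C:\Program Files\Bowlfish\Incoming\tool crack.zip/tool crack.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\keygen.rar/Keygen\keygen.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
C:\BACKUP OLD DISK\Eudora\Eudora_crk.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Program Files\Bowlfish\Incoming\casino.RAR/game.exe -> Adware.Casino : Cleaned with backup (quarantined).
this line is not a detection
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")


def parse_report(text):
    """Parse report lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # AVG separates an archive from the file inside it with a forward slash,
        # while Windows directory separators are backslashes.
        archive, sep, member = m.group("path").partition("/")
        entries.append({
            "file": archive,                       # on-disk file (archive or plain exe)
            "directory": archive.rsplit("\\", 1)[0],
            "member": member if sep else None,     # path inside the archive, if any
            "detection": m.group("detection"),
            "family": m.group("detection").split(".", 1)[0],
            "action": m.group("action"),
        })
    return entries


def summarize(entries):
    """Counts that help decide what to delete: per family, per folder, and how many
    detections sit inside archives (where the whole archive has to go)."""
    return {
        "total": len(entries),
        "by_family": Counter(e["family"] for e in entries),
        "by_directory": Counter(e["directory"] for e in entries),
        "in_archives": sum(1 for e in entries if e["member"] is not None),
        "files_to_delete": sorted({e["file"] for e in entries}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```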

xpgo2007
2007-02-07, 22:26
Thank you very much!

Hope it is ok now!

Mr_JAk3
2007-02-08, 12:49
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: