PDA

View Full Version : All security software (incl. SpybotSD) deleted



kenanoff
2007-08-26, 19:08
There is a troian (I was asked once if I want hidr.exe to start with my windows and then noticed), that deleted all my security software - Nod32, ScanSpyware and Spyware doctor.
They cannot be installed back! If I try to install back - the exe files are deleted immediately. Actually any file (even a empty one) which I rename to scanner.exe nod32kui.exe or spybotSD.exe is immediately deleted!
I cannot boot in safe mode, I get a blue screen at start. I can load normally though.

I have loaded through msconfig and diagnostic startup.

Nod32 online scanner found fome infections, I deleted all files suspected.
Through hijackthis I found suspicious wininit.ini file with content:
[Rename]
nul=C:\gendel32.exe
nul=C:\gendel32.exe
NUL=C:\DOCUME~1\MIKHAI~1\LOCALS~1\Temp\VIES1864
I deleted gendel32.exe and VIES1864 and removed wininit.ini

Still no positive effect.

This is the log from kaspersky online report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 26, 2007 6:56:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/08/2007
Kaspersky Anti-Virus database records: 391710
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\MIKHAI~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 24025
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:25:00

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\FlyakiteOSX\Tools\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill.a skipped
C:\WINDOWS\FlyakiteOSX\Tools\wfpdisable.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\WINDOWS\Installer\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\PQBoot.exe Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

Scan process completed.


============

This is the log from HijackThis (file is renamed to scanner.exe.exe, as if only to scanner.exe - it's deleted):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:10, on 26.8.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\totalcmd\TOTALCMD.EXE
C:\Documents and Settings\Mikhail Kenanoff\Desktop\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-507921405-492894223-1202660629-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Mikhail Kenanoff\Application Data\Mozilla\Firefox\Profiles\default.yen\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Mikhail Kenanoff\Application Data\Mozilla\Firefox\Profiles\default.yen\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.200.122.222
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05BF3966-9B72-4F5B-9B11-D637040DEAB8}: NameServer = 212.72.202.2,212.72.202.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE5AC606-56C2-4ADE-B53F-7C1488E4D420}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{05BF3966-9B72-4F5B-9B11-D637040DEAB8}: NameServer = 212.72.202.2,212.72.202.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

--
End of file - 6925 bytes

=========

Best,
Mikhail

kenanoff
2007-08-26, 19:27
I read recomendation in this thread (http://forums.spybot.info/showthread.php?t=17217) (which looks like mine problem) and ran gmer.

Here's the log (it's still running, if it finds more, I'll post later) - it is here (http://www.soderling.net/kenanoff/img/logGMER.txt) - too long for post only

kenanoff
2007-08-26, 20:05
It seems like this was making my troubles:
C:\WINDOWS\system32\drivers\srosa.sys

I got it from the gmer log and moved it with OTMoveIt.

Then (after a restart) I was able to install everything again. Now I'm going to make extensive scans and will post if everything is fine.

kenanoff
2007-08-26, 20:28
Anyway, I'm still unable to load in safe mode, although now the suspicious software looks gone. Maybe I'm going to reinstall XP anyway (but first to wait for all the checks to be completed and will make a new backup also)

I have a copy of C:\WINDOWS\system32\drivers\srosa.sys
should I submit it somewhere to be checked?

Mr_JAk3
2007-08-26, 21:08
Hello kenanoff and welcome to the Forums :)

We are propably able to fix the safe mode issue...

Please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

That srosa.sys is a baddie but let's see how well it is detected.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\drivers\srosa.sys
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

kenanoff
2007-08-27, 22:18
Hi,
Sorry for being late, but I was at work and away from this PC.

This is the StartupList Log from HijackThis

StartupList report, 27.8.2007 г., 21:55:57
StartupList version: 1.52.2
Started from : G:\HiJackThis\scanner.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16441)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Spyware Doctor\SDTrayApp.exe
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\RemotelyAnywhere\ragui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATKKBService.exe
D:\Program Files\StartCop\StartupCopPro.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
D:\Program Files\EarthDesk\EarthDesk.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CCHBC\CCHBC VPN Client\cvpnd.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
D:\Program Files\BitComet\BitComet.exe
d:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
D:\Progra~1\eMule\emule.exe
C:\Program Files\Prevx2\PXAgent.exe
d:\Program Files\AutoHotkey\AutoHotkey.exe
D:\Program Files\RemotelyAnywhere\RaMaint.exe
D:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
d:\Program Files\Spyware Doctor\svcntaux.exe
d:\Program Files\Spyware Doctor\swdsvc.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Weather\ww.exe
D:\Program Files\Samurize\Client.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Samurize\Client.exe
D:\Program Files\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Miranda\miranda32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
G:\HiJackThis\scanner.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Mikhail Kenanoff\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
renpng.lnk = D:\Program Files\RocketDock\Icons\iCal\renpng.exe
start sofmikhailk.lnk = E:\Cursors and Icons\MyStart.bat
StartupCop Pro.lnk = D:\Program Files\StartCop\StartupCopPro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nod32kui = "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
SDTray = "d:\Program Files\Spyware Doctor\SDTrayApp.exe"
TrueImageMonitor.exe = D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
QuickTime Task = "D:\Program Files\QuickTime\QTTask.exe" -atboottime
PC Suite for Smartphones = "D:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
OODefragTray = C:\WINDOWS\system32\oodtray.exe
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
iTunesHelper = "D:\Program Files\iTunes\iTunesHelper.exe"
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
AcronisTimounterMonitor = D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
Acronis Scheduler2 Service = "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
PrevxOne = "C:\Program Files\Prevx2\PXConsole.exe"
RemotelyAnywhere GUI = "D:\Program Files\RemotelyAnywhere\ragui.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
StartupCop Pro Startup Launcher = D:\Program Files\StartCop\StartupCopPro.exe /startup
RocketDock = "D:\Program Files\RocketDock\RocketDock.exe"
mRouterConfig = "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
EarthDesk = "D:\Program Files\EarthDesk\EarthDesk.exe" /silentstart
BitComet = "D:\Program Files\BitComet\BitComet.exe" /tray

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\UltraEdit.txt\shell\open\command

(Default) = "D:\Program Files\UltraEdit-32\uedit32.exe" "%1"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\NOSTAL~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
flashget urlcatch - D:\Program Files\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
BitComet ClickCapture - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}
Malicious Scripts Scanner - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}
(no name) - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing) - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
TGTSoft Explorer Toolbar Changer - (no file) - {C333CF63-767F-4831-94AC-E683D962C63C}
(no name) - D:\Program Files\FlashGet\getflash.dll - {F156768E-81EF-470C-9057-481BA8380DBA}

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

[OnlineScanner Control]
InProcServer32 = C:\WINDOWS\system32\ONLINE~1.OCX
CODEBASE = http://www.eset.eu/buxus/docs/OnlineScanner.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = oodbs

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\wuapi.dll.wusetup.492468.bak||C:\WINDOWS\system32\wuauclt.exe.wusetup.492906.bak||C:\WINDOWS\system32\wuaucpl.cpl.wusetup.493750.bak||C:\WINDOWS\system32\wuaueng.dll.wusetup.494406.bak


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: *Registry key not found*
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\wpdshserviceobj.dll

--------------------------------------------------
End of report, 10 153 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

===================

Here's what virustotal said about srosa.sys

File srosa.sys received on 08.27.2007 21:00:02 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.28.0 2007.08.27 -
AntiVir 7.4.1.63 2007.08.27 Worm/Bagle.IX.44
Authentium 4.93.8 2007.08.26 -
Avast 4.7.1029.0 2007.08.27 Win32:Beagle-WF
AVG 7.5.0.484 2007.08.27 I-Worm/Bagle.WY
BitDefender 7.2 2007.08.27 Trojan.Rootkit.Bagle.F
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.27 -
DrWeb 4.33 2007.08.27 Win32.HLLM.Beagle
eSafe 7.0.15.0 2007.08.26 -
eTrust-Vet 31.1.5088 2007.08.27 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.27 -
Fortinet 2.91.0.0 2007.08.27 -
F-Prot 4.3.2.48 2007.08.26 -
F-Secure 6.70.13030.0 2007.08.27 Email-Worm.Win32.Bagle.ix
Ikarus T3.1.1.12 2007.08.27 Email-Worm.Win32.Bagle.ix
Kaspersky 4.0.2.24 2007.08.27 Email-Worm.Win32.Bagle.ix
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.27 -
NOD32v2 2486 2007.08.27 -
Norman 5.80.02 2007.08.27 W32/Bagle.ZB
Panda 9.0.0.4 2007.08.27 -
Prevx1 V2 2007.08.27 -
Rising 19.38.02.00 2007.08.27 -
Sophos 4.21.0 2007.08.27 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.27 -
TheHacker 6.1.9.173 2007.08.27 W32/Bagle.ix
VBA32 3.12.2.3 2007.08.27 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.27 Worm.Bagle.IX.44
Additional information
File size: 60736 bytes
MD5: a1dba12ebe2be234d3946a7fd6776d65
SHA1: b70707f0c89630ed70a7c25d51bc320e5a3036a2
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

=============

And this was the initial infection - hidr.exe

File hidr.Vexe received on 08.27.2007 21:04:19 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.28.0 2007.08.27 -
AntiVir 7.4.1.63 2007.08.27 Worm/Bagle.IX.27
Authentium 4.93.8 2007.08.26 -
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 I-Worm/Bagle.WV
BitDefender 7.2 2007.08.27 Trojan.Downloader.Bagle.DF
CAT-QuickHeal 9.00 2007.08.25 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.27 Worm.Bagle-99
DrWeb 4.33 2007.08.27 Win32.HLLM.Beagle
eSafe 7.0.15.0 2007.08.26 suspicious Trojan/Worm
eTrust-Vet 31.1.5088 2007.08.27 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.27 -
Fortinet 2.91.0.0 2007.08.27 W32/PackBag.A
F-Prot 4.3.2.48 2007.08.26 -
F-Secure 6.70.13030.0 2007.08.27 Email-Worm.Win32.Bagle.ix
Ikarus T3.1.1.12 2007.08.27 -
Kaspersky 4.0.2.24 2007.08.27 Email-Worm.Win32.Bagle.ix
McAfee 5106 2007.08.27 New Poly Win32
Microsoft 1.2803 2007.08.27 Worm:Win32/Bagle.gen!C
NOD32v2 2486 2007.08.27 Win32/Bagle.JC
Norman 5.80.02 2007.08.27 -
Panda 9.0.0.4 2007.08.27 -
Prevx1 V2 2007.08.27 Worm.Bagle.EK
Rising 19.38.02.00 2007.08.27 -
Sophos 4.21.0 2007.08.27 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.27 -
TheHacker 6.1.9.173 2007.08.27 W32/Bagle.ix
VBA32 3.12.2.3 2007.08.27 -
VirusBuster 4.3.26:9 2007.08.27 I-Worm.Bagle.OB
Webwasher-Gateway 6.0.1 2007.08.27 Worm.Bagle.IX.27
Additional information
File size: 165700 bytes
MD5: a52fc2d429c692bd254e19f5629ad831
SHA1: a00de48e424262a078ad733981f9994dfbdf5c45
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=5A3FF5EF4442D94487E002ECCD576B00593DD08C
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Mr_JAk3
2007-08-28, 20:17
Hello :)

Ok those files weren't perfectly detected so I'd like to have samples if possible.

Please go to this forum (http://www.thespykiller.co.uk)
There's no need to register. Just start a new topic in the "Uploads" section, titled "bagle files fo Jak3".
Add the link of this topic to the message.

Use the Attachment box to upload srosa.sys and hidr.exe

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them

Thank you :bigthumb:

Then I'd like to see a fresh GMER log as you've done some cleaning there...

Also

Make a new folder in the C:\drive called silentrunners
Download 'silent runners" from here: (direct download)
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click start> run> type cmd and hit enter
Type the following exactly and hit enter after each line.
cd c:\silentrunners and hit enter
"silent runners.vbs" -all and hit enter

Wait until it pops up saying its completed, then post the resulting logfile here
It will be very large. You may need several posts to include everything. You may also upload the whole log to eg rapidshare (http://rapidshare.com/). Then just post the link to your log to me

kenanoff
2007-08-28, 22:21
Hi again,

The two files are uploaded to this thread (http://www.thespykiller.co.uk/index.php?topic=4816.0)
srosa.sys is renamed to srosa.Vsys
hidr.exe is renamed to hidr.Vexe

The new gmer log is here (http://www.soderling.net/kenanoff/img/gmer_log_20070828.txt)

The silent runners log is here (http://www.soderling.net/kenanoff/img/Startup%20Programs%20(ENTERFORNONE)%202007-08-28%2022.08.18.txt)

Best,
Mikhail

Mr_JAk3
2007-08-29, 21:54
Hello :)

Thanks for the upload. You may now delete the files.

The logs are looking pretty good now. You should install an antivirus immediately.

Install one firewall too.

You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)

Then

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

tashi
2007-09-10, 19:24
Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.