Unknown - Probably Infection



jonathanasdf
2008-01-27, 19:37
I was stupid. Very stupid. oops :D

I went and downloaded a keygen. I never will again.

Anyhow, 5 seconds after running it I realised that it was a virus. I immediately disconnected from internet and used system restore to roll back registry changes.

Still, when my computer opened again, damage had been done.

Apparently it targeted major antivirus programs... Whenever I try to run one of them an error appears. The only antivirus program I can run is ad-aware2008, but it found absolutely nothing.

When I open Spybot S&D, it says that it's not a valid win32 file. When I open ESET NOD32, it says cannot connect to kernel. When I open HiJackThis it says not a valid win32 program. When I run Security Task Manager it states that the application or DLL ascode.dll is not a valid windows image. Even combofix won't run.

This is not a file association error, as ALL other programs run perfectly. FreshUI works. Also, I have downloaded and applied the EXE association fix, which didn't fix anything. I have reinstalled everything, including the Spybot beta program, but it still doesn't work.

System Restore does not delete programs, which is what I think this is: a hidden background process... But I can't shut it down due to the fact that Security Task Manager is not working. I cannot scan the computer as my virus scanners and firewall are not working... I really am in need of a solution. Right now I have no firewall either, so... :S

jonathanasdf
2008-02-05, 16:17
http://forums.spybot.info/showthread.php?t=23380

There are no logs to display.. could someone take a look at this for me?

shelf life
2008-02-10, 20:39
hi,

try running your antivirus in safe mode. to reach safe mode tap the f8 key during a computer restart, choose the first option from the list: safe mode.
i assume you can get on the internet? if so first stop is here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

jonathanasdf
2008-02-10, 20:49
Ok. I will soon. thanks.

By the way, so far I don't see any effects on the system. Do you think it is an infection, or just a compatibility (permissions?) issue? All other programs work, and there doesn't seem to be any signs of an infection.

shelf life
2008-02-11, 03:44
hi,


Do you think it is an infection, or just a compatibility (permissions?) issue?
it's an infection.


Ok. I will soon. thanks.
i would do it as soon as possible, malware in a lot of cases will only get you more malware.

jonathanasdf
2008-02-11, 05:50
Well... I guess it's more serious than I thought.

I can't boot up safe mode : SPTD.sys won't load, and after a while the computer reboots saying there's been a problem in booting. However, booting normally works.

Also, I have tried system restore, and that hasn't helped either.

I will try the online scanner tonight.

jonathanasdf
2008-02-13, 01:46
The stupid scan didn't generate a log, which I thought it would have. I clicked random buttons, and it brought me to another page. After clicking back, I had to rescan.

Anyways, I took screenshots of the results.

http://i207.photobucket.com/albums/bb156/jonathanasdf/esetscan1.jpg
http://i207.photobucket.com/albums/bb156/jonathanasdf/esetscan1right.jpg


http://i207.photobucket.com/albums/bb156/jonathanasdf/esetscan2.jpg
http://i207.photobucket.com/albums/bb156/jonathanasdf/esetscan2right.jpg

shelf life
2008-02-13, 02:06
hi,

you couldn't get the text file it generates? you looked here:
C:\Program Files\EsetOnlineScanner\log.txt

what we would do is look at the log and see what it couldn't clean or delete, then we would go after these manually.

any luck in running your resident antivirus?

download and run this also:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=arw

jonathanasdf
2008-02-13, 02:08
Ah sorry. Here it is.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2868 (20080212)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=e230fc137e9ef54ba6c39410f434eb5d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-12 05:03:46
# local_time=2008-02-12 09:03:46 (-0800, Pacific Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=513882
# found=7
# scan_time=6361
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_31[1].jpg Win32/Bagle.MI worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\RQ5YCWV9\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\WGCO3FD6\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe Win32/Bagle.MI worm (unable to clean - error while deleting) 6020FA1550F8C4BABF2AF9F49F7A350F
C:\WINDOWS\system32\drivers\hldrrr.exe Win32/Bagle.MJ worm (unable to clean - error while deleting) 225CF12F76061C142394A14289526CC8
G:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP417\A0124009.exe probably a variant of Win32/IRCBot trojan (unable to clean - deleted) 00000000000000000000000000000000
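
The triage shelf life describes (read the log for what the scanner could not clean or delete, then go after those manually), as an added example that is not part of this thread and not ESET's code: a Python parser for the log format posted above, run over a constructed sample shortened from that log.

```python
"""Triage an ESET Online Scanner log of the kind posted in this thread.

Added example, not from the forum and not ESET's code: reads the `# key=value`
header and the one-detection-per-line body, then separates what the scanner
already deleted from what it could not delete (the items to handle manually).
"""
import re

# One detection line: <path> <threat name> (<result>) <32 hex digits>
# Threat names seen in the thread: "Win32/Bagle.LF worm",
# "a variant of Win32/Bagle worm", "probably a variant of Win32/IRCBot trojan".
# The path may contain spaces, so it is matched lazily up to the threat name,
# which is anchored on the "Family/Name type" shape.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"\((?P<result>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32})$"
)

# Constructed sample: a shortened copy of the log posted in the thread.
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=true
# osver=5.1.2600 NT Service Pack 2
# scanned=513882
# found=4
C:\Documents and Settings\ver\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe Win32/Bagle.MI worm (unable to clean - error while deleting) 6020FA1550F8C4BABF2AF9F49F7A350F
C:\WINDOWS\system32\drivers\hldrrr.exe Win32/Bagle.MJ worm (unable to clean - error while deleting) 225CF12F76061C142394A14289526CC8
G:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP417\A0124009.exe probably a variant of Win32/IRCBot trojan (unable to clean - deleted) 00000000000000000000000000000000
"""


def parse_log(text):
    """Return {"header": {...}, "detections": [...], "unparsed": [...]}.

    Lines that match neither shape are kept under "unparsed" so that a
    format change never silently drops a detection."""
    header, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
        else:
            unparsed.append(line)
    return {"header": header, "detections": detections, "unparsed": unparsed}


def triage(report):
    """Split detections into what was deleted and what is still on disk, and
    check the header's found= count against the body (a mismatch means the
    log was cut short when it was pasted)."""
    removed, remaining = [], []
    for d in report["detections"]:
        (removed if d["result"].endswith("deleted") else remaining).append(d)
    found = int(report["header"].get("found", "-1"))
    return {
        "removed": removed,
        "remaining": remaining,
        "count_matches_header": found == len(report["detections"]),
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("still present, go after these manually:")
    for d in result["remaining"]:
        print(f"  {d['path']}  [{d['threat']}]  hash={d['hash']}")
```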

jonathanasdf
2008-02-13, 02:15

Running Trend Micro HiJackThis v2.0.2 still gives error:

This is not a valid Win32 application,

Running Nod32 gives:

The Nod32 Kernel service was unable to start.

shelf life
2008-02-13, 02:34
hi,

ok thanks for the info. download and run the rootkit scanner from avg.

then:
go to start>run and type in services.msc click ok
under the name column look for:
NOD32 Kernel Service
right click on it and select properties
make sure that the service status is: Started, if not click the Start button
and the Startup type is: Automatic, if not change it to Automatic
click apply, then ok

reboot and try running Nod32

jonathanasdf
2008-02-13, 02:41
Ok. On running AVG Anti-Rootkit Free, error:

C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\avgarkt.exe is not a valid Win32 application.

Also, in services

http://i207.photobucket.com/albums/bb156/jonathanasdf/nod32services.jpg

shelf life
2008-02-13, 03:17
hi,

no luck. that service you highlighted, just check that its status is stopped and the startup is disabled.

let's try another online scanner since the last one removed some goodies, this time try F-secure:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

uses Internet Explorer only

click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet
"accept" the License Agreement, click "full system scan"
Once the download of files completes, the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply please.

some info about the error msg:
http://www.computerhope.com/issues/ch000726.htm

jonathanasdf
2008-02-13, 03:23
I didn't mean to highlight any service. It's just that Nod32 isn't on the list.

I will scan now.

jonathanasdf
2008-02-13, 09:26
Additionally, F-Secure online scanner returns the following error:



http://i207.photobucket.com/albums/bb156/jonathanasdf/error.jpg

I checked and
Active-X is enabled, Javascript is enabled, I have administrative privileges. So...

shelf life
2008-02-14, 01:18
hi,

uhmm not good. going back to the first online scan let's see if we can delete anything manually. if you can boot into safe mode (tap f8 key during computer restart) do it there, if not try it in normal mode.

to show all files:
For XP: on the desktop double click my computer, go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files" also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

navigate here:
C:\windows\system32\drivers
look for/delete
hldrrr.exe

if you cant delete it try this:
don't know if task manager is working but you can look here:
hit ctrl-alt-delete keys at once to bring up task manager
under the process tab look for hldrrr.exe-- click on and then click "end process" then go back to the system32\drivers dir and try to delete it.

navigate here
C:\windows\system32
look for/ delete:
mdelk.exe
-----------------------
do this also, delete what you can, best in safe mode if that's possible:

using explorer (right click on start>explore) drill down to these. you want to delete what's >inside< the folder, not the folder itself.

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

next:
Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------
that avg rootkit you downloaded, try renaming the file to something else like scanner.exe or something.

last:
since it worked last time, repeat the online scan here:
ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

jonathanasdf
2008-02-14, 02:02
Ok. I deleted what I could, and will scan soon.

hldrrr.exe was nowhere to be found. Yes, I enabled hidden files and system files.

Found mdelk.exe, but could not delete. Reckon I could do it in safe mode, but I can't boot to it. HiJackThis doesn't run so I can't use that file deleter.

Renaming the file proved useless. It probably targeted a command inside common scanners.

I deleted files and everything, and I will scan very soon.

here is a screenshot of everything

http://i207.photobucket.com/albums/bb156/jonathanasdf/screen.jpg

shelf life
2008-02-14, 03:58
hi,

see if you can get into safe mode this way. only do it if XP is the only operating system on your computer:
if it works run your AV etc in safe mode.

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

jonathanasdf
2008-02-14, 05:47
DAMN IT!

After checking the /Safeboot, my computer still won't boot into safe mode. It says that there has been a problem while booting, probably due to a recent hardware or software change, and restarts my computer. If I choose to start windows normally, it restarts my computer. If I choose safe mode, it can't load SPTD.sys. Even most recent good configuration won't work. Now I'm stuck with a desktop that can't boot, and I only have 1 OS so I can't boot to another, XP doesn't support boot to DOS either so I can't do that.... Any way to fix it other than completely reinstall XP, which I don't want to do?

jonathanasdf
2008-02-14, 06:02
Ok ok I managed to use the XP install disk to get into DOS. I should be able to edit the boot.ini file here... EXCEPT it doesn't support the edit command. Type and More show what's inside the file... I'm so close to it, but I can't edit the file....

jonathanasdf
2008-02-14, 06:34
My final solution: Delete boot.ini. Now I've booted back into windows. I'm not going to try that again.

Any other ideas on what to do? I googled and found that SPTD.sys had some incompatibility issues and sometimes prevents the loading of safe mode. I'm upgrading it right now, and going to try loading safe mode again.

jonathanasdf
2008-02-14, 08:04
Ok. Managed to delete mdelk.exe. Still cannot boot into safe mode, or run any antivirus. Deleted SPTD.sys, and now it restarts at MUP.sys without any warning when booting into safe mode.

I still don't see any suspicious virus behavior... but why would my antivirus suddenly not work after working fine for so long...

jonathanasdf
2008-02-14, 15:07
Here is the ESET log.




# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2873 (20080213)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e230fc137e9ef54ba6c39410f434eb5d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-14 09:20:13
# local_time=2008-02-14 01:20:13 (-0800, Pacific Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=506544
# found=20
# scan_time=5061
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\K7932JCS\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[2].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[3].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[3].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[4].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[5].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe a variant of Win32/Bagle worm (unable to clean - error while deleting) 771623BE7FBD00AAC125685BAA4A35EC
G:\vist\WGA.october.2007.(lildude) (v7).1.7.59.1\Windows Xp Sp2 Keygen with auto key changer\1) Windows XP SP2 Keygen\KeyGen.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000



There must be some registry, as I know I deleted mdelk but it popped back up.

shelf life
2008-02-14, 23:28
hi,

thanks for the info. I am starting to think it's something more than malware now. corrupted registry and or files?
i.e. the errors at boot up. you should start thinking about a reformat/reinstall of windows. just in case. you should pull off to cd/dvd, flash drive, 2nd HD etc anything you don't want to lose.
i think you can enter safe mode, it's the errors at bootup that are preventing it, why you can boot normally with no problems i have no idea. I also wouldn't edit the boot.ini file unless you are sure of what you are doing. could leave you with a door stop.
if you have the windows install cd you can try system file checker although it wont fix a corrupt registry.

run>start and type in sfc /scannow
there is space after the c and before the /
its worth a try anyway at this point.

jonathanasdf
2008-02-15, 01:36
Thanks for the help. I really hope it's not a corrupt file system... I don't have any removable hard drives, that means I would have to upload all backups and everything to the internet, which firstly isn't safe for my files, and secondly I can't access them until I reinstall, and I have tons of school work right now that requires a computer.

I'm going to try booting with the /sos switch and seeing the problem. I have already tried the Microsoft disk recovery service, and it requires a floppy that I don't have.

Thanks for all your help. I hope this will work out...

shelf life
2008-02-15, 02:54
hi,

that last online scan doesn't really look too bad. so let's say you do get into safe mode and manage to clean up some files. if it's a corrupt registry or files you will still have the same problem.
if you have the install cd you could try a repair of xp which should preserve your data. see links:

http://www.michaelstevenstech.com/XPrepairinstall.htm
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

in any case you should really backup what you can.
better to lose some data than all of it.

jonathanasdf
2008-02-15, 03:42
I would rather not be so hasty...

I just checked the boot sequence and error message from the boot using the /sos switch. The error appears to be:

0x0000007B(0xF7906528, 0xC0000034, 0x00000000, 0x00000000)

I'm posting this on the Microsoft support forum to see if anyone can make sense of it.

I will run sfc soon.

So, now instead of that problem, is there any way to remove the Bagle infection without going to safe mode? I tried Sophos' Bagle remover, which doesn't find it. Spybot S&D can't load up. So....

Maybe could you also ask around the other helpers? Some of them might know something.

shelf life
2008-02-16, 00:17
hi,

I would rather not be so hasty...
it's not about being hasty, more like being prepared, a just in case.

i think you have the "new" version of the worm. i think the tool you have is for the older versions.
i also think it may be part of a rootkit. let's try gmer.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit/Malware tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
-------------------------------------

jonathanasdf
2008-02-16, 03:39
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-15 18:35:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile

---- Kernel code sections - GMER 1.0.14 ----



I'm skipping the kernel code sections because that section is huge. Also, hldrrr.exe was running as a hidden process, along with winitems.exe.

I can't find the log, so I'm going to try a rescan and post the log.

jonathanasdf
2008-02-16, 04:12
Ok. The important parts of the log, so the log is shortened from about 3 million characters to the limit of 20k characters.

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-15 19:05:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile


---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 3704 [Registry]

File C:\WINDOWS\system32\drivers\srosa.sys 112432 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\hldrrr.exe 746967 bytes
File C:\WINDOWS\system32\drivers\down

A Ton of C:\WINDOWS\system32\drivers\down\########.exe
632
File C:\WINDOWS\system32\wintems.exe 71172 bytes
File C:\WINDOWS\ime\SHARED 0 bytes
File C:\WINDOWS\ime\SHARED\imepaden.hlp 81368 bytes
File C:\WINDOWS\ime\SHARED\imepadsm.dll 102463 bytes
File C:\WINDOWS\ime\SHARED\imepadsv.exe 311359 bytes
File C:\WINDOWS\ime\SHARED\imlang.dll 102456 bytes
File C:\WINDOWS\ime\SHARED\RES 0 bytes
File C:\WINDOWS\ime\SHARED\RES\PADRS404.DLL 15872 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs411.dll 36927 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs412.dll 14336 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs804.dll 15360 bytes

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

shelf life
2008-02-16, 18:15
hi,

ok good.

Run gmer app again.
Click the tab called Processes and click on the safe button. The computer will reboot and the Gmer screen will re-open.
Click on files and browse to these:

C:\WINDOWS\system32\drivers\srosa.sys
Now click Delete button

and get these two also:

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\hldrrr.exe

Now click on the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer
post the new gmer log.

jonathanasdf
2008-02-17, 17:45
I think the apps are gone, but HiJackThis etc. still can't run.

http://www.sendspace.com/file/b1r3vi

The log was too long, so I uploaded it. I can assure that there's no virus in it.

shelf life
2008-02-17, 21:54
hi,

ok good you got rid of those processes - no items in red or warnings about rootkits when you reran gmer?
still unable to run anything? can you boot into safe mode?

I've been looking for more info on it. got some links, sometimes they may be helpful, sometimes not. these malware coders can come out with new variations to an infection overnight.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-091411-1857-99&tabid=1

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21780028

jonathanasdf
2008-02-17, 23:08
Nope. When running Gmer the popup disappeared.

I'm looking through the sites to see if I have any other files / registry.

jonathanasdf
2008-02-17, 23:17
Yep. It's gone. There still is a registry key, invisible so I can't delete it, pointing to hldrrr.exe. However, it can't find the file, so it can't execute it.

This must be an updated version, because it's no longer hidr.exe.

I'm going to try reinstalling nod32 right now.


Thanks for all your help!

Also, the safe mode problem may not be caused by this at all.
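
The orphaned Run value pointing at a file that no longer exists is what the O4 section of a HijackThis log shows. As an added example that is not from the thread and not HijackThis code, here is a Python check over O4 lines that flags entries whose target is missing on disk or is an .exe launched from the drivers folder; the sample lines are constructed from the log posted in the thread, and the `exists` callback is an assumption so the check can run offline against a list of known paths.

```python
"""Check HijackThis O4 (autostart) entries the way the thread does by hand.

Added example, not part of the thread and not HijackThis code. It parses the
O4 lines, extracts the executable each entry launches, and flags entries whose
target is missing on disk (an orphaned Run value like the one left behind after
hldrrr.exe was deleted) or that launch an .exe from the drivers folder.
"""
import os
import re

# Registry form: O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command> (User '<name>')
REGISTRY_O4 = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder form: O4 - Startup: <shortcut>.lnk = <target>
STARTUP_O4 = re.compile(
    r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.+)$"
)

# Constructed sample: a handful of lines modelled on the log in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""


def executable_of(command):
    """Return the program path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted command: treat the first " /" or " -" as the start of arguments
    # (a heuristic; unquoted paths containing " - " would need quoting anyway).
    return re.split(r" [/-]", command, maxsplit=1)[0]


def parse_o4(text):
    """Return a dict per O4 line; every other HijackThis section is ignored."""
    entries = []
    for line in text.splitlines():
        m = REGISTRY_O4.match(line.strip()) or STARTUP_O4.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["exe"] = executable_of(entry["command"])
        entries.append(entry)
    return entries


def audit_o4(text, exists=os.path.exists):
    """Return (value name, exe, [reasons]) for every entry worth a second look.

    `exists` is injectable (assumption of this example) so the check can run
    against a path list taken from another machine instead of the local disk."""
    findings = []
    for entry in parse_o4(text):
        exe, reasons = entry["exe"], []
        if "\\" not in exe:
            reasons.append("bare file name resolved via PATH, cannot verify")
        else:
            low = exe.lower()
            if "\\system32\\drivers\\" in low and low.endswith(".exe"):
                reasons.append("executable launched from the drivers folder")
            if not exists(exe):
                reasons.append("target missing on disk (orphaned autostart value)")
        if reasons:
            findings.append((entry["name"], exe, reasons))
    return findings


if __name__ == "__main__":
    # Constructed "what is on disk" list standing in for the real file system.
    present = {r"c:\windows\system32\ime\tintlgnt\tintsetp.exe",
               r"c:\program files\java\jre1.6.0_03\bin\jusched.exe",
               r"c:\windows\system32\ctfmon.exe", r"c:\program files\xfire\xfire.exe"}
    for name, exe, reasons in audit_o4(SAMPLE_HJT, lambda p: p.lower() in present):
        print(f"[{name}] {exe}: {'; '.join(reasons)}")
```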

jonathanasdf
2008-02-17, 23:32
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:11 PM, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DayMate] C:\Program Files\DayMate\daymate.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet ×ê?′???÷ - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: http://www.talkaboutcanada.ca
O15 - Trusted Zone: http://s3.travian.com
O15 - Trusted Zone: http://s5.travian.com
O15 - Trusted Zone: http://s6.travian.com
O15 - Trusted Zone: http://www.travian.com
O15 - Trusted Zone: http://s3.travian.us
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmstarter/NMStarter25.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games ?Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.com/ActiveX/o2runner.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 13453 bytes

THANK YOU SO MUCH!!! Now everything works again, I just have to re-dl it.
THANKS!
NB. when i get paypal I WILL donate.

shelf life
2008-02-18, 00:25
hi jonathanasdf,

glad I could help. you should do a full scan with your updated antivirus and Spybot.


start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

careful what you download with BitComet; there is plenty of malware on the networks. I have some p2p tips on my website.

post another HJT log. how's the safe mode problem?
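Added example (not from this thread, HijackThis or Spybot): a small Python audit that parses O4 lines like the two flagged above and applies the two checks those entries illustrate, an .exe autostarted out of system32\drivers and a value name that names one executable but launches another. The sample lines are constructed from this log; the rule set and the helper names are assumptions of this example.

```python
"""Audit HijackThis O4 (autostart) lines for the two anomalies seen in this thread."""
import re
from typing import Optional

# Constructed sample input: O4 lines copied from the log above, with benign
# entries kept in so the rules can be seen to pass them.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice',
    r'O4 - HKCU\..\Run: [DayMate] C:\Program Files\DayMate\daymate.exe',
    r'O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe',
    r'O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
]

# "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# HJT appends "(User '...')" to HKUS entries; it is not part of the command.
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)\s*$")


def parse_o4(line: str) -> Optional[dict]:
    """Split an O4 line into hive/key, value name and the image path it launches."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_SUFFIX_RE.sub('', m.group('cmd')).strip()
    if cmd.startswith('"'):
        # Quoted image path: everything up to the closing quote.
        image = cmd[1:cmd.index('"', 1)]
    else:
        # Unquoted: HJT prints the path, then any switches introduced by " /".
        image = cmd.split(' /', 1)[0].strip()
    return {'hive': m.group('hive'), 'name': m.group('name'), 'image': image}


def suspicious_reasons(entry: dict) -> list:
    """Return the (possibly empty) list of rules an O4 entry trips."""
    reasons = []
    image_lc = entry['image'].lower()
    basename = image_lc.rsplit('\\', 1)[-1]
    # Rule 1: an .exe under system32\drivers\. That directory holds .sys kernel
    # drivers, not user-mode autostart programs (cf. drvsyskit -> hldrrr.exe).
    if '\\system32\\drivers\\' in image_lc and basename.endswith('.exe'):
        reasons.append('executable autostarted from system32\\drivers')
    # Rule 2: a value name that looks like a filename but differs from the image
    # actually launched (cf. [german.exe] -> wintems.exe). ctfmon.exe ->
    # ctfmon.exe is the legitimate pattern and passes.
    name_lc = entry['name'].lower()
    if name_lc.endswith('.exe') and name_lc != basename:
        reasons.append(f'value name {entry["name"]} does not match image {basename}')
    return reasons


def audit_o4(lines) -> dict:
    """Return {value name: [reasons]} for every O4 line that trips a rule."""
    findings = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue  # not an O4 line (O2, O16, ... are ignored here)
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry['name']] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in audit_o4(SAMPLE_O4_LINES).items():
        print(f'{name}: ' + '; '.join(reasons))
```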

jonathanasdf
2008-02-18, 02:14
Haven't quite tried safe mode yet. I used FreshUI and deleted Winitems + German from autorun. Also removed the registry files.

Spybot found some other random things. I couldn't find the log, so here's the data..

LOG!! (http://www.freewebs.com/homeworkjs/stuff/Spybot%20-%20Search%20%26%20Destroy%20scan%20report.pdf)

AdWatch found the remnants of Bagle and removed them.

Thanks a lot. Really.

shelf life
2008-02-19, 00:00
hi jonathanasdf

ok good. how about one more hjt log. if all is good we can make a new restore point.

jonathanasdf
2008-02-19, 01:10
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:06 PM, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet ×ê?′???÷ - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: http://www.talkaboutcanada.ca
O15 - Trusted Zone: http://s3.travian.com
O15 - Trusted Zone: http://s5.travian.com
O15 - Trusted Zone: http://s6.travian.com
O15 - Trusted Zone: http://www.travian.com
O15 - Trusted Zone: http://s3.travian.us
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmstarter/NMStarter25.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games ?Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.com/ActiveX/o2runner.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 13599 bytes


Thanks

shelf life
2008-02-20, 02:03
hi jonathanasdf,

ok thanks. one more item to check out.
navigate here:
C:\WINDOWS\system32

see if you can find:
conime.exe

if so, go to the website below, browse for the file again and upload it using the Send button. you can copy/paste the results you get in your next reply.

http://www.virustotal.com/

jonathanasdf
2008-02-20, 02:13
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.07 -
Authentium 4.93.8 2008.02.06 -
Avast 4.7.1098.0 2008.02.06 -
AVG 7.5.0.516 2008.02.07 -
BitDefender 7.2 2008.02.07 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.07 -
DrWeb 4.44.0.09170 2008.02.07 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5518 2008.02.07 -
Ewido 4.0 2008.02.07 -
FileAdvisor 1 2008.02.07 -
Fortinet 3.14.0.0 2008.02.07 -
F-Prot 4.4.2.54 2008.02.06 -
F-Secure 6.70.13260.0 2008.02.07 -
Ikarus T3.1.1.20 2008.02.07 -
Kaspersky 7.0.0.125 2008.02.07 -
McAfee 5224 2008.02.06 -
Microsoft 1.3204 2008.02.07 -
NOD32v2 2856 2008.02.07 -
Norman 5.80.02 2008.02.07 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.07 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.07 -
Symantec 10 2008.02.07 -
TheHacker 6.2.9.211 2008.02.06 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.07 -
Webwasher-Gateway 6.6.2 2008.02.07 -
Additional information
File size: 27648 bytes
MD5: 054df8f752497c6b74dd7b65cca61132
SHA1: f4dfd45a4e08f385277a1fde27878fa11eb6cc46
PEiD: -

I've had conime for a couple of years now...

conime.exe is a part of the Microsoft Windows Operating System and is essential for the secure and safe operation of your computer. This process is used when an Asian language is used in Windows.

shelf life
2008-02-20, 02:47
hi,

I don't remember ever seeing that .exe before. thanks for the info. if all is good it's time to make a new restore point. the why and the how:

One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed. Don't do it on a regular basis.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes the old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

i have some prevention tips at my site, link below.

happy safe surfing out there.

jonathanasdf
2008-02-20, 02:48
Again, thanks a lot. I won't download any random files off the internet again.

Thanks