
Antivirus software being attacked



martybelfast
2006-03-30, 23:05
Hi,

I posted a topic about my spybot not installing properly. Some sort of bug has deleted it and my firewall, is crashing my browsers and email software and is preventing me from installing any firewall or antivirus software. Don't know that much about this stuff, was told to download HJT... Here is the log file...

Logfile of HijackThis v1.99.1
Scan saved at 22:00:06, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Martin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Unknown owner - c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe

Again, help would be much appreciated,

Thanks,

Marty.

CalamityJane
2006-03-31, 00:03
Redo! I see it now...

O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll

Let me go see what's involved with this (it appears to be associated with a Bagle variant).
http://www.sarc.com/avcenter/venc/data/w32.beagle.dv.html#technicaldetails

CalamityJane
2006-03-31, 00:13
You should be able to scan with HijackThis and checkmark this entry, then press the *fix checked* button

O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll

Then delete the file:
C:\WINDOWS\SYSTEM32\ldr64.dll

and reboot your PC

It looks like you are using Panda - are you trying d/l another AV program too? Or is it Panda you're trying to reinstall?

martybelfast
2006-03-31, 00:21
I'll do that now...

Was regularly running:

Spybot (once a week)
ZoneAlarm Free Firewall (on all the time)
AdAware (once a week)
Spywareblaster (once a week)

and occasionally used

Ewido (once a month)
A Squared (once a month)

Spybot and ZoneAlarm were wiped from my system and would not install properly. I used Ewido and A Squared and they found problems and fixed them and I thought that was it, but I still had problems re-installing ZoneAlarm and Spybot. It was then that I tried to download a few different Antivirus programs but none of them would install properly, Panda was one of them.

What is the best of the free Firewalls and Antivirus programs to use or should I really be purchasing some?

About to do what you said, what next?

Thankyou so much for the help...

martybelfast
2006-03-31, 00:26
I cannot see the file ldr64.dll in the C:\WINDOWS\system32 folder... about to reboot anyway.

martybelfast
2006-03-31, 00:45
Hi,

ldr64 was not there. The computer is getting worse, has just crashed twice and threw up a blue screen and restarted. Not sure what's happening... Any ideas? Thanks.

CalamityJane
2006-03-31, 01:20
Please post a Fresh HijackThis log.

I think trying to install Panda on an infected machine may have complicated things. Can you uninstall that for now and we'll help you get some AV and firewall programs when we get you cleaned up and operating.

Let's see if this tool finds anything
Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

CalamityJane
2006-03-31, 01:41
After you have uninstalled Panda

1. Get this free tool from Trend-Micro
Damage Cleanup Engine / Template

http://www.trendmicro.com/download/dcs.asp
Get the Sysclean Package for non-Trend customers.

2. Grab a copy of the instructions here:
please download the following files
http://www.trendmicro.com/ftp/products/tsc/readme.txt

NOTE:
For instructions on how to use this package, consult the "How to Use" section of the readme file, readme_sysclean.txt. This file also contains the description and the different features of this package.

Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.
That's in the instruction under III Requirements - follow the directions.


3. DCT CONTROL RELEASE
Download Latest DCT Control Release
http://www.trendmicro.com/download/pattern-dcs-disclaimer.asp

The Damage Cleanup Template (DCT) Control Release is a pre-release version of Damage Cleanup Template (DCT) and is updated by TrendLabs almost as often as new samples come in. Since it is designed to clean registries and system files from 'in-the-wild' malware infections, DCT Control release receives only preliminary testing. DCT Control Release also must be deployed manually to your product.

Click the link above for additional information and deployment instructions. Users are advised to read the succeeding disclaimer carefully before downloading the current DCT Control Release.

Note: This should be able to detect and clean the virus, but is not a permanent solution to the AV. We'll help you get a resident AV program as soon as we get the virus cleaned up. If this won't install for some reason, let me know.
..............................
Free Zone Alarm firewall
http://dl2.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_61_744_001_en.exe

martybelfast
2006-03-31, 01:52
Thanks for getting back to me...

I uninstalled Panda and ran Look2Me and HJT; here are the logs:

Look2Me

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 31/03/2006 00:39:03


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


HJT

Logfile of HijackThis v1.99.1
Scan saved at 00:47:21, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

Gonna do the rest of what you said now.

CalamityJane
2006-03-31, 02:13
> Gonna do the rest of what you said now.
Ok, if Sysclean finds anything, please make careful note of the file names/ full path (exact location) and what virus name it was detected as. May be important to know.

martybelfast
2006-03-31, 04:12
Me again,

I finished running the Trend Micro thing. As far as I can make out it found nothing, no viruses. It does say that it detected some errors or could not set file for reading. Does any of this make any sense?

CalamityJane
2006-03-31, 04:20
How is your computer acting now? Are you still seeing problems?

martybelfast
2006-03-31, 04:22
No, no problems, but there haven't been any since I mentioned the crashes last time. The telltale sign was when I could not install ZoneAlarm or SpyBot. Should I try to install them now?

CalamityJane
2006-03-31, 04:34
> No, no problems, but there haven't been any since I mentioned the crashes last time. The telltale sign was when I could not install ZoneAlarm or SpyBot. Should I try to install them now?
Yes, let's try that now :)

Let me know how that goes.

And some very good free Antivirus Programs to try...something to start with anyway :) Pick one that works well for you. (Don't run all 3 at once - just run one as your resident program)

AVG
http://www.grisoft.com/us/us_dwnl_free.php

Antivir
http://www.free-av.com/

Avast
http://www.avast.com/i_idt_226.html

martybelfast
2006-03-31, 04:40
Sorry, still getting the error when installing ZoneAlarm...

The file

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
could not be opened

Will try SpyBot but I've got a feeling it will not work. The way it works is that it installs, but when I try to run it, it is missing the main .exe file; the shortcut comes up as an unrecognised file and when clicked cannot locate the original.

Will try to download and install AVG but this was also not working before

CalamityJane
2006-03-31, 05:01
Can you try this please?
http://support.microsoft.com/default.aspx?scid=555067

martybelfast
2006-03-31, 05:12
Sorry your head must be twisted with me...

Went through this and can't get it working, get the message:

The system cannot find the file specified and

The system cannot find the file regedit.com

martybelfast
2006-03-31, 05:25
Got regedit open by just searching for it. Followed the instructions, but where it says to change the current value to the data, it's already the same as what's there...

CalamityJane
2006-03-31, 14:57
How about Spybot, is it also giving you a problem on install?

CalamityJane
2006-03-31, 15:01
I found a similar problem described with Zone Alarm here:
http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=42588

I'm not sure what the problem is, whether it is ZA itself or a result of the virus infection. You could try uninstalling/reinstalling SP2, which would essentially reinstall IE and put your security registry settings back to default.

Zone Labs has a forum for Installation problems here:
http://forum.zonelabs.org/zonelabs/board?board.id=inst

martybelfast
2006-03-31, 20:21
Nah,

Tried to install Spybot and got the same problem, a shortcut but no actual .exe file in the programs folder. My internet stopped working as well so I uninstalled it and got back online. Can't seem to see a resolution in the ZoneAlarm Forum either...

Thanks so much for your help, but it looks like this is beyond repair, I've got my other computer out of work and gonna get all the antivirus and firewall stuff up to date and transfer my files across and format this machine.

Thanks again and if you have any other ideas it would be great, but I sort of thought I would need to format the machine in the end.

Cheers,

Marty.

CalamityJane
2006-03-31, 21:44
Hi Marty,

A reformat might be best in the long run as I'm not certain what damage this thing has done, but I did think you might have gotten one of the newest Bagle variants with a rootkit, and it is designed to disable security software in the manner we might be seeing here.

Run this tool from F-Secure called Blacklight, and then we'll need to search for the files listed in this description.
Read here
Bagle.GE Trojan.rootkit
http://www.f-secure.com/v-descs/bagle_ge.shtml

Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the *I accept* button near the bottom of that page.
Download and run Blacklight, click > scan, then > next, next again, then exit.
There will be a new text file on your desktop near Blacklight. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

!!Do not rename any files yet

martybelfast
2006-04-01, 03:26
Yes, how's things,

Cheers for getting back to us again. I set up my other machine and am installing all my software on it, but I do need to get my files across from this infected machine and I'm a bit wary of transferring anything across while this is still infected, so it would be great to get it cleaned out.

I ran that Blacklight and it found a few things... that ldr64 file is listed there...

04/01/06 02:18:36 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 02:18:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 02:18:37 [Note]: 7019 4
04/01/06 02:18:37 [Note]: 7005 0
04/01/06 02:18:47 [Note]: 7006 0
04/01/06 02:18:47 [Note]: 7011 1088
04/01/06 02:18:47 [Note]: 7024 3
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:18:48 [Note]: FSRAW library version 1.7.1015
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 3
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
04/01/06 02:20:04 [Note]: 10002 2
04/01/06 02:22:04 [Note]: 7007 0
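
The two log formats in this thread, HijackThis autostart entries (O4, O20, O23) and BlackLight's "Hidden file/process" lines, are what let the helper tie the O20 ldr64 entry to a rootkit: an autostart whose target is hidden from normal directory listings is the combination worth acting on. The Python below is an added example, not code from HijackThis, F-Secure or either poster. It parses both formats, reports the autostart entries whose target BlackLight lists as hidden, and separately lists hidden objects with no visible autostart entry (the m_hook.sys driver above is one). The sample lines are constructed from the logs in this thread; the "user-writable profile directory" check is a heuristic of this example, not something the thread states.

```python
"""Correlate HijackThis autostart entries with BlackLight hidden-object lines.
Added example for this thread; not a tool from HijackThis, F-Secure or the posters."""
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the HijackThis logs posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
"""

# Constructed sample lines, modelled on the BlackLight log posted in the thread.
BLACKLIGHT_SAMPLE = r"""
04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
04/01/06 02:19:20 [Note]: 10002 2
04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys
04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.*)$")
BL_RE = re.compile(r"\[Info\]: Hidden (?:file|process): (?P<path>.*)$")


@dataclass
class Entry:
    section: str   # HijackThis section: O4, O20 or O23
    name: str      # Run-key value name, Winlogon Notify subkey or service name
    path: str      # executable or DLL the entry loads
    reasons: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: stop at the first module extension.
    m = re.match(r"(.*?\.(?:exe|dll|sys|com|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> list:
    """Turn the autostart sections of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], extract_path(m["cmd"])))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["path"].strip()))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["name"], m["path"].replace("(file missing)", "").strip()))
    return entries


def parse_blacklight(text: str) -> set:
    """Collect the paths BlackLight reports as hidden, lower-cased for comparison."""
    hidden = set()
    for line in text.splitlines():
        m = BL_RE.search(line)
        if m:
            hidden.add(m["path"].strip().lower())
    return hidden


def correlate(hjt_text: str, blacklight_text: str) -> list:
    """Return the autostart entries that deserve a closer look, with reasons attached."""
    hidden = parse_blacklight(blacklight_text)
    flagged = []
    for entry in parse_hjt(hjt_text):
        key = entry.path.lower()
        if key in hidden:
            entry.reasons.append("target is hidden from the file system (rootkit)")
        # Heuristic of this example, not from the thread: autostarts under a user
        # profile are unusual for legitimate software (hidr.exe lived there here).
        if "\\application data\\" in key or "\\documents and settings\\" in key:
            entry.reasons.append("autostart target lives in a user-writable profile directory")
        if entry.reasons:
            flagged.append(entry)
    return flagged


def unanchored_hidden(hjt_text: str, blacklight_text: str) -> list:
    """Hidden objects with no visible autostart entry, e.g. a driver the rootkit loads itself."""
    referenced = {e.path.lower() for e in parse_hjt(hjt_text)}
    return sorted(parse_blacklight(blacklight_text) - referenced)


if __name__ == "__main__":
    for e in correlate(HJT_SAMPLE, BLACKLIGHT_SAMPLE):
        print(f"{e.section} [{e.name}] {e.path}")
        for reason in e.reasons:
            print(f"    - {reason}")
    for p in unanchored_hidden(HJT_SAMPLE, BLACKLIGHT_SAMPLE):
        print(f"hidden, no autostart entry: {p}")
```

On the sample above the script flags the wintems.exe and hidr.exe Run entries and the ldr64 Winlogon Notify DLL, leaves the QuickTime, Outlook and MySQL entries alone, and lists m_hook.sys as hidden with nothing in the HijackThis log referring to it. Comparing lower-cased paths matters because HijackThis and BlackLight print the same directory as SYSTEM32 and system32.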

CalamityJane
2006-04-01, 03:41
Bingo!... about a week old, new variant of Bagle
Virus Profile: W32/Bagle.ea
http://forums.spybot.info/showthread.php?t=3355&goto=newpost

run blacklight again

when you get to the second phase of blacklight scan
highlight each item, select rename
then click finish and allow blacklight to reboot the computer

rename these:

04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe

04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe

04/01/06 02:19:20 [Info]: Hidden file: C:\Documents and Settings\Martin\Application Data\hidires\m_hook.sys

04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\wintems.exe

04/01/06 02:20:04 [Info]: Hidden file: C:\WINDOWS\system32\ldr64.dll

after reboot

Delete all the renamed files listed above...they will have a new extension of .ren. For example

This file: C:\WINDOWS\system32\ldr64.dll will be:

C:\WINDOWS\system32\ldr64.dll.ren

martybelfast
2006-04-01, 04:04
Happy days!

I ran that again and renamed all the files and deleted them.

Just to check though, one of the things you listed was a process:

04/01/06 02:18:47 [Info]: Hidden process: C:\WINDOWS\system32\wintems.exe

Will I do anything about this? (I renamed everything that came up in Blacklight and deleted 4 files in total)

and should I delete the hidires folder altogether?

Do you think that this is it sorted? Do I need to do anything else apart from reinstall my Firewall and Antivirus software? Would you recommend that I reformat my machine anyway?

Cheers for all the help, really appreciated.

Thanks,

Marty.

CalamityJane
2006-04-01, 04:19
Good catch, yes, delete the entire hidires folder (directory).

If you were able to rename and then delete the file:
C:\WINDOWS\system32\wintems.exe
It should be good!

Run Blacklight once more to produce a log and let's check?

Then please run Ewido and Panda Active scan. They may find more files that were previously hidden.

Post those logs and a fresh HijackThis log, along with the Blacklight (new) log.

martybelfast
2006-04-01, 04:25
Here is the Blacklight Log:

04/01/06 03:22:05 [Info]: BlackLight Engine 1.0.33 initialized
04/01/06 03:22:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/06 03:22:05 [Note]: 7019 4
04/01/06 03:22:05 [Note]: 7005 0
04/01/06 03:22:30 [Note]: 7006 0
04/01/06 03:22:30 [Note]: 7011 1140
04/01/06 03:22:30 [Note]: FSRAW library version 1.7.1015
04/01/06 03:23:57 [Note]: 7007 0

Now running Ewido and Panda, and then HJT will post the logs when done.

Cheers

M.

CalamityJane
2006-04-01, 04:33
Blacklight log looks good :)

Will wait for the others - it may take a while.

I'm about to sign off for the night here (it's late). But will be checking back in here in the morning :)

martybelfast
2006-04-01, 13:01
Fingers crossed, it's looking good so far...

Here is the log from Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:52:58, 01/04/2006
+ Report-Checksum: 68C4ABF6

+ Scan result:

No infected objects found.


::Report End

I don't have Panda anymore (we uninstalled it). I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?

I'll run HJT after a-squared has finished and post the logs

Cheers,

Marty

CalamityJane
2006-04-01, 15:53
Be careful with a-squared. Don't remove anything until we can see the logs, as it has a tendency for false positives and you could end up potentially deleting something you shouldn't with that program. It doesn't make backups either. I'd much prefer you use Ewido and make backups of deleted files, unless you know what you are doing.

CalamityJane
2006-04-01, 15:56
> I don't have Panda anymore (we uninstalled it). I can install it again, but it wasn't a package that I used. I only tried it because I was having problems with my other software. I'm running a check with a-squared at the minute. Should I install Panda or something else and run it? Or should I just try to install ZoneAlarm and Spybot again?
>
> I'll run HJT after a-squared has finished and post the logs
>
> Cheers,
>
> Marty
No, don't install Panda again if you are going to use something else like AVG. Just be sure you have an Antivirus program. If that installs, updates and runs ok, then go for installing Spybot again and Zone Alarm. Let us know how that goes.

When all done, it wouldn't hurt to see a fresh HijackThis log too.

martybelfast
2006-04-01, 21:13
a-squared Report
Scan started: 01/04/2006 11:53:27
Scan finished: 01/04/2006 12:52:16
Scan duration: 0h 58min 48sec
Scanned files: 179430
Infected files: 2

Object Diagnosis
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse

martybelfast
2006-04-01, 21:15
HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 20:14:24, on 01/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Martin\Application Data\hidires\hidr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095984890949
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {DF4F4ED9-420B-4F40-AEE6-A620460306E7} (CantocheLivingActorInstaller2 Class) - http://www.cantoche.com/Player/V16/LivingActorInstaller2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D8410EE-3C84-4A84-A16D-89FE450DE383}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

CalamityJane
2006-04-01, 23:50
On the a-squared detections....

Ok to let it fix this one:
Key: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy__11f*00df*00e4*0006#*00b7*00ba*00c4*00d6`i Trace.Registry.CWS.HomeSearch

Do NOT let it fix this one (that's part of Ewido) - it's a False Positive.
C:\Program Files\ewido\security suite\zlib.dll Adware.GameHouse

And please report that to them so they can fix their detection database, if you are a regular user of A-2

Now, I'll go look at your HijackThis log and let you know what I see there.

martybelfast
2006-04-05, 04:58
Hi CalamityJane,

Thanks for all the help before. If you're about again, I think I got this thing again, or something else. I was able to install SpyBot and ZoneAlarm again. I then began to network my two machines so that I could format this machine. (The one that got the Bagel thing)

When I was networking my machines I kept having problems with ZoneAlarm, so I uninstalled it while trying a few things. I found out what the problem was and tried to install ZoneAlarm again but had a few problems. The problems were ordinal 350 and I found some stuff on the internet about it.

My machine started crashing though and I ran AdAware, SpyBot and Ewido and they found some stuff and fixed it. But I crashed a few times again and ran F-Secure Blacklight to see...

Here is the log file

04/05/06 03:36:08 [Info]: BlackLight Engine 1.0.35 initialized
04/05/06 03:36:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/06 03:36:08 [Note]: 7019 4
04/05/06 03:36:08 [Note]: 7005 0
04/05/06 03:36:12 [Note]: 7006 0
04/05/06 03:36:12 [Note]: 7011 1188
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7026 0
04/05/06 03:36:12 [Note]: 7024 3
04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/05/06 03:36:12 [Note]: FSRAW library version 1.7.1015
04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
04/05/06 03:45:38 [Note]: 10002 1
04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
04/05/06 03:45:46 [Note]: 10002 1
04/05/06 03:47:29 [Note]: 7007 0

Sorry to be such a pain, but should I do the same again and rename them and delete them?

Thanks,

Marty.

martybelfast
2006-04-05, 05:01
Sorry,

Should have also mentioned that I run TuneUp on my machine as well.

CalamityJane
2006-04-05, 05:19
Rename and delete these two ONLY:

C:\WINDOWS\system32\lipsfeog.dll

C:\WINDOWS\system32\drivers\lipsfeog.sys

Then scan for infections.

Include an online AV scan (full system scan)
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Let me know how you make out
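A small parser for the BlackLight log format shown in Marty's post, added here as an example (it is not code from the thread or from F-Secure). It separates the hidden files, which are the two entries CalamityJane says to rename and delete, from the hidden process, which points at something hiding a legitimate binary rather than at a file to remove. The sample log is constructed from the lines posted above.

```python
"""Parse an F-Secure BlackLight log and list the hidden objects it reported.

Added example, not part of the forum thread or of BlackLight itself. The
sample log below is constructed from the format shown in the thread.
"""
import re
from collections import namedtuple

# BlackLight line format: "MM/DD/YY HH:MM:SS [Level]: message"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\]: (.*)$")
HIDDEN_RE = re.compile(r"^Hidden (file|process): (.+)$")

Hidden = namedtuple("Hidden", "timestamp kind path")


def parse_blacklight(text):
    """Return the 'Hidden file' / 'Hidden process' entries from a BlackLight log."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not in BlackLight's line format
        ts, level, msg = m.groups()
        h = HIDDEN_RE.match(msg)
        if level == "Info" and h:
            found.append(Hidden(ts, h.group(1), h.group(2)))
    return found


def files_to_rename(entries):
    """Hidden *files* are the rename-and-delete candidates the helper named.
    A hidden *process* running from a normal path (iexplore.exe in the
    thread) is evidence of a rootkit hiding it, not a file to delete."""
    return [e.path for e in entries if e.kind == "file"]


# Constructed sample in the format the thread shows
SAMPLE_LOG = r"""
04/05/06 03:36:08 [Info]: BlackLight Engine 1.0.35 initialized
04/05/06 03:36:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/06 03:36:12 [Note]: 7024 3
04/05/06 03:36:12 [Info]: Hidden process: C:\Program Files\Internet Explorer\iexplore.exe
04/05/06 03:45:38 [Info]: Hidden file: C:\WINDOWS\system32\lipsfeog.dll
04/05/06 03:45:38 [Note]: 10002 1
04/05/06 03:45:46 [Info]: Hidden file: C:\WINDOWS\system32\drivers\lipsfeog.sys
04/05/06 03:47:29 [Note]: 7007 0
"""

if __name__ == "__main__":
    entries = parse_blacklight(SAMPLE_LOG)
    for e in entries:
        print(f"{e.timestamp}  hidden {e.kind}: {e.path}")
    print("rename/delete candidates:", files_to_rename(entries))
```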

tashi
2006-04-11, 18:52
We would like to know how it's going martybelfast. :wink:

tashi
2006-04-17, 22:34
Closed topic.

Thank you CalamityJane