Unknown - Probably Infection

jonathanasdf

New member
I was stupid. Very stupid. oops :D

I went and downloaded a keygen. I never will again.

Anyhow, 5 seconds after running it I realised that it was a virus. I immediately disconnected from internet and used system restore to roll back registry changes.

Still, when my computer came back up, the damage had been done.

Apparently it targeted major antivirus programs... Whenever I try to run one of them an error appears. The only antivirus program I can run is ad-aware2008, but it found absolutely nothing.

When I open Spybot S&D, it says that it's not a valid Win32 file. When I open ESET NOD32, it says it cannot connect to the kernel. When I open HijackThis it says not a valid Win32 program. When I run Security Task Manager it states that the application or DLL ascode.dll is not a valid Windows image. Even ComboFix won't run.

This is not a file association error, as ALL other programs run perfectly. FreshUI works. Also, I have downloaded and applied the EXE association fix, which didn't fix anything. I have reinstalled everything, including the Spybot beta program, but it still doesn't work.

System Restore does not delete programs, which is what I think this is: a hidden background process. But I can't shut it down, because Security Task Manager is not working. I cannot scan the computer as my virus scanners and firewall are not working... I really am in need of a solution. Right now I have no firewall either, so... :S
 
Hi,

Try running your antivirus in Safe Mode. To reach Safe Mode, tap the F8 key during a computer restart and choose the first option from the list: Safe Mode.
I assume you can get on the internet? If so, first stop is here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click the start button
allow the ActiveX component to install
click the start button; the scanner will update
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in your next reply.
 
OK. I will soon. Thanks.

By the way, so far I don't see any effects on the system. Do you think it is an infection, or just a compatibility (permissions?) issue? All other programs work, and there don't seem to be any signs of an infection.
 
Well... I guess it's more serious than I thought.

I can't boot into Safe Mode: SPTD.sys won't load, and after a while the computer reboots saying there's been a problem in booting. However, booting normally works.

Also, I have tried system restore, and that hasn't helped either.

I will try the online scanner tonight.
 
The stupid scan didn't generate a log, which I thought it would have. I clicked random buttons, and it brought me to another page. After clicking back, I had to rescan.

Anyways, I took screenshots of the results.

[Attached screenshots: esetscan1.jpg, esetscan1right.jpg, esetscan2.jpg, esetscan2right.jpg]
 
Ah sorry. Here it is.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2868 (20080212)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=e230fc137e9ef54ba6c39410f434eb5d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-12 05:03:46
# local_time=2008-02-12 09:03:46 (-0800, Pacific Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=513882
# found=7
# scan_time=6361
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_31[1].jpg Win32/Bagle.MI worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\RQ5YCWV9\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\WGCO3FD6\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe Win32/Bagle.MI worm (unable to clean - error while deleting) 6020FA1550F8C4BABF2AF9F49F7A350F
C:\WINDOWS\system32\drivers\hldrrr.exe Win32/Bagle.MJ worm (unable to clean - error while deleting) 225CF12F76061C142394A14289526CC8
G:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP417\A0124009.exe probably a variant of Win32/IRCBot trojan (unable to clean - deleted) 00000000000000000000000000000000
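The scan log above, run through a small parser, as an added example that is not part of this thread: it reads the ESET online scanner format, separates what the scanner deleted from what it could not (the files a later reply goes after by hand), and flags copies sitting inside a System Restore point, which a rollback would put back. The sample is constructed from the log's own lines; the rule that the path ends at the first "name.ext" token is an assumption about the format.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Sample in the shape of the ESET online scanner log pasted above ('#' header
# lines, then "<path> <threat> (<action>) <MD5 or zeros>" per detection).
SAMPLE_LOG = r"""# version=4
# scanned=513882
# found=4
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\R6Q1146U\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe Win32/Bagle.MI worm (unable to clean - error while deleting) 6020FA1550F8C4BABF2AF9F49F7A350F
C:\WINDOWS\system32\drivers\hldrrr.exe Win32/Bagle.MJ worm (unable to clean - error while deleting) 225CF12F76061C142394A14289526CC8
G:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP417\A0124009.exe probably a variant of Win32/IRCBot trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# Paths contain spaces, so the path is cut at the first "<name>.<ext> " token
# (assumed rule); then threat name, action in parentheses, 32 hex digits of MD5.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{2,4}) (?P<threat>.+?) "
    r"\((?P<action>[^)]+)\) (?P<md5>[0-9A-Fa-f]{32})\s*$")

class Detection(NamedTuple):
    path: str
    threat: str
    action: str
    md5: str  # all zeros when ESET did not hash the file
    @property
    def removed(self) -> bool:
        # "... - deleted" means gone; "... - error while deleting" means still on disk
        return self.action.rsplit(" - ", 1)[-1] in ("deleted", "cleaned")
    @property
    def in_restore_point(self) -> bool:
        # System Restore snapshot copy: a rollback would bring the file back
        return "\\system volume information\\" in self.path.lower()

def parse_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    header: Dict[str, str] = {}
    found: List[Detection] = []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif line.strip():
            m = DETECTION_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised log line: {line!r}")
            found.append(Detection(m["path"], m["threat"], m["action"], m["md5"].upper()))
    return header, found

def still_on_disk(found: List[Detection]) -> List[Detection]:
    # The scanner's failures are the manual clean-up worklist
    return [d for d in found if not d.removed]
```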
 
Running Trend Micro HijackThis v2.0.2 still gives the error:

This is not a valid Win32 application.

Running NOD32 gives:

The NOD32 Kernel service was unable to start.
 
Hi,

OK, thanks for the info. Download and run the rootkit scanner from AVG.

Then:
go to Start > Run and type in services.msc, click OK
under the Name column look for:
NOD32 Kernel Service
right-click on it and select Properties
make sure that the service status is: Started; if not, click the Start button
and the Startup type is: Automatic; if not, change it to Automatic
click Apply, then OK

Reboot and try running NOD32.
 
OK. On running AVG Anti-Rootkit Free, error:

C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\avgarkt.exe is not a valid Win32 application.

Also, in Services:

[Attached screenshot: nod32services.jpg]
 
Hi,

No luck. That service you highlighted: just check that its status is Stopped and the startup type is Disabled.

Let's try another online scanner, since the last one removed some goodies. This time try F-Secure:

F-Secure scan:
http://support.f-secure.com/enu/home/ols.shtml

uses Internet Explorer only

click on the "start scanning" button near the bottom of the page
click to accept/install the ActiveX applet
"accept" the License Agreement, click "full system scan"
once the download of files completes, the scan will begin automatically
the scan may take some time to finish
when the scan completes, click the Automatic cleaning (recommended) button

Click the Show Report button and copy and paste the entire report in your next reply, please.

Some info about the error message:
http://www.computerhope.com/issues/ch000726.htm
 
Additionally, the F-Secure online scanner returns the following error:

[Attached screenshot: error.jpg]

I checked, and ActiveX is enabled, JavaScript is enabled, and I have administrative privileges. So...
 
Hi,

Uhmm, not good. Going back to the first online scan, let's see if we can delete anything manually. If you can boot into Safe Mode (tap the F8 key during a computer restart), do it there; if not, try it in normal mode.

To show all files:
For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Navigate here:
C:\windows\system32\drivers
look for/delete:
hldrrr.exe

If you can't delete it, try this:
Don't know if Task Manager is working, but you can look here:
hit the Ctrl-Alt-Delete keys at once to bring up Task Manager
under the Processes tab look for hldrrr.exe, click on it and then click "End Process", then go back to the system32\drivers dir and try to delete it.

Navigate here:
C:\windows\system32
look for/delete:
mdelk.exe
-----------------------
Do this also, delete what you can, best in Safe Mode if that's possible:

Using Explorer (right-click on Start > Explore), drill down to these. You want to delete what's >inside< the folder, not the folder itself.

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Next:
Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press OK to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------
That AVG rootkit scanner you downloaded: try renaming the file to something else, like scanner.exe or something.

Last:
Since it worked last time, repeat the online scan here:
ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click the start button
allow the ActiveX component to install
click the start button; the scanner will update
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in your next reply.
 
OK. I deleted what I could, and will scan soon.

hldrrr.exe was nowhere to be found. Yes, I enabled hidden files and system files.

Found mdelk.exe, but could not delete it. Reckon I could do it in Safe Mode, but I can't boot into it. HijackThis doesn't run, so I can't use that file deleter.

Renaming the file proved useless. It probably targeted a command inside common scanners.

I deleted files and everything, and I will scan very soon.

Here is a screenshot of everything:

[Attached screenshot: screen.jpg]
 
Hi,

See if you can get into Safe Mode this way. Only do it if XP is the only operating system on your computer.
If it works, run your AV etc. in Safe Mode.

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK.
* The System Configuration Utility appears. On the BOOT.INI tab, check the "/SAFEBOOT" option, then click OK and restart your computer when prompted.
* The computer restarts in Safe Mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe Mode, open MSCONFIG again, on the BOOT.INI tab uncheck "/SAFEBOOT" and click OK to restart your computer.
 
DAMN IT!

After checking /SAFEBOOT, my computer still won't boot into Safe Mode. It says that there has been a problem while booting, probably due to a recent hardware or software change, and restarts my computer. If I choose to start Windows normally, it restarts my computer. If I choose Safe Mode, it can't load SPTD.sys. Even Last Known Good Configuration won't work. Now I'm stuck with a desktop that can't boot, and I only have 1 OS so I can't boot to another; XP doesn't support booting to DOS either, so I can't do that.... Any way to fix it other than completely reinstalling XP, which I don't want to do?
 
OK, OK, I managed to use the XP install disk to get into a DOS-style prompt. I should be able to edit the boot.ini file here... EXCEPT it doesn't support the edit command. Type and More show what's inside the file... I'm so close to it, but I can't edit the file....
 