
Can't run any antivirus program


This topic is locked
8 replies to this topic

#1 aka_Pushkin (Full Member, 3 posts)

Posted 02 November 2008 - 07:39 AM

Good part of the day.
I think I have the same problem as here : http://www.spywarein...hp/t114712.html , at least the symptoms are the same. Can't run any antivirus or diagnostic program, including HijackThis or online scanners.

I tried downloading ComboFix, but I can't drag the Windows XP Recovery Console onto it, and this time renaming the file doesn't work either; I get "..is not a valid win32 application."

I already tried several things: scanning the system with ESET and Trend Micro HouseCall, and removing the mdelk.exe file manually after booting from DOS (I can't find the hldrrr.exe file on my system). In fact I have already tried everything I could think of, and nothing works :(

Any ideas, please?

#2 SWI Support Robot (Helper robot, 23,482 posts)

Posted 04 November 2008 - 07:44 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 snemelk (engineer; Expert, 3,072 posts)

Posted 06 November 2008 - 01:15 PM

Hi aka_Pushkin, and Welcome to SWI.

It's probably a Bagle infection - pretty nasty...

Have you already tried scanning with Malwarebytes' Anti-Malware? It used to deal with this rootkit infection...

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If it succeeded, please delete your current version of ComboFix... Then,

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

If the above instructions fail, we'll find another way to kill the infection... :)

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 aka_Pushkin (Full Member, 3 posts)

Posted 06 November 2008 - 05:47 PM

Hi! Thanks, that was a breakthrough, actually, but not good enough :(

Here's the log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

07/11/2008 00:39:29
mbam-log-2008-11-07 (00-39-24).txt

Scan type: Quick Scan
Objects scanned: 40266
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> No action taken.

----------------

This is about the best I could do when I remove wintems.exe manually, as this program doesn't seem able to do so; still, as you can see, srosa.sys strikes back. If I don't remove wintems.exe manually, when I rerun Malwarebytes' Anti-Malware I get the entire list, including the files that were removed in the previous scan.

I downloaded ComboFix from the link you gave me and renamed it; however, when I drag the Windows Recovery Console icon onto it and try to run it, I get the usual error: *.exe is not a valid Win32 application...

Many thanks!

#5 snemelk (engineer; Expert, 3,072 posts)

Posted 07 November 2008 - 05:38 PM

Hello again, and thank you for the information! :)

I downloaded ComboFix from the link you gave me and renamed it, however when I drag the Windows Recovery console icon into it and try to run it, I get the usual error : *.exe is not a valid Win32 application...

I wonder if renaming is still needed, as newer variants of Bagle didn't identify ComboFix by its name...
I have just tried removing this infection (probably one of the latest variants...) on my virtual machine... ComboFix (renamed...) ran without problems and removed it...

Anyway, we'll try another automatic tool - if it fails, we'll remove the infection manually... :)

Firstly, please delete your current version of ComboFix...

Secondly,
Please go to this site to download the ELIBAGLA tool:
  • Scroll down to the bottom of the site and click Descargar ELIBAGLA 11.93 - please save the file to the Desktop.
  • If possible, please disconnect the computer from the internet and disable your antivirus program,
  • Double-click on the file you've just downloaded to run the program,
  • Leave the default settings and click Explorar,
  • The tool should automatically remove infected files; if it asks for a reboot, please allow it,
  • When it finishes, click Salir to close the program,
  • Reconnect to the internet and enable your antivirus program, if needed.
  • Please post the contents of C:\InfoSat.txt in your next reply.

Then, if the tool succeeded, let's try ComboFix one more time - to make sure we remove everything:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#6 aka_Pushkin (Full Member, 3 posts)

Posted 08 November 2008 - 12:40 PM

:D

I think it worked!

On each account I can run HijackThis, and I didn't see anything suspicious there.

Nevertheless, here's the ComboFix log:

ComboFix 08-11-07.01 - indigo_montoya 2008-11-08 19:19:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1723 [GMT 2:00]
Command switches used :: c:\documents and settings\indigo_montoya\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\InfoSat.txt
c:\windows\system32\drivers\downld
c:\windows\system32\drivers\downld\102781.exe
c:\windows\system32\drivers\downld\107906.exe
c:\windows\system32\drivers\downld\114375.exe
c:\windows\system32\drivers\downld\117968.exe
c:\windows\system32\drivers\downld\121453.exe
c:\windows\system32\drivers\downld\14686734.exe
c:\windows\system32\drivers\downld\14835343.exe
c:\windows\system32\drivers\downld\14837484.exe
c:\windows\system32\drivers\downld\14876406.exe
c:\windows\system32\drivers\downld\14885750.exe
c:\windows\system32\drivers\downld\14889812.exe
c:\windows\system32\drivers\downld\14897875.exe
c:\windows\system32\drivers\downld\15002687.exe
c:\windows\system32\drivers\downld\15020656.exe
c:\windows\system32\drivers\downld\15024296.exe
c:\windows\system32\drivers\downld\236734.exe
c:\windows\system32\drivers\downld\256937.exe
c:\windows\system32\drivers\downld\259875.exe
c:\windows\system32\drivers\downld\56281.exe
c:\windows\system32\drivers\downld\70875.exe
c:\windows\system32\drivers\downld\72140.exe
c:\windows\system32\drivers\srosa.sys
c:\windows\system32\drivers\winfilse.exe
c:\windows\system32\mdelk.exe
c:\windows\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-06 22:59 . 2008-11-06 22:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-06 22:59 . 2008-11-06 22:59 <DIR> d-------- c:\documents and settings\indigo_montoya\Application Data\Malwarebytes
2008-11-06 22:59 . 2008-11-06 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-06 22:59 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-06 22:59 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-06 22:55 . 2008-11-06 22:55 2,372,472 --a------ c:\temp\mbam-setup.exe
2008-11-05 14:39 . 2008-11-05 14:39 <DIR> d-------- c:\documents and settings\indigo_montoya\Application Data\Nitro PDF
2008-11-05 14:33 . 2008-11-05 14:33 <DIR> d-------- c:\program files\Nitro PDF
2008-11-05 14:33 . 2008-11-05 14:33 <DIR> d-------- c:\program files\Common Files\Nitro PDF
2008-11-05 14:33 . 2008-11-05 14:33 <DIR> d-------- c:\program files\Common Files\BCL Technologies
2008-11-05 14:33 . 2008-11-05 14:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nitro PDF
2008-11-04 04:09 . 2008-11-04 04:09 <DIR> d-------- c:\documents and settings\indigo_montoya\Application Data\Jasc
2008-11-03 23:16 . 2008-11-04 04:36 <DIR> d-------- c:\program files\AniTuner
2008-11-03 23:16 . 2003-11-03 12:26 24,576 --a------ c:\windows\KeyHH.exe
2008-11-02 05:13 . 2008-11-02 05:33 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-02 05:06 . 2008-11-08 19:21 576,399,392 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-02 05:06 . 2008-11-08 19:17 6,748,448 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-02 05:05 . 2008-07-08 13:54 148,496 --a------ c:\windows\system32\drivers\11338613.sys
2008-11-02 04:59 . 2008-11-02 05:04 28,552,880 --a------ c:\temp\setup_7.0.0.242_02.11.2008_04-00.exe
2008-11-02 04:50 . 2008-11-02 06:54 42 --a------ C:\blah.exe
2008-11-02 04:27 . 2008-11-02 04:36 <DIR> d-------- c:\windows\BDOSCAN8
2008-11-02 04:20 . 2001-08-17 14:05 314,752 --a--c--- c:\windows\system32\dllcache\camdro21.sys
2008-11-02 04:19 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-11-02 04:18 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll
2008-11-02 04:17 . 2001-08-17 12:19 747,392 --a--c--- c:\windows\system32\dllcache\adm8830.sys
2008-11-02 04:16 . 2008-04-13 21:27 2,188,928 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-02 04:16 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-11-02 04:16 . 2001-08-17 14:55 689,216 --a--c--- c:\windows\system32\dllcache\3dfxvs.dll
2008-11-02 04:16 . 2001-08-17 12:48 148,352 --a--c--- c:\windows\system32\dllcache\3dfxvsm.sys
2008-11-02 04:16 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-11-02 04:16 . 2001-08-17 14:06 11,264 --a--c--- c:\windows\system32\dllcache\1394vdbg.sys
2008-11-02 00:08 . 2008-11-02 00:16 <DIR> d-------- c:\documents and settings\indigo_montoya\.housecall6.6
2008-11-01 23:16 . 2008-04-17 21:13 811,008 --a------ C:\gmer.exe
2008-11-01 23:16 . 2008-11-01 23:16 747,873 --a------ c:\temp\gmer.zip
2008-11-01 22:57 . 2008-11-01 22:57 49 --a------ c:\windows\WININIT.INI
2008-11-01 19:19 . 2008-11-01 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-11-01 19:18 . 2008-11-01 19:19 <DIR> d-------- c:\temp\ClnExtor
2008-11-01 19:04 . 2008-11-01 19:04 <DIR> d-------- c:\program files\Lavasoft
2008-11-01 19:04 . 2008-11-01 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 22:39 . 2008-10-31 22:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-31 22:23 . 2008-10-31 22:23 <DIR> d-------- C:\Intel
2008-10-31 21:52 . 2008-10-31 21:52 <DIR> d-------- c:\documents and settings\indigo_montoya\Application Data\Uniblue
2008-10-31 21:47 . 2008-10-31 21:48 1,677,872 --a------ c:\temp\registrybooster.exe
2008-10-31 20:41 . 2008-10-31 20:43 10,084,225 --a------ c:\temp\10mb.zip
2008-10-31 16:00 . 2008-10-31 16:00 3,163 --a------ c:\windows\AXCursor.INI
2008-10-31 00:21 . 2008-10-31 00:21 <DIR> d-------- c:\program files\Axialis
2008-10-30 23:39 . 2008-11-04 04:41 <DIR> d-------- C:\FSU10
2008-10-30 23:25 . 2008-10-30 23:25 <DIR> d-------- c:\documents and settings\indigo_montoya\Application Data\RealWorld
2008-10-30 17:38 . 2008-11-04 03:26 <DIR> d-------- c:\program files\VeryPDF PDF Editor v2.2
2008-10-30 17:28 . 2008-10-30 17:29 8,562,411 --a------ c:\temp\pdfeditor_setup.exe
2008-10-30 17:06 . 2008-10-30 17:12 30,269,784 --a------ c:\temp\nitro_pdf_professional.exe
2008-10-08 18:49 . 2008-04-14 02:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-10-08 18:30 . 2008-10-08 18:30 <DIR> d-------- c:\windows\system32\scripting
2008-10-08 18:30 . 2008-10-08 18:30 <DIR> d-------- c:\windows\system32\en
2008-10-08 18:30 . 2008-10-08 18:30 <DIR> d-------- c:\windows\system32\bits
2008-10-08 18:30 . 2008-10-08 18:30 <DIR> d-------- c:\windows\l2schemas
2008-10-08 18:27 . 2008-10-08 18:27 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 12:37 --------- d-----w c:\documents and settings\indigo_montoya\Application Data\OpenOffice.org2
2008-11-02 02:11 --------- d-----w c:\program files\Tweak-XP Pro 4
2008-11-01 19:06 --------- d-----w c:\program files\Trend Micro
2008-10-31 20:05 --------- d-----w c:\program files\Broadcom
2008-10-30 22:02 --------- d-----w c:\program files\EMule
2008-09-02 07:34 509,208 ----a-w c:\windows\system32\ICCProfiles.dll
2004-09-28 02:00 26,240 ----a-w c:\windows\inf\RAMDSK.SYS
.
----a-w    6,367,757 2007-02-02 11:22:31  c:\program files\Tweak-XP Pro 4\Tweak-XP Pro v4.0.8 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoRecycleFiles"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 04:06 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^indigo_montoya^Start Menu^Programs^Startup^AntiVir PE Classic.lnk]
path=c:\documents and settings\indigo_montoya\Start Menu\Programs\Startup\AntiVir PE Classic.lnk
backup=c:\windows\pss\AntiVir PE Classic.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^indigo_montoya^Start Menu^Programs^Startup^HijackThis.lnk]
path=c:\documents and settings\indigo_montoya\Start Menu\Programs\Startup\HijackThis.lnk
backup=c:\windows\pss\HijackThis.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^indigo_montoya^Start Menu^Programs^Startup^Shortcut to HijackThis.lnk]
path=c:\documents and settings\indigo_montoya\Start Menu\Programs\Startup\Shortcut to HijackThis.lnk
backup=c:\windows\pss\Shortcut to HijackThis.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 08:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-11-07 01:51 266280 c:\program files\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadcomWireless]
c:\program files\Broadcom\Wireless\Utility\WlanUtil.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BsMnt]
--a------ 2007-04-05 09:38 274432 c:\windows\BisonCam\BsMnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 02:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-03-26 12:19 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-03-26 12:19 138008 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 09:51 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
--a------ 2008-04-16 01:30 823296 c:\program files\NetLimiter\NetLimiter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
--a------ 2008-09-02 09:34 210224 c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2008-11-08 19:15 356429 c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-03-26 12:19 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2007-02-15 14:23 851968 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
--------- 2007-03-28 20:02 58416 c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPWAUDAP]
--a------ 2006-09-06 09:38 54824 c:\program files\Lenovo\HOTKEY\TpWAudAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatcherHelper]
--a------ 2006-12-16 13:47 95776 c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 02:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"tmlisten"=2 (0x2)
"ntrtscan"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"AntiVirService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"<NO NAME>"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2005-07-06 14848]
R0 Ramdisk;Ramdisk Driver;c:\windows\system32\DRIVERS\ramdsk.sys [2004-09-28 26240]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2006-02-23 32768]
R1 is-NJREKdrv;is-NJREKdrv;c:\windows\system32\DRIVERS\11338613.sys [2008-07-08 148496]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\DRIVERS\swivspnt.sys [2006-10-12 20352]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
SafeBoot-sglfb.sys
SafeBoot-tga.sys
SafeBoot-wd.sys
SafeBoot-sacsvr


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\indigo_montoya\Application Data\Mozilla\Firefox\Profiles\r58ubk87.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 19:21:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\program files\Lenovo\HOTKEY\tphklock.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\program files\NetLimiter\nl_lsp.dll
-> c:\windows\system32\nl_msgc.dll
.
Completion time: 2008-11-08 19:23:03
ComboFix-quarantined-files.txt 2008-11-08 17:23:00

Pre-Run: 26,817,466,368 bytes free
Post-Run: 26,814,066,688 bytes free

257 --- E O F --- 2008-10-08 16:34:50


Thanks galore! I have never before been in a position in which I wasn't able to fix something, and the help was the most professional!

#7 snemelk (engineer; Expert, 3,072 posts)

Posted 08 November 2008 - 03:07 PM

Hi again! :)
I'm glad we succeeded in removing the main infection... ;)

On each account I can run Hijackthis and I didn't see there anything suspicious.

You may want to know: HijackThis is almost useless nowadays... It shows so little information that you can tell almost nothing about the system and possible infections...
Nevertheless, please post a fresh HijackThis log in your next reply, after performing all the steps from this post...

Thanks galore! I have never before been in a position when I wasn't able to fix something, and the help was the most professional!

Thank you... :thumbup:
There are still, however, a few steps to perform...

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

RenV::
----a-w 6,367,757 2007-02-02 11:22:31 c:\program files\Tweak-XP Pro 4\Tweak-XP Pro v4.0.8 .exe
Driver::
srosa
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"=-
"NoRecycleFiles"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"=-
DirLook::
C:\FSU10


Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post it in your next reply.

Then,
Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands a system reboot, click the OK button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Then,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\windows\system32\drivers\11338613.sys

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Please also scan these two files:
c:\temp\setup_7.0.0.242_02.11.2008_04-00.exe
C:\blah.exe


Finally:
Download Security Check by screen317 and save it to your Desktop.
  • Unzip SecurityCheck.zip and a folder named Security Check should appear.
  • Open the Security Check folder and double-click Security Check.bat
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.

Logs to post:
- new ComboFix log after using CFScript...
- AVPTool report...
- VirusTotal's analysis of 3 files...
- checkup.txt
- a fresh HijackThis log...
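An added triage script (not part of this thread, and not a ComboFix or SWI tool) that reads a ComboFix-style log like the one posted in #6 and flags the indicators the CFScript above targets: the srosa driver/service, the dropped executables under drivers\downld, the Explorer and system policy values, the Security Center notification switches, the disabled firewall and the unnamed firewall exception. The embedded log is a constructed cut-down excerpt of the posted one (user name and benign entries removed); the section headers and value formats it parses are the ones visible in that log, while the indicator list, severity labels and message texts are this example's own and not anything ComboFix emits.

```python
import re

# Constructed excerpt of the ComboFix log posted above (user name and benign entries dropped).
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\downld
c:\windows\system32\drivers\downld\102781.exe
c:\windows\system32\drivers\downld\14686734.exe
c:\windows\system32\drivers\srosa.sys
c:\windows\system32\mdelk.exe
c:\windows\system32\wintems.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_SROSA
-------\Legacy_SROSA
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)
"NoRecycleFiles"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"=
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa]
"""

SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")   # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\key]
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*(.*)$')            # "name"= value
# Bagle file names seen in the deletions list (hldrrr.exe is the one the poster could not find).
BAGLE_FILES = {"srosa.sys", "wintems.exe", "mdelk.exe", "hldrrr.exe", "winfilse.exe"}
# Policy values that hide Explorer/system UI; a home user rarely sets these by hand.
UI_POLICIES = {"DisableStatusMessages", "NoPropertiesRecycleBin", "NoStrCmpLogical", "NoRecycleFiles"}


def split_sections(text):
    """Map each '((( Name )))' header to the non-empty lines that follow it."""
    sections, current = {}, "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip() not in ("", "."):
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def parse_registry(text):
    """Collect [key] / "name"=value pairs from anywhere in the log (bare leftover keys included)."""
    keys, current = {}, None
    for line in text.splitlines():
        km, vm = KEY_RE.match(line.strip()), VALUE_RE.match(line.strip())
        if km:
            current = keys.setdefault(km.group(1), {})
        elif vm and current is not None:
            current[vm.group(1)] = vm.group(2).strip()
    return keys


def flag_set(value):
    """True for ComboFix's non-zero renderings, '1 (0x1)' or 'dword:00000001'."""
    return value.lower().replace("dword:", "").split(" ")[0].strip("0") != ""


def triage(text):
    """Return (severity, message) findings; the severities are this script's own labels."""
    sections, findings = split_sections(text), []
    for path in sections.get("Other Deletions", []):
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\drivers\\downld\\" in path.lower():
            findings.append(("high", f"dropped executable removed: {name}"))
        elif name in BAGLE_FILES:
            findings.append(("high", f"Bagle component removed: {path}"))
    for entry in sections.get("Drivers/Services", []):
        if "_SROSA" in entry.upper():
            findings.append(("high", f"rootkit service entry removed: {entry}"))
    for key, values in parse_registry(text).items():
        k = key.lower()
        if k.endswith("\\security center"):
            findings += [("medium", f"Security Center notification disabled: {n}")
                         for n in ("AntiVirusDisableNotify", "UpdatesDisableNotify") if flag_set(values.get(n, ""))]
        elif k.endswith("\\firewallpolicy\\standardprofile") and not flag_set(values.get("EnableFirewall", "1")):
            findings.append(("medium", "Windows Firewall disabled in the standard profile"))
        elif k.endswith("\\authorizedapplications\\list") and "<NO NAME>" in values:
            findings.append(("medium", "unnamed entry in the firewall exception list"))
        elif "\\policies\\" in k:
            findings += [("low", f"UI-hiding policy set: {key}\\{n}") for n in values if n in UI_POLICIES and flag_set(values[n])]
        elif k.endswith("\\services\\srosa"):
            findings.append(("high", "srosa service key still present after cleanup"))
    return findings


if __name__ == "__main__":
    print(*(f"[{sev:6}] {msg}" for sev, msg in triage(SAMPLE_LOG)), sep="\n")
```

Run it as-is to see the findings for the embedded excerpt, or pass the text of a real ComboFix.txt to triage(). The registry parser deliberately scans the whole file rather than only the Reg Loading Points section, because the posted log shows the leftover [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa] key printed on its own after the catchme output; that residual key is what the Driver:: srosa line in the CFScript above removes.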

#8 snemelk (engineer; Expert, 3,072 posts)

Posted 25 November 2008 - 01:06 PM

Still with us, aka_Pushkin?


#9 snemelk (engineer; Expert, 3,072 posts)

Posted 11 December 2008 - 02:15 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



