#1 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Backdoor help
Hi - I have a problem with a virus I can't get rid of! Have tried deleting it with BitDefender (my antiviral software) with no success.

Virus: Backdoor small OL
Path: C:\WINDOWS\Installer\SZProBase4.1.0.0.msi=](embeddedCAB)=]SZScnSvc.dll

I can't find that path at all and it seems to be impervious to deletion. Was initially ignored by Bitdefender as an archived item.

What it does: Every time I double click on My computer, Start or control panel it initiates a Windows Installer dialog box that stops all processes. Nothing appears to be installed - it's a blank window saying "Installing"..... I can cancel but it immediately pops open another. After 2 or 3 of these it closes and then I can work again.

Before I found this site I tried Killbox and SDFix in Safe mode with no success.

Help.... Please

And now I can't seem to figure out how to attach the ark and dds info ???
Last edited by Styxywyx; 04-19-2009 at 04:19 AM. Reason: spelling mistakes - fat fingers! |
|
|
|
|
#2 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Have used another computer to upload - FFox malfunctioned
Computer ssssloowwwwing.....dow... |
|
|
|
|
|
#5 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
Hi Styxywyx
Go start run and paste in the bolded line below

c:\docume~1\alluse~1.win\startm~1\programs\startup

Delete this link > adobeacrobat
Legitimate program but perhaps it is initiating the windows installer message.

Restart your pc, still seeing the windows installer message ?

C:\WINDOWS\Installer\SZProBase4.1.0.0.msi
That file doesn't exist ? Have you ever had stopzilla installed ?

antispywarebot is uninstalled ? If so go start run and paste in this line

sc delete antispywarebot

Press enter or click ok |
|
|
|
|
|
#6 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Hi Lonny, will try that.
Yes I have had stopzilla installed but uninstalled about 2 yrs ago.

The path I quoted appeared after I ran a CAD programme a mate lent me to do some design work on my home - downloaded it off CD - ran a virus scan and found it to be infected and immediately deleted it.

Had advice not to run antispybot - told they were not kosher - is this not correct?

Thanks for your help - am using a laptop as my computer is not functioning so will get back to you once I have tried the fix.

Regards
Peter
|
|
|
|
|
|
#7 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
No Luck - still getting the install screen.

My research on the net suggests this is a trojan install virus with about 3 or 4 names that modifies the computer's function... is that correct? I can't seem to find the little sucker anywhere.

Have had no problem at all after uninstalling stopzilla - only started after the CAD programme - have gone back in to the disc I borrowed and have found the szprobase file on that - chucked the disc!!!! So that seems to be the source - I probably also have the virus in my backup system as well, as a back up has occurred since this started.

PS Please excuse the time delay factor from down under! |
|
|
|
|
|
#8 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
Yes antispywarebot is a baddie, do use that sc command on it.
You were successful deleting that acrobat link at that location ? Sounds to me like BitDefender was a bit extreme and accidentally caused these problems.

Let's get another opinion with an online scan, two to choose from here

Panda ActiveScan - Free online scanner, http://www.pandasoftware.com/products/activescan.htm
Press "scan your PC now"
Allow the ActiveX to install (if prompted)
Do a full scan > Click the my computer button
After the scan click see report, then Save the report and post it back here please.
If you have problems read the FAQ http://www.pandasoftware.com/actives...q.asp?IdLang=2

http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
When finished click save as text and post that in your reply.
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component |
|
|
|
|
|
#9 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
Have run the sc spybot.
Deleted the link to adobe.
Still getting the install screen, especially when I double click on the My Computer icon - so I think still infected.
Will run the scans as requested and post - have to go to work but will run them asap and get back to
Thank you for your help!
Peter |
|
|
|
|
|
#10 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
Download the Windows Installer CleanUp Utility
Locate and run msicuu2.exe to install the Windows Installer CleanUp Utility.
Locate and launch the Windows Installer CleanUp Utility on the Start menu.
From the Windows Installer CleanUp Utility window, locate that CAD programme in the list and click the Remove button.
Once CAD programme has been removed, click the Exit button to close the utility.
You can use it on other items as long as you are positive it is no longer installed, be careful with the utility, best to uninstall it even..
Reboot your PC.
Any Windows installer messages ? |
|
|
|
|
|
#11 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
The CAD programme was never installed, which was the weird bit. I unpacked it from rar, burnt it to the disc direct then ran the virus scan and stopped there = it was never actually installed = but it was immediately after this that the computer went pear shaped.
So I can't actually uninstall the CAD.

It is running verrry slow: it takes about 15 min to open firefox, which then keeps crashing, the screen freezes for hours on end, the response to mouse clicks is delayed by about 5 min and so on. It is very hard to do anything on it.

I am in the process of running the Panda scan and will try the windows uninstaller once that is run.

Regards
Peter |
|
|
|
|
|
#12 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Hi Lonny,
Sorry this has taken so long to get to you.
Computer is almost seized up - had to do all this in safe mode! It took a full day just to get the scan done.
Log attached - not looking pretty.
Haven't tried uninstaller yet until you have had a look at this log.
Peter |
|
|
|
|
|
#13 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
I see you have killbox, use it on

C:\WINDOWS\Installer\SZProBase4.1.0.0.msi

By pasting in the whole line above, was it deleted ?
If so check again in a few hours (same method) with killbox to see if it can be deleted again ? I'm wanting to see if it came back.

C:\Documents and Settings\Peter Lane.CGYY41S\Application Data\AntiSpywareBot

Delete that folder too, either with killbox or manually.

Last edited by LonnyRJones; 05-19-2009 at 01:33 AM. |
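
An added example, not part of the original posts and not written by the forum's analysts: a read-only cmd batch file that records the state of the items named in this thread (the antispywarebot service, the SZProBase packages in the Installer folder, the All Users Startup folder) so each removal step can be compared before and after a reboot. The log file name and its location are choices made for this example.

```bat
@echo off
rem Added example (not from the thread): read-only check, deletes nothing.
setlocal

rem Assumption: log name and location are arbitrary choices for this example.
set "LOG=%TEMP%\installer-check.txt"
set "SVC=antispywarebot"
set "MSI=%SystemRoot%\Installer\SZProBase*.msi"
set "STARTUP=%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

> "%LOG%" echo Check run on %DATE% at %TIME%

rem 1. Is the service still registered? "sc qc" also prints BINARY_PATH_NAME,
rem    the file the service is configured to load.
>> "%LOG%" echo.
>> "%LOG%" echo === Service: %SVC% ===
sc query "%SVC%" >> "%LOG%" 2>&1
if errorlevel 1 (
    >> "%LOG%" echo Service not registered, or it could not be queried.
) else (
    sc qc "%SVC%" >> "%LOG%" 2>&1
)

rem 2. The Installer folder is marked hidden and system, so Explorer does not
rem    show it by default. "attrib" prints the folder's attributes and
rem    "dir /a" lists matching files whatever attributes they carry.
>> "%LOG%" echo.
>> "%LOG%" echo === Cached packages: %MSI% ===
attrib "%SystemRoot%\Installer" >> "%LOG%" 2>&1
dir /a "%MSI%" >> "%LOG%" 2>&1

rem 3. Shortcuts that start at logon for every user.
>> "%LOG%" echo.
>> "%LOG%" echo === All Users Startup ===
dir /a "%STARTUP%\*.lnk" >> "%LOG%" 2>&1

echo Results written to %LOG%
endlocal
```

Run it once before a removal step and again after the next reboot, keeping a copy of the first log. An SZProBase entry that reappears with a newer timestamp means something is still re-creating it.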
|
|
|
|
|
#14 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
I have used killbox on it before and it came back. I will try again. The computer will only run now in safe mode so I will have to do it there.

Currently am running the Kaspersky scan as the Panda scan didn't do my back up external hard drive. I should have that for you later tonight. Doing this by my laptop at the moment so can't paste.

Watching the scan is like watching paint dry!!!!
Peter |
|
|
|
|
|
#15 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
If possible zip that file up and submit it there please.
http://www.bleepingcomputer.com/submit-malware.php? Please keep the internet to a minimum while in safe mode. |
|
|
|
|
|
#16 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Have used Killbox on all 3 SZProBase - did 4.1.1.0 first
So far they haven't come back when trying a repeat Killbox, but the computer is still locking, crashing and the installer screens are still happening when not in safe mode.
I deleted the spybot folder.
The Kaspersky scan is still running |
|
|
|
|
|
#17 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
That is one of my problems - I can not find that file at all... no matter how I search the file doesn't show itself. I have turned off all hidden files, I have used the search function and even manually followed the path but can't find it. Killbox seems to be able to find it though, as it worked same as before, but eventually the little nasty pops up again.... it's got me beat!!! |
|
|
|
|
|
#18 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
Have tried to upload to bc. Not sure how it went. My computer inet connection crashed as I was trying to send.
Is there any way you can check, and I will try to send again.
I found them as Backup files in Killbox |
|
|
|
|
|
#19 (permalink) |
|
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,648
OS: xp
|
Re: Backdoor help
I'm not seeing it there yet Styxywyx, try again when possible please.
List for us each problem you have noticed even if you think they aren't related, other than the windows installer message and that SZProBase file. |
|
|
|
|
|
#20 (permalink) |
|
Registered User
Join Date: Apr 2009
Posts: 16
OS: xp sp3
|
Re: Backdoor help
Hi Lonny,
Have had 2 further attempts to send those files - internet went down both times. Also tried to send you a list of problems - didn't come through, so now working on another computer.

Problems:
long log on time
install screens - comp may freeze about 3rd or fourth of these.
if I get through that the computer works for a few minutes then gradually gets slower and slower then stops responding to mouse - either freezes or develops a permanent hour glass.
Firefox will not open, or if I can get it to open it crashes
I have had some programmes start up spontaneously without clicking

that is all I can remember at the moment |
|
|
|