Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1 | 06-30-2008, 09:05 AM | arda21 (Registered User; OS: XP Service Pack 2)

The worst of all: hldrrr.exe - don't know what to do

It all started when I looked for a program that would act as an alarm clock to wake me up this morning. Now I have a serious virus, and my fully paid, two-year-licensed NOD32 is totally unusable.

I have a few programs like HijackThis, ComboFix and SDFix handy, but I need your help to start with the correct steps to get this out of my PC. I was able to check some of the steps, but now it's gotten very slow and I need to get into attacking position towards the virus.

It's XP Service Pack 2, and I was able to identify hldrrr.exe working in the background in the NetLimiter program before the virus also made that program unusable.

I can't get HijackThis to work on the infected computer; it says it's not a valid Win32 application (which I suppose is the work of the virus again).

What should I do, guys? I really need the information cleaned from the HD because of some documents that I need for personal reasons. I hope I can get help on this one; thanks for your time.

Post #2 | 06-30-2008, 09:37 AM | arda21

I was able to do a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32, on 2008-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\ARDAYU~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
E:\x.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.10/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.192.116.37:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{A022323F-0CCE-4901-840A-EC62FC6B389D}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{108F472E-4452-42C2-8FC3-43C3C67497C2}: NameServer = 192.168.10.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Post #3 | 06-30-2008, 10:31 AM | arda21

I used a USB flash drive to try to run ComboFix and other malware removal programs, but as soon as I connect the flash drive to the infected laptop I see the file names blink on the laptop, and any program I try to run becomes 'not a valid Win32 program'. The virus is doing something on the USB flash disk itself too (I hope I won't infect this computer by using that flash disk back and forth?).
Post #4 | 06-30-2008, 11:21 AM | arda21

The new version of HijackThis logged this just now, please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13, on 2008-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Arda Yucel\Desktop\arda21.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.10/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.192.116.37:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{A022323F-0CCE-4901-840A-EC62FC6B389D}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{108F472E-4452-42C2-8FC3-43C3C67497C2}: NameServer = 192.168.10.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7484 bytes
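What a helper scans for in a log like the two posted above, written out as a small Python triage script. This is an added example, not part of the original thread and not HijackThis code. Its sample input is a handful of lines copied from the logs above (labelled as constructed in the code); the heuristics (anything running from a Temp folder or a non-C: drive, a system proxy pointing outside the LAN, a Winlogon Notify entry with no DLL behind it, orphaned "(no file)" entries) and the severity labels are assumptions of this example, not rules from HijackThis or from the helpers on this forum.

```python
"""Triage a HijackThis (HJT) log for the indicators that matter in this thread.

Added example, not code from the forum post, from HijackThis or from any tool
named in the thread. The heuristics are assumptions modelled on what a helper
checks by eye; the severities ("high", "info") are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HJT logs posted above,
# trimmed to the ones the heuristics react to plus a few benign ones.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\ARDAYU~1\LOCALS~1\Temp\RtkBtMnt.exe
E:\x.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 193.192.116.37:3128
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# XP's own crash-dump reporter; it shows up in O4 after a crash and is benign.
BENIGN_O4 = ("[KernelFaultCheck]",)
TEMP_DIR = re.compile(r"\\(temp|recycler)\\", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    entry: str     # the log line that triggered it
    reason: str


def _path_reason(path: str) -> Optional[str]:
    """Why an executable path looks wrong, or None if it looks normal."""
    if TEMP_DIR.search(path):
        return "executable loaded from a temporary directory"
    drive = path[:2].upper()
    if re.fullmatch(r"[A-Z]:", drive) and drive != "C:":
        # Assumption: C: is the system drive, so anything else is removable
        # media (the poster's flash drive shows up as E:).
        return f"executable loaded from non-system drive {drive}"
    return None


def _is_private(host: str) -> Optional[bool]:
    """True/False for a literal IP address; None for a name we cannot judge."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return None


def _flag(findings: List[Finding], line: str, path: str) -> None:
    """Record the line as "high" when its executable path looks wrong."""
    reason = _path_reason(path)
    if reason:
        findings.append(Finding("high", line, reason))


def triage(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries a helper would look at first."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                 # one executable path per line until a blank
            if line:
                _flag(findings, line, line)
            else:
                in_processes = False
            continue
        m = re.match(r"(R\d|O\d+) - (.*)", line)
        if not m:
            continue
        kind, body = m.groups()
        if body.endswith(("(no file)", "(file missing)")):
            findings.append(Finding("info", line, "orphaned entry; the file no longer exists"))
        elif kind == "R1" and "ProxyServer = " in body:
            target = body.split("ProxyServer = ", 1)[1].strip()
            host, sep, _ = target.rpartition(":")
            if _is_private(host if sep else target) is not True:
                findings.append(Finding("high", line, "system proxy points outside the local network"))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            # Notify packages are DLLs loaded into winlogon.exe as SYSTEM; an
            # entry that names a directory instead of a DLL deserves a look.
            if not body.rsplit(" - ", 1)[-1].lower().endswith(".dll"):
                findings.append(Finding("high", line, "Winlogon Notify entry without a DLL"))
        elif kind == "O4" and not any(tag in body for tag in BENIGN_O4):
            rest = body.split("] ", 1)[-1]                # drop the [name] label
            _flag(findings, line, rest[1:].split('"', 1)[0] if rest.startswith('"') else rest)
        elif kind != "O4":
            _flag(findings, line, body.rsplit(" - ", 1)[-1])   # BHOs, toolbars, services, ...
    return findings
```

Run against the sample, it flags the two odd processes (one in the user's Temp folder, one on E:), the proxy line because 193.192.116.37 is a public address, and the O20 entry that points at C:\WINDOWS\ rather than a DLL. The KernelFaultCheck entry is deliberately whitelisted, since Windows XP adds it after a crash, and the "(file missing)" Symantec service is reported as housekeeping rather than infection.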
Post #5 | 06-30-2008, 11:32 AM | arda21

Bagle_Remover.exe
Date: 2008-06-30
Time: 13:24:57.35

---- Files/Folders Quarantined ----

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\downld\127812.exe
C:\WINDOWS\system32\drivers\downld\82890.exe
C:\WINDOWS\system32\drivers\downld\84281.exe
C:\WINDOWS\system32\drivers\downld
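The quarantine list above gives the dropper's layout on disk: plain executables sitting directly in system32\drivers, and a downld folder holding payloads with numeric names. As an added example (not the post's and not Bagle_Remover's code), the Python below turns that layout into a file-system hunt you can point at a drivers directory; the sample tree it builds in a scratch folder is constructed to mirror the quarantined paths. The checks are this example's own heuristics, and they deliberately do not try to identify srosa.sys: a .sys file in the drivers directory looks normal, and separating a rootkit driver from a legitimate one needs the service name or a signature check.

```python
r"""Hunt a drivers directory for the dropper layout Bagle_Remover quarantined above.

Added example, not code from the post or from Bagle_Remover. It encodes only what
the quarantine list shows: .exe files directly in system32\drivers (hldrrr.exe,
mdelk.exe) and a "downld" folder of executables with numeric names. It does not
attempt to judge .sys files, so srosa.sys is invisible to it by design.
"""
import re
import tempfile
from pathlib import Path
from typing import List

NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.I)


def hunt_drivers_dir(drivers_dir) -> List[str]:
    """Return root-relative paths (forward slashes) that do not belong in a drivers directory."""
    root = Path(drivers_dir)
    hits: List[str] = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name.lower() == "downld":       # a download cache under drivers
                hits.append(rel + "/")
        elif path.parent == root and path.suffix.lower() == ".exe":
            hits.append(rel)                         # drivers should hold .sys, not .exe
        elif path.parent.name.lower() == "downld" and NUMERIC_EXE.match(path.name):
            hits.append(rel)                         # numeric names: fetched payloads
    return hits


def build_sample_tree(base_dir) -> Path:
    """Constructed replica of the quarantined paths, plus two legitimate-looking .sys files."""
    root = Path(base_dir) / "drivers"
    (root / "downld").mkdir(parents=True)
    # File contents are irrelevant to the hunt; a two-byte MZ stub stands in for each binary.
    for name in ("srosa.sys", "hldrrr.exe", "mdelk.exe", "o2media.sys", "o2sd.sys"):
        (root / name).write_bytes(b"MZ")
    for name in ("127812.exe", "82890.exe", "84281.exe"):
        (root / "downld" / name).write_bytes(b"MZ")
    return root


def demo() -> List[str]:
    """Build the sample tree in a scratch directory and hunt it."""
    with tempfile.TemporaryDirectory() as scratch:
        return hunt_drivers_dir(build_sample_tree(scratch))


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
    # On a real XP machine: hunt_drivers_dir(r"C:\WINDOWS\system32\drivers")
```

On the constructed tree the hunt returns hldrrr.exe, mdelk.exe, the downld folder and its three numeric executables, and nothing for the two O2Micro drivers or for srosa.sys.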
Post #6 | 06-30-2008, 11:38 AM | arda21

I apologize if you saw this post in one of the similar forums; I just didn't know where to post first. I am just hoping to get in touch with someone with experience.
Post #7 | 06-30-2008, 12:09 PM | Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Location: Ohio; OS: WinXP and Vista)

Hello arda21 and welcome,

I understand your state of concern, but let's slow down a bit.

So as not to dilute the efforts of Helpers across the forums, before we begin, kindly inform the Spybot forum that you are being assisted at TSF.

Let me know when that has been done.

Also, please stop any additional running of tools or scans while I'm assisting you.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Post #8 | 06-30-2008, 12:25 PM | Ried

Have you requested that the other thread be closed yet?
Post #9 | 06-30-2008, 12:50 PM | arda21

Yes, I just did; I think I sent you a private message with the link.
Thanks, man, I appreciate you making the effort to tell me how it works before banning me.
Post #10 | 06-30-2008, 12:56 PM | Ried

You're welcome. : )

Let's continue...

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

We'll begin with ComboFix.exe. Please download ComboFix.exe from here and save it directly to your desktop.

Do not run it yet.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.

**Insert your flash drive now, so that it can be scanned by ComboFix as well**

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Post #11 | 06-30-2008, 01:04 PM | arda21

Ried, let me ask a first question about the procedure:
I am actually reading your posts from a computer that is already working properly and connected to the internet itself; the infected laptop, right next to me, is not connected. Should I connect it and do the procedures above directly, or can I download, for example, ComboFix to this computer, burn it to a CD-R and do the things on the other computer via disc?
Which approach should I take?
Post #12 | 06-30-2008, 01:13 PM | Ried

If the infected computer will connect with the internet, then download directly to the infected computer. The downloads won't take very long.

If you have difficulty maintaining a connection, then use the 'good' computer to burn to disc and transfer over to infected computer.

If ComboFix.exe won't run, then run Beagled.exe again, and follow immediately with the ComboFix.exe instructions.
Post #13 | 06-30-2008, 01:18 PM | arda21

OK, on it now as we speak; I have done the disc approach instead.
Post #14 | 06-30-2008, 01:31 PM | arda21

A few complications have occurred:

1. I was able to start the process after I downloaded the Windows recovery boot and dragged it onto ComboFix. However, after the reboot it locked up and the computer froze.

2. After a second reboot, I went into Add/Remove Programs and deleted anything to do with virus protection programs (although they had stopped working since the infection occurred), then rebooted.

3. Then, when I tried dragging again, this time ComboFix said "reboot recovery has already been installed in this machine, aborting process".

However, I still have no reports being produced.

So this time I just started ComboFix itself without dragging reboot recovery, and it gave me the following log:

ComboFix 08-06-30.1 - Arda Yucel 2008-06-30 15:24:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1261 [GMT -4:00]
Running from: C:\Documents and Settings\Arda Yucel\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
.
---- Previous Run -------
.
C:\WINDOWS\system32\ACER.exe
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\kmd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 12:07 . 2008-06-30 12:07 <DIR> d-------- C:\Program Files\AVG8
2008-06-30 12:07 . 2008-06-30 12:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-30 11:09 . 2008-06-30 11:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 11:07 . 2008-06-30 11:08 <DIR> d-------- C:\Combo-Fix
2008-06-30 11:02 . 2008-06-30 11:02 4,150 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-30 11:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-30 11:01 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-30 11:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-30 01:30 . 2008-06-30 01:30 507 --a------ C:\WINDOWS\system32\drivers\Shortcut to drivers.lnk
2008-06-17 15:09 . 2008-06-17 15:09 <DIR> d-------- C:\Program Files\TVAnts
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Program Files\SopCast
2008-05-09 17:48 . 2008-05-09 17:48 <DIR> d-------- C:\Documents and Settings\Arda Yucel\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:19 --------- d-----w C:\Program Files\eMule047c
2008-06-18 23:07 --------- d-----w C:\Documents and Settings\Arda Yucel\Application Data\Skype
2008-05-28 23:39 --------- d-----w C:\Program Files\Launch Manager
2008-05-19 01:27 --------- d-----w C:\Documents and Settings\Arda Yucel\Application Data\AdobeUM
2008-02-23 21:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-18 21:12 100 ----a-w C:\Documents and Settings\Arda Yucel\drvkeys.bat
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_15.19.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 19:15:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 19:21:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 19:21:40 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_974.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="C:\Windows\RUNXMLPL.exe" [2007-04-20 20:56 20480]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 02:03 704512]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 22:51 53248]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 23:00 455168]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 23:26 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 23:17 52256]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 12:25 208896]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 13:18 475136]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 23:12 579584]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-03-30 13:52 342528]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 15:07 421888]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-06-07 13:17 850704]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [2004-03-31 09:23 823296]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 19:32 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2007-04-03 13:04]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2007-04-02 19:11]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 02:00]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 15:25:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\NetLimiter\nl_lsp.dll
-> C:\WINDOWS\system32\nl_msgc.dll
.
Completion time: 2008-06-30 15:26:43
ComboFix-quarantined-files.txt 2008-06-30 19:26:28

Pre-Run: 17,666,678,784 bytes free
Post-Run: 17,644,134,400 bytes free

128 --- E O F --- 2008-06-03 12:02:59

I am kind of suspicious about this report log, since I didn't get it right after the first boot when I did the dragging action. But I still wanted to show it to you in case it could be of help for the next step, perhaps?

Thanks, I am awaiting your reply.
arda21 is offline  
Old 06-30-2008, 01:43 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: The worst of all: hldrrr.exe -don't know what to do

Hi arda,

Quote:
then when I tried dragging again, this time combofix said that "reboot recovery has already been installed in this machine, aborting process"
That's because the drag and drop is a one-time step to install the Recovery Console.


If you run into any problems carrying out any of these instructions, post here describing them, then wait for my reply. Bear in mind that we do volunteer in our spare time. As such, I am not online 24/7, so you may have to be patient and wait for a reply. When that is the case--do nothing, until you hear from me.

The ComboFix.txt you just posted tells me everything I need to know. Please relax and let me take the lead here.


It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure to set the options as follows:
  • Remove found threats is unticked,
  • Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-30-2008, 01:56 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: The worst of all: hldrrr.exe -don't know what to do

Ried, thanks. The scan from ESET Online started a while ago, but it's still running. I will write my reply right away when it produces the text document.
arda21 is offline  
Old 06-30-2008, 01:59 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: The worst of all: hldrrr.exe -don't know what to do

That scan will likely take at least an hour. I'll be going offline for the next few hours. I'll reply as soon as I am able to.
Ried is offline  
Old 06-30-2008, 02:04 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: The worst of all: hldrrr.exe -don't know what to do

Thank you. In the meantime I will just wait for your presence and will post what it comes up with after the scan. I appreciate your kind and thoughtful approach, as this might be very critical for me. Thanks again,
arda21 is offline  
Old 06-30-2008, 02:29 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: The worst of all: hldrrr.exe -don't know what to do

Dear Ried, here is the log from ESET online scanner: (found 18 threats)

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3228 (20080630)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=6c558e18a19e9348a334693816450d2b
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-30 08:21:46
# local_time=2008-06-30 04:21:46 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=205531
# found=18
# scan_time=1778
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mdelk.exe.vir Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir Win32/Bagle.PB worm 0B4E4E8A5EBA9592A21C65121F3A5603
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\downld\82890.exe.vir Win32/Bagle.OD worm 2A8BCA86B51C95A2B17D09024BE03259
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\downld\84281.exe.vir Win32/Bagle.OV worm 26DBF0320C73FC4B2FC69FD48DB39524
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP140\A0013767.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP140\A0013768.sys Win32/Bagle.PB worm 0B4E4E8A5EBA9592A21C65121F3A5603
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP140\A0013769.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0013829.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014828.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014829.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014830.sys Win32/Bagle.PB worm 0B4E4E8A5EBA9592A21C65121F3A5603
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014837.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014838.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014839.sys Win32/Bagle.PB worm 0B4E4E8A5EBA9592A21C65121F3A5603
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014841.exe Win32/Bagle.OD worm 2A8BCA86B51C95A2B17D09024BE03259
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014842.exe Win32/Bagle.OV worm 26DBF0320C73FC4B2FC69FD48DB39524
arda21 is offline  
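The ESET Online Scanner log above has a regular shape: a "# key=value" header (which echoes the options Ried asked for, remove_checked=false and unwanted_checked=true), then one line per detection giving the path, the detection name and the file's MD5. The Python script below is an added example written for this page; it is not from the thread, from ESET or from ComboFix. It parses that shape, sorts each hit into one of three buckets a removal helper treats differently (live file on the running system, copy already in ComboFix's C:\Qoobox\Quarantine, stale copy in a System Restore snapshot), and then flags live files whose MD5 already appears among the quarantined samples. Run on the excerpt embedded in it, it shows why the single live hit, C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (the "SynTPEnh" entry in the HKLM Run key of the ComboFix log), matters: it carries the same MD5 as the quarantined hldrrr.exe, so it is the worm sitting under a vendor file name, not a damaged touchpad utility. The field layout is inferred from the lines on the page rather than from an ESET format specification, and the quarantine and restore-point path prefixes used for bucketing are assumptions.

```python
"""Triage an ESET Online Scanner log (added example, not from the thread,
ESET or ComboFix).

Parses the '# key=value' header and the 'path  threat  md5' finding lines,
buckets each hit as live / quarantine / restore, and reports live files
whose MD5 matches a sample ComboFix already quarantined.
"""
import re
from collections import Counter

# Excerpt of the scanner log posted in the thread: header trimmed to a few
# keys, six of the eighteen finding lines kept.
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=205531
# found=18
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir Win32/Bagle.PB worm 0B4E4E8A5EBA9592A21C65121F3A5603
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\downld\82890.exe.vir Win32/Bagle.OD worm 2A8BCA86B51C95A2B17D09024BE03259
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP140\A0013767.exe Win32/Bagle.PB worm DCAF01461C460606BC1FA04D3CC021FD
C:\System Volume Information\_restore{AFDD5784-4FFA-413C-84B1-64EE165D77E0}\RP141\A0014842.exe Win32/Bagle.OV worm 26DBF0320C73FC4B2FC69FD48DB39524
"""

# '# key=value' header line.
HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

# Finding line: drive-letter path (may contain spaces), detection name
# (ESET names carry a 'Win32/'-style platform prefix, sometimes preceded by
# 'probably' or 'a variant of'), then a 32-hex-digit MD5.  Layout assumed
# from the lines on the page, not taken from an ESET format specification.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S.*?)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def classify(path):
    """Bucket a detected path; the two prefixes are assumptions about
    where ComboFix and System Restore keep their copies."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"      # already pulled out of the system by ComboFix
    if "\\system volume information\\_restore" in low:
        return "restore"         # stale copy in a restore point
    return "live"                # still on the running system, needs action


def parse_log(text):
    """Return (header dict, list of finding dicts); unparseable lines are skipped."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "md5": m.group("md5").upper(),
                "bucket": classify(m.group("path")),
            })
    return header, findings


def triage(findings):
    """Summarise findings the way a removal helper reads them."""
    buckets = Counter(f["bucket"] for f in findings)
    families = Counter(f["threat"] for f in findings)
    # Hashes of samples that are already neutralised (quarantine / restore).
    known_bad = {f["md5"] for f in findings if f["bucket"] != "live"}
    # A live file whose hash is already in quarantine is a copy of the worm
    # under a legitimate-looking name, not a coincidental detection.
    live_clones = sorted(
        f["path"] for f in findings
        if f["bucket"] == "live" and f["md5"] in known_bad
    )
    return {"buckets": dict(buckets), "families": dict(families),
            "live_clones": live_clones}


def triage_sample():
    """Parse and triage the embedded excerpt; returns (header, report)."""
    header, findings = parse_log(SAMPLE_LOG)
    return header, triage(findings)


if __name__ == "__main__":
    hdr, rep = triage_sample()
    print("scanner reported found=%s, parsed %d excerpt lines"
          % (hdr.get("found"), sum(rep["buckets"].values())))
    print("buckets:", rep["buckets"])
    print("families:", rep["families"])
    print("live files matching quarantined samples:", rep["live_clones"])
```

The bucketing is what makes the log actionable: the quarantine and restore-point hits are already out of the running system and go away when the quarantine folder and old restore points are cleared at the end of the cleanup, while anything in the live bucket, especially one sharing a hash with a quarantined sample, is the part that still has to be dealt with.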
Old 06-30-2008, 05:22 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 93
OS: XP Service Pack 2


Re: The worst of all: hldrrr.exe -don't know what to do

Just checking in, mate... hope you didn't forget me :))))

I didn't touch anything after I posted that report from the ESET Online Scanner.
arda21 is offline  