
Infection by flec006.exe



#1 gewehR

Posted 18 October 2009 - 06:57 PM

Hi,
I'm new here... I got a virus when trying to install CPUcool (well, I thought it was that!) on Oct. 14th.

Win XP SP3 32 bits, Avira up-to-date, firewall...

After starting Windows I received messages about flec006.exe. My PC is very slow, the task manager shows almost 100% CPU use; I can't install HijackThis or Malwarebytes Anti-Malware, even after renaming them. Avira isn't working anymore.
I tried to run the DDS tool and it opened WordPad with a lot of symbols in it; the only legible phrase was "This program cannot be run in DOS mode". dds.scr was an AutoCAD script on my PC (I use AutoCAD), is that wrong?

Is it Bagle?

Thanks in advance,
Gustavo G.



EDIT: I managed to produce a log of RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 00:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB49C1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85B0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1082000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Arquivos de programas\Movie Maker\Shared
Status: Invisible to the Windows API!

Path: C:\WINDOWS\ime\shared
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dcomcnfg.exd
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\mdelk.exe
Status: Invisible to the Windows API!

Path: c:\windows\system32\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2031616)

Path: C:\WINDOWS\system32\wintems.exe
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB956572$\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB956841$\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\Arquivos de programas\Arquivos comuns\Corel\Shared
Status: Invisible to the Windows API!

Path: C:\Arquivos de programas\Avira\AntiVir Desktop\avarkt.dll
Status: Locked to the Windows API!

Path: C:\Arquivos de programas\Skype\Toolbars\Shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Cookies\iframe3[3].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\hidires
Status: Invisible to the Windows API!

Path: C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: c:\windows\system32\dllcache\ntkrnlpa.exe
Status: Allocation size mismatch (API: 16384, Raw: 1540096)

Path: c:\documents and settings\gustavo\configurações locais\temp\~dfe45a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\gustavo\configurações locais\temp\~dfe951.tmp
Status: Allocation size mismatch (API: 262144, Raw: 16384)

Path: c:\documents and settings\gustavo\configurações locais\temp\~df8a49.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

Path: c:\documents and settings\gustavo\configurações locais\temp\~dfee06.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\gustavo\configurações locais\temp\~dfffb8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\drivers\downld
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\drivers\wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\drivers\winupgro.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\hidires\flec003.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\m\flec006.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\m\shared
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\Arquivos de programas\Sony\Sony Picture Utility\PMBCore\DiscData\Autorun.inf
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\91b632d7eab098f85ecea8ccd1ea21eb\SP2GDR\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\91b632d7eab098f85ecea8ccd1ea21eb\SP2QFE\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\91b632d7eab098f85ecea8ccd1ea21eb\SP3GDR\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\91b632d7eab098f85ecea8ccd1ea21eb\SP3QFE\ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temp\AVSETUP_49f7a6dd\basic\avarkt.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temp\RarSFX0\basic\avarkt.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\2352XM02\I0D7HRCAETKU9OCANTEWVLCAVX51G9CAQI7PRMCAP9VOVVCA9QSSUICAX3CN6DCAM83GO8CAJRW3SLCAA2SAWCCAADXOELCAY25BI9CAQJET2LCAX1C9ESCA4BMRE1CA1YQS6LCA0H5WO3CACMI6D4.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\34WITBZJ\294ed1851879_r1[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\34WITBZJ\300x250_2[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\5TFQDWT7\st[8]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\5TFQDWT7\avarkt.dll
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\5TFQDWT7\imp[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\7GMLWSJ3\08c5cb2e316d9ff00757feb88893020d[1].gif
Status: Invisible to the Windows API!

Path: c:\documents and settings\gustavo\configurações locais\temporary internet files\content.ie5\aahb0t1o\search[2].htm
Status: Allocation size mismatch (API: 28672, Raw: 49152)

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\IYXXS9DB\896d097030000_r1[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\N5KY7FEW\imp[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\N5KY7FEW\img39970c1452602919l2[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\S3RZBQEA\R_buscape_120x600_CS3_Oridian_TESTE1[4].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\S3RZBQEA\D3PP0VCA71TUAXCAX5YFA5CAO5X9ISCAPW514JCA66JT63CAUAOEXTCAZRS0I6CA77RWG3CA8H0B1CCA7ZSI7BCAHYD30WCAOQQ960CA1MY3EQCA32WFBKCAEZQER9CAW47BXECAA9AB7YCAB2YMLO.txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Gustavo\Configurações locais\Temporary Internet Files\Content.IE5\S3RZBQEA\iframe3[5].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Arquivos de programas\Luxology\modo 401 sp2\extra\PerlModules\auto\threads\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\Macromedia\Flash Player\#SharedObjects\HLC257Q4\archiv.nova.cz\static\cz\shared
Status: Invisible to the Windows API!


Processes
-------------------
Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\m\flec006.exe
PID: 3640 Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\drivers\winupgro.exe
PID: 3796 Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Gustavo\Dados de aplicativos\hidires\flec003.exe
PID: 3844 Status: Hidden from the Windows API!

Path: C:\WINDOWS\system32\wintems.exe
PID: 5556 Status: Hidden from the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "<unknown>" at address 0x8b196818

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb87b243e

#: 050 Function Name: NtCreateSection
Status: Hooked by "<unknown>" at address 0x8aff1ee8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb87b2434

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xb87b2443

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xb87b244d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xb87b2452

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8b328ae8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\SNSMS.sys" at address 0xb82dcbde

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb87b2420

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8af8d9b8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xb87b2425

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\SNSMS.sys" at address 0xb82dcd94

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xb87b245c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xb87b2457

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xb87b2448

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb87b242f

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8b17cb28

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys

==EOF==


EDIT 2:
After running a Bagle remover, a very precious find, things started to get better (it's getting better all the time, better...).
Then I ran HijackThis and generated a file. In the end, I ran Malwarebytes with a quick scan; it removed about 370 malwares. Some of them could only be removed on restart. OK. When it restarted, Windows didn't fully open up. The green field was there, but the icons and the toolbar were missing. I can start stuff through New Task: even Winamp, which wasn't working.

Attached Files: ark.txt (20.13KB)

Edited by gewehR, 18 October 2009 - 11:44 PM.
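The RootRepeal report above is what a responder actually triages: hidden processes, SSDT hooks with their owning module, and a hidden service. As an added example (not code from the original post or from RootRepeal), this small Python parser reads that report format, counts hidden processes, lists hidden services, and clusters hooks by owner, grouping the `<unknown>` hooks by the 4 KiB page of their address so that entries which share a page, as the 0xb87b24xx hooks in the log do, show up as one cluster. The embedded sample is a constructed excerpt in the same format, not the full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report format (user name replaced with a placeholder).
SAMPLE = """Processes
-------------------
Path: C:\\Documents and Settings\\User\\Dados de aplicativos\\m\\flec006.exe
PID: 3640 Status: Hidden from the Windows API!

Path: C:\\WINDOWS\\system32\\wintems.exe
PID: 5556 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xb87b243e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\SNSMS.sys" at address 0xb82dcbde

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xb87b242f

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\\DRIVERS\\sr.sys
"""

# Only "Path:" entries followed by a PID line are process entries; file entries have "Status:" next.
PROC_RE = re.compile(r"Path: (.+)\nPID: (\d+) Status: Hidden from the Windows API!")
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-f]+)')
SVC_RE = re.compile(r"Service Name: (\S+)\nImage Path: (.+)")

def parse_report(text):
    """Return (hidden processes, SSDT hooks, hidden services) from a RootRepeal report."""
    procs = [(int(pid), path) for path, pid in PROC_RE.findall(text)]
    hooks = [(int(idx), fn, owner, int(addr, 16)) for idx, fn, owner, addr in HOOK_RE.findall(text)]
    return procs, hooks, SVC_RE.findall(text)

def group_hooks_by_owner(hooks, page_size=0x1000):
    """Cluster hooks by owning module; unattributed hooks are keyed by the page of their address."""
    groups = defaultdict(list)
    for _idx, fn, owner, addr in hooks:
        key = owner if owner != "<unknown>" else f"<unknown> page 0x{addr & ~(page_size - 1):08x}"
        groups[key].append(fn)
    return dict(groups)

def triage(text):
    """Summarise the report: hidden processes or services are reasons to treat the host as compromised."""
    procs, hooks, services = parse_report(text)
    return {"hidden_processes": len(procs), "hidden_services": [name for name, _ in services],
            "hook_clusters": group_hooks_by_owner(hooks)}
```

Run `triage(open("ark.txt").read())` against a saved report; each cluster key names either a visible driver or one page of unattributed hook code.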



#2 gewehR


Posted 22 October 2009 - 10:33 PM

I have solved this issue. It was BAGLE. :(

#3 Orange Blossom


Posted 23 October 2009 - 07:12 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(