
Help! I Have A Virus - Can't Find It, Can't Kill It...


This topic is locked
17 replies to this topic

#1 marcolaw

Posted 11 November 2006 - 10:38 AM

On Thursday my Sony Vaio got infected with Brave Sentry. I used the tool suggested on this site to remove Brave Sentry. After I did this, things got worse...

Brave Sentry appears to have gone. I have Windows Defender installed, and it doesn't see any problems with my computer, but I definitely have some.

Since getting infected, here is a list of the problems I am facing...

1. Most exe's won't run - can't load Word, Firefox, PowerPoint, etc... Always throws that MSFT Windows error immediately after trying to launch the application.
2. Computer fills up with (.t) files, mainly on desktop from what I can tell - they all end in .t extension - the desktop contains approx 300 of these .t files
3. Internet connection is like wading through thick mud - I am on 8mb DSL, it's now slower than 56k and most of the time it won't load web pages. I have another laptop going through the same router (I am typing from it now) - when the infected Sony Vaio is connected to the net, the net connection to this other laptop is also virtually non-existent. Pull the net connection from the infected Sony Vaio, and this uninfected laptop is back on high-speed broadband again.

4. Can't delete any .exe files from the infected sony vaio

So, I tried running through the preparation routine listed on this site - here are the results...

1. Using cleanmgr, I did manage to clear out temp files etc...

2. Scan using Ad Aware doesn't work - Ad Aware freezes whenever it gets to the IE folder

3. Spybot - whenever I run this program, I get booted out immediately, 9 times out of 10. The one time I managed to run it successfully, it said there was a problem with DSO Exploit - I removed it - it comes back every time.

4. No browser (IE, FFox, or Opera) will let me run either Housecall, Panda, or Bit Defender.

5. McAfee Stinger - had to download it from another pc - my pc net connection keeps freezing - when I ran Stinger on the infected Sony Vaio, it came back with no problems.

6. Firewall - I have Windows Firewall installed - can't install any others.

7. Windows Update - internet connection not stable enough to complete this process

8. HijackThis - the first 5 attempts to load HijackThis, it immediately closed the app - restarted my machine and managed to get it running. Here is the log from the infected laptop:

Logfile of HijackThis v1.99.1
Scan saved at 3:14:43 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\BT Common Client\btomosrv.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\vrstepyw.t
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia D211\D211STRT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plone 2\Python\PythonService.exe
C:\Program Files\Plone 2\Python\python.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D211STRT.EXE] "C:\Program Files\Nokia\Nokia D211\D211STRT.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163081174419
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BT Common Client - British Telecommunications Plc. - C:\BT Common Client\btomosrv.exe
O23 - Service: Nokia D211 (D211CTL) - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Zope instance at C:\Program Files\Plone 2\Data (Zope_565048793) - Unknown owner - C:\Program Files\Plone 2\Python\PythonService.exe


I have no clue what to do now - I can't even find out what malware or whatever I have on my laptop that is making it behave like this.

Any advice will be most appreciated.

Many thanks - Sorry for the poor spelling -

Marc
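Reading a HijackThis log by eye is what the helpers in this thread do. The following is an added example, not code from the thread or from HijackThis, that does the same first-pass triage mechanically over a subset of the lines from the log above. It flags the four things that stand out in this log: a running process whose image does not have an executable extension (vrstepyw.t), autostart paths containing characters that never occur in ordinary program paths (the `[`, `]` and `^` in the _zsk_zlu_zlope entries), entries under the RunServices key, which only Windows 9x/Me processes and which legitimate XP software has no reason to write, and a Winlogon Notify DLL loaded from outside system32. The list of default XP Notify packages is an assumption of this example; a package not on it is only marked for review, not declared malicious.

```python
import re
from typing import List, Optional, Tuple

# A subset of the HijackThis log posted above, embedded so the triage runs
# offline. Lines are copied verbatim from the post.
HJT_SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\vrstepyw.t
C:\WINDOWS\system32\ICO.EXE
C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: BT Common Client - British Telecommunications Plc. - C:\BT Common Client\btomosrv.exe
"""

# Characters found in ordinary Windows program paths. Brackets and carets are
# not among them; the _zsk_zlu_zlope file names above rely on exactly those.
PATH_CHARS = re.compile(r"^[A-Za-z0-9 _.\-~:\\()&']+$")

# Extensions Windows loads as a process image or in-process module.
EXEC_EXT = {".exe", ".com", ".scr", ".dll", ".cpl", ".ocx"}

# Winlogon notification packages present on a default Windows XP SP2 install.
# Assumption of this example: anything else is "review", not "malicious".
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def extract_path(line: str) -> Optional[str]:
    """Pull the first drive-letter path out of an HJT line, minus quotes and arguments."""
    m = re.search(r'[A-Za-z]:\\[^"]*', line)
    if not m:
        return None  # bare names such as "ICO.EXE" in a Run key carry no path to judge
    # An unquoted command line may carry switches: cut at " -" or " /".
    return re.split(r" [-/]", m.group(0), maxsplit=1)[0].strip()


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for the entries a reviewer should look at first."""
    findings: List[Tuple[str, str]] = []
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if re.match(r"O\d+ - ", line):
            section = "items"
        path = extract_path(line)
        if path is None:
            continue
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""

        if section == "procs" and ext not in EXEC_EXT:
            findings.append((line, f"process image with non-executable extension {ext!r}"))
        if not PATH_CHARS.match(path):
            findings.append((line, "unusual characters in path (brackets/caret)"))
        if "\\runservices:" in line.lower():
            findings.append((line, "RunServices key is processed only by Windows 9x/Me; "
                                   "legitimate XP software has no use for it"))
        if line.startswith("O20 - Winlogon Notify:"):
            pkg = line.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if not low.startswith("c:\\windows\\system32\\"):
                findings.append((line, "Winlogon Notify DLL loaded from outside system32"))
            elif pkg not in XP_DEFAULT_NOTIFY:
                findings.append((line, f"Winlogon Notify package {pkg!r} is not an XP default; review"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(HJT_SAMPLE):
        print(f"{reason}\n    {entry}")
```

Run as-is it prints seven findings. Note what it does not catch: wservice.exe, registered under both the HKLM and HKCU Run keys with a generic name, trips none of these rules. Heuristics like these shorten the list a human has to read; they do not replace the reading.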


#2 jamielaw

Posted 11 November 2006 - 01:39 PM

Hey marcolaw

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

VirusTotal:

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting it in to the file box: C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
3. Submit the file and copy/paste the results back into this thread.
4. Repeat the process for this file as well:

C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe

Make sure to include both lots of results in your next reply.

Submit Files:

You have a file/s of interest to us. It would help the detection rates of the tools we use by getting hold of samples of these infections.

1. Go to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/71523/help-i-have-a-virus-cant-find-it-cant-kill-it/
3. Copy/paste this into the 'Browser for File' box: C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
4. Repeat this process for this file as well:

C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe

5. Let me know if it was successful or not.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download Clean.bat to your desktop: This file is used to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat Save it on your desktop for later use

Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.
Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

Both results from www.virustotal.com
Kaspersky Log
A new Hijackthis log

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#3 marcolaw

Posted 12 November 2006 - 03:55 AM

Hi - thank you for offering to help. It is very appreciated.

Okay - so I followed your instructions and uploaded the files to bleepingcomputer.com - below are the logs from Virustotal...

VirusTotal:

File: C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe...

Antivirus Version Update Result
AntiVir 7.2.0.39 11.10.2006 HEUR/Malware
Authentium 4.93.8 11.10.2006 no virus found
Avast 4.7.892.0 11.09.2006 no virus found
AVG 386 11.11.2006 no virus found
BitDefender 7.2 11.11.2006 Trojan.Proxy.Small.R
CAT-QuickHeal 8.00 11.11.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 11.11.2006 no virus found
DrWeb 4.33 11.11.2006 DLOADER.Trojan
eTrust-InoculateIT 23.73.52 11.11.2006 Win32/SillyDL.7hs!Trojan
eTrust-Vet 30.3.3186 11.10.2006 Win32/Cosiam.S
Ewido 4.0 11.11.2006 no virus found
Fortinet 2.82.0.0 11.11.2006 Raser!tr
F-Prot 3.16f 11.10.2006 no virus found
F-Prot4 4.2.1.29 11.10.2006 no virus found
Ikarus 0.2.65.0 11.10.2006 Trojan-Proxy.Win32.Small.BO
Kaspersky 4.0.2.24 11.11.2006 no virus found
McAfee 4893 11.10.2006 Proxy-Raser
Microsoft 1.1609 11.11.2006 Backdoor:Win32/Cosiam.gen
NOD32v2 1862 11.10.2006 a variant of Win32/TrojanProxy.Daemonize
Norman 5.80.02 11.10.2006 W32/DLoader.BEHI
Panda 9.0.0.4 11.11.2006 Trj/Jupillites.G
Sophos 4.11.0 11.07.2006 Mal/Behav-007
TheHacker 6.0.1.116 11.09.2006 no virus found
UNA 1.83 11.10.2006 no virus found
VBA32 3.11.1 11.10.2006 suspected of Embedded.Trojan-Proxy.Win32.Small.bo
VirusBuster 4.3.15:9 11.11.2006 no virus found

Additional Information:

MD5: 109d4f0bdfa1cd0c245ba7e409b990bd
SHA1: 26568ea5672618161b7067b17f072834d4989f86
packers: FSG, FSG
packers: FSG


File: C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe...

Antivirus Version Update Result
AntiVir 7.2.0.39 11.10.2006 no virus found
Authentium 4.93.8 11.10.2006 no virus found
Avast 4.7.892.0 11.09.2006 no virus found
AVG 386 11.11.2006 no virus found
BitDefender 7.2 11.11.2006 no virus found
CAT-QuickHeal 8.00 11.11.2006 no virus found
ClamAV devel-20060426 11.11.2006 no virus found
DrWeb 4.33 11.11.2006 no virus found
eTrust-InoculateIT 23.73.52 11.11.2006 no virus found
eTrust-Vet 30.3.3186 11.10.2006 no virus found
Ewido 4.0 11.11.2006 no virus found
Fortinet 2.82.0.0 11.11.2006 no virus found
F-Prot 3.16f 11.10.2006 no virus found
F-Prot4 4.2.1.29 11.10.2006 no virus found
Ikarus 0.2.65.0 11.10.2006 no virus found
Kaspersky 4.0.2.24 11.11.2006 no virus found
McAfee 4893 11.10.2006 no virus found
Microsoft 1.1609 11.11.2006 no virus found
NOD32v2 1862 11.10.2006 no virus found
Norman 5.80.02 11.10.2006 no virus found
Panda 9.0.0.4 11.11.2006 no virus found
Sophos 4.11.0 11.07.2006 no virus found
TheHacker 6.0.1.116 11.09.2006 no virus found
UNA 1.83 11.10.2006 no virus found
VBA32 3.11.1 11.10.2006 no virus found
VirusBuster 4.3.15:9 11.11.2006 no virus found

Additional Information:
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709



Kaspersky Log will be on my next post...

Marc W
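Two checks worth applying to the VirusTotal output above, written here as an added example (not code from the thread or from VirusTotal): tally the detections and the family names the engines agree on, and compare the reported hashes against the digests of empty input. The MD5 d41d8cd98f00b204e9800998ecf8427e and SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 reported for the second file are exactly those digests, so what reached VirusTotal was a zero-byte file, and the 26 "no virus found" lines say nothing about _zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe as it sits on disk; copying the file into a zip and resubmitting is the usual remedy. For the first file, the engines that do detect it mostly name a proxy trojan or backdoor, which fits the saturated network connection described in the first post. The family keyword list is an assumption of this example, and the pasted tables are trimmed to a few engines per file.

```python
import hashlib
import re
from typing import Dict, List

# Digests of zero-byte input. VirusTotal reported exactly these for the
# second upload above, which means the file it scanned was empty.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# The two result tables from the post above, trimmed to a few engines each;
# hashes and result strings are as posted.
VT_PASTE = r"""
File: C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe...
Antivirus Version Update Result
AntiVir 7.2.0.39 11.10.2006 HEUR/Malware
Avast 4.7.892.0 11.09.2006 no virus found
BitDefender 7.2 11.11.2006 Trojan.Proxy.Small.R
DrWeb 4.33 11.11.2006 DLOADER.Trojan
Kaspersky 4.0.2.24 11.11.2006 no virus found
McAfee 4893 11.10.2006 Proxy-Raser
Microsoft 1.1609 11.11.2006 Backdoor:Win32/Cosiam.gen
NOD32v2 1862 11.10.2006 a variant of Win32/TrojanProxy.Daemonize
MD5: 109d4f0bdfa1cd0c245ba7e409b990bd
SHA1: 26568ea5672618161b7067b17f072834d4989f86

File: C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe...
Antivirus Version Update Result
AntiVir 7.2.0.39 11.10.2006 no virus found
Avast 4.7.892.0 11.09.2006 no virus found
Kaspersky 4.0.2.24 11.11.2006 no virus found
Microsoft 1.1609 11.11.2006 no virus found
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

CLEAN = "no virus found"
# engine, version, dd.mm.yyyy update date, free-text result
ENGINE_LINE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
# Family keywords looked for in detection names (an assumption of this example).
FAMILY_KEYWORDS = ("proxy", "backdoor", "dloader")


def parse_vt_paste(text: str) -> List[Dict]:
    """Split a pasted VirusTotal page into one record per 'File:' block."""
    reports: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File: "):
            cur = {"file": line[6:].rstrip("."), "results": {}, "md5": None, "sha1": None}
            reports.append(cur)
        elif cur is None or not line or line.startswith("Antivirus "):
            continue
        elif line.startswith("MD5: "):
            cur["md5"] = line[5:].lower()
        elif line.startswith("SHA1: "):
            cur["sha1"] = line[6:].lower()
        else:
            m = ENGINE_LINE.match(line)
            if m:
                cur["results"][m.group(1)] = m.group(4)  # engine -> result string
    return reports


def summarize(report: Dict) -> Dict:
    """Detection count, family consensus and the empty-upload check for one record."""
    results = report["results"]
    hits = {e: r for e, r in results.items() if r != CLEAN}
    families = sorted({kw for r in hits.values() for kw in FAMILY_KEYWORDS if kw in r.lower()})
    empty = report["md5"] == EMPTY_MD5 or report["sha1"] == EMPTY_SHA1
    if empty:
        verdict = ("uploaded sample is 0 bytes (digests of empty input): the results say "
                   "nothing about the file on disk; copy it again, or zip it, and resubmit")
    elif not hits:
        verdict = "no engine flags it; that is not proof it is clean, keep it for analysis"
    else:
        verdict = f"{len(hits)}/{len(results)} engines flag it; treat as malicious"
    return {"file": report["file"], "engines": len(results), "detections": len(hits),
            "families": families, "empty_upload": empty, "verdict": verdict}


if __name__ == "__main__":
    for rec in parse_vt_paste(VT_PASTE):
        s = summarize(rec)
        print(f"{s['file']}\n  {s['detections']}/{s['engines']} detections, "
              f"families={s['families']}\n  {s['verdict']}")
```

The empty-hash comparison costs one line and would have saved a round trip here: an all-clean table for a sample the same dropper chain installed should be met with "what exactly did I upload?" before "so it must be clean".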

#4 marcolaw

Posted 12 November 2006 - 04:06 AM

Here's the Kaspersky log...

You will notice a large volume of those .t files that I originally mentioned - this makes the Kaspersky log 6mb, and very long - the .t files are in nearly every dir on my pc - total scan time was +5hrs - Due to the length of the Kaspersky log, If I broke it down, it would take approx 50 posts to this board to post the entire log. Should I upload it to bleepingcomputer in the same way as with the files you requested?

Here's the Kaspersky log summary...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 12, 2006 8:06:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/11/2006
Kaspersky Anti-Virus database records: 240751
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
X:\

Scan Statistics:
Total number of scanned objects: 164626
Number of viruses found: 11
Number of infected objects: 32268 / 0
Number of suspicious objects: 0
Duration of the scan process: 05:04:06

And here's a sample:

Infected Object Name / Virus Name / Last Action
C:\aaaaaaye.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\aaaaaaix.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\aaaaaaqs.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\aaaaaqlk.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\aaaaewsx.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\bcioywim.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\dgyrweaw.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\aaaaaqlk.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\bcioybmx.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\bcioyscl.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\ceqdxchk.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\ceqdxpof.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Agility Evaluation\Agility Evaluation\extras\QT Installer\eihgvwux.t Infected: Email-Worm.Win32.Glowa.g skipped

Next post is the new HijackThis log...

#5 marcolaw

Posted 12 November 2006 - 04:08 AM

Finally, here is the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 8:35:24 AM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\BT Common Client\btomosrv.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\vrstepyw.t
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia D211\D211STRT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plone 2\Python\PythonService.exe
C:\Program Files\Plone 2\Python\python.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D211STRT.EXE] "C:\Program Files\Nokia\Nokia D211\D211STRT.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\RunServices: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [_zlu_zlope04] c:\windows\system32\_zsk_zlu_zlope04oyrlyrt]uqtzrvmi.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163081174419
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BT Common Client - British Telecommunications Plc. - C:\BT Common Client\btomosrv.exe
O23 - Service: Nokia D211 (D211CTL) - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Zope instance at C:\Program Files\Plone 2\Data (Zope_565048793) - Unknown owner - C:\Program Files\Plone 2\Python\PythonService.exe


I look forward to hearing from you -

Many thanks -
Marc

#6 jamielaw

Posted 12 November 2006 - 11:12 AM

Yes I do need the Kaspersky report. When you post a reply you should notice an option to attach files. Please could you upload the Kaspersky report like that.

Thanks for submitting the files as well.

#7 marcolaw

Posted 12 November 2006 - 11:26 AM

Couldn't find the option to attach a file to this reply - so I'm sending the Kaspersky report through in the same way as I sent the previous files.

Hope this works - alternatively, I can upload the report to a webserver for download.

Cheers!
Marc W

#8 marcolaw

Posted 12 November 2006 - 11:59 AM

Couldn't upload to bleepingcomputer.com - exceeds max filesize allowed.

I am also having difficulty FTP'ing the file to a webserver.

Any suggestions?

#9 jamielaw

Posted 12 November 2006 - 05:22 PM

For anybody following the thread:

Sent a PM to marcolaw asking them to e-mail me the log. I will then try and upload it.

#10 jamielaw

Posted 14 November 2006 - 05:18 PM

Hey marcolaw

*File cannot be uploaded its over 6Mb...filled with a load of the .t files*

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

End Bad Processes:

1. Click Ctrl + Alt + Del and select the Processes tab.
2. Click on these processes and click End Process for each:

vrstepyw.t

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download Clean.bat to your desktop: This file is used to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat Save it on your desktop for later use

Panda Online Scan:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected then clean it.
Dr.Web CureIt

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Reboot your computer in safe mode by pressing F8 continually whilst your computer starts up.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the quarantine folder under %userprofile%\DoctorWeb if it can't be cured (in case we need samples).
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Make sure to run both scans it is important in killing this infection. Please can you now post a new Hijackthis log after these scans.

#11 marcolaw

Posted 15 November 2006 - 02:39 PM

Hi, Jamielaw - thanks for your recent post. I went through the instructions, and here's the results...

1. End bad processes - no processes such as vrstepw.t were running - so none to end.

2. Ran ATF cleaner - all went smoothly there

3. Panda Online Scan - took about 3 hours to complete, and it deleted approx 40,000 infected files - some files it couldn't remove.

4. Dr. Web Cureit - also took about 3 hours to complete the in-depth scan - it identified about 8 infected objects - some it cured, some remained incurable - moved the incurable files - they are saved on my laptop

5. Here is the latest Hijackthis Log...

Logfile of HijackThis v1.99.1
Scan saved at 4:32:56 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\BT Common Client\btomosrv.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plone 2\Python\PythonService.exe
C:\Program Files\Plone 2\Python\python.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia D211\D211STRT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D211STRT.EXE] "C:\Program Files\Nokia\Nokia D211\D211STRT.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163081174419
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BT Common Client - British Telecommunications Plc. - C:\BT Common Client\btomosrv.exe
O23 - Service: Nokia D211 (D211CTL) - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Zope instance at C:\Program Files\Plone 2\Data (Zope_565048793) - Unknown owner - C:\Program Files\Plone 2\Python\PythonService.exe

Many thanks -

Marcola
- -

#12 jamielaw

Posted 15 November 2006 - 04:53 PM

Hey marcolaw

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

Fix the HJT entries:
  • Open HijackThis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
    O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
  • Close all open browsers and windows, except HijackThis. Then select Fix checked. Now close HJT.
To enable the Show Hidden Folders option:
  • From your Desktop, right-click: My Computer. Left-click: Explore.
  • Select from the Tools menu: Folder Options.
  • Select the View Tab.
  • Under the Advanced Settings>Hidden files and folders, select: Show hidden files and folders.
  • Uncheck: Hide extensions for known file types
  • Also, uncheck the Hide protected operating system files (recommended) option.
  • Click: Yes to confirm warning[s].
  • Click: OK.
Please could you reboot into Safe Mode: restart your computer and continually tap the F8 key. Then delete these:

C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM
C:\WINDOWS\system32\rpcc.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download Clean.bat to your desktop: This file is used to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat Save it on your desktop for later use

AVG Anti-Spyware:

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
5. If you have any infections you will be prompted, then select "Apply all actions"
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

How is your computer running now? Please post a HijackThis log as well.

#13 marcolaw

Posted 16 November 2006 - 10:02 AM

Thanks for the latest set of instructions - I went through, and here are the results...

1. Fix the HJT entries:

O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
Successful

O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
Successful

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
Couldn't fix

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Couldn't fix

2. Show hidden files - restarted in safe-mode

3. Tried to delete the files you mentioned - here's what happened...

C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM - This file wasn't there

C:\WINDOWS\system32\rpcc.dll Can't delete - file in use

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll Can't delete - file in use

4. ATF Cleaner - this runs smoothly, with no errors

5. AVG Anti-Spyware - Install went fine - Update went fine - Scanned, and took a couple of hours - found one file, a Trojan, and then threw an error when trying to remove it / fix it - as you will see in the AVG report below...

Here's the AVG report...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:51:06 PM 11/16/2006

+ Scan result:



[248] C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll -> Trojan.Agent.oh : Error during cleaning.


::Report end

And here is the latest Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 1:04:27 PM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\BT Common Client\btomosrv.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia D211\D211STRT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plone 2\Python\PythonService.exe
C:\Program Files\Plone 2\Python\python.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [D211STRT.EXE] "C:\Program Files\Nokia\Nokia D211\D211STRT.EXE"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163081174419
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BT Common Client - British Telecommunications Plc. - C:\BT Common Client\btomosrv.exe
O23 - Service: Nokia D211 (D211CTL) - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Zope instance at C:\Program Files\Plone 2\Data (Zope_565048793) - Unknown owner - C:\Program Files\Plone 2\Python\PythonService.exe



Many thanks -
Marcola
- -
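As an added example (not from this thread, HijackThis or any tool used in it), a small Python triage script that applies to the log lines above the two judgements jamielaw's fixes rest on: Winlogon Notify DLLs loaded from outside system32 or under package names Windows XP does not ship, and Run/RunServices entries whose launch paths no installer would write. The sample log is constructed from entries in the posted logs, and the allow-list of XP notify packages is a partial assumption of this example.

```python
import re
from dataclasses import dataclass

# Winlogon Notify packages that ship with Windows XP. Partial allow-list and an
# assumption of this example; extend it for the build you are looking at.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
SYSTEM32 = "c:\\windows\\system32\\"

# O4 - HKLM\..\Run: [name] command      and      O20 - Winlogon Notify: name - path
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Characters that legitimate installers do not put in a launch path.
ODD_CHARS = re.compile(r"[\[\]^`{}|<>]")

# Constructed sample built from the entries discussed in this thread.
SAMPLE_LOG = r"""
Platform: Windows XP SP2 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKLM\..\RunServices: [_zlu_zlope03] C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM\E^QUWBVEA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the O4/O20 entries of a HijackThis-style log that deserve a look."""
    findings: list[Finding] = []
    nt_platform = "WinNT" in log_text  # the Platform line names the kernel family
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if m["key"].lower() == "runservices" and nt_platform:
                # RunServices is only processed by Windows 9x/ME; on an NT-based
                # system nothing legitimate writes it, but malware installers do.
                findings.append(Finding(line, "RunServices key on NT-based Windows"))
            if ODD_CHARS.search(m["cmd"]):
                findings.append(Finding(line, "launch path contains characters installers never use"))
            continue
        m = O20_RE.match(line)
        if m:
            if not m["path"].lower().startswith(SYSTEM32):
                findings.append(Finding(line, "Winlogon Notify DLL loaded from outside system32"))
            elif m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding(line, "Winlogon Notify package not shipped with Windows XP"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}:\n    {f.entry}")
```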

#14 jamielaw

Posted 16 November 2006 - 04:38 PM

Hey marcolaw

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Whilst completing the fix please use the Internet as little as possible. Do not install any programs whilst we fix your computer - even the smallest of programs can wreak havoc.

Submit Files:

You have a file/s of interest to us. It would help the detection rates of the tools we use by getting hold of samples of these infections.

1. Go to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/71523/help-i-have-a-virus-cant-find-it-cant-kill-it/
3. Copy/paste this into the 'Browser for File' box: C:\WINDOWS\system32\rpcc.dll
4. Repeat this process for this file/s as well:

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

5. Let me know if it was successful or not.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\_zsk_zlu_zlope03HXV[BM
    C:\WINDOWS\system32\rpcc.dll
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Fix the HJT entries:
  • Open HijackThis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

  • Close all open browsers and windows, except HijackThis. Then select Fix checked. Now close HJT.

Was it successful this time? How is your computer running?


#15 marcolaw

Posted 16 November 2006 - 05:35 PM

Hi, Jamielaw...

Thanks for the info - Outcome is...

1. Uploaded sample files to bleepingcomputer.com - successful

2. Downloaded and ran Killbox - it didn't present the message PendingFileRenameOperations - restarted automatically

3. Ran HJT, and fixed the files - this time it worked.

As for how my computer is running: The net connection seems to be a lot better now - this infected machine is no longer killing the net connection for my other laptop. However, my apps still don't work - as soon as I load Word, Firefox (I'm having to use IE for this), PowerPoint, etc... they always throw the 'Whatever program has encountered a problem' error, and won't load. This has happened ever since my laptop got infected - all MSFT Office apps apart from Excel do not load.

Marcola
- -



