Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avg "worm Luder.a" And "generic Trojan",


  • This topic is locked This topic is locked
4 replies to this topic

#1 Hasbeans

Hasbeans

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 14 November 2006 - 04:20 AM

Appreciate any guidance you may offer. We have been 12 months system free since last help.

Some how we slipped up and let something in. :thumbsup:

Symtoms are
1. icons are installing themselves on the desk top, started with 1 and now up to 25 and counting.
start with odd type of alpha names like pfukkpoa.t aaaaamvp.t etc

2. System is really starting to slow down

3. Programs are shutting themsleves down including when doing system scans. I have to restart computer and do check straight away before loosing acess or control.

4 We still have acess to internet but will only use computer now to get the thing fixed via you guys

I have run spybot, adaware, but not able to do a full AVG scan and fix.
Adaware says "Wintrojan.matris has you"
AVG has lots of entries but 2 issues identified Iworm luder.A and Trojan
is common on a lot of entries

Please be patient I am a capital L for learner / looser when it comes to using computer terms and execution within the computer . you guys did a fantastic job last time to get me through and fix things up. Hope I can follow instructions this time.

Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:47:53 PM, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\wservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cable.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O16 - DPF: St.George Internet Banking - https://ibank.stgeorge.com.au/html/bbb11s.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133655412656
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoRT.exe (file missing)
O23 - Service: eTrust Antivirus Job Server (InoTask) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:38 PM

Posted 14 November 2006 - 09:02 AM

Hello,

You are dealing with a file infector which infects every exe, scr and rar file on your system.
These files may not get deleted, but cured/disinfected instead.
Problem with this infection is, it happens a lot, when this infection is trying to infect a file, it fails in some cases > result > an uninfected file, but corrupt instead.
Also, some scanners do have problems with disinfecting some files and make it corrupt as well.
So, we can give this a try, but keep in mind that damage can still appear afterwards and a format and reinstall will still be the best - fastest and safest option.... especially in your case, because I also see you are doing online banking on this computer.

So if you decide to give it a try, perform next steps in the right order..


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then open your taskmanager (pressing CTRL-ALT-DEL together). Choose the tab processes and make sure next processes are ended/killed:

wservice.exe
adirss.exe


Also look if there's any process running, looking similar as those files present on your desktop ( pfukkpoa.t....) and end/kill them as well.

Then, * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv I need that log later.
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Since the log from DrWeb CureIt and the panda log will be huge, I want you to upload them instead of copying and pasting in this thread.
To do this, go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to the Log from DrWeb CureIt (DrWeb.csv) and upload it there.
Do the same for the log from Panda Online.

Then post a NEW Hijackthislog in your next reply. (Don't upload that one)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Hasbeans

Hasbeans
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 15 November 2006 - 01:19 AM

Really appreciate the lightening response. :thumbsup:

After I posted the previous forum entry I lost internet connection not sure if this is permanent. (currently I'm using a friends comp) I noticed the .exe corruption was happening in a lot of the program files. That worried me a lot. And what you have explained made sense of the increasing loss of control. I will try and test the internet connection tonight when I get home.

I have considered your advice .
"but keep in mind that damage can still appear afterwards and a format and reinstall will still be the best - fastest and safest option.... especially in your case, because I also see you are doing online banking on this computer."

I feel I need to action this with a long term view in mind and also my ability to be able to navigate this complex issue. The potential for residual issues is high I feel. I hope this is not a cowards way out.

Even at the loss of a valuable fun lesson in computers.

If you can provide guidance on a " format and reinstall" I will perform this. For your information We did a system save, I think is the term, when we fixed the computer up last year with bleeping computers.

Questions.
1. Will we (the family) loose pictures that are currently stored on the computer which were stored after the last system save?.
2. If we will loose them, Is there anything that I can do to try and save them before we proceed with the system format and reinstall ?
3. What other things will i need to do?
4. What is the name of this nasty piece of work?

I notice you are in Belgium I will get up early in the morning to see if you have been able to respond.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:38 PM

Posted 15 November 2006 - 03:35 AM

Hi,

The reason why you lost internet connection is most probably because of one of the related exe's for your connection got infected as well.
The longer this worm is present, the more files it infects and the more damage it causes.

For your information We did a system save, I think is the term, when we fixed the computer up last year with bleeping computers.


Yes, I looked at that log from last year, but you really can't compare it with this situation here. The log from last year was a piece of cake to deal with, since you weren't dealing with a file infector there. In this case, the malware you are dealing with damages a lot.
Look here for some more info:
http://info.drweb.com/show/2971/en
http://www.sophos.com/security/analyses/w32drefo.html

1. Will we (the family) loose pictures that are currently stored on the computer which were stored after the last system save?.
2. If we will loose them, Is there anything that I can do to try and save them before we proceed with the system format and reinstall ?
3. What other things will i need to do?
4. What is the name of this nasty piece of work?


1. Yes, you will loose them after a format and reinstall - but..

2. Yes, you can save them before you perform the format - save them on a usb or cdrom, but make sure you don't save any exe, scr, or rar file. Also make sure you don't save any file with the .t extension.
So in this case, only save the jpg, jpeg, bmp and gif extension (since they are the extensions for pictures) and please really make sure NO exe, rar, and scr files are saved! Because when they are, it will reinfect again when you replace them after the format and reinstall.

3. To format and reinstall, read the instructions here how to do this (with screenshots):
http://web.mit.edu/ist/products/winxp/adva...all-format.html
Also, from your friends computer healthy, burn an an antivirus and firewall installer on cdrom, because during the format and reinstall, you also have to unplug your internet cable.
Once Windows is installed again, place the Antivirus and firewall installer on the fresh installed windows (before plugging the internet cable back in) and install them.
Then connect with the internet and go to Windows Update and install all updates and patches. Once you've done that, you're safe again.

4. See my previous post where I gave you some links about this infection.

As already explained in those links - it sends itself further via email, so if your friends mailaddress is in your addressbook, he will receive an infected email as well with a malicious attachement. Tell him, when he receives a mail from you with an attachement, NOT to open it. Also, contact your other contacts present in your mailaddressbook and tell them not to open any mails from you with an attachement.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:38 PM

Posted 23 November 2006 - 07:28 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users