AxFreePorn Disconnects me

When you ran A-Squared earlier did you quarantine the detected items or did that fail? I’m surprised to see C:\windows\system32\rlvknlg.exe in your log.

Seconding what David said, you do need to update to Service Pack 2 and install all the patches.

Regarding Norton Antivirus, it looks like a running process rather than just remnants. You will need to choose one resident antivirus and remove the other.

And I concur with FwFrank regarding O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

I also believe C:\WINDOWS\System32\RACLE~1\regedit.exe may be a worm and C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe is PurityScan. I have some manual fixes I can suggest, but before doing so I would like you to do the following:

Upload a sample of C:\WINDOWS\System32\RACLE~1\regedit.exe to Virus Total and Jotti and post the results

Check in C:\Windows\ to see if there is a file named regedit.exe located there as well

Download, install, and run CleanUp. Edit: After reading the thread essexboy linked to below I am changing this step to download but DO NOT YET RUN CleanUp. If abc123.pid turns out to be Agent.AWF as in that thread, I do not want to risk deleting any backups it may have created.

http://www.stevengould.org/software/cleanup/download.html

Turn off System Restore and boot into safemode

As FwFrank suggested, scan with A-Squared and AVG AntiSpyware (in safemode) being sure to quarantine anything found. Post the results of these scans.

Boot back into normal mode

Rename hijackthis.exe to hijackthat.exe, generate and post a new log

Unfortunately, unless you update to SP1 you will continue to get infected, and to upgrade to SP2 you need to be malware free.

SP1 available here http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

This is becoming rather nasty now; see this thread: http://www.windowsbbs.com/showthread.php?t=63047

As essexboy says, you have landed between a rock and a sharp stone, so first try to stop the process from running with this tool (it does not cure the malware, it just stops it, remember): http://download.comodo.com/cpf/download/setups/release/CFP_Setup_English_2.4.18.184.exe
If you haven’t already done this, reconsider this as given here:
Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeeks.com/download506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click “Check for updates now”. Click “Connect” to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the “General” window, make sure the following options are selected:

  1. Automatically save log-file
  2. Automatically quarantine objects prior to removal
  3. Safe Mode (always request confirmation)

Click the “Scanning” button on the left-hand side and make sure the following options are selected:

  1. Scan within archives
  2. Scan active processes
  3. Scan registry
  4. Deep scan registry
  5. Scan my IE Favorites for banned URLs
  6. Scan my Hosts file

Please also click on “Select drives & folders to scan” and select your hard drive(s). Then click the “Advanced” button on the left-hand side and make sure all the options under “Log-file Detail Level” are selected. Next, click the “Tweak” button on the left-hand side. Click on “Scanning Engine” and make sure the following options are selected:

  1. Unload recognized processes & modules during scanning
  2. Obtain command line of scanned processes
  3. Scan registry for all users instead of current user only

Click on “Cleaning Engine” and make sure the following options are selected:

  1. Always try to unload modules before deletion
  2. During removal, unload Explorer and IE if necessary
  3. Let Windows remove files in use at next reboot
  4. Delete quarantined objects after restoring

Finally, click on “Safety Settings” and make sure the following options are selected:

  1. Automatically select problematic objects in results lists
  2. Write-protect system files after repair (Hosts file, etc)

Click on “Proceed” to save the preferences. Then please click the “Start” button on the bottom right side to begin a scan. Select “Use custom scanning options” and then click “Next”. Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click “Next” to remove the objects. Then please restart your computer.


When the scan has completed, click “Show Logfile”. Copy/paste the complete log file in a thread of your own. Do not quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the “Summary of this scan” information has been posted.


Spybot Full Scan
Next, please download Spybot-S&D from here:
http://www.majorgeeks.com/download.php?det=2471
Install Spybot-S&D and run it. Select “Search for updates” and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click “Download updates”. When all updates have downloaded, close Spybot-S&D, and then run it again. Click on “Check for problems”. When the scan has finished, select any entries listed in red and click “Fix selected problems”. Then please restart your computer again.


If you are free of the malware, upgrade to SP2…

polonus

Thanks for the link to the windowsbbs thread, essexboy. It's very informative.

Based on that thread I've amended my post above to NOT run CleanUp at this time.

Hi Natty and Mauserme,

There is more to it: Spybot S&D's protection abilities can restore this malware after it has been cleansed, so please disable Spybot S&D's protection, or it will interfere.
You can enable it again after you're clean, and the system is free from malware.
The same goes for Spyware Blaster; in these cases of infection these programs are two-sided swords, and are turned against us. Re-enable this program only after your OS is completely clean of any malware, has been given a clean bill of health, and is fully updated and patched.

Open Spybot and click on ‘Mode’ and check ‘Advanced Mode’.
Click on ‘Tools’ in bottom left hand corner.
Click on the ‘System Startup’ icon.
Uncheck ‘Teatimer’ box and/or uncheck ‘Resident’.
Click the ‘Allow Change’ box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose ‘exit Spybot-S&D Resident’.
Reboot the computer.


Download\install CleanUp from http://www.stevengould.org/downloads/cleanup/CleanUp451.exe
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.


Download ComboFix© by sUBs from:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don’t click on the window while the fix is running, because that will cause your system to hang.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

So now we wait and see the results,

polonus aka Damian

What is so specific about this new series of worms (called Downloader.Agent.awf by some AV vendors) is that it reads the infected computer's HKLM (or HKCU) \Run keys to find previously installed programs. Then the worm copies the original executable to a new location and replaces the original with a copy of the worm. When the computer executes the Run key entries it runs the worm instead, which then launches the original program. Read here:
http://weblog.infoworld.com/securityadviser/archives/2006/10/companion_worms.html

This complicates the detection and removal process, because the worm will appear as a "known and trusted", previously installed executable. While this behavior is not new, it's apparently becoming popular again. So, when looking for malicious code, you cannot simply trust file names and locations. You must verify each file's integrity hash against a known good copy.

There are many free hash programs available for Windows and Linux. The book 'PGP and GPG' turned me onto one for Windows called DigestIT 2004. I like it because it does MD5 and SHA-1 hashes and integrates into Windows as a right-click context menu. So we have to establish which one is the evil-doer used by the companion worm to get executed and re-install itself.

polonus
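To make the hash check concrete, here is an added example (not from this thread, and not DigestIT) that does the same job with Python's standard hashlib: it hashes files with MD5 and SHA-1 and compares the SHA-1 against a table of known-good values. The files, the bak folder layout and the known-good table are all constructed inside the script for demonstration; on a real machine the known-good hashes must come from a trusted copy of Windows, never from the suspect system itself.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of a file, hashing in chunks so large binaries are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_against_known_good(paths, known_good_sha1):
    """Classify each file by comparing its SHA-1 with a table keyed by file name.

    Returns {path: "ok" | "MISMATCH" | "unknown" | "missing"}. A MISMATCH on a
    file that sits at its expected location is the companion-worm signature:
    the name and path look right, only the content has changed.
    """
    verdicts = {}
    for p in map(str, paths):
        if not os.path.isfile(p):
            verdicts[p] = "missing"
            continue
        _, sha1 = file_digests(p)
        expected = known_good_sha1.get(os.path.basename(p).lower())
        if expected is None:
            verdicts[p] = "unknown"
        else:
            verdicts[p] = "ok" if expected == sha1 else "MISMATCH"
    return verdicts


def demo():
    """Constructed scenario (not a real infection): a 'notepad.exe' at its normal
    place whose bytes were swapped for a stub, with the genuine copy parked in bak."""
    root = Path(tempfile.mkdtemp()) / "System32"
    bak = root / "bak"
    bak.mkdir(parents=True)
    genuine = b"MZ-genuine-notepad-bytes (constructed sample)"
    stub = b"MZ-companion-stub-bytes (constructed sample)"
    (root / "notepad.exe").write_bytes(stub)      # what the Run key now launches
    (bak / "notepad.exe").write_bytes(genuine)    # where the worm moved the original
    (root / "calc.exe").write_bytes(b"MZ-untracked (constructed sample)")

    # Known-good table: hashes taken from a trusted copy, never from the suspect machine.
    known_good = {"notepad.exe": hashlib.sha1(genuine).hexdigest()}

    verdicts = verify_against_known_good(
        [root / "notepad.exe", bak / "notepad.exe", root / "calc.exe"], known_good)
    # Re-key by location relative to System32 so the result is readable.
    return {Path(p).relative_to(root).as_posix(): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for location, verdict in demo().items():
        print(f"{verdict:9} {location}")
```

The point of the demo is the pair of verdicts: the notepad.exe at its usual path is a MISMATCH while the copy in bak hashes as the genuine file, which is exactly the pattern the thread is hunting for. Files with no entry in the table come back as "unknown" rather than "ok", so an incomplete hash list never produces a false clean bill of health.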

Find AWF is a good tool to use, as it will identify the infected files. However, the trojan backs up the originals in a backup folder, which is good, but don't clean your backup files yet or you will lose the originals. Use this analysis programme:
http://noahdfear.geekstogo.com/FindAWF.exe
Send contents of awf.txt here, please

@ Matty

I’ve asked essexboy to continue contributing to this thread as I think his expertise will be very helpful.

Hi Matty,

I second that. As we have established it as a twinner (companion worm) thanks to mauserme (he identified the bstrd actually), we would like essexboy to have his way with it, and if you follow his instructions all's well that ends well,

polonus

Here’s the info. on Agent.awf replacing legitimate files:

http://www.spywarefix.org/blog/index.php?entryid=9

http://www.infoworld.com/article/06/10/20/43OPsecadvise_1.html

EDIT: Trojan.Zonebac also does the same thing:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=1

Here’s a thread with FindAWF.exe in use for future reference:

http://www.lavasoftsupport.com/index.php?showtopic=6128&st=0

The utility finds where the Trojan has hidden the original files so they can be restored after the ‘Cuckoo’ files have been deleted.

Here’s an alternative method from the Symantec write-up:

5. To restore the backup file

Using the following registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

find all files referenced in entries that have the folder bak in the path e.g. “1” = “%System%\bak\notepad.exe”. For these files, move/copy them up to the same level in the directory tree as the bak folder and then delete the bak folder. For instance, the file %System%\bak\notepad.exe should be moved to: %System%\notepad.exe.

Hi FF, I think a batch file would be preferable, to reduce the chance of error.

Something along the lines of

Delete

@Echo off
attrib -s -r -h "C:\Program Files\QuickTime\qttask.exe"
del /q "C:\Program Files\QuickTime\qttask.exe"

Move

@Echo off
move /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"

Then for the registry something along the lines of

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
DATA here from a comboscan log =-

Just out of curiosity, I notice a delete and move approach is usually used instead of copy and overwrite. Is there any advantage to the former over the latter?

Yes, this method is used because the trojan protects itself, which is why the first part is an attribute change (attrib -s -r -h) followed by the deletion. It makes it a bit tidier and a tad easier to write.

Well, I was thinking something like

@echo off
attrib -s -r -h "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

But I suppose with this you would then want to delete the bak files to prevent any problems with future Find AWF scans. The method you posted saves a step.

Correct, in a way I just like things nice and tidy, but the bak folders will still need to be deleted. I think the number of steps will still be the same but this way you delete the bad files in one go and then move the good ones back in one go. Personal preference really I suppose 8)
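As an added example (not something posted in this thread), here is a Python script that automates the two manual pieces discussed above: it reads a REGEDIT4 export of the HKLM and HKCU Run keys, picks out the entries whose target sits in a bak folder, works out where each file belongs (one level up, as in the Symantec write-up), and renders the attrib/del/move sequence essexboy described as batch text. It is a dry run: it generates the script but executes nothing, and it leaves the bak folders alone unless explicitly asked. The export text is constructed for the example; the value names and paths in it are made up.

```python
import ntpath
import re

# One value line of a REGEDIT4 export: "name"="data", with \" and \\ escapes inside.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def reg_unescape(text):
    """Undo REGEDIT4 escaping: a backslash followed by any character stands for that character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_values(reg_text):
    """Return (key, value_name, data) for every value under a Run key in the export."""
    key, values = None, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key and key.lower().endswith("\\run"):
            values.append((key, reg_unescape(m["name"]), reg_unescape(m["data"])))
    return values


def command_path(command):
    """Pull the executable path out of a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx >= 0 else command.split(" ")[0]


def bak_restore_target(path):
    """If the file sits directly inside a 'bak' folder, return where it belongs
    (one level up, same name); otherwise None."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def restore_plan(reg_text):
    """List every Run entry whose target lives in a bak folder, with its restore location."""
    plan = []
    for key, name, data in parse_run_values(reg_text):
        path = command_path(data)
        target = bak_restore_target(path)
        if target:
            plan.append({"key": key, "value": name, "bak_path": path, "target": target})
    return plan


def batch_commands(plan, remove_bak_folders=False):
    """Render the delete-then-move sequence from the thread as batch text (a dry run:
    nothing here touches the file system). bak folders are only removed on request,
    after FindAWF has confirmed nothing else is parked in them."""
    lines = ["@echo off"]
    for item in plan:
        target, bak_path = item["target"], item["bak_path"]
        lines.append(f'attrib -s -r -h "{target}"')  # strip the protective attributes
        lines.append(f'del /q "{target}"')  # remove the companion copy
        lines.append(f'move /y "{bak_path}" "{ntpath.dirname(target)}"')  # put the original back
    if remove_bak_folders:
        for folder in sorted({ntpath.dirname(i["bak_path"]) for i in plan}):
            lines.append(f'rd /s /q "{folder}"')
    return "\n".join(lines)


# Constructed REGEDIT4 export, not taken from any log in this thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\bak\\qttask.exe\" -atboottime"
"1"="C:\\WINDOWS\\system32\\bak\\notepad.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\bak\\exampleapp.exe"
'''

if __name__ == "__main__":
    for item in restore_plan(SAMPLE_EXPORT):
        print(f'{item["value"]!r}: {item["bak_path"]} -> {item["target"]}')
    print(batch_commands(restore_plan(SAMPLE_EXPORT)))
```

Generating the batch text from the registry export rather than typing each path by hand is the "save the chance of error" point: a mistyped path in del /q removes the wrong file. Review the generated script against the FindAWF output before running it, and only pass remove_bak_folders=True once every original has been confirmed back in place.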

I removed Norton and quarantined rlvknlg.exe in A-squared. I have Adaware SE Personal and will give the log from that. There is a regedit in Windows; I scanned the file at VirusTotal and Jotti and most said no virus found and 1 said no threat detected. I looked in Windows\System32\ for the folder RACLE~1 but I can't find it - C:\WINDOWS\System32\RACLE~1\regedit.exe. Also, can you give me steps to turn off system restore and boot in safe mode and scan with those programs? Comodo is picking up rlvknlg.exe when I'm on the computer and says it could be trojan/spyware/virus activity. The cryptographic signature of the parent application rlvknlg.exe has changed too. This case is too suspicious, it says. I denied it.

I would hold off on deleting system restore, as at the end of the day a bad restore is better than none.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

If you wish I can investigate via a comboscan log after you have done your scans

  1. Download ComboScan to your Desktop.
  2. Close all applications and windows.
  3. Double-click on comboscan.exe to run it, and follow the prompts.
  4. The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the Comboscan.txt from the Comboscan into your next reply.

EDIT I have just looked at your previous log and I see you have purity as well. So possibly the initial way to go would be to use combofix

O4 - HKCU\..\Run: [Jthl] "C:\Program Files\Common Files\??crosoft.NET\w?nlogon.exe" 99001122

The choice is yours of course as to which route to go but I would recommend combofix after the safe mode scans

  1. Download ComboFix from Here or Here to your Desktop.
  2. Double click combofix.exe and follow the prompts.
  3. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Does ComboScan do a full scan, or just one for this particular infection?

Sorry tech, I have just edited my previous post. But comboscan does a one week and 3 month check on created files, a registry dump of the start up files and locations, plus dumps of other registry areas. It has no specific target and is an analysis tool.

One for matty: if you use combofix it will remove the infected files, so you will need to replace the bak files to their correct location. So in this case maybe just the comboscan initially.