Help needed - disappearing avast, spybot etc.

I have some kind of virus which removes Avast, Spybot and Zone-alarm from my computer. Every time I try to re-install Avast or Spybot the exe immediately disappears.
I’m also unable to start in safe mode.
The computer also randomly shuts down every now and again.
Nothing is picked up by Ad-aware, Stinger, AVG, Superantivirus etc, other than the odd tracking cookie. I’d really appreciate any suggestions! I’m getting pretty close to reformatting…

I can post the hjt log here if that’s useful.

Thank you.

By all means post a log, at least it gives us somewhere to start.

Any logs of events from Avast! or system to post as well?

Ok, so here’s the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:45 PM, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\STDSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iriver\iriver plus 2\iAgent2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: 2nd &Speech Center - {CFE40ED8-564E-4693-A9D9-80DB70C8E460} - C:\PROGRA~1\2NDSPE~1\tts4ie.dll
O4 - HKLM..\Run: [STDSB] C:\WINDOWS\system32\STDSB.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [TWCU] “C:\Program Files\TP-LINK\TWCU\TWCU.exe” -nogui
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [DVD43] “C:\Program Files\DVDIdle Pro\DVDIdlePro.exe” /hidden
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [iPlusAgent2] “C:\Program Files\iriver\iriver plus 2\iAgent2.exe”
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{84CF98E0-92BD-458B-BD14-210D7D23F810}: NameServer = 203.2.75.132,198.142.0.51
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

I don’t have a log for Avast - the exe gets deleted before I have a chance to run a scan.

I am also unable to install AVG anti-virus (the AVG I was referring to above is the anti-spyware, sorry, got confused).

Here’s the log for SmitFraudFix, just in case it’s useful (means nothing to me):

SmitFraudFix v2.132

Scan done at 10:44:57.17, Thu 11/01/2007
Run from C:\Documents and Settings\cam.CAMPUTER\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cam.CAMPUTER

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\cam.CAMPUTER\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CAM~1.CAM\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“My Current Home Page”

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=“”

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

What you have is a baddie. Read this thread:
http://forum.avast.com/index.php?topic=25534.msg211424#msg211424

in the second or third post there are removal instructions

post back if you need any help

good luck

Thanks for your quick replies.

I downloaded Spyware doctor as per Polonus’ post in the thread you link to above.

But same problem - when I tried to install it, all the exe files got deleted.

In the meantime, a friend has run avg on my HD from his computer:

@HL_UpdateOK iavi:632-623; @HL_TestStarted @TestName_13 @HL_ReportFind F:\WINDOWS\system32\hldrrr.exe @EID_Id_vir I-Worm/Bagle @HL_TestEnded @TestName_13 1 @HL_ActionTaken F:\WINDOWS\system32\hldrrr.exe @HL_ActCleaned

I think I found (and deleted) a ‘bagle’ worm (perhaps with adaware) yesterday, with no change to the computer’s behaviour.

My friend also ran Avast, which didn’t turn up anything.

Can I suggest, if you have tried those methods from the other thread and have still had no luck, that you try with Windows Explorer to work through the C drive into the Windows folder, then find system32 and within that folder find the lzx32 file. This is the driver for the rootkit as explained in the other thread. If you can delete this you are half way there.

The program recommended in the other post was what I understood to be Spysweeper rather than Spyware Doctor.

Only antirootkit tools will take care of this…
Anti-Rootkit Software - Detection, Removal & Protection: http://www.antirootkit.com/software/index.htm

Can I suggest, if you have tried those methods from the other thread and have still had no luck, that you try with Windows Explorer to work through the C drive into the Windows folder, then find system32 and within that folder find the lzx32 file.

Do you mean lz32.dll?

Yes, I believe that’s what Cloussau meant.

But are you getting adware popups with this infection?

Try scanning with AVG Anti-RootKit Beta

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml

Click the “Perform in-depth search” button and, if anything is found, save the log and post it before removing anything.

The program recommended in the other post was what I understood to be spysweeper rather than spyware doctor

I ran spysweeper, it came up with ‘bagle-b’ and ‘backdoor-goyftp’ trojans.

F-secure blacklight came up with hidr.exe and m_hook.sys. Is it safe to use the rename function on them?

I ran GMER, but when I tried to delete …\hidires\m_hook.sys, it returned the message “…\m_hook.sys couldn’t be deleted. Error 00XC000003A.”

I think the Smitfraudfix scan result shows that lzx32 was scanned for, not detected.

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

I agree.

I need to research a little before I can answer this. Or maybe someone else knows.

I ran the AVG Anti-RootKit Beta - it didn’t find anything.

Also, now when I run F-Secure Blacklight the files mentioned above don’t appear. Nor do they come up in GMER (I’ll post the log if needed, but it’s big).

Spysweeper still finds 'trojan-backdoor-goyftp'.
Actually, the hidr file is still coming up in msconfig. I have 'fixed' it in HJT (but I can't find the file in Explorer).

But I still can’t open in safe mode… not sure what’s going on.

What's needed here is a deeper look into your system. There are two ways of doing this: you can use either ComboFix or WinPFind. These will enable us to look at your recently created files that may be hiding from HJT or hooked into one of your dll/exe files.

Combo fix

1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Winpfind

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Thanks essexboy. I’m at work and haven’t had much chance to look at this. I would have deferred to your greater experience anyway.

For what it's worth I think it's bagle.ge and mitglieder.q (with bagle.kf already being cleaned). I'll be interested to see where this leads.

Apologies for this wild goose chase, I'm not accustomed to the SmitFraudFix log and those file names hit a nerve ;D

Hi Cloussau, it is right to be aware of that file name (although there are several variants now).

Pe386 is generally searched for now in several fixes and they all state that the search has been conducted (albeit not very clearly), and if the infection is found it will generally display the following: Rootkit driver pe386 is present. A rootkit scan is required. But if you are not aware of the distinction then you can be misled into thinking the rootkit is present. But I always think better safe than sorry
;D

Further research indicates that the file in question resides in a hidden folder

%UserProfile%\Application Data\hidn\m_hook.sys

You may be able to delete this with file assassin by malwarebytes http://www.malwarebytes.org/fileassassin.php

But you must show hidden files and folders first

To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and close My Computer.
Now your computer is configured to show all hidden files.
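As an added example, not part of this thread and not code from HijackThis or SmitFraudFix: a small Python triage script for the two log formats posted above. It parses the O4 Run entries and O23 services from an HJT log and flags the items a helper would look at first (an unfamiliar executable autostarting from system32, an entry started by bare file name, a service listed with "Unknown owner", a dangling "(file missing)" reference), and it reads a SmitFraudFix log to report whether the pe386-msguard-lzx32 section merely ran or actually printed the "Rootkit driver pe386 is present" message that essexboy describes, which is the distinction discussed earlier in the thread. The sample lines are copied from the logs in this thread; the allowlist, the flag wording and the function names are my own assumptions. A flag is a prompt for manual review, not a verdict on the file.

```python
"""Triage helpers for HijackThis and SmitFraudFix logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# SmitFraudFix prints a run of '»' before each section title.
SECTION = re.compile(r"^»{3,}\s*(?P<title>.+?)\s*$")
# HJT writes "O4 - HKLM\..\Run: [name] command"; the backslash before ".." is optional
# because copy/paste (as in this thread) often drops it.
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
QUOTES = "\"“”"  # straight and curly quotes both appear in pasted logs

# Assumption: the allowlist of system32 binaries a triager expects to see in Run keys.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def exe_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd and cmd[0] in QUOTES:
        end = next((i for i, ch in enumerate(cmd[1:], 1) if ch in QUOTES), len(cmd))
        return cmd[1:end]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def triage_hjt(log: str) -> list[Finding]:
    """Return the HJT lines worth a closer look, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if "(file missing)" in line:
            findings.append(Finding(line, "references a file that no longer exists"))
            continue
        m = RUN_LINE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            folder, _, base = exe.rpartition("\\")
            if not folder:
                findings.append(Finding(line, f"{base} is started by bare name; confirm which copy actually runs"))
            elif folder.lower().endswith("\\system32") and base.lower() not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(Finding(line, f"{base} autostarts from system32 and is not on the allowlist"))
            continue
        m = SERVICE_LINE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            findings.append(Finding(line, f"service {m.group('name')!r} has no vendor name in its file version info"))
    return findings


def pe386_status(smitfraud_log: str) -> str:
    """Return 'present', 'not detected' or 'not scanned' for the pe386 section."""
    sections, current = {}, None
    for raw in smitfraud_log.splitlines():
        m = SECTION.match(raw.strip())
        if m:
            current = m.group("title").lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    key = next((t for t in sections if "pe386" in t), None)
    if key is None:
        return "not scanned"  # the fix never looked, so the heading alone proves nothing
    if any("present" in entry.lower() for entry in sections[key]):
        return "present"
    return "not detected"  # heading printed, nothing reported underneath


# Constructed samples, copied from the logs posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\STDSB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

SMITFRAUD_CLEAN = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Same section with the wording quoted in the thread for an actual hit (constructed).
SMITFRAUD_INFECTED = SMITFRAUD_CLEAN.replace(
    "pe386-msguard-lzx32\n", "pe386-msguard-lzx32\nRootkit driver pe386 is present. A rootkit scan is required.\n"
)

if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"REVIEW: {f.reason}\n    {f.line}")
    print("pe386 (posted log):", pe386_status(SMITFRAUD_CLEAN))
    print("pe386 (constructed hit):", pe386_status(SMITFRAUD_INFECTED))
```

On the log posted above this script flags STDSB.exe, SOUNDMAN.EXE, the missing Java ssv.dll and the ACS service for review and reports the pe386 section as "not detected", which is the same reading the thread arrived at by hand.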

no worries :)

It never hurts to confirm the presence or absence of a suspect file.