Infected with Win32:patched LK

Hi, I’m infected with Win32:patched LK.

Some of the files that are infected:

windows\System32\wininet.dll
windows\System32\kernel32.dll
windows\System32\powrprof.dll
windows\System32\nsysk.ini
windows\System32\nsysp.ini

Running Avast before boot didn’t help. It identifies infected files, but can’t cure them. Malwarebytes’ Anti-Malware didn’t help either.

I can’t use many Windows Services, can’t install new USB drives because the Volume Manager doesn’t work, can’t install new hardware, etc.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:53, on 13.11.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Delete Duplicate Files\DDFS.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\rthdcpl.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\delttray.exe
c:\program files\logitech\gamepanel software\lgdevagt.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\logitech\gamepanel software\lcd manager\lcdmon.exe
c:\program files\linksys wireless-g usb wireless network monitor\InfoMyCa.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
c:\program files\logitech\gamepanel software\g-series software\lgdcore.exe
c:\program files\java\jre6\bin\jusched.exe
c:\program files\google\google desktop search\googledesktop.exe
c:\program files\mindjet\mindmanager 8\mmreminderservice.exe
c:\program files\logitech\gamepanel software\lcd manager\applets\lcdclock.exe
c:\program files\microsoft security essentials\msseces.exe
c:\progra~1\alwils~1\avast4\ashdisp.exe
c:\windows\system32\rundll32.exe
c:\program files\logitech\gamepanel software\applets\lcdcountdown.exe
c:\windows\system32\ctfmon.exe
c:\program files\logitech\gamepanel software\applets\lcdmedia.exe
c:\program files\logitech\gamepanel software\applets\lcdpop3.exe
c:\program files\du meter\dumeter.exe
c:\program files\google\google desktop search\GoogleDesktop.exe
c:\program files\messenger\msmsgs.exe
c:\program files\common files\lightscribe\lightscribecontrolpanel.exe
c:\program files\windowspace\wspace.exe
c:\program files\daemon tools lite\daemon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ultramon\ultramon.exe
c:\windows\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\ultramon\ultramontaskbar.exe
c:\program files\tortoisegit\bin\tgitcache.exe
c:\program files\tortoisesvn\bin\tsvncache.exe
C:\WINDOWS\system32\wscntfy.exe
c:\windows\system32\wuauclt.exe
c:_downloads_\the bat_beta_\thebat.exe
c:\program files\mozilla firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Notepad++\notepad++.exe
c:\windows\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

HijackThis log (continued)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R3 - URLSearchHook: Niooiee@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - c:\program files\mail.ru\sputnik\MailRuSputnik.dll
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Program Files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O2 - BHO: Niooiee@Mail.Ru - {8984B388-A5BB-4DF7-B274-77B879E179DB} - c:\program files\mail.ru\sputnik\MailRuSputnik.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Niooiee@Mail.Ru - {09900DE8-1DCA-443F-9243-26FF581438AF} - c:\program files\mail.ru\sputnik\MailRuSputnik.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM..\Run: [DeltTray] DeltTray.exe
O4 - HKLM..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
O4 - HKLM..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DU Meter] c:\program files\du meter\DUMeter.exe
O4 - HKCU..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU..\Run: [WindowSpace] "C:\Program Files\WindowSpace\wspace.exe" /startup
O4 - HKCU..\Run: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: books
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O9 - Extra button: Mail.Ru Aaaio - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe
O9 - Extra 'Tools' menuitem: Mail.Ru Aaaio - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {cafeefac-0015-0000-0000-abcdeffedcba} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.6.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O20 - AppInit_DLLs: SysDaJH.dll,msosping00.dll,msoscqit00.dll,msosmhfp00.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Delete Duplicate Files Scan on Schedule Service - Author: Brana Bujenovic - C:\Program Files\Delete Duplicate Files\DDFS.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Desktop Manager 5.9.906.4286 (GoogleDesktopManager-060409-093314) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndorfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Games\Electronic Arts\Need for Speed ProStreet\PB\PnkBstrA.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

Send the files to www.virustotal.com and post the results here…

You are still running Windows Service Pack 2, so you should install Windows Service Pack 3, which has been available for over a year and contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Update to IE8 as it is more secure than IE6:
http://www.microsoft.com/windows/internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Can you try:

Hope they can help you :slight_smile:


In addition to what has been posted above, an analysis of your HJT log shows the following problems:

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you use a firewall. Download and install one, or activate Windows XP’s one-way firewall, which provides inbound protection only. A 2-way firewall that provides both inbound and outbound protection would be better.

Platform: Windows XP SP2 (WinNT 5.01.2600)
As noted above, a newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft’s Windows Update site to download the newest version of the service pack.

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Very outdated and very insecure version of IE. Also noted above.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
Possible signs of a trojan or bot infection. See the example at the link below.
http://www.threatexpert.com/report.aspx?md5=34888a2a50fd1b162974ae752f7e4d11

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
Unnecessary (deactivated) entry that can be fixed - Google Toolbar Notifier.

O4 - Startup: books
Unknown application. If you do not know this application, it should be fixed.

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (file missing)
Unnecessary (deactivated) entry that can be fixed. Related to ICQ.

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (file missing)
Unnecessary (deactivated) entry that can be fixed. Related to ICQ.

Overview of running tasks:

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

MsMpEng.exe
Anti Add/Spyware software
Microsoft Windows Defender Antispyware

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

DDFS.exe
Unknown task ( Delete Duplicate Files Scan )
Unknown task

DUMeterSvc.exe
Backgroundtask
DU Meter Service

jqs.exe
Backgroundtask
Java Quick Starter Service

nHancerService.exe
Backgroundtask
nHancerService.exe

nTuneService.exe
Driver
NVIDIA Access Manager

rthdcpl.exe
Driver
Realtek HD Audio Sound Effect Manager

svchost.exe
System task
Microsoft Service Host Process

delttray.exe
Driver
M Audio Delta Control Panel Interface System Tray

lgdevagt.exe
Driver
Logitech GamePanel Agent

WLService.exe
Driver
BELKIN USB Wireless Monitor

lcdmon.exe
Driver
Logitech G-series LCD Monitor

InfoMyCa.exe
Driver
Wireless-G Network Monitor

WUSB54Gv2.exe
Driver
Wireless Network Monitor

lgdcore.exe
Driver
Logitech G-Series Profiler

jusched.exe
Backgroundtask
Sun Java Update Scheduler

googledesktop.exe
Application
Google desktop Search

mmreminderservice.exe
Backgroundtask
MindManager

lcdclock.exe
Security software
Logitech G-series LCD Clock

msseces.exe
Backgroundtask
Microsoft Security Essentials

ashdisp.exe
Virusscan
Avast AntiVirus

rundll32.exe
System task
Microsoft Rundll32

lcdcountdown.exe
Backgroundtask
LCDCountdown

ctfmon.exe
System task
Alternative User Input Services

lcdmedia.exe
Driver
Logitech G-series Media Display

lcdpop3.exe
Driver
G-series Software

dumeter.exe
Backgroundtask
Hagel Technologies DU Meter

GoogleDesktop.exe
Backgroundtask
Google Desktop Search

msmsgs.exe
Application
MSN Messenger

lightscribecontrolpanel.exe
Backgroundtask
lightscribecontrolpanel.exe

wspace.exe
Backgroundtask
WindowSpace

daemon.exe
Backgroundtask
Daemon Tools

ashWebSv.exe
Virusscan
avast! Web Scanner

ultramon.exe
Backgroundtask
UltraMon

explorer.exe
System task
Microsoft Windows Explorer

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ultramontaskbar.exe
Backgroundtask
UltraMon

tgitcache.exe
Unknown task ( TortoiseGit )
Unknown task http://en.wikipedia.org/wiki/TortoiseGit

tsvncache.exe
Backgroundtask
TortoiseSVN

wscntfy.exe
System task
Microsoft Windows Security Center

wuauclt.exe
System task
AutoUpdate Client

thebat.exe
Backgroundtask
The Bat! E-Mail Client

firefox.exe
Application
Mozilla Firefox

taskmgr.exe
System task
The Windows Task Manager.

notepad++.exe
Backgroundtask
notepad++.exe

notepad.exe
Application
Notepad

wuauclt.exe
System task
AutoUpdate Client

hijackthis.exe
Application
Merijn Hijackthis

O20 - AppInit_DLLs: SysDaJH.dll,msosping00.dll,msoscqit00.dll,msosmhfp00.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Looks like a bad entry; however, HJT is not going to help you, it’s next to useless. Why did you not carry on with the help you were getting from the MBAM forum?

http://www.malwarebytes.org/forums/index.php?showtopic=28382
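As an added example that is not part of this thread, a small Python triage of HijackThis log lines that flags the three patterns the two replies above call out: an R1 proxy pointing at localhost, the DLLs in the O20 AppInit_DLLs entry, and orphaned "(no file)" / "(file missing)" entries. The sample lines are copied from the posted log; the severity labels and the bare-name-versus-full-path distinction for AppInit DLLs are my own.

```python
import re

# Constructed sample in the shape of the HijackThis log posted in this thread
# (R0/R1 registry lines, O2/O9 browser entries, O20 AppInit_DLLs, O23 service).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (file missing)
O20 - AppInit_DLLs: SysDaJH.dll,msosping00.dll,msoscqit00.dll,msosmhfp00.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
LOOPBACK = ("localhost", "127.0.0.1")

def parse_entry(line):
    """Split one HijackThis line into (section, body); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return (severity, message) findings for the three patterns discussed above."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        section, body = entry
        if section == "R1" and ",ProxyServer" in body:
            # IE proxy pointing at the loopback interface: browser traffic is
            # being routed through a local process, a classic trojan/bot sign.
            value = body.split("=", 1)[1].strip()
            if any(host in value.lower() for host in LOOPBACK):
                findings.append(("suspicious", "loopback proxy: " + value))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL here is loaded into every process that maps user32.dll.
            # Assumes comma/space separated values without embedded spaces
            # (8.3 short names, as in the log). A bare file name resolves via
            # the DLL search path and names no owner; a full path can be checked.
            for dll in re.split(r"[,\s]+", body.split(":", 1)[1].strip()):
                if not dll:
                    continue
                has_path = "\\" in dll or ":" in dll
                findings.append(("review" if has_path else "suspicious",
                                 "AppInit DLL: " + dll))
        elif "(no file)" in body or "(file missing)" in body:
            # Registry still references a component whose file is gone: harmless
            # clutter in itself, but residue of something that was removed.
            findings.append(("orphan", section + ": " + body))
    return findings

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:10}] {message}")
```

Run against the posted log, the same code separates the localhost proxy and the four bare AppInit DLLs from the harmless leftover ICQ and Google Toolbar Notifier entries.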

I tried to use this scan service prior to posting here, but I kept receiving something like “uploaded 0 bytes”. Now I suspect avast was blocking the file; I suspended it today and it worked:

http://www.virustotal.com/analisis/f6a4e008bc16d049e6c2418062b0c2326eebe1a17e1c4c4f6be2476ca5592d2f-1258375588

This is from C:\WINDOWS\SoftwareDistribution\Download\4f34fed83363df83031761e8fceb73ae\sp2gdr\ folder though.

The one from the system32 folder appears to be clean now: http://www.virustotal.com/analisis/aa647f11fae6e3dd39c87389bb431d8d47fefeb0df1146481c34fa925a1023e6-1257376425.

c:\windows\system32\kernel32.dll is now also clean; it looks like it was MS Essentials that disinfected it, but it (as well as other anti-junk programs) keeps finding infected copies of this file in subfolders of C:\WINDOWS.

Concerning Service Pack 3: Automatic Update was trying to install updates when I was shutting down the PC, and I suspect SP3 was among them. The installation got stuck at one item for more than 3-4 hours and I had to restart the PC, so I kind of hesitate to risk it again.

Windows Firewall is usually on, but it was off when I was fighting the infection and making the HJT log.

The zero bytes error indicates something is blocking it; possibly avast is alerting when you try to upload.

Did avast alert when you tried to upload it?

If so:
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect* ; that will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

AFAIR it didn’t alert me, but this is not an issue anymore, since it seems to work now. What I wonder is what keeps infecting files in system32 subfolders.

Let’s first confirm the detection/s at VirusTotal before we try to work out what that might be.

A file that was primarily detected but no longer detected could well have been a false positive (the reason why we suggest VT for confirmation) and the virus signature corrected and issued in a VPS Update.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.