Major problems

Viruses and worms
1

Hi all.

The wifey installed a program from a filesharing service that hosed her computer. It disabled Avast as well as all other troubleshooting programs. Cannot install HJT, get *** is not a valid Win32 app. Cannot boot into safemode, get Blue Screen error code 0X0000007B.

Any help would be much appreciated.

2

it’s a Beagle/Bagle infection probably… you can find many threads discussing this issue here :wink:

3

See if you can run this program, using these download instructions.

If it won’t run in normal windows, try using the safe mode fix, then if you get into safe mode, run it from there.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[]It is important you rename Combofix during the download, but not after.
[]Please do not rename Combofix to other names, but only to the one indicated.
[]Close any open browsers.
[]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

4

Combofix ran under normal window mode. Here is the log:

ComboFix 08-04-04.1 - Deb 2008-04-05 12:34:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.621 [GMT -4:00]
Running from: C:\Documents and Settings\Deb\Desktop\Combo-Fix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA

((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 11:59 . 2008-04-05 11:59 d-------- C:\Program Files\Trend Micro
2008-04-05 09:53 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-05 09:53 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-05 09:53 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-05 09:53 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-05 09:53 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-05 09:53 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-05 09:53 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-05 09:53 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-04 18:41 . 2008-04-04 18:44 d-------- C:\Documents and Settings\Deb.housecall6.6
2008-04-03 16:42 . 2006-02-21 04:10 688,128 -ra------ C:\WINDOWS\system32\drivers\mdelk.exe
2008-04-03 16:36 . 2008-04-05 11:58 d-------- C:\WINDOWS\system32\drivers\downld
2008-04-03 13:46 . 2008-04-03 13:46 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 19:35 . 2008-03-12 19:35 d-------- C:\Program Files\Common Files\Control Panels
2008-03-12 19:13 . 2008-03-12 19:13 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-03-12 18:42 . 2008-03-12 18:42 d-------- C:\Documents and Settings\All Users\Application Data\ACT
2008-03-12 11:28 . 2008-03-12 11:28 d-------- C:\Documents and Settings\Deb\Application Data\IsolatedStorage
2008-03-12 11:28 . 2008-04-03 22:32 3,350 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-12 11:28 . 2008-04-03 22:32 168 -r-hs---- C:\Documents and Settings\All Users\Application Data\AE24D9212B.sys
2008-03-12 11:26 . 2008-03-12 11:26 d-------- C:\Program Files\Common Files\Protexis
2008-03-12 11:26 . 2003-08-28 14:08 536,576 --a------ C:\WINDOWS\system32\msvcr70d.dll
2008-03-12 11:26 . 2003-08-28 14:06 94,208 --a------ C:\WINDOWS\system32\msvci70d.dll
2008-03-12 11:22 . 2008-03-12 11:22 d-------- C:\Program Files\MSXML 6.0
2008-03-12 11:21 . 2008-03-12 11:22 d-------- C:\Program Files\Microsoft SQL Server
2008-03-12 11:21 . 2008-03-12 11:21 d-------- C:\Program Files\ACT
2008-03-12 11:21 . 2008-03-12 11:21 d-------- C:\Documents and Settings\Deb\Application Data\ACT
2008-03-11 15:11 . 1997-01-21 03:02 721,168 --a------ C:\WINDOWS\system32\VB40032.DLL
2008-03-11 15:11 . 1997-01-21 03:02 146,976 --a------ C:\WINDOWS\system32\MFCOLEUI.DLL
2008-03-11 15:11 . 1997-01-21 03:02 109,056 --a------ C:\WINDOWS\system32\MFCUIW32.DLL
2008-03-11 15:11 . 1997-01-21 03:02 94,720 --a------ C:\WINDOWS\system32\SH30W32.DLL
2008-03-11 15:11 . 1997-01-21 03:02 33,280 --a------ C:\WINDOWS\system32\MFC30DEU.DLL
2008-03-11 15:11 . 1997-01-21 03:02 32,256 --a------ C:\WINDOWS\system32\MFC30FRA.DLL
2008-03-11 10:41 . 2008-03-28 11:35 d-------- C:\Program Files\Corel
2008-03-11 10:41 . 2008-03-11 10:41 d-------- C:\Program Files\Common Files\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 03:13 --------- d-----w C:\Program Files\eMule
2008-04-01 23:15 --------- d-----w C:\Documents and Settings\Deb\Application Data\Skype
2008-03-16 13:23 --------- d-----w C:\Program Files\WS_FTP
2008-03-16 12:23 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-03-13 04:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-13 03:33 --------- d-----w C:\Program Files\Bonjour
2008-03-13 03:05 --------- d-----w C:\Program Files\SereneScreen
2008-03-13 03:05 --------- d-----w C:\Program Files\Prolific Publishing, Inc
2008-03-13 03:03 --------- d-----w C:\Program Files\Dell
2008-03-13 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Sharedold
2008-03-13 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-12 23:14 --------- d-----w C:\Documents and Settings\Deb\Application Data\Corel
2008-03-12 15:22 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-28 02:16 --------- d-----w C:\Program Files\Fisher-Price
2008-02-20 22:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-13 22:45 --------- d-----w C:\Program Files\GlobalSCAPE
2007-12-29 09:02 866,240,101 ----a-w C:\Documents and Settings\InDesign\Adobe_InDesign_CS3_v5__(with_crack_full_version).zip
2007-01-23 21:14 3,820,104 ----a-w C:\Documents and Settings\Deb\gosetup.exe
2004-10-26 09:05 29,392,739 ----a-w C:\Documents and Settings\Nero6.6.0.1.reloaded\nero6601.exe
2004-10-26 00:55 36,925,055 ----a-w C:\Documents and Settings\Nero6.6.0.1.reloaded\NVE3014.exe
2004-10-25 19:19 7,499,065 ----a-w C:\Documents and Settings\Nero6.6.0.1.reloaded\NMP14025.exe
.

5

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-09-29 14:01 67584]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-16 08:39 7323648]
“SigmatelSysTrayApp”=“stsystra.exe” [2006-02-21 04:10 688128 C:\WINDOWS\stsystra.exe]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2006-07-06 07:15 151552]
“DMXLauncher”=“C:\Program Files\Dell\Media Experience\DMXLauncher.exe” [2005-10-05 03:12 94208]
“DLA”=“C:\WINDOWS\System32\DLA\DLACTRLW.EXE” [2005-09-08 05:20 122940]
“ISUSPM Startup”=“C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe” [2005-08-11 16:30 249856]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2005-08-11 16:30 81920]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2006-10-17 17:59 98304]
“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe” [2006-01-06 15:07 188416]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00 132496]
“HPHmon04”=“C:\WINDOWS\system32\hphmon04.exe” [2006-01-06 15:07 348160]
“HPHUPD04”=“C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe”
“GrooveMonitor”=“C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe” [2006-10-27 01:47 31016]
“SSBkgdUpdate”=“C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” [2003-09-30 00:14 155648]
“Opware15”=“C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe” [2005-07-06 00:58 69632]
“OpScheduler”=“C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe”
“PDF3 Registry Controller”=“C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\RegistryController.exe” [2005-04-12 10:16 106496]
“Act.Outlook.Service”=“C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe” [2007-10-23 20:55 9728]
“Act! Preloader”=“C:\Program Files\ACT\Act for Windows\ActSage.exe” [2007-10-23 21:13 393216]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-04-05 12:36 79224]

C:\Documents and Settings\Deb\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme
“EnableLUA”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“MSVideo8”= VfWWDM32.dll
“vidc.tscc”= tsccvid.dll
“SENTINEL”= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“AntiVirusDisableNotify”=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
“DisableMonitoring”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”=
“C:\Program Files\Yahoo!\Messenger\YServer.exe”=
“C:\Program Files\Messenger\msmsgs.exe”=
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE”=
“C:\Program Files\Microsoft Office\Office12\GROOVE.EXE”=
“C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE”=
“C:\Program Files\MSN Messenger\msnmsgr.exe”=
“C:\Program Files\MSN Messenger\livecall.exe”=
“C:\Program Files\Skype\Phone\Skype.exe”=

R2 MSSQL$ACT7;SQL Server (ACT7);“C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe” -sACT7
R2 PSI_SVC_2;Protexis Licensing V2;“c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe” [2007-07-24 11:15]
R2 SQLWriter;SQL Server VSS Writer;“C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe” [2007-02-10 05:29]
R3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys
S2 ACT! Scheduler;ACT! Scheduler;“C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe” [2007-10-23 21:00]
S2 Par1284;Par1284;C:\Program Files\FlexiSIGN-PRO 7.5v5\Program\Par1284.sys
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 12:43:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
.

.
Completion time: 2008-04-05 12:52:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 16:52:55
Pre-Run: 141,582,098,432 bytes free
Post-Run: 143,442,292,736 bytes free
.
2008-03-13 07:02:05 — E O F —

6

unfortunately - your wife uses a 4.7 version of avast… the malicious driver (srosa.sys) can be discovered by the 4.8 version, which has antirootkit function built in… and the 4.8 version is able to resist against the beagle attack… now you must do a manual cleaning of beagle (run a standalone antirootkit etc)… after doing that i can advice you to install the newest version of avast, cause it is more powerfull and “bullet-proof”… it’s always important to keep your security software up to date :wink:

7

Hi. That took some of it out.

Run this fix, then try safe mode. If you can’t get into safe mode, please use the safe mode fix, I posted earlier.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\drivers\mdelk.exe C:\WINDOWS\system32\drivers\srosa.sys

Rootkit::
C:\WINDOWS\system32\drivers\srosa.sys

DirLook::
C:\WINDOWS\system32\drivers\downld

Driver::
srosa
Megadrv3

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

We’ll also look at this a little differently.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You can attach the logs by using the additional options button on the reply page.

Thanks

8

Hi Maxx

Combofix is very effective against bagel, as you can see from the log. But do agree keeping it out would have been better.

9

Ran script with ComboFix and was able to get into safemode. Ran HJT. Was unable to download DSS, looks like a prob on their end. Attached HJT and Combofix logs. Am in safemode with Net now and will stay here until told to do otherwise.

10

Finally got DSS to download and informed me that in prefers normal windows mode. Booted into windows and ran. Also reran HJT in windows thinking you may need. Attached logs

11

Well, this looks promising. We have a couple of files to check. You can do that from safe mode. But I will need you to boot to normal windows and run HJT from there. The safmode log is too bare to determine anyhting.
Submit the files and try to get your antivrus running again and make sur your firewall is enabled.

Please submit these files for analysis

To submit a file to virustoal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\drivers\downld\17459843.exe
C:\WINDOWS\system32\drivers\downld\137968.exe

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

Edit, you are ahead of. Skip the steps regarding booting to normal windows. Do the file sumbits and your security programs. I’ll check DSS while you are doing that.

Thanks

12

Here are the results. Looks sloppy cut and pasted to notepad, but all of the results for both files were -

DLing security SW now. Should I do a complete scan with Avast once installed?

13

Those files came back clean. If you are interested, they are all in a folder in the C:\windows\system32\drivers folder in a folder called downld. Was this a folder you created. The high number of these files with numbered names seems unusall. I have no idea of which program they would be related to. You could right click one of them and see whats under the properties for th file.

Yese you should do a scan after you have the antivirus up and running, but first let’s remove the tools, as avast may find them.

  • Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Post back after the scan.

14

Thanks for all of the help and info. As for those executables…I have no clue what they could be. I do know that my wife is a habitual program installer…nuff said. I’ll rename the Dir and if she doesn’t complain in a few weeks of anything not working I will delete them. Scanning now and will let you know if it finds anything nasty.

Thanks again,

Joe

15

All right thanks. I can’t get any from google on the couple I tried so, I had you sunbmit a couple of random ones. There’s also quiet a few that have the same size. Again unusal. I’ll try a few more, who knows.

16

I did some more searching. I think bagel is getting smarter. It usually includes a folder called C:\WINDOWS\system32\drivers\down with the same type of files in it… It looks like it has changed the folder name to downld. I started to get some hits on some of the file names. It’s quiet possible the files have been changed and avoid detection.

We will use this to remove the folder. After it has finished, review the results. If it says “folder move succesfully”, then reopen the program and click the clean up button. The procedure will be the same as when you ran OTCLEANIT.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\system32\drivers\downld

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMOVEITE reboots, before you can get the ruslts they can be found here
C:_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)