Possible Tojan

system · 2007-11-14T22:28:00.000Z

Thanks!

I had to run Sdfix twice, because I stupidly ran it from a USB drive the first time and it didn’t finish off after the re-boot.

Logs attached.

essexboy · 2007-11-14T22:42:31.000Z

Ta for the logs

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O4 - HKCU..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O23 - Service: W - Unknown owner - D:\TEMP\W.exe (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\TEMP\W.exe
C:\WINDOWS\system32\drivers\hidr.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If you could now follow up with the winpfind

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]On the left under drivers services select non-microsoft
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Software Policy Settings

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

system · 2007-11-14T23:24:05.000Z

Thanks again. Log atached.

OTMoveit said it couldn’t find the files.

system · 2007-11-15T20:12:11.000Z

Avast icon went again, hidr.exe and srosa.sys are back
I think I’ll order a new hard disk and re-install windows

oldman960 · 2007-11-15T20:39:05.000Z

I would wait until essexboy has a chance to review the WinPFind3u log.

essexboy · 2007-11-15T21:03:36.000Z

Not good news I’m afraid you also had Goldun and Haxdoor as well as bagle and they were all kind of cooperating to stop you getting fixed. With this fix I am going to kill explorer so you may loose the desktop etc.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Kill Explorer] [Win32 Services - Non-Microsoft Only] YY -> (W) W [Win32_Own | Disabled | Stopped] -> D:\TEMP\W.exe [Driver Services - Non-Microsoft Only] YY -> (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> YY -> (abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> YY -> (adpu160m) adpu160m [Kernel | Disabled | Stopped] -> YY -> (Aha154x) Aha154x [Kernel | Disabled | Stopped] -> YY -> (aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> YY -> (aic78xx) aic78xx [Kernel | Disabled | Stopped] -> YY -> (AliIde) AliIde [Kernel | Disabled | Stopped] -> YY -> (amsint) amsint [Kernel | Disabled | Stopped] -> YY -> (asc) asc [Kernel | Disabled | Stopped] -> YY -> (asc3350p) asc3350p [Kernel | Disabled | Stopped] -> YY -> (asc3550) asc3550 [Kernel | Disabled | Stopped] -> YY -> (catchme) catchme [Kernel | On_Demand | Stopped] -> D:\TEMP\catchme.sys YY -> (cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> YY -> (Changer) Changer [Kernel | System | Stopped] -> YY -> (Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> YY -> (dac960nt) dac960nt [Kernel | Disabled | Stopped] -> YY -> (dpti2o) dpti2o [Kernel | Disabled | Stopped] -> YY -> (hpn) hpn [Kernel | Disabled | Stopped] -> YY -> (i2omgmt) i2omgmt [Kernel | System | Stopped] -> YY -> (i2omp) i2omp [Kernel | Disabled | Stopped] -> YY -> (ini910u) ini910u [Kernel | Disabled | Stopped] -> YY -> (kednl6) AVSearch service [Kernel | On_Demand | Stopped] -> %System32%\kednl6.sys YY -> (lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> YY -> (mmx432) MMX2 virtualization service [Kernel | Auto | Stopped] -> %System32%\mmx464.sys YY -> (mmx464) MMX virtualization service [Kernel | System | Stopped] -> %System32%\mmx464.sys YY -> (ql1080) ql1080 [Kernel | Disabled | Stopped] -> YY -> (Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> YY -> (ql12160) ql12160 [Kernel | Disabled | Stopped] -> YY -> (ql1240) ql1240 [Kernel | Disabled | Stopped] -> YY -> (ql1280) ql1280 [Kernel | Disabled | Stopped] -> YY -> (Simbad) Simbad [Kernel | Disabled | Stopped] -> YY -> (srosa) Megadrv3 [Kernel | System | Stopped] -> %System32%\drivers\srosa.sys YY -> (sw848b) sw848b [Kernel | Auto | Running] -> %System32%\drivers\sw848b.sys YY -> (sw878b) sw878b [Kernel | Auto | Running] -> %System32%\drivers\sw878b.sys YY -> (symc810) symc810 [Kernel | Disabled | Stopped] -> YY -> (symc8xx) symc8xx [Kernel | Disabled | Stopped] -> [Files/Folders - Created Within 30 days] NY -> wintems.exe.ren -> %System32%\wintems.exe.ren NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren [Files/Folders - Modified Within 30 days] NY -> DEBUGSM.INI -> %SystemRoot%\DEBUGSM.INI NY -> wintems.exe.ren -> %System32%\wintems.exe.ren NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren [File String Scan - Non-Microsoft Only] NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable [Empty Temp Folders] [Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN follow that up with a combofix run

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

system · 2007-11-15T22:07:04.000Z

Thanks again, I was just about to say I would wait for your reply, it’s only courteous, but your post beat me to it.

Logs are attached.

essexboy · 2007-11-15T22:36:58.000Z

OK 'tis nuclear time

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O4 - HKCU..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O23 - Service: W - Unknown owner - D:\TEMP\W.exe (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Please download The Avenger by Swandog46 to your Desktop.
[*]Click on Avenger.zip to open the file[*]Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[QUOTE]Drivers to unload:
drvsyskit

Files to delete:
C:\WINDOWS\system32\9B3821D7CB.sys
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\F5BC36F762.sys
[/quote]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
[*] Under “Script file to execute” choose “Input Script Manually”.
[*]Now click on the Magnifying Glass icon which will open a new window titled “View/edit script”
[*] Paste the text copied to clipboard into this window by pressing (Ctrl+V).
[*] Click Done
[*] Now click on the Green Light to begin execution of the script
[*] Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

system · 2007-11-15T23:19:39.000Z

Hit a problem.

It rebooted twice, then after logging into windows I get the error:
Windows – No Disk
Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6f9c 75b6bf9c

And a cmd window saying:
The system cannot find the file specified.
Could Not Find C:\avenger*.reg
1 file(s) copied.
zip warning: C:/backup.zip not found or empty
adding: avenger/9B3821D7CB.sys (104 bytes security) (deflated 36%)
adding: avenger/avenger.txt (188 bytes security) (deflated 72%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)
adding: avenger/F5BC36F762.sys (104 bytes security) (stored 0%)

I have left these windows open and run hjt, logs attached.

essexboy · 2007-11-16T18:31:30.000Z

Ok you can close those windows and delete the following in Hijackthis,and the file on your drive. It appears that avenger stalled. However, there is no longer any sign of Bagle

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O4 - HKLM..\Run: [esdaffjc] C:\ldttwerh.bat

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

As a final check could you re-run DSS and let me now how your system is running now

system · 2007-11-18T10:19:24.000Z

Thanks again.
Ran HJT, but O4 - HKLM..\Run: [esdaffjc] C:\ldttwerh.bat wasn’t listed.

I connected the network cable, the status says connected, but no packets have been sent or received. I can’t connect to the internet or local computers on the same network, I can’t even ping the router.

I tried winsockxpfix but that didn’t help. I have checked all the usual IP settings and windows firewall is disabled. Any ideas?

DSS log attatched.

essexboy · 2007-11-18T14:23:19.000Z

Well on the bright side DSS shows no problems. I see you have comodo firewall.

Have you allowed Ashwebserve access ?

Have you tried it with Avast paused

DavidR · 2007-11-18T15:01:07.000Z

Three avast functions that require access:
ashWebSv.exe - the avast Web Shield.
ashMaiSv.exe - the avast email scanner (for the Internet Mail provider).
avast.setup - this is what does the avast virus signature and program updates.

system · 2007-11-19T19:59:23.000Z

The virus had deleted my previous firewall (sygate) but must have left something behind. I uninstalled it, rebooted and packets started to flow.

FireFox still couldn’t find web sites, but I could ping their IP’s (DNS problem ??? ), so I tried IE, a window popped up asking me which file I wanted to crack ???, Avast icon disappeared and RKB is showing a whole list of files.

HJT log attatched.

essexboy · 2007-11-19T20:23:47.000Z

Only one file that I can find no info on in your log nspksrv.exe.

Jotti File Submission:

[*]Please go to Jotti’s malware scan

[*]Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

[*]C:\WINDOWS\system32\nspksrv.exe

[*] Click on the submit button

[*] Please post the results in your next reply.

.
Then

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

system · 2007-11-19T21:03:41.000Z

DSS log attatched. Nothing found in NSPKSRV.EXE. It took a bit of finding, but its a network serial port driver, by Fabula Tech.

essexboy · 2007-11-19T23:32:52.000Z

OK srosa has reared it’s head again but it is now deeply hidden

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
[*]Open a command window by going to Start > Run and typing: cmd
[*]Copy/paste or type the following in the command window: C:\fsbl.exe /expert
[*]Hit “Enter” to start the program and then close the cmd box.
[*]Accept the user agreement and click “Next”.
[*]Click “Scan”.
[*]After the scan is complete, click “Next”, then “Exit”.
[*]BlackLight will create a log in C:\ drive named “fsbl-xxxxxxx.log” (the xxxxxxx will be the date and time of the scan).
[*]The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present…like “wbemtest.exe” and "tcptest.exe.
[*]Exit Blacklight and post the contents of the log in your next reply.

Thanks for the info on that file

DavidR · 2007-11-19T23:57:57.000Z

@ essexboy
You need to edit your link to f-secure blacklight, as it is an ftp url you shouldn’t rap it in the URL tags as it puts an http:// in front of the ftp::// and that messes up the link.

e.g. ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

system · 2007-11-20T12:44:40.000Z

Thanks again, but last night before I read you post I had a play around.

hidr.exe and srosa.sys came back, so I booted in safe mode and removed them. It appears one of the IE Add-ons is responsible for re-infecting. I disabled all add-ons in safe mode, now in normal mode IE works fine. Before IE would lockup if it didn’t have network access.

The DNS problem is caused by Comodo firewall. Even though I trust an application it is still blocking it, unless I select the ‘Skip advanced security checks’, in the miscellaneous tab in the application control rule.

I also un-installed avast and installed Comodos antivirus, because the infection kept deleting avast. However Comodo antivirus can’t enable the on access scanner. At that point I gave up and went to bed

I’ll give fsbl a go this evening and see what it comes up with.

Lisandro · 2007-11-20T18:18:39.000Z

ecotack post:52:

The DNS problem is caused by Comodo firewall. Even though I trust an application it is still blocking it, unless I select the ‘Skip advanced security checks’, in the miscellaneous tab in the application control rule.

I’m not with Comodo in this computer, but if I remember correctly, there is an entry for DNS queries in the advanced tab of settings of the firewall.

ecotack post:52:

Because the infection kept deleting avast. However Comodo antivirus can’t enable the on access scanner. At that point I gave up and went to bed

Don’t try to install two antivirus at the same time.
See http://forum.avast.com/index.php?topic=31559.msg263039#msg263039 to correct avast misinstallation problems…

Announcements