Possible Trojan

OK, will start in Safe Mode now; can’t find either of the two DLLs in system32 or the hidr.exe.

E4M - Encryption for the Masses, one of the projects merged into DriveCrypt.

Just re-booted and ran RootKitBuster, nothing found.
SuperAntiSpyware found nothing too.

Re-installed Avast, chose a boot time scan, re-booted, it worked, no more message about Avast being changed. It’s found a Small-BXN [trj] up to now. I’ll let it finish, do a thorough scan, also with SuperAntiSpyware and once more with RootKitBuster for good luck.

Sounds good. Could you post the SAS log? Just extract the log file using the method from the following:

[*]On the first page select Check for Updates
[*]On completion select SCAN YOUR COMPUTER
[*]On the next page select COMPLETE SCAN and tick ALL your drives
[*]The next stage will take a while as your entire drive(s), memory and registry are scanned
[*]When it has completed click NEXT
[*]The next screen shows the problems found click OK
[*]On the next screen place a tick against all items and select NEXT
[*]Now to get the log Go to the PREFERENCES button on the right bottom
[*]Select the STATISTICS/LOG tab
[*]Highlight the scan just completed and click VIEW LOG
[*]This will open a notepad text file copy and paste this to your next reply

Back to square one >:(

I just lost all network access, so did a scan with RootKitBuster (RKB) and the hidr.exe file had re-appeared. I used the safe mode fix again, went into safe mode, ran HJT, checked the hidr.exe file and clicked fix.

Once rebooted I checked with RKB, which found hidr.exe and srosa.sys. I highlighted the two files and selected delete, then re-booted the PC. Avast had been deleted again so I reinstalled and set a boot time scan.

Is there anything I can do to detect if these Trojans install again? I had Avast Home installed and Comodo firewall. I also checked with RKB and SAS every day and found nothing.
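An added example (not from the thread) of the recurring check asked for here: it looks for the indicators this thread names, the drvsyskit Run value pointing at hidr.exe, the hidr.exe and srosa.sys files, and the srosa/W service keys, so a scheduled run can report the moment they come back. The check itself is a pure function fed by a Windows-only collector; the paths and names are taken from this thread and the collector assumes the standard HKCU Run key and the SCM registry hive.

```python
import os
import sys

# Indicators named in this thread: the HKCU Run value that relaunches hidr.exe,
# the files RootKitBuster kept finding, and the service/driver keys from the fix.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {"drvsyskit"}
SUSPECT_FILES = [r"C:\WINDOWS\system32\drivers\hidr.exe",
                 r"C:\WINDOWS\system32\drivers\srosa.sys",
                 r"D:\TEMP\W.exe"]
SUSPECT_SERVICES = {"srosa", "w"}


def find_indicators(run_values, existing_files, services):
    """Pure check, usable with constructed data on any OS. run_values: {name: command}
    from the HKCU Run key; existing_files: paths on disk; services: service key names."""
    hits = []
    for name, cmd in run_values.items():
        if name.lower() in SUSPECT_RUN_VALUES or "hidr.exe" in cmd.lower():
            hits.append(f"run value {name} -> {cmd}")
    present = {p.lower() for p in existing_files}
    hits += [f"file present {p}" for p in SUSPECT_FILES if p.lower() in present]
    installed = {s.lower() for s in services}
    hits += [f"service installed {s}" for s in SUSPECT_SERVICES & installed]
    return sorted(hits)  # empty list means none of the indicators were seen


def _enum(key, fn):
    """Walk a registry key with winreg.EnumValue/EnumKey until it runs out."""
    out, i = [], 0
    while True:
        try:
            out.append(fn(key, i))
        except OSError:
            return out
        i += 1


def collect_live_state():
    """Windows-only collector for find_indicators(); returns empty data elsewhere."""
    if sys.platform != "win32":
        return {}, [], []
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as k:
        run_values = {n: str(v) for n, v, _ in _enum(k, winreg.EnumValue)}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as k:
        services = _enum(k, winreg.EnumKey)
    return run_values, [p for p in SUSPECT_FILES if os.path.exists(p)], services
```

Run `find_indicators(*collect_live_state())` from a scheduled task; any hit means the infection has reinstalled itself.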

No network access ???

Gone through all network settings, re-installed drivers, re-booted router, swapped cables, disabled the firewall, un-installed the firewall, re-installed the firewall, but still cannot access the LAN. I could yesterday before the Trojan re-appeared.

I think the Trojan may have changed something or left something behind. Any suggestions?

As a last resource, maybe http://www.majorgeeks.com/download4372.html (WinSock XP Fix 1.2) or, less probably, any function of http://www.majorgeeks.com/download4899.html (Dial-a-fix 0.60.0.24).

WinSock: Fixes the winsock settings on your Windows XP machine. This tool is recommended for IT professionals only. Please read license.

It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.

If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.

It can create a registry backup of your current settings, so it is fairly safe to use. We actually tested it on a test machine that was having a Winsock problem due to some Adware removal, and after running the utility and rebooting, the connectivity was restored.

Thanks, I’ll put them on a memory stick and try them this evening.

You’re welcome. Other users will be here and trying to help.
I’ll be on an one-week trip 8)

It’s alright for some, my last holiday was 14 years ago.

Tried the two programs but network still won’t work. It says Status: Connected, Duration: , Speed 100.0 Mbps, Sent: 0 and received: 0.

Any more suggestions? Anyone??
Can’t ping the router, or any other PC on the network. Can’t view workgroup computers.

Try this
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FxBeagle.exe

Locate the file that you just downloaded.
Double-click the FxBeagle.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.

Then run
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

As I was sat here reading this I noticed the Avast icon disappear on my infected PC. A quick scan with RootKitBuster and the two files are back (hidr.exe and srosa.sys). I scanned it less than two minutes ago and it was clean.

W32.Beagle removal tool is now running, let’s keep our fingers crossed.

Definitely Bagle. I will need to look at the WinPFind log to clear any residue.

FxBeagle.exe took hours to finish. Next time I’ll disable my two data hard drives to speed things up. Is it safe to delete files I don’t want, while infected, again to help speed things along?

Unfortunately FxBeagle.exe said it found nothing. I’ll try again this evening in safe mode.

OK, it looks like the Symantec fix is getting a bit old.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.

[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks!

I had to run SDFix twice, because I stupidly ran it from a USB drive the first time and it didn’t finish off after the re-boot.

Logs attached.

Ta for the logs

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O23 - Service: W - Unknown owner - D:\TEMP\W.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\TEMP\W.exe
C:\WINDOWS\system32\drivers\hidr.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If you could now follow up with the winpfind

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]On the left, under Driver Services, select Non-Microsoft
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Software Policy Settings

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Thanks again. Log attached.

OTMoveit said it couldn’t find the files.

Avast icon went again, hidr.exe and srosa.sys are back :(
I think I’ll order a new hard disk and re-install windows

I would wait until essexboy has a chance to review the WinPFind3u log.

Not good news I’m afraid: you also had Goldun and Haxdoor as well as Bagle, and they were all kind of cooperating to stop you getting fixed. With this fix I am going to kill Explorer, so you may lose the desktop etc.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Kill Explorer]
[Win32 Services - Non-Microsoft Only]
YY -> (W) W [Win32_Own | Disabled | Stopped] -> D:\TEMP\W.exe
[Driver Services - Non-Microsoft Only]
YY -> (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->
YY -> (abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->
YY -> (adpu160m) adpu160m [Kernel | Disabled | Stopped] ->
YY -> (Aha154x) Aha154x [Kernel | Disabled | Stopped] ->
YY -> (aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->
YY -> (aic78xx) aic78xx [Kernel | Disabled | Stopped] ->
YY -> (AliIde) AliIde [Kernel | Disabled | Stopped] ->
YY -> (amsint) amsint [Kernel | Disabled | Stopped] ->
YY -> (asc) asc [Kernel | Disabled | Stopped] ->
YY -> (asc3350p) asc3350p [Kernel | Disabled | Stopped] ->
YY -> (asc3550) asc3550 [Kernel | Disabled | Stopped] ->
YY -> (catchme) catchme [Kernel | On_Demand | Stopped] -> D:\TEMP\catchme.sys
YY -> (cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->
YY -> (Changer) Changer [Kernel | System | Stopped] ->
YY -> (Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->
YY -> (dac960nt) dac960nt [Kernel | Disabled | Stopped] ->
YY -> (dpti2o) dpti2o [Kernel | Disabled | Stopped] ->
YY -> (hpn) hpn [Kernel | Disabled | Stopped] ->
YY -> (i2omgmt) i2omgmt [Kernel | System | Stopped] ->
YY -> (i2omp) i2omp [Kernel | Disabled | Stopped] ->
YY -> (ini910u) ini910u [Kernel | Disabled | Stopped] ->
YY -> (kednl6) AVSearch service [Kernel | On_Demand | Stopped] -> %System32%\kednl6.sys
YY -> (lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->
YY -> (mmx432) MMX2 virtualization service [Kernel | Auto | Stopped] -> %System32%\mmx464.sys
YY -> (mmx464) MMX virtualization service [Kernel | System | Stopped] -> %System32%\mmx464.sys
YY -> (ql1080) ql1080 [Kernel | Disabled | Stopped] ->
YY -> (Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->
YY -> (ql12160) ql12160 [Kernel | Disabled | Stopped] ->
YY -> (ql1240) ql1240 [Kernel | Disabled | Stopped] ->
YY -> (ql1280) ql1280 [Kernel | Disabled | Stopped] ->
YY -> (Simbad) Simbad [Kernel | Disabled | Stopped] ->
YY -> (srosa) Megadrv3 [Kernel | System | Stopped] -> %System32%\drivers\srosa.sys
YY -> (sw848b) sw848b [Kernel | Auto | Running] -> %System32%\drivers\sw848b.sys
YY -> (sw878b) sw878b [Kernel | Auto | Running] -> %System32%\drivers\sw878b.sys
YY -> (symc810) symc810 [Kernel | Disabled | Stopped] ->
YY -> (symc8xx) symc8xx [Kernel | Disabled | Stopped] ->
[Files/Folders - Created Within 30 days]
NY -> wintems.exe.ren -> %System32%\wintems.exe.ren
NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
[Files/Folders - Modified Within 30 days]
NY -> DEBUGSM.INI -> %SystemRoot%\DEBUGSM.INI
NY -> wintems.exe.ren -> %System32%\wintems.exe.ren
NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
[File String Scan - Non-Microsoft Only]
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN follow that up with a combofix run

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
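An added example, not part of the thread or of WinPFind3U itself: a small parser for the fix-script format pasted above, so the entries it will act on can be reviewed (and the files hashed or copied off) before the fix runs. It assumes the OTL-family meaning of the two-letter prefix (first letter: remove the registry entry, second: remove the file on disk), which the post does not state; the sample is a constructed subset of the script above.

```python
import re

# Lines of the WinPFind3U fix script quoted above, one entry per line:
#   YY -> (srosa) Megadrv3 [Kernel | System | Stopped] -> %System32%\drivers\srosa.sys
#   NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
# Assumed flag meaning (OTL-family convention, not stated in the thread):
# first letter = remove the registry entry, second = remove the file on disk.
SERVICE_RE = re.compile(
    r"^(?P<flags>[YN]{2}) -> \((?P<key>[^)]+)\) (?P<display>.+?) "
    r"\[(?P<type>[^|]+) \| (?P<start>[^|]+) \| (?P<state>[^\]]+)\] ->\s*(?P<path>.*)$")
FILE_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<name>.+?) -> (?P<path>.+)$")

SAMPLE = r"""[Kill Explorer]
[Win32 Services - Non-Microsoft Only]
YY -> (W) W [Win32_Own | Disabled | Stopped] -> D:\TEMP\W.exe
[Driver Services - Non-Microsoft Only]
YY -> (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->
YY -> (srosa) Megadrv3 [Kernel | System | Stopped] -> %System32%\drivers\srosa.sys
[Files/Folders - Created Within 30 days]
NY -> srosa.sys.ren -> %System32%\drivers\srosa.sys.ren
[Start Explorer]"""  # constructed subset of the script in the post above


def parse_fix(text):
    """One dict per fixable line; [Section] lines set context and bare
    directives such as [Kill Explorer] yield no entry."""
    entries, section = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = SERVICE_RE.match(line) or FILE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fix line: {line}")
        d = m.groupdict()
        entries.append({"section": section, "key": d.get("key") or d["name"],
                        "fix_registry": d["flags"][0] == "Y",
                        "fix_file": d["flags"][1] == "Y",
                        "start": (d.get("start") or "").strip() or None,
                        "path": d["path"].strip()})
    return entries


def files_to_remove(entries):
    """Distinct on-disk paths the script deletes (worth hashing beforehand)."""
    return sorted({e["path"] for e in entries if e["fix_file"] and e["path"]})


def registry_only_services(entries):
    """Service keys with no backing file: registry-only leftovers."""
    return sorted(e["key"] for e in entries if e["start"] and not e["path"])
```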

Thanks again, I was just about to say I would wait for your reply, it’s only courteous, but your post beat me to it.

Logs are attached.