Virus - Not picked up by Avast (Help Remove!)

Hello. The other day I discovered a virus on my laptop and it completely shut it down. Now I've realized it's on my desktop.
This virus was not caught by Avast; I happened to catch it myself. This virus gets progressively worse over the course of a few days. In the end it starts systematically shutting down all devices and makes it so virus programs and malware scanners stop working. Avast shut down completely, and I had Spybot TeaTimer, which it took over and replaced with its own weird icon when you look in the Spybot directory. When you try to run anti-virus it says it's not a proper Win32 application. It even said the same for HijackThis, but it seems it only checks the filename. All virus scanner filenames it knows blink every so often, like it checks them or alters the files.

Also, this virus sends out erroneous encrypted packets on the internet, possibly with keylog info.

I did manage to change the name of HijackThis as I downloaded it, and I was able to get the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:54 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\svchost.exe
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\RAM Def XT\ramdef.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Documents and Settings\Kurt Scheuringer\Application Data\m\flec006.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Kurt Scheuringer\Desktop\nothingatall.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eq2players.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.2.107:5190;https=192.168.2.107:5190
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [RAMDef] C:\Program Files\RAM Def XT\ramdef.exe -tray
O4 - HKCU..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://www.onlinegamingradio.com/nsvplayer/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{9E10EB17-960F-40D9-8525-3400AAEB551E}: NameServer = 192.168.2.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-nt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

flec006.exe is the virus because when I go to my Application Data, it doesn't have that file in there, but it runs, and actually some other files exist in that m directory which I think it's using. Mostly data files, some with tons of IP addresses and ports in them. Also, the process will not kill, even with any method I try.

Another hint: my devices can't seem to shut down like it wants until my computer reboots (I know that from my laptop). I am scared to reboot, thinking it's going to doom my computer. Trying to do everything I can without rebooting right now.

Please help


Welcome to the forums, copystart.

You have used an old version of HijackThis and you will need to use the newer version.

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


Gah, I actually let ComboFix run overnight (took forever) before I read this. I saw the ComboFix thing in another thread. Let me post that log and then do what you need as well.

http://ogr.kicks-ass.net:81/log.txt

The log was too large to upload here, so I posted it to my web server.

You could also have attached it here, click the Additional Options text link in the reply window.

Yeah, I tried that, but it said my log file was too big to attach. I'll make multiple posts though with it attached.

Next portion …

To give some more information, I went to the folder again titled …/application data/m/ and under there it has stored the virus program (icon looks like keys), a shared folder which has a bunch of random RARed and zipped files in there which are labeled as different programs and the cracks for them, a data file which has a bunch of different IPs and ports again which my computer is connecting to at random, and another data file which looks encrypted or something.

I suggest you follow the entire general cleaning procedure:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to online analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

When I start the Trend Micro rootkit program, it says the Tmcom service cannot be started. I'm telling you, this program goes through and shuts down services so they can't be started anymore. My system log file is filled with errors of services being shut down unexpectedly. Also, the Tmcom.sys file in the drivers thing was newly created on system restart for some reason, which shows in one of the log files. This virus screws with drivers.

Can you boot from Safe Mode and work from there?
Did you test avast! antirootkit?

ComboFix got a lot of it. The down folder is still there and I can't tell if it's empty. It probably took longer to log than remove.

Go to Add/Remove Programs and uninstall this program if present:

NetMeter

Open HJT, run a system scan only, and check mark these lines if present:


O4 - HKCU..\Run: [mule_st_key] C:\Documents and Settings\Kurt Scheuringer\Application Data\m\flec006.exe
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

Close all other browsers/windows, click fix, close HJT.

Just in case that folder is full again, we’ll use a different removal tool.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Documents and Settings\Kurt Scheuringer\Application Data\m\flec006.exe
C:\Documents and Settings\Kurt Scheuringer\Application Data\m
C:\WINDOWS\system32\drivers\down

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\****_****.log
(where "****_****" is the date_time)

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  1. Close all other windows before proceeding.
  2. Double-click on dss.exe and follow the prompts.
  3. When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Required:
info on the uninstall of NetMeter
OTMOVEIT2 results
DSS logs

And…is it any better after the above steps?

edit to add: tmcomm.sys is from Trend Micro
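As an added illustration (not code from this thread, from HijackThis or from any tool named above), here is a small Python triage script for the HijackThis log format shown in the first post. It parses the "Running processes" list and the O4 Run entries and flags anything launched from a user-writable profile directory, which is the property that singles out the [mule_st_key] entry for flec006.exe that the helper told copystart to fix; the sample log is a constructed excerpt modelled on the thread's log.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 layout, modelled on the thread's log (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kurt Scheuringer\Application Data\m\flec006.exe
C:\Documents and Settings\Kurt Scheuringer\Desktop\nothingatall.exe

O4 - HKLM..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU..\Run: [mule_st_key] C:\Documents and Settings\Kurt Scheuringer\Application Data\m\flec006.exe
"""
# Directories an ordinary user can write to without admin rights (XP and Vista+ layouts).
USER_WRITABLE = re.compile(
    r"\\(?:Documents and Settings|Users)\\[^\\]+\\(?:Application Data|Local Settings|Desktop|AppData)\\",
    re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

def parse_hjt(text):
    """Return (running-process paths, O4 Run entries) from a HijackThis log."""
    processes, runs, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        elif (m := O4_LINE.match(line)):
            runs.append(m.groupdict())
    return processes, runs

def flag_entries(text):
    """Map each path that runs or autostarts from a user-writable directory to its reasons."""
    processes, runs = parse_hjt(text)
    running = {p.lower() for p in processes}
    findings = {}
    for p in processes:
        if USER_WRITABLE.search(p):
            findings.setdefault(p, []).append("running from user-writable directory")
    for r in runs:
        # Drop trailing arguments such as "/r" or "-tray" before testing the path.
        m = re.match(r"(.+?\.exe)", r["target"], re.IGNORECASE)
        path = m.group(1) if m else r["target"]
        if USER_WRITABLE.search(path):
            reasons = findings.setdefault(path, [])
            reasons.append(f"autostart via {r['hive']} Run value [{r['name']}]")
            if path.lower() in running:
                reasons.append("persistent and currently running")
    return findings
```

The renamed HijackThis on the Desktop trips the same heuristic, so treat the output as a triage aid for reading a log, not a verdict on a file.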