Win32:Pakes-AKM [Trj]

Hello, this is my first time posting here.

My avast 4.7 found a Win32:Pakes-AKM [trj] virus in C:\WINDOWS\system32\d3di.dll (size 83.0 KB).

It can't delete it, or move/rename it, or move it to the chest! I tried with a boot-time scan … impossible to do anything with that file, only ignore. :(
The program has full control of my PC!

What should I do? :-\ I'll do anything to finally get rid of that *hit…

Oh yes, and I found 2 malware items with Prevx CSI:

  1. status: bad, name: C:\windows\system32\drivers\kbd.sys, malware group: Generic Malware
  2. status: Rootkit, name: C:\windows\system32\drivers\xybygsai.dat, malware group: Hidden data

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:04, on 2008.03.26.
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = battle.net:6112
O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Bux.to Autoclicker.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: GammaTray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF132A83-0299-435A-99B6-CB55723C66B8}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CS1\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O17 - HKLM\System\CS2\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\PrevxCSI.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


End of file - 4869 bytes

Fix this item: O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll

I tried this one, doesn't help :-\

OK, scan your system with www.gmer.net ;)

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-26 18:16:09
Windows 5.1.2600

---- System - GMER 1.0.14 ----

SSDT ??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0xB4F28660]

Code 8765DB74 NlsAnsiCodePage
Code xybygsai.dat ObOpenObjectByName

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 804FCA28 4 Bytes [ 60, 86, F2, B4 ]
PAGE ntoskrnl.exe!ObOpenObjectByName 80572C92 6 Bytes JMP F87B9312 xybygsai.dat
? xybygsai.dat The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\kbd.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Processes - GMER 1.0.14 ----

Process hidden process (*** hidden *** ) 14512
Process hidden process (*** hidden *** ) 15616
Process hidden process (*** hidden *** ) 17048
Process hidden process (*** hidden *** ) 18360
Process hidden process (*** hidden *** ) 18376
Process hidden process (*** hidden *** ) 27764
Process hidden process (*** hidden *** ) 29984
Process hidden process (*** hidden *** ) 51740
Process hidden process (*** hidden *** ) 58200

---- Services - GMER 1.0.14 ----

Service system32\drivers\xybygsai.dat (*** hidden *** ) [BOOT] zriclriv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@ C:\WINDOWS\System32\d3di.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@ThreadingModel apartment
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions@\xd7ŗł\xa4

---- EOF - GMER 1.0.14 ----

Is GMER able to fix the xybygsai.dat-related items for you? Try it…

No fix, no, but it can delete it :)
I stopped and deleted d3di.dll, kbd.sys and xybygsai.dat.
Now it looks like this!

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-26 19:11:15
Windows 5.1.2600

---- System - GMER 1.0.14 ----

Code 8765DB74 NlsAnsiCodePage

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----

And HijackThis showed everything the same as last time except this:

O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll (file missing)
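The checks the helpers in this thread are doing by eye across the HijackThis log, the first GMER scan and the post-cleanup residue can be written down as rules. The script below is an added example for this page; it is not part of the original posts and not a feature of HijackThis or GMER. The sample lines are copied from the logs posted above; the rule names, severities and the function names (parse_hjt, parse_gmer, triage) are my own assumptions.

```python
"""Rule-based triage of HijackThis (HJT) and GMER logs.

Added example for this thread; not part of the original posts and not a
feature of HijackThis or GMER. Sample lines are copied from the logs posted
above; rule names, severities and function names are my own assumptions.
"""
import re

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)")

# Constructed sample: a subset of the HijackThis log from the thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = battle.net:6112
O2 - BHO: (no name) - {1FD58F1C-E9DC-4C2F-954E-665BFCF15792} - C:\WINDOWS\System32\d3di.dll
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00165692-7984-4E36-BFBB-F405B9BEC9B3}: NameServer = 81.198.60.10,195.13.160.52
"""

# Constructed sample: a subset of the first GMER scan from the thread.
GMER_SAMPLE = r"""
SSDT ??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0xB4F28660]
PAGE ntoskrnl.exe!ObOpenObjectByName 80572C92 6 Bytes JMP F87B9312 xybygsai.dat
? xybygsai.dat The system cannot find the file specified. !
Process hidden process (*** hidden *** ) 14512
Service system32\drivers\xybygsai.dat (*** hidden *** ) [BOOT] zriclriv <-- ROOTKIT !!!
Reg HKLM\SOFTWARE\Classes\CLSID\{1FD58F1C-E9DC-4C2F-954E-665BFCF15792}\InprocServer32@ C:\WINDOWS\System32\d3di.dll
"""

# File names that avast and Prevx CSI already flagged in the opening post.
DETECTED = ("d3di.dll", "kbd.sys", "xybygsai.dat")


def _references_detected(line, detected):
    """One finding per already-flagged file name that this line mentions."""
    low = line.lower()
    return [("high", "references_detected_file", line) for n in detected if n.lower() in low]


def parse_hjt(text, detected=()):
    """Return (findings, BHO CLSIDs) for HijackThis log text."""
    findings, bho_clsids = [], set()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        findings.extend(_references_detected(line, detected))
        code, _, rest = line.partition(" - ")
        if code == "O2":                        # Browser Helper Object: DLL loaded into IE
            m = CLSID_RE.search(rest)
            if m:
                bho_clsids.add(m.group(0).upper())
            if "(no name)" in rest:             # legitimate BHOs nearly always carry a name
                findings.append(("high", "unnamed_bho", rest))
            if "(file missing)" in rest:        # DLL gone, CLSID registration left behind
                findings.append(("low", "orphan_bho_registration", rest))
        elif code == "R1" and "ProxyServer" in rest:
            findings.append(("medium", "proxy_configured", rest.split("=", 1)[1].strip()))
        elif code == "O17" and "NameServer" in rest:
            servers = [s.strip() for s in rest.split("=", 1)[1].split(",")]
            findings.append(("info", "dns_servers", ",".join(servers)))
    return findings, bho_clsids


def parse_gmer(text, detected=()):
    """Return (findings, CLSIDs from GMER's Registry section) for GMER log text."""
    findings, reg_clsids = [], set()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        findings.extend(_references_detected(line, detected))
        if "*** hidden ***" in line:            # object invisible to normal Win32 enumeration
            kind = line.split(None, 1)[0].lower()
            findings.append(("critical" if "ROOTKIT" in line else "high", f"hidden_{kind}", line))
        m = SERVICE_RE.match(line)
        if m and "\\drivers\\" in m.group("path").lower() and not m.group("path").lower().endswith(".sys"):
            findings.append(("high", "driver_with_odd_extension", m.group("path")))
        if line.split()[0] in (".text", "PAGE", "INIT") and re.search(r"\bJMP\b", line):
            findings.append(("high", "inline_kernel_hook", line))   # patched ntoskrnl code
        m = SSDT_RE.match(line)
        if m:                                   # common for AV/HIPS; listed so a human checks the module
            findings.append(("info", "ssdt_hook", f"{m.group('func')} -> {m.group('module')}"))
        if "cannot find the file specified" in line:   # name known to the kernel, hidden from Win32
            findings.append(("high", "file_hidden_from_win32", line))
        if line.startswith("Reg ") and CLSID_RE.search(line):
            reg_clsids.add(CLSID_RE.search(line).group(0).upper())
    return findings, reg_clsids


def triage(hjt_text, gmer_text, detected=()):
    """Merge both logs, correlate BHO CLSIDs across them, sort by severity."""
    hjt_findings, bho = parse_hjt(hjt_text, detected)
    gmer_findings, reg = parse_gmer(gmer_text, detected)
    findings = hjt_findings + gmer_findings
    for clsid in sorted(bho & reg):             # same persistence object seen by both tools
        findings.append(("high", "bho_clsid_confirmed_by_gmer", clsid))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def rules_fired(findings):
    return sorted({rule for _, rule, _ in findings})


if __name__ == "__main__":
    for sev, rule, detail in triage(HJT_SAMPLE, GMER_SAMPLE, DETECTED):
        print(f"[{sev:8}] {rule:30} {detail}")
```

Run as a script it prints the sorted findings. The useful part is the cross-checks rather than any single rule: a boot-start service whose image is a .dat under system32\drivers, a GMER "cannot find the file" on the very name its hook table points at, and a BHO CLSID that the O2 line and GMER's Registry section agree on. Feeding the post-cleanup O2 line through parse_hjt flags it as an orphan registration, which is what "(file missing)" means once the DLL is gone.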

OK, you're probably not rootkited anymore… You should run a complete avast scan and move infected files to the chest when found… Then tell us if you can see any strange behavior, etc.

I also suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Make a HijackThis log to post here or, better, submit the RunScanner log for on-line analysis.
  6. Immunize your system with SpywareBlaster or Windows Advanced Care.
  7. Check if you have insecure applications with Secunia Software Inspector.