Infected with flec006.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fritz614, Jan 13, 2008.

  1. fritz614

    fritz614 Private E-2

    I have found 2 rootkits infecting me. They have disabled my spyware removal programs and I am unable to boot into safe mode. I have found flec006.exe & hldrrr.exe

    What are my first steps to resolving this?
     
    Last edited: Jan 13, 2008
  2. fritz614

    fritz614 Private E-2

    I am unable to install AVG, and when I run Combofix, it states it is going to run and then I get an empty blue box with nothing; I cannot find any logs for it. CCleaner installed fine, but when I try to open it, I get a real quick splash of it on the screen and then it shuts down automatically.

    PS I completed the RUN ME FIRST as seen in other post for initial cleaning.
     

    Attached Files:

    Last edited: Jan 13, 2008
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you use this PC for financial matters. It is a VERY VERY BAD idea to be downloading and installing cracks and illegal software. The infection you picked up by doing this may have compromised your financial security. You have this:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FAGENT%2EAOV&VSect=P


    Notice that it steals information, such as user names and passwords. All your account info, user names, passwords etc. could have been stolen. You need to take the below actions seriously.



    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 2
    Spybot - Search & Destroy 1.4

    Is your copy of Ad-Aware 2007 a paid version or free trial?
    Uninstall PrevxCSI now.

    Now Disable Spybot's TeaTimer as requested in the READ & RUN ME
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis. And click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\DOCUME~1\James\LOCALS~1\Temp\svchost.exe
    C:\Documents and Settings\James\Application Data\m\flec006.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dynamic System Bios] MSLOG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Dynamic System Bios] MSLOG.exe
    O4 - HKCU\..\Run: [Dynamic System Bios] MSLOG.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
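An added triage check, not part of the thread or of HijackThis: a PowerShell script that enumerates the HKLM/HKCU Run and RunServices keys behind the O4 lines above and reports entries with the traits chaslang singled out (a bare file name such as MSLOG.exe with no path, an image file that no longer exists, or a binary launched from a profile Temp or Application Data folder). The suspicious-folder heuristic is the example's own assumption.

```powershell
# Added triage script (not from the thread): enumerate the autostart
# registry locations behind the HijackThis "O4" lines above and flag
# entries with the traits chaslang told the user to fix.
# Assumptions: Windows PowerShell 5.1 or later, read-only registry access.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Folders a legitimate autostart binary rarely lives in; the flec006.exe
# path in this thread (Application Data\m\) falls under the first of these.
$suspiciousRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
)

function Get-ImagePath {
    param([string]$Command)
    # Strip surrounding quotes and trailing switches such as -osboot.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-AutostartEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $image = Get-ImagePath $Command
    $reasons = @()
    # A bare name like MSLOG.exe depends on PATH lookup: a common malware trait.
    if ($image -notmatch '^[A-Za-z]:\\') { $reasons += 'no absolute path' }
    elseif (-not (Test-Path -LiteralPath $image)) { $reasons += 'image file missing' }
    foreach ($root in $suspiciousRoots) {
        if ($root -and $image.StartsWith($root, 'OrdinalIgnoreCase')) {
            $reasons += "runs from $root"
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Command; Reasons = ($reasons -join '; ') }
    }
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Test-AutostartEntry -Key $key -Name $prop.Name -Command ([string]$prop.Value)
    }
}
```

Run it in an elevated PowerShell session and compare the flagged entries against the O4 lines in the HJT log; nothing is modified, so fixing any entry is still a separate, deliberate step.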
     
  4. fritz614

    fritz614 Private E-2

    1. I am running Adaware 2007 Free, I uninstalled it.
    2. Uninstalled Spybot and tried to reinstall newer version, unable to.
    3. Removed Windows Messenger with tool and removed Java.
    4. I am unable to open Spybot to disable TeaTimer, so I disabled it through HijackThis.
    5. Killed all requested processes and entered Reg key.
    6. Ran Avenger and attached Logfile.
    7. Ran GetLogs.bat files and attached .zip file


    As far as things running, I am still unable to run CCleaner and unable to install Spybot. When I run a program called gmer.exe, it still shows hldrrr.exe running.

    Also, when running the analyse.exe tool, I am unable to find the C:\DOCUME~1\James\LOCALS~1\Temp\svchost.exe & C:\Documents and Settings\James\Application Data\m\flec006.exe
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything.

    You can have GMER fix this.
     
  6. fritz614

    fritz614 Private E-2

    Try reattaching again
     

    Attached Files:

  7. fritz614

    fritz614 Private E-2

    I killed the process with gmer.exe and still unable to get back to "norm"
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to delete the file too! What do you mean by "back to norm"? Are you referring to normal boot mode?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said you uninstalled Ad-Aware but I still see this line:

    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

    Also I asked you to uninstall Prevx and I still see this line:

    O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot

    Also I asked you to fix the below lines and they are still in your log:

    O4 - HKLM\..\Run: [Dynamic System Bios] MSLOG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    Is Antivir working? HJT shows the files to be missing:
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
     
  10. fritz614

    fritz614 Private E-2

    I don't know what happened there. I followed everything you had to offer on the last post. I redid it again and am attaching the log.

    Also, you say I need to delete the file after I kill the process. How do I do this? I cannot find them. Now there seem to be 2 of them; one shows after I kill the process of the first one. The first one that shows is hldrrr.exe, then wintems.exe shows up. After I kill, how do I delete?
     

    Attached Files:

  11. fritz614

    fritz614 Private E-2


    I am just meaning to get back to normal with no spyware, malware, etc... I am in normal boot mode now.


    Also, I have AntiVir installed, but this malware has disabled it too.
     
    Last edited: Jan 14, 2008
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kill the processes and then delete the below folder as quickly as possible:
    C:\WINDOWS\system32\drivers\down


    Also delete the below file
    C:\Documents and Settings\James\Local Settings\Temp\D653F3EC.TMP


    Download the newest version of MGtools.exe to c:\ and run it.

    Attach a new MGlogs.zip file.
     
    Last edited: Jan 14, 2008
  13. fritz614

    fritz614 Private E-2


    OK, able to successfully delete them and from the recycle bin too.

    Downloaded new MGTools and attached logs
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run analyse.exe and fix the below line:

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    Are you still having problems?
     
  15. fritz614

    fritz614 Private E-2

    Deleted and I am still having problems, can not install Windows Defender, Spybot or AntiVir.

    I attached another log to see if there is anything new
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean. Based on your logs they are already installed. However Antivir and Windows Defender do not appear to be running.

    Please explain exactly what you are trying to do. Are you trying to reinstall them? If so, first uninstall them, reboot, redownload them, and then reinstall. Do not try to reinstall from any existing copies. Download new copies.


    Does GMER still detect hldrrr.exe running? All of your logs are clean right now.
     
  17. fritz614

    fritz614 Private E-2

    I thank you for EVERYTHING you have done and your patience. I will heed your advice from the beginning of the thread.
    I am going to just do a clean install of Windows just to be sure there are no traces of anything left. The more I thought about it, it just seemed like the right thing to do. Again, thank you for all you have done.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is really the safest thing to do based on the infections you had. Also DO NOT just reinstall over your current version of Windows. You MUST DELETE YOUR PARTITION, re-partition, format, and then reinstall from scratch to be sure you are clean. Just a simple reinstalling could leave things hanging around.
     
  19. fritz614

    fritz614 Private E-2

    Yes, that is what I am planning now. I forgot about deleting the partition first. Again, thank you.
     
  20. fritz614

    fritz614 Private E-2

    I am not sure if this is an appropriate place for me to post this or not, but I did find an interesting program that did help me out some. Many times, the trojans or viruses that disable antivirus programs and such also deny you access into Safe Boot. I found this attached reg entry that replaces the entries deleted by the virus to allow you to get into Safe Mode.
    Just an FYI for you.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not replace any files. Only registry keys. Yes, we are very aware of these patches; we have our own that we have used from time to time. They do not always fix the inability to boot in safe mode. Sometimes the problem is occurring for other reasons.

    This is not going to remove your infection. You still need to repartition, etc.
     
