Help - Worm and Trojan

kmp4life · Feb 9, 2008

:cryMy problems started 02/07/08. My symptoms are my laptop on startup after the Windows logo comes up (OS is XP) I can see the task bar at the bottom but thats it. Task manager is disabled some how and the mouse pointer is a constant hour glass.

Infections I have found so far:
trojandownloader.xs
w32/ircbot.worm!ms05-039

I'm no pro, but can follow instructions so I've read items on this forum and have done the following:

Installed STNG380.exe from McAfee(have additional laptop that I'm xfrg files using jump drive - infected laptop will only work in safe mode)

Installed ComboFix, Spybotsd152.exe, avgas, mgtools.exe (which i get this error: 0xc0000135 and says i am missing C:\documents and settings\administrator\desktop\procdll.txt)

I've also ran avenger using various scripts that I have found on this forum (which are attached to). I have not ran ATF Cleaner yet

attached are my logs created by the things I've ran.

TimW · Feb 10, 2008

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10"
J2SE Runtime Environment 5.0 Update 2"
Java 2 Runtime Environment, SE v1.4.2_03"
Java 2 Runtime Environment, SE v1.4.2_09

Please disable all anti-virus and anti-spyware programs while we do the following:

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [drmsrv32] C:\arbfikac.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mmmtvztv.dll
O20 - Winlogon Notify: byxwvvt - byxwvvt.dll (file missing)
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drmsrv32"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvvt]
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\arbfikac.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\mmmtvztv.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\system32\eshopee.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\apiuse~1.dll
C:\WINDOWS\system32\mmmnxrnx.dll
C:\WINDOWS\system32\mmmtvztv.dll
C:\188822~1
C:\rbfikac.exe
C:\exujd.exe
C:\wpohl.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad$.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\kvnab.exe
C:\WINDOWS\dynkzovy.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-~1.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbecheck.exe
C:\WINDOWS\wbeinst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll"
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

Folders to delete:
C:\Program Files\3721
C:\Program Files\ACCOONA
C:\Program Files\AKL
C:\Program Files\AMSYS
C:\Program Files\E-ZSHO~1
C:\Program Files\P2PNET~1
C:\188822~1
C:\WINDOWS\system32\ACESPY
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now download and install:
Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

kmp4life · Feb 10, 2008

Quick question before I do what you have told me too. I have too operate my laptop in safe mode and in safe mode the add\remove programs function is not enabled. How do I uninstall the programs you are telling me to uninstall? Do I just need to find there uninstall.exe file and do it manually?

TimW · Feb 11, 2008

We will do the JAva removal later ...just go ahead and do the other items.

kmp4life · Feb 12, 2008

I think this may have worked. I'm now about to reboot my computer in regular mode. I did notice in safe mode that my task manager access did come back after completing your instructions, so BIG THANKS!!!! So now the true test. Attached are my logs per your request and for your review.

TimW · Feb 13, 2008

Your logs are from Monday ...not Wednesday (today). Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

kmp4life · Feb 13, 2008

You gave me the instructions on 2-10-08 and I asked a question which you replied on 2-11 and thats when I followed your instructions. I posted the logs afterwards, I havent done anything today or yesterday but wait for your feedback.

I am attaching screen shots of errors i received when i ran the MG tool on Monday.

TimW · Feb 14, 2008

The reason I asked was because nothing appears to be fixed...the HJT log still has the entries we wanted removed ....Are you doing the fix in safe mode as administrator? And did you disable all of your security software before you ran it?
Go ahead and do the fix I gave you again ....and then re-attach the new logs after doing it.

Where you in normal or safe mode when you tried to run the MGTools\getlogs.bat?

kmp4life · Feb 19, 2008

Ok attached are my logs from me running the instructions you gave me again. Sorry about the delay, finally had time to do it today.

And I still get the same error messages that i mentioned in previous posts.

TimW · Feb 19, 2008

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [xjpagxrb] C:\swxwuqqm.bat
O4 - HKLM\..\Run: [wvupxvbx] C:\knqjhade.bat
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drmsrv32"=-
"xjpagxrb"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwvvt]
Click to expand...

* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\system32\drivers\adson^rg.sys
C:\WINDOWS\system32\drivers\jqtlnibg.sys
C:\WINDOWS\system32\drivers\mqtqsa^i.sys
C:\WINDOWS\system32\drivers\ouerpnxm.sys
C:\stng380.exe
C:\exujd.exe
C:\WINDOWS\system32\mmmnxrnx.dll
C:\WINDOWS\dynkzovy.dll
C:\wpohl.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\arbfikac.exe
C:\1888227279
C:\ADBEFLPRCS3_WWE.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\drivers\pctfw2.sys
C:\WINDOWS\daxtime.dll
C:\swxwuqqm.bat
C:\knqjhade.bat

Folders to delete:
C:\Program Files\e-zshopper
C:\Program Files\p2pnetworks
C:\Program Files\amsys
C:\Program Files\akl
C:\Program Files\Accoona
C:\Program Files\3721
C:\1888227279
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

kmp4life · Feb 20, 2008

Attached are my logs from doing the instructions in the previous post. I still got the same error messages as before and this file was not listed in the scan that analyse.exe ran - O4 - HKLM\..\Run: [wvupxvbx] C:\knqjhade.bat

TimW · Feb 20, 2008

You copies the Avenger fix to remove all under the "Files to delete" setting ...I wanted you to copy it all ...let's do it again exactly as it is written (to include the "Folders to delete"):

* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\system32\drivers\adson^rg.sys
C:\WINDOWS\system32\drivers\jqtlnibg.sys
C:\WINDOWS\system32\drivers\mqtqsa^i.sys
C:\WINDOWS\system32\drivers\ouerpnxm.sys
C:\stng380.exe
C:\exujd.exe
C:\WINDOWS\system32\mmmnxrnx.dll
C:\WINDOWS\dynkzovy.dll
C:\wpohl.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\arbfikac.exe
C:\1888227279
C:\ADBEFLPRCS3_WWE.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\drivers\pctfw2.sys
C:\WINDOWS\daxtime.dll
C:\swxwuqqm.bat
C:\knqjhade.bat

Folders to delete:
C:\Program Files\e-zshopper
C:\Program Files\p2pnetworks
C:\Program Files\amsys
C:\Program Files\akl
C:\Program Files\Accoona
C:\Program Files\3721
C:\1888227279
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

kmp4life · Feb 29, 2008

Avenger is giving me error can not create zip file. The error code 1813. Sorry its been a few days, was out of town on business. I manually went to look for the folders its trying to delete and couldnt find them if this helps any.

TimW · Mar 1, 2008

Are you saying that all the files and folders I asked you to remove are gone?

Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

kmp4life · Mar 10, 2008

Here is the new log file. I'm still missing the procdll.txt file, will I ever get this back?

TimW · Mar 11, 2008

OK..since you are having problems with Avenger ...let's use ComboFix to do the next step:

Please use add/remove programs to uninstall:
My Way Search Assistant
Spyware Doctor 5.5 --> unless paid for version.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [dmpukcfl] C:\mqqhdrjx.bat
O4 - HKLM\..\Run: [bqvysdlg] C:\xltqqmri.bat
O4 - HKLM\..\Run: [aoqywlss] C:\fsavqcpn.bat
O4 - HKLM\..\Run: [oykflsyt] C:\xjeumlsl.bat
O4 - HKLM\..\Run: [eyyxfvvl] C:\smkejycn.bat
Click to expand...

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
Files::
C:\Documents and Settings\cgbuxrmb.txt
C:\Program Files\nvwddjlu.txt
C:\cfhluyoj.txt
C:\craggwxu.txt
C:\fsavqcpn.bat
C:\mqqhdrjx.bat
C:\smkejycn.bat
C:\xjeumlsl.bat  
C:\xltqqmri.bat
C:\zia01580      
C:\zia03160     
C:\zia03312
C:\WINDOWS\lbayvygw.txt
C:\WINDOWS\system32\drivers\flwrpopi.sys 
C:\WINDOWS\system32\drivers\hmhpxxqi.sys
C:\WINDOWS\system32\drivers\mymqaudy.sys  
C:\WINDOWS\system32\drivers\nwfvqlgk.sys  
C:\WINDOWS\system32\drivers\ohjvwone.sys  
C:\WINDOWS\system32\drivers\uaubtvdq.sys  
C:\WINDOWS\system32\drivers\wisraxxt.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"dmpukcfl"=-
"bqvysdlg"=-
"aoqywlss"=-
"oykflsyt"=-
"eyyxfvvl"=-
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

kmp4life · Mar 28, 2008

I got all the way to the step to run combo fix and it told me combofix has expired and to update. Do you know where i can install a new version?

TimW · Mar 29, 2008

There were problems with the latest version of COmboFIx....it may have been fixed and downloadable now. Please try it again.

Log in or Sign up

Help - Worm and Trojan

kmp4life Private E-2

Attached Files:

MGlogs.zip

Report-Scan-20080209-054246.txt

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

Attached Files:

MGlogs.zip

avenger.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

Attached Files:

error messages.doc

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

Attached Files:

MGlogs.zip

avenger.txt

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

Attached Files:

MGlogs.zip

avenger.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

kmp4life Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member