Last Resort?

Hey fellas, i'm new here and somehow i'm always new in places when I need something of the people over there, hehe, but I hope you guys don't mind. I'm really over the top now with a huge prob. on my pc... I'll try to explain it as chronologically correct and logical as possible:

I have a bot/backdoor thing on my pc now for over a week. My fully updated mcafee virusscan told me it was a "sdbot.worm.gen.j" and it mentioned it needed to delete the file svhost.exe(which is in fact a trojan, but it's used by numerous kinds of virusses and strings, not to confuse with svchost.exe which is a normal windows process). Nevertheless, this file just keeps on turning up, and as long as I have my XP firewall running everything is ok, but as soon as this is down, there is no way of opening taskmanager, the internet connection gets slow, cpu usage high and most of the time the pc crashes. I'm not a total noob in this, so here's what i've done chronologically (as you may have understood nothing helped):

1. tried to restore my comp. to a earlier point (day before infection i believe)
2. turned off system restore
3. ran a fully upgraded ad-aware scan and deleted all malicious processes/keys
4. ran a fully upgraded mcafee scan and did the same
5. Did 3 & 4 again but then in safe mode
6. deleted some registry keys i was certain they were malicious, like the svhost key
7. did 5 again, accompanied by a registry search for svhost
8. did a mydoom fix and some other that i found usefull
9. did online scans; Panda, Trend Micro and mcafee
10. Posted log files at lavasoft and gathering of tweakers

AND now the juicy part......

11. Finally it had me on my knees and I reformatted, Quick NTFS
12. Installed mcafee, no network cables plugged yet
13. Plugged in cable, updated mcafee and windows XP immediately
14. SHABAAAAAM, mcafee tells me it removed the virus named SDBOT.WORM.GEN.J and the accompanying file svhost.exe
15. Again I reformatted, not quick, but normal. I now installed Norton instead of Mcafee and updated it as well as windows XP.
16. Reinfected again, Norton named it differently.

This is what kinda seems like what i'm experiencing, but please don't let this narrow you down...
This is a picture of the svhost entry in my registry!
Well good luck guys, caus' for as far as i'm concerned you will need it...
Thanx in advance Ray

 

Hi RayJay,

We are happy to take a shot at this baddie.

Please send us a HijackThis Log. Be sure to follow the instructions below:

Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

PP

 

Here it is... I feel like sitting in the dentist chair, when finally he's going to release me of that horrible toothache! Thanx.

 

Well . . . I don't see anything evil in that log!

Try this. Please download this tool: RKFILES.ZIP

Then, unzip the rkfiles tool to a folder of your choice.

Then, boot to Safe Mode and DoubleClick the rkfiles.bat to run the scan. It will take a while, so let it go until the DOS window closes.

Then, reboot to Normal Windows and look in C:\ Drive for a file named log.txt and attach it with your post.

We'll see if it can tell us anything.

PP

 

The rkfiles log...

 

It is pretty darn clean as well!

I assume these 2 are Monkey Audio related:

C:\WINDOWS\system32\MACDec.dll
C:\WINDOWS\system32\MonkeySource.ax

This one bothers me, though:

C:\WINDOWS\system32\ntosrkl.exe

Note that this is not the legitimate Ntoskrnl.exe
You should check out the imposter and likely delete it (or, if unsure, rename it ntosrkl.BAD).

Other than that, I see nothing . . .

PP

 

And what about the fact that there's a key svhost.exe in my registry and that my pc just crashes if i turn of the firewall?

 

By the way, i have no clue what monkey audio is, so they may not be monkey audio related!

 

Ow and what exaclty does "ntosrkl.exe" do or maybe better; what does the real "ntosrkl.exe" namely "ntosknrl.exe" do? Caus i'm indeed pretty sure that this is the virus, or a least a virus...........

 

Here's a screener of all files in my registry now!!! I believe most of them are malicious.

 

Information overload? yes it is! Please help me out here, the only thing I can do is provide valuable info, so i do....
This is what someone else wrote about the previous reg. keys

 

svhost.exe can be related to a number of different baddies. I was hoping to see something in one of your logs that would narrow the field a bit!

Have you found the actual svhost.exe file on your machine?

ntoskrnl.exe is vital to your machine booting up properly.

See how many of these odd .exes you can find and RightClick them to try to get their property and version info.

Also, try submitting them here: http://www.kaspersky.com/scanforvirus

Maybe you can narrow this down a bit.

Sorry I'm not more help here! I'll try to check back tonight.

Best luck
PP

EDIT PP: I missed your last couple posts as I've been doing 8 things at once here!! Will try to check them out tonight!

 

Ok, will once again follow your instructions, but please allow me to keep you posted on new info acquired, so that you might one day be able to help me....

 

The more info, the better!!

C:\WINDOWS\system32\MACDec.dll
C:\WINDOWS\system32\MonkeySource.ax
Both of these seem to be Audio Filter related - not too much of a leap to Monkey Audio.

ntosrkl.exe still bothers me.

Are you able to find any property and version info for ntosrkl.exe, studio.exe (isn't this winamp?), svhost.exe and services.exe? The Kaspersky scan should tell you what the specific baddies are!

Do you find these guys in C:\Windows\srchasst?

Also, the bit with your machine crashing when firewall is turned off may be unrelated. Or, it may not. Need to keep an open mind. . . I have seen a lot of cases of unfortunate but unrelated coincidences after malware infestations.

I also suggest a few full-blown online scans:

Bitdefender

RavAntivirus <-- select Auto Clean then click Scan My PC

TrojanScan

TrendMicro HouseCall

Maybe they'll tell us something.

PP

 

Hey, been away for a while. The computer is running normal if the firewall is up (either ZA or Windows XP's), but if i turn it of it slowly works it's way towards a crash. And to clarify this; this is solely due to a virus. I know a virus when i see one and i know a system crash when i see one! Almost immediately taskmanager is inaccesible (seems like it tries to start up, but it doesn't get very far). My internet connection is still up, but trying to open up TM seems to affect everything else aswel. Then for example i try to restart, but then my system hangs...It is clearly a virus taking effect.

I did not find any of the files you posted in your last post, however i found some registry keys (after having deleted them for the 10th time now!) BTW, i did the search with "show hidden files & folders", "not hide extensions" and "not hide protected operating system files". I looked in the srchasst folder.

This is again the svhost.exe malicious reg entry!!!
And this are the entries of studio.exe and ntosrkl.exe

As you can see i'm not done with them, i'll run all the scan you posted and keep you informed... I truly believe this ones interesting for you fellas, hehe

Thanx once again
Ray

 

Interesting, indeed! However, if those malicious files don't exist, then the corresponding registry entries are toothless. Odd that they would keep coming back . . . Those files gotta be around somewhere.

Keep us posted as to what those scans find. When I get some free time (& if I can remember) I may try to cross reference some of those files to see if a virus or malware can be pinned down.

PP

 

Right, there is some new info after having completed the scans. The TrojanScan thing said "bad request" somewhere during the scan, but it might just as well have been the end of the scan. I'll do that one again later...

Here is the log of the Ravscan, that showed some interesting virusses found!! And in the attachments to this post you'll find a word doc of the Bitdefender log

Have fun, hehe

 

Well, Bit Defender showed that it removed what it could find - Namely, the same thing on your RavScan! - That Backdoor.RBot. / internet.exe.

The rest are in Norton Quarantine and need to be dealt with manually by you. Looked OK, other than that.

PP

 

Hey,... i'm in trouble again!!!

The previous problem kinda faded away. Every other day all scanners/removers clean several files and i never dared to lower my firewall again. Pc was working fine... Untill this afternoon where i stopped my firewall for like 3 mins. and BOOM there was a ****load of malware etc. on my pc. Ad-aware scanned 144! Madness. Now the problem is that I've once again deleted alot, and i mean ALOT, of malicious files/keys/processes/services but can't seem to clean it entirely. So if you would be so kind to take a look at my hijack this log once again, that would be great...

Thanx Philie,

Ray

PS. i know of several files that are threats already, but i just need a sequence of actions that perminently removes them...

 

Hey RayJay,

Still haven’t updated XP, huh? You really need to do that!

Look in Add/Remove programs and remove IstSvc or IstBar if it is there. You may want to run the linked tool below for good measure.

http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled .

I suggest removing the below with HijackThis :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: Name - {3E824072-7DE8-4AF9-BAA7-883C2C5FF2A4} - (no file)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [VKSHA] C:\WINDOWS\rhqselrk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\bimikzvc.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

Make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

C:\Program Files\Internet Explorer\bimikzvc.exe
C:\Program Files\ISTbar --> The Folder
C:\WINDOWS\rhqselrk.exe

Then, Go Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

See if that does the trick and attach a fresh log.

PP

 

You're absolutely right m8. I'm working on finding out what would be cheapest for me since i need to buy a new license and my dad has his a company that has bougt a few already... Don't know much 'bout the license stuff so i'll give it some time. For the time being, THANX! You're beginning to become a god to me now, hehe. Fresh hijackthis log seems clean to me

You're the best spyware fighter i've even met Phillie (right, now stop shoving your hand up his ****)

Ray

Btw. I know it's prob. not your field of expertise and this is absolutely the wrong place to ask, but do you incidentally know of a way to remove the msn messenger that comes with Windows XP, caus i already have the newest beta version and the other one is disturbing and useless, but still there.

 

Though i must admit i just found a few reg. keys that should not be there. And what do ya say? they are in the exact same place as the keys of the previous "unsolved?" problem! I will delete them and again here is a pic of that registry location...(two pics in fact, two locations both under search assistant)
Pic1
Pic2

Btw, i did exactly what you last told me to do

 

Doubts doubts doubts. Norton gave me a message it found some trojan, didn't remove it but denied acces to the file. My cursor randomly, not frequently goes into the "sand/time/thingy?" (dunno the english word). I've again posted my new hijackthis log, caus i feel as though things have changed again without even touching the pc

????slserves.exe?????

 

Funny to see how i keep on replyin to myself,

Another scan with norton showed these two couldn't be removed or quarantained. The last to pics were .bmp's sorry bout that...

Ray

 

Also i get this message once in a while, which definately is a virus!

 

Hi Ray,

Will take a look when free tonight - Have to cook dinner!

PP

 

I couldn't read the .bmps - Eyes are bothering me.

These two that Norton detected are adware. 1 is this one we removed:
C:\Program Files\Internet Explorer\bimikzvc.exe You ought to make sure it is gone.
Also, look for the other one: luorda.exe and see what you can turn up.


I highly doubt the below are Norton AV related. But, to be certain, find it and RightClick it to get property and version info. If, as I imagine, it is bad, delete it.

C:\WINDOWS\System32\slserves.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe

Sone questions:
What firewall are you running? Do you get get requests from it to allow strange things to access the net? When the cursor turns to hourglass, did you check Task Manager to see what was running and if you could ID the culprit?

Regarding the last message, it is likely adware of some sort. Not sure what kind, but it is not a virus.

Without the XP updates, you are always going to be at a higher risk of becoming infected.

PP

 

Thanx m8, did all the stuff you said already, deleted all .exe files i could find and disable the "windows messenger service" in services so that's gone aswell. Zonealarm indeed asked me several times for strange .exe files to acces the net, of course i denied. Traced every .exe that was in zonealarm, looked it up on the net, deleted, reversed keys, updated windows xp a bit (not everything yet). I'm ok once again, i've learned just never to lower your firewall with a non-fully-upgraded version of windows.

Ray

 

Indeed! That's not a fun lesson to learn
Glad to hear thing are OK!

PP