Nasty Rootkit

[Captain Computer]

My computer has picked up a very nasty rootkit virus. All of my antivirus software has been either disabled or deleted, Network connection (both wired and wireless) have been disabled. I can't boot into safe mode (BSOD) and I can not display hidden files or folders.

I have discovered several known virus files on my system which include:
Beep.sys
Hidr.exe
Hldrrr.exe
Srosa.sys
Flec006.exe
Wintems.exe
There may be others but these are the ones that I am aware of.

When my computer starts the virus is launched and makes itself invisable immediately. System resources are pegged out at 100% but "Task Manager" shows nothing in particular using up all of the resources. I have a Barts PE disk and a Hiren's ultimate boot disk which give me some tools which allow me to access my Windows installation off line. I can then delete the suspect files and after doing that I can get into Windows. If I work fast when entering Windows for the first time after deleting the bad files I can run Spybot S&D which finds the virus and cleans the bogus registry entries. For that brief moment I can breathe a sigh of relief however, after the scan Spybot tells me to reboot the system and in the process of the reboot Spybot does another scan which takes about a half hour. After the scan Spybot congratulates me on freeing my system from viruses. Unfortunately my celebration is short lived as the system quickly re-infects itself and I'm isnstantly put back to square 1.

I have been dealing with this for 6 days and I'm very frustrated. Most cleanup tools won't run at all but a very few will. Unfortunately Hijackthis will not run. Windows tells me tha it is not a valid w32 application.

Any help or suggestions would be deeply apprciated.
Thanks,
CC

 

[Osiris]

So there is no way for you to go thru this at all?

http://www.techist.com/forums/f51/spyware-removal-guide-osiris-updated-8-18-2008-a-165828/

 

[Captain Computer]

I have tried about half of the apps that are listed in the spyware removal guide but the majority refuse to run with Windows complaining that the application is "not a valid Win32 application".

I've been fighting this virus for nearly a week now and it's very frustrating. I boot up using a Barts PE disk and I am able to find and delete the virus files on my C drive but they come back as soon as I reboot Windows (I'm running XP pro) normally so they are obviously still hiding on my disk somewhere. If I really act fast, and I mean REAL FAST! I am able to get Spybot S&D to run on the first reboot after deleting the files. At that time Spybot detects the virus and deletes several files and registry keys. The system then reboots and Spybot gives the system another deep scan (takes about 20 minutes) before my desktop appears and Spybot congratulates me for having cleaned my system but the virus returns within a minute. I've done this drill no less than 20 times since last Sunday.

No network connection and unable to boot into Safe mode, plus the virus spread to my flash drive. This virus is a real beauty!

cc

 

[Osiris]

Kaspersky Rescue Disk
Avira AntiVir Rescue System

Try that

 

[Captain Computer]

:laughing:

THANK YOU!!!!!!

I am on finally on my way to recovery. I used the Avira utility disk and it found and removed MDELK.EXE (plus a bunch of other crap) which I previously had not detected. I can now boot into my system virus free. However I am not home yet. I still have a lot of issues to address. First, I can't get my wireless connection to work. The Windows Zero Config service won't run. It doesn't start automatically the way it should and I get a "1038 ERROR" when I attempt to start it manually. It complains that a dependant service is not running. I believe that my wired connection doesn't work either but I am mostly concerned with the wireless connection right now. I am also having a problem displaying hidden files. Even though I have selected to show them they refuse to display themselves. The virus had disabled my ability to display hdden files. Oddly enough, however, I can search and locate a hidden file individually and uncheck the "hidden" attribute and make it visible that way but I don't like doing that.

I also have an issue where 2 of my flash drives are infected with the virus and if I plug them into my PC it will get infected again. I need to figure out how to clean them. I don't mind losing the data on them so I'm willing to format them but how do I format a flash drive without re-infecting my PC

Thanks again,
CC

 

[Osiris]

Can you post a hijackthis log?

 

[Captain Computer]

I don't think that a HJT scan is needed at this time. I have scanned my system several times with a few different AV apps and they all come back negative. The system seems to be running very well and I see no unusual processes running. I have finally got pretty much everything back to "Normal". Network is back up, and resolved the hidden folder issue. Only problem that remains is that I can't boot into safe mode. The hidden folders and Network connection issues were caused by changes that the virus made to my registry. I believe that the safe mode problem is somewhere in the registry as well. I just don't know exactly where in the registry to look. I've been doing a lot of Google searching, Maybe I'll find something there. I see a utility called "ComboFix" but I'm afraid to run it for fear of breaking something else. That would be a real bummer since I'm so close to being fixed.

Any ideas on why I get the BSOD when entering safe mode?

Thanks so much for all of your help,
CC

 

[Osiris]

I still need to see the log. Just because other programs dont report anything doesn't mean your system is clean or free on invalid entries, etc.

 

[Captain Computer]

Sorry for the delay. Things have been really hectic around here for the last week or so. Here is my HJT log.

--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:17 AM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\WINDOWS\system32\Fidmsflt.exe
C:\WINDOWS\system32\FidGrap.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program

Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot -

Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program

Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt

9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [FIDMSFLT] Fidmsflt.exe
O4 - HKLM\..\Run: [FIDMGREP] FidGrap.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\Bob\Application Data\m\flec006.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program

Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program

Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks

2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network

Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network

Associates\McShield\Mcshield.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero

BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. -

C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common

Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common

Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program

Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program

Files\WinPcap\rpcapd.exe
O23 - Service: Z-SAN Service (Z-SANService) - Zetera Corporation - C:\Program Files\NETGEAR\NETGEAR Storage

Central Manager Utility\Z-SANService.exe

--
End of file - 7747 bytes
--------------------------------------------------------------------------

System appears to be running fine right now. Only issue that I can see is that I am still unable to boot into "Safe Mode". I will fix that when I get some time. I can live with it like that for a few days.

Files that I cleaned off of my system were. Wintems.exe, Beep.sys, Hidr.exe, Hldrrr.exe, Srosa.sys, Flec006.exe, and Mdelk.exe. Plus a folder named Dwnload that was full of executable files with numbers for file names. (264869147.exe for example) and located in my Windows\System32\Drivers folder plus a ton of registry entries that were either added or changed on my system. Truly a virus that I will never forget. My flash drives were infected and they would, in turn, infect anything else that they were plugged into. I disabled "Autorun" on an old XP system that I had and was able to then plug the flash drive into that system without infecting it and then format the drives so my flash drives are again usable.

Thanks,
CC

 

[Osiris]

remove these entries

O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\Bob\Application Data\m\flec006.exe

O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)