
Hi everyone,

I know how busy everyone is and sincerely apologize for taking up your time, but I believe I've been bested by some sort of malicious program.
I knew I had some sort of infection for a while, as Google Chrome would redirect to random websites whenever I clicked on a web search result.
The situation took a turn for the worse when I left my computer on for a few hours while I ran some errands. When I got back, Chrome would no longer work, and my email has become difficult to access. By difficult I mean it seems to only let me log in one out of ten times that I try.
I have quarantined this value {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} using "Security Task Manager". I ran a search for it in my registry and it was apparently found under the folder "root" with a bunch of stuff called "LEGACY". I didn't mess with my registry beyond that, though. Also, Malwarebytes has informed me that I have a Rootkit.Agent located at C:\WINDOWS\system32\drivers\zhklr.sys
I would greatly appreciate some assistance with this. Thank you for taking the time to read this.

4 Contributors, 8 Replies, 9 Views, 7 Years Discussion Span, Last Post by NomDeGrilla

Hi
I am a novice myself, but the guys on here are really helpful. I would suggest you read all the threads at the start of the Microsoft virus section, as they will tell you what to do and where to go next to get a response for your query.
The best advice I can give you is not to delay if you suspect you have a virus; it is better to solve the problem quickly before too much damage is done. I am sorry I cannot be of more help.
Kind Regards Marie


Rootkits typically spell disaster. I would recommend not risking it and reformatting your drives. Removing them is extremely difficult and getting all of it is nigh impossible. There are some people who feel they are confident in removing the rootkit, however in my opinion unless you have written the rootkit yourself you never truly know everything it can do and therefore you know nothing. Play it safe, computer security is serious business even though most people tend to wave their hands disparagingly at it ;)


Here are the HijackThis log and the Malwarebytes log for my computer.

Again, I thank in advance anyone who can take a small amount of time to help me with this!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:44 PM, on 2/14/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SeaMonkey\seamonkey.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:///
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6236 bytes


Malwarebytes' Anti-Malware 1.44
Database version: 3739
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/14/2010 6:37:20 PM
mbam-log-2010-02-14 (18-37-19).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 156452
Time elapsed: 42 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\zhklr.sys (Rootkit.Agent) -> Delete on reboot.
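
An added example, not part of this thread (the names parse_hjt, resolve_clsid and review are my own), in Python: it parses HijackThis lines like the ones posted above, resolves a CLSID to the DLL that CLSID loads, and flags the entries a reviewer would look at first. Run against the posted log it makes one point nobody in the thread states: the O2 line maps {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} to C:\Program Files\AVG\AVG9\avgssie.dll, AVG's own LinkScanner browser helper, so quarantining that object in Security Task Manager disabled part of the poster's antivirus rather than the rootkit. The driver Malwarebytes named, zhklr.sys, does not appear in HijackThis at all, because HJT lists services (O23) but not kernel-mode drivers; a driver's footprint is its HKLM\SYSTEM\CurrentControlSet\Services\<name> key and the Enum\Root\LEGACY_<NAME> entry Windows creates for non-PnP drivers, which is the kind of key the "root ... LEGACY" hit in the first post refers to, not a CLSID. The sample lines are copied from the posted log (a constructed subset, so the script runs offline).

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log posted
# above, kept verbatim so the parser runs offline on realistic input.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:///
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# HJT line shape: "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# First absolute Windows path ending in a loadable extension; quotes optional.
PATH_RE = re.compile(r'"?([A-Z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cpl))"?', re.I)


def normalize_guid(guid):
    """Upper-case and drop whitespace (the first post has a line-wrap space inside the GUID)."""
    return re.sub(r"\s+", "", guid).upper()


def parse_hjt(text):
    """One dict per HJT entry: section, raw body, CLSID (if any) and the binary it names."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": normalize_guid(guid.group(0)) if guid else None,
            "path": path.group(1) if path else None,
        })
    return entries


def resolve_clsid(entries, guid):
    """Every entry carrying this CLSID, i.e. the DLL Windows loads for it."""
    want = normalize_guid(guid)
    return [e for e in entries if e["clsid"] == want]


PROFILE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")
LOADER_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}


def review(entries):
    """Cheap triage: (section, reason) for entries worth a second look. Not a verdict."""
    findings = []
    for e in entries:
        sec, body, path = e["section"], e["body"], e["path"]
        if sec == "R0" and body.rstrip().endswith("= http:///"):
            findings.append((sec, "empty start-page URL (hijack or its cleanup remnant)"))
        if sec in LOADER_SECTIONS and path is None:
            findings.append((sec, "bare file name, resolved by search order at run time: " + body))
        if path and any(d in path.lower() for d in PROFILE_DIRS):
            findings.append((sec, "loads from a user-profile/temp directory: " + path))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(HJT_SAMPLE)
    # The GUID exactly as the first post wrote it, stray space included.
    for hit in resolve_clsid(entries, "{3CA2F312-6F6E-4B53-A66E-4E65E 497C8C0}"):
        print(hit["section"], hit["clsid"], "->", hit["path"])
    for sec, why in review(entries):
        print(sec, why)
```

The CLSID lookup is the part worth keeping: do it before anything is quarantined. The triage list is deliberately noisy; GoogleUpdate.exe legitimately lives under the user's Local Settings and is listed only because any binary loading from a profile directory deserves a look.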


Files Infected:
C:\WINDOWS\system32\drivers\zhklr.sys (Rootkit.Agent) -> Delete on reboot.

And DID you reboot? This is a KEY part of MBA-M instructions, REBOOT after clicking Remove Selected.

Turn this program OFF and leave it turned off.
BitTorrent DNA
Good way to get infected is by doing P2P file sharing.
Do the following:
Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer.

Post back here with the ESET scan log.
Judy


Thank you so much for listening to my situation, I truly do appreciate it.

In answer to your question, I did reboot after finishing my MBA-M scan. I've done that scan a few times recently, and even after rebooting and running another MBAM scan... the nasty file is still there.

I've removed BitTorrent DNA; I don't use it anymore. I'm pretty sure it's completely off my computer now.

I've run the ESET scan as per your instructions and rebooted... here is the log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-28 06:13:07
# local_time=2009-11-27 10:13:07 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 6951660 6951660 0 0
# compatibility_mode=8192 67108863 100 0 6946502 6946502 0 0
# scanned=35209
# found=0
# cleaned=0
# scan_time=747
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-03 02:23:51
# local_time=2010-01-03 06:23:51 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 10091159 10091159 0 0
# compatibility_mode=1024 16777215 100 0 5247770 5247770 0 0
# compatibility_mode=8192 67108863 100 0 10086001 10086001 0 0
# scanned=35607
# found=2
# cleaned=2
# scan_time=1094
C:\WINDOWS\Temp\c7cf8d90.exe a variant of Win32/Kryptik.BIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} a variant of Win32/Bamital.B trojan (contained infected files) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-03 03:38:47
# local_time=2010-01-03 07:38:47 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 10095765 10095765 0 0
# compatibility_mode=1024 16777175 100 0 5252376 5252376 0 0
# compatibility_mode=8192 67108863 100 0 10090607 10090607 0 0
# scanned=36187
# found=1
# cleaned=1
# scan_time=981
${Memory} a variant of Win32/Bamital.B trojan (contained infected files) 00000000000000000000000000000000 C
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-04 10:33:53
# local_time=2010-01-04 02:33:53 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 10160907 10160907 0 0
# compatibility_mode=1024 16777191 100 0 5317518 5317518 0 0
# compatibility_mode=8192 67108863 100 0 10155749 10155749 0 0
# scanned=35241
# found=0
# cleaned=0
# scan_time=3948
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-12 04:27:23
# local_time=2010-01-11 08:27:23 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 10831304 10831304 0 0
# compatibility_mode=1024 16777191 100 0 5987915 5987915 0 0
# compatibility_mode=8192 67108863 100 0 10826146 10826146 0 0
# scanned=37804
# found=0
# cleaned=0
# scan_time=2757
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-06 01:00:42
# local_time=2010-02-05 05:00:42 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 12978223 12978223 0 0
# compatibility_mode=1024 16777191 100 0 8134834 8134834 0 0
# compatibility_mode=8192 67108863 100 0 12973065 12973065 0 0
# scanned=37489
# found=0
# cleaned=0
# scan_time=3448
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-14 01:55:12
# local_time=2010-02-13 05:55:12 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 13671791 13671791 0 0
# compatibility_mode=1024 16777215 100 0 8828402 8828402 0 0
# compatibility_mode=8192 67108863 100 0 13666633 13666633 0 0
# scanned=37820
# found=0
# cleaned=0
# scan_time=4341
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=85f73205db79fd49aa0d742cbb65cebd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-15 08:20:12
# local_time=2010-02-15 12:20:12 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 13780142 13780142 0 0
# compatibility_mode=1024 16777215 100 0 8936753 8936753 0 0
# compatibility_mode=8192 67108863 100 0 13774984 13774984 0 0
# scanned=38200
# found=0
# cleaned=0
# scan_time=5506
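
An added example, again Python and not part of the original thread (parse_eset, split_detection, timeline, recurring and count_mismatches are my own names), that reads the ESET Online Scanner log above as what it is: every scan appended to one file, a block of "# key=value" headers followed by one line per detection. The constructed sample embeds three of the eight records, verbatim but trimmed of header keys the parser ignores. Read as a timeline the log says more than "found=0": on 2010-01-03 ESET deleted a Win32/Kryptik dropper in C:\WINDOWS\Temp and counted Win32/Bamital.B in memory as cleaned, then found Bamital.B in memory again about 75 minutes later, which is what cleaning a process image without removing its loader on disk looks like (Bamital is a search-redirect/click-fraud family, matching the redirect symptom in the first post). Every later scan, with antistealth enabled, found nothing, while Malwarebytes kept flagging zhklr.sys after repeated "Delete on reboot" passes. Two engines disagreeing is not a clean bill of health: a delete-on-reboot is carried out early in boot by the session manager, after boot-start drivers are already loaded, so a driver that loads that early, or re-creates its file, survives it. The check is whether C:\WINDOWS\system32\drivers\zhklr.sys is still present after the reboot and whether any key under HKLM\SYSTEM\CurrentControlSet\Services has an ImagePath naming it.

```python
import re
from datetime import datetime

# Constructed sample: three of the scan records from the ESET log posted
# above, verbatim but trimmed to the header keys this parser uses.
ESET_SAMPLE = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# antistealth_checked=true
# utc_time=2010-01-03 02:23:51
# scanned=35607
# found=2
# cleaned=2
C:\WINDOWS\Temp\c7cf8d90.exe a variant of Win32/Kryptik.BIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} a variant of Win32/Bamital.B trojan (contained infected files) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=true
# antistealth_checked=true
# utc_time=2010-01-03 03:38:47
# scanned=36187
# found=1
# cleaned=1
${Memory} a variant of Win32/Bamital.B trojan (contained infected files) 00000000000000000000000000000000 C
# version=7
# end=finished
# remove_checked=true
# antistealth_checked=true
# utc_time=2010-02-15 08:20:12
# scanned=38200
# found=0
# cleaned=0
"""

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def split_detection(line):
    """Detection line layout: '<object> <verdict> (<action>) <32-hex digest> <flag>'.
    Returns None for anything else (preamble lines, esets_scanner_update noise)."""
    parts = line.rsplit(" ", 2)
    if len(parts) != 3 or not HEX32.fullmatch(parts[1]) or not parts[0].endswith(")"):
        return None
    head, _, action = parts[0][:-1].rpartition(" (")
    # Object paths may contain spaces, so split on ESET's verdict prefix when present.
    for marker in (" probably a variant of ", " a variant of "):
        if marker in head:
            obj, name = head.split(marker, 1)
            return {"object": obj, "verdict": marker.strip() + " " + name, "action": action}
    obj, _, name = head.partition(" ")  # fallback: object has no spaces
    return {"object": obj, "verdict": name, "action": action}


def parse_eset(text):
    """Split the appended log into records; each '# version=' line starts a new scan."""
    scans, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):
            cur = {"meta": {}, "detections": []}
            scans.append(cur)
        if cur is None or not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            cur["meta"][key] = value
            continue
        det = split_detection(line)
        if det:
            cur["detections"].append(det)
    return scans


def timeline(scans):
    """(utc datetime, found, cleaned, [verdicts]) per scan, oldest first."""
    rows = []
    for s in scans:
        m = s["meta"]
        when = datetime.strptime(m["utc_time"], "%Y-%m-%d %H:%M:%S")
        rows.append((when, int(m.get("found", 0)), int(m.get("cleaned", 0)),
                     [d["verdict"] for d in s["detections"]]))
    return sorted(rows, key=lambda r: r[0])


def count_mismatches(scans):
    """Scans whose 'found' header disagrees with the detection lines parsed (parser sanity check)."""
    return [s["meta"]["utc_time"] for s in scans
            if int(s["meta"].get("found", 0)) != len(s["detections"])]


def recurring(scans):
    """(object, verdict) pairs seen in more than one scan: the 'clean' did not hold."""
    seen = {}
    for s in scans:
        for d in s["detections"]:
            seen.setdefault((d["object"], d["verdict"]), set()).add(s["meta"]["utc_time"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    scans = parse_eset(ESET_SAMPLE)
    for when, found, cleaned, verdicts in timeline(scans):
        print(when, "found=%d cleaned=%d" % (found, cleaned), verdicts)
    for (obj, verdict), times in recurring(scans).items():
        print("RECURRING:", obj, verdict, times)
```

Paste the whole posted log in place of the sample and recurring() reports the same single pair; the remaining six records are all found=0. That is evidence the engine does not see anything it knows how to name, not evidence the driver is gone.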


Update MBA-M and do another Full Scan and Remove all found. Reboot and run another HJT scan.
Post back with both logs.
Judy


This morning when I started it up, the screen was blank. It wouldn't respond to the power button on the CPU, so I hit the power bar switch off then back on again. It worked then... I ran another MBAM scan, and this time it found 6 malicious items, and none of them were the initial zhklr.sys?! I clicked Remove Selected. However, upon reboot, the screen was blank. I have tried to power off and on multiple times and the screen is still blank.
I tried hitting F8, and one out of five times I power it back on I can get to the F8 screen... but when I try to boot in Safe Mode, Safe Mode with Networking, or the last known working settings, it freezes again.
Should I try all the different F8 options?


I did a system recovery, not the destructive one. In the end my computer is back online and all my data was saved!

Thanks jholland1964 and everyone else who commented on this thread!!
