Removing Infections

#1 HAPPYCAMPER (New Member, 5 posts)

Thanks to your group getting me this far.

I guess this is a different person, therefore, to review this: an old computer with a new hard drive and a new XP install that got infected immediately after connecting to the internet. Didn't even have time to download SP2. I can't believe the speed with which it happened.

After running ewido and ad-aware several times, I seem to be unable to remove these four infected objects. In regedit I cannot delete the registry keys as they are predefined?? And I cannot remove the system32 file as it is in use. What now??? ;)

Here are the ewido & hijack logs.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:48:20 AM, 7/27/2005
+ Report-Checksum: 887EF8FD

+ Scan result:

HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Error during cleaning
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:52:47 PM, on 7/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
E:\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122319165069
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\USBBay.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)

Thanks again for any assistance. :tazz:

P.S. I have the infected computer off line and am shuffling programs via CD burner.

Edited by HAPPYCAMPER, 28 July 2005 - 10:33 AM.

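The parts of the log above that a helper reads first are the O23 service entries (three of them have no recorded owner, live directly in C:\WINDOWS, and one points at a file that no longer exists) and the ewido lines that report "Error during cleaning". The script below is an added example, not part of the thread and not code from HijackThis or ewido: it parses lines copied from the posted logs and applies three generic review rules. The rule set, the regular expressions and the function names are assumptions made for this example, not documented behaviour of either tool.

```python
"""Triage helper for HijackThis O23 entries and ewido scan results.

Constructed example: the sample lines below are copied from the logs posted
in this thread; the review rules are generic and are not the tools' own.
"""
import re

# Sample input (copied from the HijackThis log above; one non-O23 line
# included to show that other sections are skipped).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iTunes MusicService - Unknown owner - C:\WINDOWS\USBBay.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
"""

# Sample input (copied from the ewido report above).
SAMPLE_EWIDO = r"""
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Error during cleaning
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
"""

# O23 layout as it appears in the log: "display (short) - owner - path [(file missing)]".
# The short name in parentheses is optional (the ewido services lack it).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# ewido layout: "item -> detection : status".
EWIDO_RE = re.compile(r"^(?P<item>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")


def service_flags(match):
    """Generic review rules for one O23 entry (assumed for this example)."""
    reasons = []
    path = match["path"]
    folder = path.rsplit("\\", 1)[0].lower()
    if match["owner"].lower() == "unknown owner":
        reasons.append("no vendor/owner recorded for the service")
    if match["missing"]:
        reasons.append("service points at a file that is no longer present")
    if folder == r"c:\windows":
        reasons.append("binary sits directly in the Windows folder, not system32 or Program Files")
    return reasons


def triage_hijackthis(text):
    """Map each flagged service binary to the list of reasons it deserves a look."""
    findings = {}
    for line in text.splitlines():
        match = O23_RE.match(line.strip())
        if not match:
            continue
        reasons = service_flags(match)
        if reasons:
            findings[match["path"]] = reasons
    return findings


def uncleaned_ewido_items(text):
    """Items ewido detected but did not report as cleaned, grouped by detection name."""
    leftovers = {}
    for line in text.splitlines():
        match = EWIDO_RE.match(line.strip())
        if match and not match["status"].lower().startswith("cleaned"):
            leftovers.setdefault(match["detection"], []).append(match["item"])
    return leftovers


if __name__ == "__main__":
    for path, reasons in triage_hijackthis(SAMPLE_HJT).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
    for detection, items in uncleaned_ewido_items(SAMPLE_EWIDO).items():
        print(detection, "still present in:", ", ".join(items))
```

Run against the sample lines, the three services registered under C:\WINDOWS are flagged and the two AVG/ewido services are not; the ewido pass lists the two ISTbar registry keys as the leftovers still needing manual attention. The rules are deliberately conservative: an "Unknown owner" or a binary in an unusual folder is a reason to look, not a verdict.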
#2 Buckeye_Sam (Malware Expert, 10,019 posts)

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3 HAPPYCAMPER (Topic Starter, New Member, 5 posts)

Thanks Sam,

I finally decided to go another route which should eliminate malware in the OS and the ISP.

I formatted the hard drive, zero filled, and formatted again. Then I installed XP SP1 with an OEM disk as a new installation. Before connecting I loaded the antivirus and ad-aware and scanned the system. No infections. I went immediately to the Microsoft activation site and activated the software and immediately turned off the modem. Next I went directly to the update site to download SP2. I didn't succeed. I started getting the original problem, which was incomplete downloads and lsass.exe critical shutdowns.

My ISP has firewalls and security built in and I have had no trouble with other computers.

The only other possibility I can think of for this type of problem would be the BIOS.
I have concerns with the BIOS programming because it does not scan the memory at the start of boot up, and when you are setting up the options the cursor has a waggly :tazz: shaft which I don't remember seeing before in a setup menu.

Since this computer is an eMachine Monster 600, there is absolutely no support from the manufacturer in regards to flashing the BIOS.

Because I have spent more time on this machine than it is worth, I am calling it a write-off and salvaging the hard drive and memory.

But for my own peace of mind do you think I was on the right track??? ;) :)

Thank you again for your assistance and for your ear for my rant.

Happycamper.

Edited by HAPPYCAMPER, 30 July 2005 - 06:48 PM.


#4 Buckeye_Sam (Malware Expert, 10,019 posts)

The infection that shows up in your log is the rdriv.sys rootkit. There is a tool and a procedure to remove it that would have likely taken care of it without too much trouble.

I always look at formatting as a very last resort. But it is always an option if you don't mind losing everything on your hard drive.