Full Version: Antivirus software blocked!
Kaspersky Lab Forum > English User Forum > Virus-related issues
Lucian Bara
I agree, usually worms are quite nasty, and who knows what happened (perhaps a lot of changes to the Windows registry).
snook
This worm can infect the PC again in less time than it takes to format ...

It is preferable to determine the problem and to understand how to push back and avoid these hidden processes…
Don Pelotas
QUOTE(snook @ 25.09.2006 19:50)
This worm can infect the PC again in less time than it takes to format ...

It is preferable to determine the problem and to understand how to push back and avoid these hidden processes…

Thank you for that fascinating lecture. It's of course a good idea to understand why you got into the situation in the first place, but the advice to format and reinstall XP still stands, with all the things going on with Darik's PC, which is a lot more important than what we can make him try. A lot of time has already been put into this without Darik even being able to install Kaspersky yet... time for biting the bullet.
snook
I think, unfortunately, that he did not wait to read our opinions before formatting his hard disk… a pity!
mattek33
Hello, I have the same problem! I got a virus from eMule, downloading some exe files with a virus. Help :)
Lucian Bara
Hello,
what are your symptoms?
Does KAV detect anything?
mattek33
I had BitDefender 9 installed and then the virus deleted the exe files, so I wasn't able to uninstall BitDefender. I uninstalled it manually, but now I can't install any antivirus and I can't reboot into Safe Mode either. The same symptoms.
mattek33
I deleted those two files, d:\Documents and Settings\GB\Application Data\hidires\hidr.exe
and d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys, but it is the same. What to do?
Don Pelotas
First of all... this is the Kaspersky anti-virus forum; it's not a forum for general help with virus removal. You are of course welcome to try the trial of Kaspersky.

Did you try these steps to remove BD: http://kb.bitdefender.com/KB260-en--Additi...ll-methods.html ?
mattek33
I have good news :) I used Avenger and now I can install the antivirus. Great!
mattek33
Now we will see what will be... I rebooted the comp and the antivirus is still there... now I am scanning the system.
Don Pelotas
QUOTE(mattek33 @ 1.02.2007 23:13)
Now we will see what will be... I rebooted the comp and the antivirus is still there... now I am scanning the system.

What AV? Did you read my post?
mattek33
I will check the system with BD, Kaspersky and F-Secure. I must be sure!
ngr
Hello, I have the same problem.
I can't install Kaspersky Internet Security 6 and I can't boot into Safe Mode.

Here is my HijackThis log:

CODE
Logfile of HijackThis v1.99.1
Scan saved at 12:03:42, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
C:\AppServ\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\cisvc.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\Archivos de programa\NetLimiter 2 Pro\nlsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\IoctlSvc.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Archivos de programa\NetLimiter 2 Pro\NLClient.exe
E:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\UnHackMe\hackmon.exe
E:\Archivos de programa\Internet Explorer\iexplore.exe
E:\Archivos de programa\Internet Explorer\iexplore.exe
E:\WINDOWS\SYSTEM32\cidaemon.exe
E:\DOCUME~1\Nicolas\CONFIG~1\Temp\Rar$EX00.250\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.es/ie?hl={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.es/ie?hl={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.es/preferences?hl={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {FDA71F0E-2DF2-5ABA-391C-6EBEB85FA2BE} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "c:\Archivos de programa\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] c:\Archivos de programa\UnHackMe\hackmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Descargar con FDM - file://C:\Archivos de programa\Free Download Manager\dllink.htm
O8 - Extra context menu item: Descargar selección con FDM - file://C:\Archivos de programa\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Descargar todo con FDM - file://C:\Archivos de programa\Free Download Manager\dlall.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: E:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04F414E9-E352-4BC3-963D-7BFE5A5F31A9} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1064_XP.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1CD4E2DC-2DA0-4154-8723-38CB04FB6A58} -
O16 - DPF: {525019DF-8282-40DC-A0E0-13C076889F66} (InstallerSf Control) - http://www.softonic.com/sinespias/installer.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_ES_XP.cab
O16 - DPF: {87C1805D-C5AE-4455-AB39-E245BB516136} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1059_XP.cab
O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF7410C1-FBA3-415E-800A-4110CED40536} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\ARCHIV~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2.2 - Unknown owner - C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/AppServ/mysql/bin/mysqld-nt.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Archivos de programa\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - E:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - E:\WINDOWS\devldr.exe (file missing)


thanks for your help,
Nicolas
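A small triage pass over a HijackThis log of the kind pasted above. This is an added example for this thread, not code from HijackThis, Kaspersky or any poster: the rules (a service marked "(file missing)", a Winlogon Notify entry that names a directory instead of a DLL, an O16 ActiveX entry with no source URL, an autorun entry launched from a profile or temp path) are heuristics chosen for illustration, and the sample lines are constructed after entries in the log above.

```python
"""Triage a HijackThis log for entries worth a second look.

Added example for this thread (not HijackThis's, Kaspersky's or any poster's
code). The rules are illustrative heuristics; the sample lines are constructed
after the kinds of entries seen in the log above.
"""
import re

# Constructed sample in HijackThis v1.99 line format.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ClamWin] "c:\\Archivos de programa\\ClamWin\\bin\\ClamTray.exe" --logon
O4 - HKCU\\..\\Run: [ctfmon.exe] E:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: NavLogon - E:\\WINDOWS\\
O20 - Winlogon Notify: SASWinLogon - C:\\Archivos de programa\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Windows Archiver (winarc) - Unknown owner - E:\\WINDOWS\\devldr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\\WINDOWS\\system32\\nvsvc32.exe
O16 - DPF: {1CD4E2DC-2DA0-4154-8723-38CB04FB6A58} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
"""

# Every HijackThis entry starts with a section code such as O4, O23 or R1.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return (section, reason) if the entry deserves review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O23":
        # A registered service whose binary is not found: either leftover junk
        # or a driver/loader that hides its own file from directory listings.
        if "(file missing)" in body:
            return (section, "service binary not found on disk")
        if "Unknown owner" in body:
            return (section, "service has no publisher information")
    if section == "O20":
        # Winlogon Notify packages load into every logon; an entry that points
        # at a directory rather than a .dll is not a usable notify package.
        path = body.split(" - ", 1)[-1]
        if not path.lower().endswith(".dll"):
            return (section, "Winlogon Notify entry does not name a DLL")
    if section == "O16":
        # Downloaded ActiveX entries with no URL cannot be attributed at all.
        if body.rstrip().endswith("-"):
            return (section, "ActiveX (DPF) entry has no source URL")
    if section == "O4":
        # Autoruns launched from a user profile or temp directory deserve a look.
        low = body.lower()
        if "documents and settings" in low or "\\temp\\" in low:
            return (section, "autorun launches from a user-profile or temp path")
    return None


def triage_log(text):
    """Return flagged entries as (section, reason, original line) tuples."""
    flagged = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            flagged.append((hit[0], hit[1], line))
    return flagged


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a saved HijackThis log by reading the file into `triage_log`; the flagged entries are a starting point for review, not a verdict, since a missing service binary can just as easily be an uninstalled product as a hidden file.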
Lucian Bara
Try a rootkit scan with GMER: http://www.gmer.net/
and post the log. Is anything found?
ngr
I don't paste all the log because it's very long, but GMER found these:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-21 13:51:40
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwCreateFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwOpenProcess
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys

---- Services - GMER 1.0.12 ----

Service E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys [MANUAL] m_hook <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
Lucian Bara
Right-click the m_hook.sys in the Services tab and choose "Delete this service".
Also, are there any hidden processes in the Processes tab (if I recall, they are displayed in red)?
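The GMER output above shows one driver, loaded from a user's "Datos de programa" folder, hooking several system service table (SSDT) entries. Which calls are hooked tells a responder what the machine can no longer report honestly: ZwQueryDirectoryFile and ZwCreateFile cover file listings and file access, ZwEnumerateKey and ZwQueryKey cover the registry, and ZwOpenProcess lets the driver refuse process handles to tools. The script below is an added example for this thread, not GMER's code or any poster's: it parses lines in GMER's text-log format, groups hooks by driver, flags drivers loaded from profile or temp paths, and annotates each hook with what it typically lets a rootkit filter. The HOOK_EFFECT table is general knowledge about SSDT hooking, the path markers are my choice, and the sample lines are constructed after the log above.

```python
"""Summarise GMER SSDT hook entries: which driver hooks which system call,
where that driver lives, and what each hook lets a rootkit hide.

Added example for this thread, not GMER's code. HOOK_EFFECT reflects general
knowledge of SSDT hooking; the sample lines are constructed after the log.
"""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.12 text-log format.
SAMPLE_GMER = """\
---- System - GMER 1.0.12 ----

SSDT \\??\\E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys ZwCreateFile
SSDT \\??\\E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys ZwEnumerateKey
SSDT \\??\\E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys ZwOpenProcess
SSDT \\??\\E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys ZwQueryDirectoryFile
SSDT \\??\\E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys ZwQueryKey

---- Services - GMER 1.0.12 ----

Service E:\\Documents and Settings\\Nicolas\\Datos de programa\\hidires\\m_hook.sys [MANUAL] m_hook <-- ROOTKIT !!!
"""

# What a hook on each call typically lets a driver filter out of the results
# returned to user mode (the defender's view: what can no longer be trusted).
HOOK_EFFECT = {
    "ZwQueryDirectoryFile": "file and directory listings",
    "ZwCreateFile": "file open/create (can deny access to its own files)",
    "ZwEnumerateKey": "registry subkey enumeration",
    "ZwQueryKey": "registry key information",
    "ZwOpenProcess": "process handles (can block tools from opening its process)",
}

# "SSDT <\??\driver path> <hooked function>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\\\?\?\\\S.*?\.sys)\s+(?P<func>\w+)$")
# "Service <driver path> [<start type>] <service name> ..."
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S.*?\.sys)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")

# Locations from which a legitimate kernel driver is essentially never loaded.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\")


def parse_ssdt_hooks(text):
    """Map each hooking driver path to the list of functions it hooks."""
    hooks = defaultdict(list)
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m.group("path")].append(m.group("func"))
    return dict(hooks)


def parse_services(text):
    """Return {service name: (driver path, start type)} for driver services."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services[m.group("name")] = (m.group("path"), m.group("start"))
    return services


def is_user_profile_path(path):
    """True when the driver lives under a profile or temp directory."""
    low = path.lower()
    return any(marker in low for marker in USER_PROFILE_MARKERS)


def assess(text):
    """Return findings as (driver path, hooked functions, effects, from_user_profile)."""
    findings = []
    for path, funcs in parse_ssdt_hooks(text).items():
        effects = [HOOK_EFFECT.get(f, "unknown effect") for f in funcs]
        findings.append((path, funcs, effects, is_user_profile_path(path)))
    return findings


if __name__ == "__main__":
    for path, funcs, effects, suspicious in assess(SAMPLE_GMER):
        print(f"{'SUSPICIOUS' if suspicious else 'review'}: {path}")
        for f, e in zip(funcs, effects):
            print(f"  {f:<22} -> can filter {e}")
    for name, (path, start) in parse_services(SAMPLE_GMER).items():
        print(f"service {name} [{start}] -> {path}")
```

Point `assess` at a full GMER text log and the driver path plus the hooked-call list is usually enough to explain the symptoms in this thread: with directory and registry enumeration hooked, the files cannot be seen or deleted from inside the running system, which is why removing the service (or scanning from outside the infected OS) works where deleting the files by hand did not.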
ngr
Thanks, I cleaned it with GMER and then I finally could install Kaspersky.

Thanks for all your help!