Free Malware Removal Forum

[kaypo]

ESET Scanner result:

D:\I386\Apps\APP16524\src\HPSummer2005.exe a variant of Win32/AdInstaller application
D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP11\A0006463.exe probably a variant of Win32/Agent.HVEUCPZ trojan

MBRCheck Log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x000003fd

Kernel Drivers (total 121):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CE000 \WINDOWS\system32\hal.dll
0xF8973000 \WINDOWS\system32\KDCOM.DLL
0xF8883000 \WINDOWS\system32\BOOTVID.dll
0xF8344000 ACPI.sys
0xF8975000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8333000 pci.sys
0xF8473000 isapnp.sys
0xF8483000 ohci1394.sys
0xF8493000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8977000 intelide.sys
0xF86F3000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF84A3000 MountMgr.sys
0xF8314000 ftdisk.sys
0xF86FB000 PartMgr.sys
0xF84B3000 VolSnap.sys
0xF82FC000 atapi.sys
0xF82D9000 fasttx2k.sys
0xF82C1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF84C3000 disk.sys
0xF84D3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF82A2000 fltMgr.sys
0xF8290000 sr.sys
0xF8703000 PxHelp20.sys
0xF8279000 KSecDD.sys
0xF81EC000 Ntfs.sys
0xF81BF000 NDIS.sys
0xF81A4000 Mup.sys
0xF8553000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF8533000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF77C3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF879B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF777C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF87A3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF776A000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF7634000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF87AB000 \SystemRoot\System32\Drivers\Modem.SYS
0xF87B3000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7620000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8543000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8563000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8573000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF75FD000 \SystemRoot\system32\DRIVERS\ks.sys
0xF87BB000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF8AAF000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8583000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF894F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF75E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7932000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7922000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF87C3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF75D5000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7912000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF87CB000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF87D3000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7902000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF87DB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF87E3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF898B000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF75A1000 \SystemRoot\system32\DRIVERS\update.sys
0xF895F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA4FA000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA4D9000 \SystemRoot\system32\drivers\portcls.sys
0xF78D2000 \SystemRoot\system32\drivers\drmk.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8991000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF87EB000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8993000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B2F000 \SystemRoot\System32\Drivers\Null.SYS
0xF8995000 \SystemRoot\System32\Drivers\Beep.SYS
0xF87FB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8803000 \SystemRoot\System32\drivers\vga.sys
0xF8997000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8999000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF880B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8813000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8913000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA38E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA336000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA30E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA2EC000 \SystemRoot\System32\drivers\afd.sys
0xF85A3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF881B000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xAA2C1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA22A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF85B3000 \SystemRoot\System32\Drivers\Fips.SYS
0xAA209000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF85C3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF85D3000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF882B000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF883B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF893B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF85E3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAA143000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF89A1000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xAA790000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAA78C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAA120000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF86C3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAA0E0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF89F5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAA29D000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8753000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8BC1000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF040000 \SystemRoot\System32\ialmdev5.DLL
0xBF070000 \SystemRoot\System32\ialmdd5.DLL
0xA9FB3000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA9FDC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9D06000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9C29000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9D5B000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9865000 \SystemRoot\system32\DRIVERS\srv.sys
0xA94B4000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
0 System Idle Process
4 System
508 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
644 C:\WINDOWS\system32\services.exe
656 C:\WINDOWS\system32\lsass.exe
820 C:\WINDOWS\system32\svchost.exe
876 svchost.exe
944 C:\WINDOWS\system32\svchost.exe
1008 svchost.exe
1096 svchost.exe
1364 C:\WINDOWS\system32\spoolsv.exe
1396 C:\WINDOWS\explorer.exe
1452 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1556 svchost.exe
1592 C:\WINDOWS\system32\hkcmd.exe
1600 C:\WINDOWS\system32\igfxpers.exe
1628 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1648 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1708 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1736 C:\WINDOWS\system32\ctfmon.exe
1760 C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
1772 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
1892 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
248 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
392 C:\Program Files\Java\jre6\bin\jqs.exe
416 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
568 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
996 C:\WINDOWS\system32\svchost.exe
1080 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1148 wdfmgr.exe
2460 alg.exe
2700 C:\hp\KBD\KBD.exe
2768 C:\WINDOWS\SOUNDMAN.EXE
2820 C:\WINDOWS\ALCMTR.EXE
2848 C:\WINDOWS\ALCWZRD.EXE
2932 C:\WINDOWS\AGRSMMSG.exe
3076 C:\WINDOWS\system\hpsysdrv.exe
3108 C:\WINDOWS\system32\wuauclt.exe
3204 C:\Program Files\iTunes\iTunesHelper.exe
3232 C:\Program Files\iPod\bin\iPodService.exe
1932 C:\WINDOWS\system32\dllhost.exe
480 msdtc.exe
3180 C:\Program Files\Mozilla Firefox\firefox.exe
1420 C:\Program Files\Mozilla Firefox\plugin-container.exe
3420 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`7fe80000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3160023AS, Rev: 3.43

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!

[deltalima]

Hi kaypo,

There is a file we need to check on drive D:
If it is a USB drive make sure the drive that was inserted when the ESET scan was run is still inserted.

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:

D:\I386\Apps\APP16524\src\HPSummer2005.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

[kaypo]

Virustotal results:

: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: 5b059443bea4964f15cf628b59b8a56d
Date first seen: 2007-06-10 12:34:19 (UTC)
Date last seen: 2010-08-10 07:36:18 (UTC)
Detection ratio: 19/42

[deltalima]

Hi kaypo,

• Click Start, point to Settings, and then click Control Panel.
• In Control Panel, double-click Add or Remove Programs.
• In Add or Remove Programs,
  highlight J2SE Runtime Environment 5.0
  click Remove
• Close the Add or Remove Programs and the Control Panel windows.

Run OTL Script

• Double-click OTL.exe to start the program.
• Copy and Paste the following code into the textbox. Do not include the word Code
  

  Code: Select all

  :files
  c:\program files\mywebsearch
  c:\program files\funwebproducts
  D:\I386\Apps\APP16524\src\HPSummer2005.exe
  :commands
  [EMPTYTEMP]
  [EMPTYFLASH]
  [REBOOT]
  

• Then click the Run Fix button at the top.
• Click .
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Please let me know how the computer is running now.

[kaypo]

Hello, please find the OTL log below.

OTL log:

All processes killed
========== FILES ==========
File\Folder c:\program files\mywebsearch not found.
File\Folder c:\program files\funwebproducts not found.
D:\I386\Apps\APP16524\src\HPSummer2005.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Compaq_Owner
->Temp folder emptied: 198518835 bytes
->Temporary Internet Files folder emptied: 49735928 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 106044085 bytes
->Flash cache emptied: 3669 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4266120 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 10616 bytes

Total Files Cleaned = 342.00 mb


[EMPTYFLASH]

User: All Users

User: Compaq_Owner
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.20.1 log created on 01112011_100627

Files\Folders moved on Reboot...
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll moved successfully.

Registry entries deleted on Reboot...

[deltalima]

Hi kaypo,

Now that you are clean, please follow these steps in order to keep your computer clean and secure.

Remove GMER

Delete the GMER icon from your desktop.

Clean up with OTL

• Double-click OTL.exe to start the program. This will remove all the tools we used to clean your pc.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CleanUp! button
• Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:

• Press Start >> All Programs >> Accessories >>System Tools >> System Restore
• Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
• Now remove old, infected System Restore points:
• Next click Start >> Run and type cleanmgr in the box and press OK
• Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
• Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
• Press OK and Yes to confirm

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

IMPORTANT – you need to update to XP SP3 and IE version 8
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

[kaypo]

Will do, and thank you so much.

[deltalima]

You're weclome!

Glad we could help.

[NonSuch]

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.