[SOLVED] Badly Infected pc
29th December 2007, 05:40 PM, posted by Rik (TST Master)
Hi all, I have a badly infected PC here that belongs to a friend of a friend.
I am attaching ComboFix and HJT logs only at the moment, as AVG Anti-Spyware is totally kaput at the moment.
Panda found no problems.
"If at first you do not succeed, sit down, have a coffee, have a smoke, and think for a bit. If that still doesn't work, post it on TST".
Last edited by Howard; 12th January 2008 at 08:25 PM.
Reason: Removed attachment.
29th December 2007, 06:03 PM, posted by Howard (TST Master)
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
FFI
Local Security Manager (LocalAgent)
Microsoft Inet Services
Close the services window.
Go to add/remove programmes in your control panel and uninstall anything to do with (if there):
XP Codec Pack
Close control panel.
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\WINDOWS\TEMP\hpsvs34a
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\mmall.exe
C:\WINDOWS\system32\hhoi.dll
C:\WINDOWS\system32\svchost.exe:exm.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\mmoc1.exe
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svchost.tmp
C:\WINDOWS\AviSplitter.INI
C:\WINDOWS\system32\Drivers\Xfk27.sys
Folder::
C:\Program Files\XP Codec Pack
C:\kizzer codedec's
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP Codec Pack"=-
"Microsoft all"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft all"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CKpvfLRqD"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FFI]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\init_2e73-5195]
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
Please run the Panda Antirootkit scan as per step 9 of these instructions and let me know the results.
Regards Howard
This thread is for the use of Rik only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.
Last edited by Howard; 29th December 2007 at 06:06 PM.
29th December 2007, 06:35 PM, posted by Rik (TST Master)
LOL, one minor problem has just arisen. Seems my friend took the PC with him when he was supposed to leave it for me to get sorted out.
I will follow all instructions just as soon as said pc has returned.
29th December 2007, 06:38 PM, posted by Howard (TST Master)
No worries mate, just follow the instructions as soon as you can get your hands on the machine.
Regards Howard
30th December 2007, 10:07 AM, posted by Rik (TST Master)
Hi, I'm on the infected PC right now.
Panda found 2 rootkits that I instructed it to remove.
ComboFix and HJT logs attached below.
Sorry, but the HJT log won't seem to upload at all (tried 5 times).
Last edited by Howard; 12th January 2008 at 08:25 PM.
Reason: Removed attachments.
30th December 2007, 10:27 AM, posted by Howard (TST Master)
Unfortunately, it seems you forgot to attach a fresh HJT log.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily. Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE. In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Go to add/remove programmes in your control panel and uninstall anything to do with (if there):
XP Codec Pack
Close control panel.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there):
mmoc1.exe
vmmreg32.exe
mmall.exe
exm.exe
Close task manager.
Locate and delete the following files and/or folders (if there):
C:\qoobox
C:\WINDOWS\system32\svchost.exe:exm.exe
C:\WINDOWS\system32\Drivers\Xfk27.sys
C:\WINDOWS\system32\hhoi.dll
C:\WINDOWS\mmall.exe
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\mmoc1.exe
C:\WINDOWS\AviSplitter.INI
C:\Program Files\XP Codec Pack
C:\kizzer codedec's
Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.
Navigate to the following reg keys and delete the portion after the last backslash in each:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP Codec Pack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft all
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft all
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CKpvfLRqD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfk27.sys
Close regedit.
Reboot into normal mode and rehide your protected OS files.
Post fresh HJT and Combofix logs.
Regards Howard
Edit: I have removed your previous HJT log. You should now be able to attach a fresh HJT log after following the instructions above.
30th December 2007, 10:44 AM, posted by Rik (TST Master)
I have now managed to attach the HJT log to the previous post. The file extension had become corrupted somehow; I renamed it and it uploaded OK.
30th December 2007, 10:48 AM, posted by Howard (TST Master)
No worries mate, just follow the instructions in my post above and post the log files once done.
Regards Howard
30th December 2007, 12:31 PM, posted by Rik (TST Master)
All instructions followed, eventually; this PC is only a P3 800 MHz so it took an ice age or 2 lol.
Hopefully the new logs will attach properly this time.
[EDIT]
I have done a little work on it myself and the only problem I have left is:
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\TEMP\hpsvs34a (file missing)
I have checked the destination and the file is definitely not there.
Last edited by Howard; 12th January 2008 at 08:26 PM.
Reason: Removed attachments.
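The O23 entry Rik quotes above points at a service with no owner whose binary lives under TEMP and is already gone, and the `svchost.exe:exm.exe` path in Howard's CFScript earlier is an NTFS alternate data stream hiding behind a real file; those are exactly the traits a log triage script can flag automatically. The Python below is an added example, not code from this thread or from HijackThis, and its sample log is constructed (only the first O23 line is taken from the post; the O4 lines and the second service line are made up), with `triage_hjt` and the regex names being my own.

```python
import re

# Constructed sample HJT log excerpt. Only the first O23 line comes from the
# thread; the O4 lines and the second O23 line are made up to exercise the checks.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [XP Codec Pack] C:\Program Files\XP Codec Pack\codec.exe
O4 - HKLM\..\Run: [Microsoft all] C:\WINDOWS\system32\svchost.exe:exm.exe
O4 - HKLM\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\TEMP\hpsvs34a (file missing)
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
"""

# HJT line shapes: "O4 - <hive>: [<name>] <path>" and
# "O23 - Service: <display> (<short>) - <owner> - <path>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")
# A second colon after the drive letter means "file:stream", an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")

def triage_entry(path, owner=None):
    """Return (cleaned path, list of suspicious traits) for one autorun or service entry."""
    flags = []
    if path.endswith("(file missing)"):          # HJT could not find the binary on disk
        flags.append("file-missing")
        path = path[: -len("(file missing)")].strip()
    if owner == "Unknown owner":                  # service binary carries no company name
        flags.append("unknown-owner")
    if "\\temp\\" in path.lower():                # legitimate services rarely run from TEMP
        flags.append("temp-path")
    if ADS_RE.match(path):                        # payload hidden in a stream behind a real file
        flags.append("alternate-data-stream")
    return path, flags

def triage_hjt(log_text):
    """Parse O4/O23 lines and return only the entries that have at least one flag."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            kind, name, owner = "O4", m["name"], None
        else:
            m = O23_RE.match(line)
            if not m:
                continue                          # other HJT sections are not handled here
            kind, name, owner = "O23", f"{m['name']} ({m['short']})", m["owner"]
        path, flags = triage_entry(m["path"], owner)
        if flags:
            findings.append({"kind": kind, "name": name, "path": path, "flags": flags})
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['kind']:4} {f['name']:40} {f['path']}  [{', '.join(f['flags'])}]")
```

The flags are heuristics for ordering what to look at first, not verdicts: the "XP Codec Pack" entry that Howard also removes passes every check here because nothing about its path alone looks wrong.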
30th December 2007, 02:41 PM, posted by Howard (TST Master)
There's still some infection left on that system.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
Local Security Manager (LocalAgent)
Close the services window.
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
2. Download the attached avengerscript.txt and save it to your desktop. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by double clicking on its icon on your desktop.
Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.
Regards Howard
Last edited by Howard; 12th January 2008 at 08:26 PM.
Reason: Removed attachment.
30th December 2007, 03:03 PM, posted by Rik (TST Master)
Local Security Manager (LocalAgent) was stopped in services.msc.
Avenger and HJT logs below.
Last edited by Howard; 12th January 2008 at 08:27 PM.
Reason: Removed attachments.
30th December 2007, 03:23 PM, posted by Howard (TST Master)
Have HJT fix this entry.
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\TEMP\hpsvs34a (file missing)
Close HJT and reboot the machine.
Run another HJT scan and see if that entry has gone. If it has, you're good to go.
If it's still there, please do the following.
Run HJT and click the config button, followed by the misc tools button. Click the Delete an NT service button and enter Local Security Manager into the dialogue box. Click ok and follow the prompts.
Once the machine has rebooted, run a HJT scan and see if the entry is still there.
Please let me know the results.
Regards Howard
Last edited by Howard; 30th December 2007 at 03:35 PM.
30th December 2007, 03:32 PM, posted by Rik (TST Master)
Neither worked, the entry is still there.
30th December 2007, 03:35 PM, posted by Howard (TST Master)
Ok, please do the following.
Disable all real time security programmes and try again.
See if that helps.
Regards Howard
Edit: Quote (originally posted by Rik): "Local Security Manager (LocalAgent) was stopped in services.msc."
Make sure the service is set to disabled as well as stopped.
Last edited by Howard; 30th December 2007 at 03:39 PM.
30th December 2007, 03:54 PM, posted by Rik (TST Master)
Entry gone, cheerz mate.
Bit of a nightmare one that!
Thanx for all the help, muchly appreciated.
30th December 2007, 03:58 PM, posted by Howard (TST Master)
That's great news mate.
Click start/run and type combofix /u into the run box and press the enter key.
This will uninstall ComboFix and delete all its folders etc.
If you have any further virus/spyware problems, please post in this thread.
You may want to mark this thread as solved, by clicking on the Thread Tools drop down list and selecting Mark Thread As Solved.
Regards Howard
This thread is now closed. If you need this thread unlocking, please PM a moderator with a link to the thread. Only the original thread starter can do this; anyone else will be ignored.
Last edited by Howard; 30th December 2007 at 04:26 PM.