Virus Net-Worm Win32 Bobik, Constant Computer Crash

[JPS]

Hi,

We inserted a CD provided by Samsung for a mobile phone to download some photos.

The CD had the Net Worm Win 32 Bobik.dk virus. Kaspersky seemed to handle the virus but we have had constant crashes and bleeping computer since.

Both Kaspersky and your scans do not indicate any infection but computer still crashes.

Any help would be great, logs for Malware and Hijack This are attached.

Cheers,

Justin

PS. Also had this other old Trojan that I was advised was a read error but sill shows up on your scans!!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4132

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

23/05/2010 3:37:35 PM

mbam-log-2010-05-23 (15-37-35).txt

Scan type: Quick scan

Objects scanned: 180982

Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:45:12 PM, on 23/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\wanmpsvc.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\LTMSG.exe

D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

D:\WINDOWS\System32\keyhook.exe

D:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

D:\WINDOWS\system32\igfxtray.exe

D:\WINDOWS\system32\hkcmd.exe

D:\WINDOWS\system32\igfxpers.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\system32\sistray.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*;172.*;127.*;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll

O2 - BHO: SearchHelperBho - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] D:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [siSUSBRG] D:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [mxomssmenu] "D:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Utility Tray.lnk = D:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Add to Anti-Banner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm

O8 - Extra context menu item: Google Sidewiki... - res://D:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: QBCFMonitorService - Intuit - D:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: QuickBooksDB18 - Unknown owner - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe (file missing)

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - D:\WINDOWS\wanmpsvc.exe

--

End of file - 7379 bytes

[kahdah]

Hello JPS

Welcome to Malwarebytes.

=====================

• Please download OTH.scr to your desktop.
  
• Download OTL to your desktop.
  
• Double click the OTH file and select Kill All Processes, your desktop will go blank
  
  Then select Start OTL OTL will now run
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Under the Standard Registry box change it to All.
  
• Under Custom scan's and fixes section paste in the below in bold
  

  
  

  netsvcs
  
  
  %SYSTEMDRIVE%\*.*
  
  
  %systemroot%\*. /mp /s
  
  
  CREATERESTOREPOINT
  
  
  %systemroot%\system32\*.dll /lockedfiles
  
  
  %systemroot%\Tasks\*.job /lockedfiles
  
  
  %systemroot%\System32\config\*.sav
  
  
  %systemroot%\system32\drivers\*.sys /90

  
  

• Check the boxes beside LOP Check and Purity Check.
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
    

====================

Download the following GMER Rootkit Scanner from Here

• Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  
• Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  
• It may take a minute to load and become available.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  

  
  

• IAT/EAT
  
  
• Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  
  
• Show All (don't miss this one)

  
  

• Then click the Scan button & wait for it to finish.
  
• Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop
  
• **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  
• Click OK and quit the GMER program.
  
• Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  
• Post that log in your next reply.
  

[JPS]

Hi kahdah,

Thanks for your email.

I am working on an old laptop as can't access internet via the infected computer, in fact at the momenet can not even log onto the system.

Can I attend to your email request via Windows Safe Mode?

Please let me know,

Cheers,

Justin

[JPS]

Hi again,

Just to let you know that I can open windows in any format.

I can open the recovery consule, however not sure what steps are best to follow after this?

Please let me know next options?

Cheers,

Justin

[JPS]

Sorry, meant to say can't open windows in any format!!

[kahdah]

OK do you get a blue screen?

If so what does it say?

Tell me exactly what is happening when you turn on the computer?

[JPS]

Hi Again,

Just to let you know that my monitor has now crashed and I can't access the computer.

I have sent the monitor and computer to the tech to see what is happening.

Thanks for your help, I will post another response when I get my computer back.

Cheers,

Justin

[kahdah]

Ok.

[JPS]

Hi Again,

Just to let you know the tech advised that I managed to fry my motherboard, hence a new computer is on the way!!

I was advised that the monitor crash was not virus related, hence a new monitor is also being purchased.

I hope that the new computer will be virus free, hence you can close down this thread.

I appreciate your help,

Cheers,

Justin

[kahdah]

Ok yes it is true that the monitor issue does not happen from malware.

I will have this thread closed.

You are welcome.