BKDR BEAST.A

reflecx · Mar 26, 2004

Trend Micro found a virus with the name BKDR BEAST.A in more than one hundred files, but couldn't clean them out. Can anyone help?

Logfile of HijackThis v1.97.3
Scan saved at 22:12:50, on 2004-03-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Vanliga filer\Real\Update_OB\realsched.exe
C:\Program\QuickTime\qttask.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://login1.telia.com/

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] C:\Program\Vanliga filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -

http://www.stop-sign.com/pub/download/scandl_cnry.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Thanks, Jamie

carrr · Mar 26, 2004

This log is no help with your problem. You need to disable system restore:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

Then, reboot and come in in Safe Mode and make a pass with your AV.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

carrr · Mar 26, 2004

From what I can glean, a file called msafje.com might be at the heart of this problem.

"'Tis an ill wind that blows no minds." - Malaclypse the Younger

reflecx · Mar 26, 2004

Cheers! I'll just pour myself a wee Highland Park, and get cracking! Back in a lamb's tail.

reflecx · Mar 28, 2004

Things fall apart! Please have a look at my new thread in the Virus/spyware forum;

http://www.tek-tips.com/viewthread.cfm?SQID=809682&SPID=760&page=1

Thanks,
Jamie

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

BKDR BEAST.A

reflecx

Technical User

carrr

Technical User

carrr

Technical User

reflecx

Technical User

reflecx

Technical User

Part and Inventory Search

Sponsor