Rootrepeal is not running as it should

I hope it's ok to ask you this. I didn't see anywhere else I could post. I finally got to a point where I could run Malwarebytes after several days.

Upon running the software several times I noticed it kept coming up with two repeat offenders. Trojan.agent and some type of registry issue.

I kept trying to remove them over a period of several days after getting rid of System Security 2009. My computer ran fine for a few days but then rebooted itself two days ago and although I have run several pieces of recommended software I still seem to be infected.

Now the browser won't open or when it does I still get the virus software pop ups and redirects. There also seemed to be another search bar at the top of the browser with a little Microsoft symbol but it was never there before.

I don't know what else to do. I still cannot boot to safe mode, I can't even reinstall Windows. Can you help me?

Thanks so much!


Hi ya,

I have snipped the PM advice as it would be confusing :D

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.
Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Sorry for the confusion. I loaded Combofix on my Desktop, clicked on it, hit run....nothing happened for over 15 minutes.....I tried it again. Nothing. Any more suggestions? Everything is running but I know that Trojan.agent and Rootkit.trace are still there. My browser is running fine at this moment because before I turned everything off to run Combofix it had blocked something trying to get on my computer and I elected to have it permanently blocked in the future. I have not rebooted though since then. That's the latest I can tell you. Any more suggestions? Thanks so much.


I'm actually not sure I can boot into safe mode. I haven't been able to but I will give it a try this evening.

Again, my thanks.

I tried to boot to safe mode but as I thought my computer won't do that. I have updated Malwarebytes and still the only two things to show up are Trojan.agent and Rootkit.trace.

Sometimes my computer boots, sometimes it locks up on the desktop and I need to reboot. Sometimes the browser will close by itself.

I'm open to suggestions. Thanks so much for the help.

PS. I read some of the articles your forums point to. I know how I got this virus. Through a codec. What an idiot I was. :-(


Forgot to add this...

Malwarebytes' Anti-Malware 1.39

Database version: 2523

Windows 5.1.2600 Service Pack 3

7/28/2009 4:26:56 PM

mbam-log-2009-07-28 (16-26-56).txt

Scan type: Quick Scan

Objects scanned: 97312

Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

I:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


Ok, RootRepeal has just been updated so I would like to try that angle of attack again to see if we can attack the rootkit with that.

Download Rootrepeal 1.3.3 >>>

http://rootrepeal.googlepages.com/

Extract the file and run rootrepeal.exe

Click on the Report tab on the bottom right of the software, then press Scan

Put a check (tick) in all boxes except the 2 SSDT options, then press OK

Place a check (tick) in the drive to be scanned (usually you will only have to select C).

Please save the logfile generated and copy and paste the contents of that log into your next reply.


It worked

Here is what I came up with.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/07/28 17:37

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: I:\WINDOWS\system32\UACbqbrfwofmxdulhbxv.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACetjmukeshaxivrtnk.db

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UAChqipyiuwykltuqrdh.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\uacinit.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACndjitmairulteppjw.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACpyqbitltmoiopjqga.dat

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\UACuniorjihvmwidjary.dll

Status: Invisible to the Windows API!

Path: I:\WINDOWS\Temp\UACaf5a.tmp

Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.dll

Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\uActivate.SET

Status: Invisible to the Windows API!

Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys

Status: Invisible to the Windows API!

Path: i:\documents and settings\admin\local settings\temp\~df41d9.tmp

Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.dll

Status: Invisible to the Windows API!

Path: I:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\uActivate.SET

Status: Invisible to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgldr.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log

Status: Locked to the Windows API!

Path: I:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log

Status: Locked to the Windows API!

Path: i:\documents and settings\admin\local settings\application data\ahead\nero home\is2.db-journal

Status: Allocation size mismatch (API: 512, Raw: 0)

Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.cdf-ms

Status: Locked to the Windows API!

Path: I:\Documents and Settings\Billy\Local Settings\Apps\2.0\389B0ZLN.GK6\PNKEV4VA.MLG\manifests\clickonce_bootstrap.exe.manifest

Status: Locked to the Windows API!


Great, here comes the bomb :)

Run Rootrepeal file scan only.

Highlight the following line and right click on it. Select *wipe file*

Path: I:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys

Status: Invisible to the Windows API!

Then reboot immediately!!

After rebooting please run an MBAM quick scan. Allow it to delete what it finds and reboot again.

Please post back the log from that MBAM quickscan :)
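The log above and the helper's choice of the hidden .sys driver as the first thing to wipe follow a triage pattern that is worth making explicit for anyone reading such reports. The Python below is an added example, not code from the thread and not RootRepeal's own: it parses RootRepeal's "Hidden/Locked Files" section and sorts entries into files invisible to the Windows API (what a kernel-mode rootkit hides), files that are merely locked (in this thread, AV logs and ClickOnce manifests held open by legitimate software) and allocation-size mismatches (a temp file caught mid-write). The embedded sample log is a constructed subset of the entries posted above; the bucket names, the `hidden_kernel_drivers` check and the shared-prefix heuristic are this example's own inventions, not RootRepeal terminology.

```python
"""Triage of a RootRepeal "Hidden/Locked Files" report (added example).

Parses the Path/Status pairs RootRepeal prints and buckets them the way a
helper reads them: hidden (invisible to the API), locked, size mismatch.
Bucket names and heuristics are this example's own, not RootRepeal's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the log posted in the
# thread, laid out the way RootRepeal 1.3.3 prints them.
SAMPLE_LOG = """\
ROOTREPEAL (c) AD, 2007-2009
Program Version: Version 1.3.3.0

Hidden/Locked Files
-------------------
Path: I:\\WINDOWS\\system32\\UACbqbrfwofmxdulhbxv.dll
Status: Invisible to the Windows API!

Path: I:\\WINDOWS\\system32\\uacinit.dll
Status: Invisible to the Windows API!

Path: I:\\Program Files\\ArcSoft\\TotalMedia Extreme\\uActivate.dll
Status: Invisible to the Windows API!

Path: I:\\WINDOWS\\system32\\drivers\\UACvyxvkiqqhesrrradv.sys
Status: Invisible to the Windows API!

Path: i:\\documents and settings\\admin\\local settings\\temp\\~df41d9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: I:\\Documents and Settings\\All Users\\Application Data\\avg8\\Log\\avgcore.log
Status: Locked to the Windows API!
"""


@dataclass
class Entry:
    path: str
    status: str


def parse_hidden_locked(text):
    """Return the Path/Status pairs from the Hidden/Locked Files section.

    The section ends at the next header: a non-blank line that is neither
    a Path:, a Status:, nor the dashed underline."""
    entries, path, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Hidden/Locked Files":
            in_section = True
            continue
        if not in_section or not line or set(line) == {"-"}:
            continue
        if line.startswith("Path: "):
            path = line[len("Path: "):]
        elif line.startswith("Status: ") and path is not None:
            entries.append(Entry(path, line[len("Status: "):]))
            path = None
        else:
            break  # a different section has started
    return entries


def classify(entry):
    """Map RootRepeal's status text onto a triage bucket."""
    if entry.status.startswith("Invisible to the Windows API"):
        return "hidden"
    if entry.status.startswith("Locked to the Windows API"):
        return "locked"
    if entry.status.startswith("Allocation size mismatch"):
        return "size_mismatch"
    return "other"


def triage(text):
    """Bucket name -> list of paths, from the report text."""
    buckets = defaultdict(list)
    for entry in parse_hidden_locked(text):
        buckets[classify(entry)].append(entry.path)
    return dict(buckets)


def hidden_kernel_drivers(text):
    """Hidden .sys files under a drivers directory: the component doing
    the hiding, which is the one the helper told the poster to wipe."""
    return [p for p in triage(text).get("hidden", [])
            if re.search(r"\\drivers\\[^\\]+\.sys$", p, re.IGNORECASE)]


def shared_name_prefix(paths, length=3):
    """Case-insensitive filename prefix common to every path, or None.
    Every hidden file in the thread starts with 'uac', including the
    unrelated ArcSoft uActivate.dll: consistent with a filter keyed on
    the filename, which sweeps up legitimate files with a matching name."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in paths]
    if not names:
        return None
    prefix = names[0][:length]
    return prefix if all(n.startswith(prefix) for n in names) else None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, paths in result.items():
        print(bucket, len(paths), paths)
    print("hidden drivers:", hidden_kernel_drivers(SAMPLE_LOG))
    print("shared prefix:", shared_name_prefix(result.get("hidden", [])))
```

On the sample this yields four hidden files, one locked file and one size mismatch; the only hidden .sys under a drivers directory is the one the helper singled out, and the shared prefix comes out as "uac", which is also why a legitimate ArcSoft file turned up in the hidden list next to the rootkit's components. Locked entries that belong to a running AV product or a ClickOnce manifest are the expected background noise of such a scan and are not what a helper acts on.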


Success!!!!! You are the bomb! I ran Rootrepeal and the culprit was exposed.

Here is the log. (I must add that when I rebooted Avira started killing files as Malwarebytes was finding them. I forgot to turn it off first. So this log might be incomplete.) I ran a second log after I rebooted. I thought you might want to see it as well. It had the Trojan.TDSS. I guess to be expected? I am running a deep scan right now with Malwarebytes.

Malwarebytes' Anti-Malware 1.39

Database version: 2524

Windows 5.1.2600 Service Pack 3

7/28/2009 8:05:10 PM

mbam-log-2009-07-28 (20-04-23).txt

Scan type: Full Scan (I:\|)

Objects scanned: 128550

Time elapsed: 20 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\rp2\A0001009.dll (Trojan.TDSS) -> No action taken.

i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001010.dll (Trojan.TDSS) -> No action taken.

i:\system volume information\_restore{6d0a4f50-0af5-451b-a8ad-b7da225f6477}\RP2\A0001012.dll (Trojan.TDSS) -> No action taken.

Malwarebytes' Anti-Malware 1.39

Database version: 2523

Windows 5.1.2600 Service Pack 3

7/28/2009 7:33:17 PM

mbam-log-2009-07-28 (19-32-59).txt

Scan type: Quick Scan

Objects scanned: 97520

Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

i:\WINDOWS\system32\UACllrvxvkbwjpnbgpwy.dll (Trojan.TDSS) -> No action taken.

i:\WINDOWS\system32\UACndjitmairulteppjw.dll (Trojan.TDSS) -> No action taken.

i:\WINDOWS\system32\UACuniorjihvmwidjary.dll (Trojan.TDSS) -> No action taken.

i:\WINDOWS\system32\drivers\UACvyxvkiqqhesrrradv.sys (Trojan.Agent) -> No action taken.

If I have any major problems I will let you know. No more codecs for me. Hard lesson learned.

My wife and I would like to contribute to your hard work. Where can we do that?


Hi ya,

Works like a charm when the tech works. The trouble with these very advanced malwares is they know they can't hide from our tech, so they have to resort to dirty tricks to take us out of the equation.

Victim of our own success unfortunately. Ok, I would like to see a couple more logs before I sound the all clear.

Can you please run ComboFix from regular mode as directed earlier. Now the rootkit is nuked it should be working again :)

Also can you post a HijackThis log.

Thanks in advance :)


Will do.


Hi yeah,

Yes that CF is good to use, run that routine first.

HiJackThis

  • Please download this program Trend Micro HijackThis to your desktop.
  • Double-click on it to run and install it.
  • Then launch the program and click on Do a system scan and save a logfile. This log file will open in Notepad.
  • Do not do anything with HJT at this point except copy and paste the contents of the log generated into a reply.

I will give you heaps of support info after we have finished cleaning your PC, but first of all let's make sure it's clean, then I can point you in the direction of how to secure and avoid malware etc.


Awesome. Look forward to the advice and tips. Will run tonight. Heading out of town on business so if not tonight next week when I return. Very impressed with the professional help here.


I didn't have time for the Combofix but Hijackthis went fast. Here's the file. I'll try and check in during my trip.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:26:32 PM, on 7/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

I:\WINDOWS\System32\smss.exe

I:\WINDOWS\system32\winlogon.exe

I:\WINDOWS\system32\services.exe

I:\WINDOWS\system32\lsass.exe

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\system32\svchost.exe

I:\WINDOWS\System32\svchost.exe

I:\WINDOWS\system32\svchost.exe

I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

I:\WINDOWS\system32\Ati2evxx.exe

I:\WINDOWS\system32\spoolsv.exe

I:\Program Files\Avira\AntiVir Desktop\sched.exe

I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

I:\Program Files\Avira\AntiVir Desktop\avguard.exe

I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

I:\Program Files\Java\jre6\bin\jqs.exe

I:\Program Files\Common Files\LightScribe\LSSrvc.exe

I:\PROGRA~1\AVG\AVG8\avgrsx.exe

I:\PROGRA~1\AVG\AVG8\avgnsx.exe

I:\WINDOWS\Explorer.EXE

I:\Program Files\Java\jre6\bin\jusched.exe

I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

I:\WINDOWS\RTHDCPL.EXE

I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

I:\Program Files\MSI\Live Update 3\LMonitor.exe

I:\Program Files\Nero\Nero 7\InCD\InCD.exe

I:\PROGRA~1\AVG\AVG8\avgtray.exe

I:\Program Files\Avira\AntiVir Desktop\avgnt.exe

I:\WINDOWS\system32\ctfmon.exe

I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

I:\WINDOWS\system32\svchost.exe

I:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

I:\Program Files\Logitech\SetPoint\KEM.exe

I:\Program Files\Logitech\SetPoint\KHALMNPR.EXE

I:\Program Files\Internet Explorer\iexplore.exe

I:\Program Files\Internet Explorer\iexplore.exe

I:\Program Files\Internet Explorer\iexplore.exe

I:\Program Files\Internet Explorer\iexplore.exe

I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - (no file)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [LiveMonitor] I:\Program Files\MSI\Live Update 3\LMonitor.exe

O4 - HKLM\..\Run: [inCD] I:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [AVG8_TRAY] I:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [avgnt] "I:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sansaDispatch] I:\Documents and Settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] I:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [ccleaner] "I:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [Advanced SystemCare 3] "I:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = I:\Program Files\Logitech\SetPoint\KEM.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238224748875

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft - I:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - I:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - I:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - I:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - I:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - I:\Program Files\Common Files\LightScribe\LSSrvc.exe

--

End of file - 6495 bytes


Ok well nothing bad in the HJT log :)

ComboFix will dig a bit deeper + it will remove the orphaned service load value for the recently evicted Rootkit. So before we give you the green light I would rather wait for that report first.

np if you can't do today, just post it up when you get around to it :)


Well that's great news! I will run the other program when I get back in town.

You rock!!!


Hi!

I'm back and ready to run ComboFix but when I run it, it says it may be a tainted version. Can you give me the safest location for the file. It says I should download another copy before I run it.

Thanks


I found it...sorry. Here it is.

ComboFix 09-08-04.02 - Billy 08/04/2009 18:44.1.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2521 [GMT -5:00]

Running from: i:\documents and settings\Billy\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

i:\windows\system32\UACetjmukeshaxivrtnk.db

i:\windows\system32\UACpyqbitltmoiopjqga.dat

i:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

-------\Legacy_PCMSTUB

-------\Service_6to4

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))

.

2009-07-29 20:26 . 2009-07-29 20:26 -------- d-----w- i:\program files\Trend Micro

2009-07-28 20:31 . 2009-07-03 17:09 594432 -c----w- i:\windows\system32\dllcache\msfeeds.dll

2009-07-28 20:31 . 2009-07-03 17:09 55296 -c----w- i:\windows\system32\dllcache\msfeedsbs.dll

2009-07-28 20:29 . 2009-07-28 20:29 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Malwarebytes

2009-07-27 21:58 . 2009-07-29 00:21 15 ----a-w- i:\documents and settings\Billy\settings.dat

2009-07-27 00:43 . 2009-07-29 01:25 -------- d---a-w- i:\documents and settings\All Users\Application Data\TEMP

2009-07-25 21:09 . 2009-03-30 15:33 96104 ----a-w- i:\windows\system32\drivers\avipbb.sys

2009-07-25 21:09 . 2009-03-24 21:08 55640 ----a-w- i:\windows\system32\drivers\avgntflt.sys

2009-07-25 21:09 . 2009-02-13 17:29 22360 ----a-w- i:\windows\system32\drivers\avgntmgr.sys

2009-07-25 21:09 . 2009-02-13 17:17 45416 ----a-w- i:\windows\system32\drivers\avgntdd.sys

2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\program files\Avira

2009-07-25 21:09 . 2009-07-25 21:09 -------- d-----w- i:\documents and settings\All Users\Application Data\Avira

2009-07-25 13:33 . 2009-07-25 13:33 -------- d-----w- i:\documents and settings\ADMIN\Application Data\IObit

2009-07-25 13:24 . 2009-07-25 13:24 -------- d-sh--w- i:\documents and settings\ADMIN\PrivacIE

2009-07-24 22:00 . 2009-07-24 22:00 3775176 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-24 21:31 . 2001-08-23 12:00 4224 -c--a-w- i:\windows\system32\dllcache\beep.sys

2009-07-24 21:31 . 2001-08-23 12:00 4224 ----a-w- i:\windows\system32\drivers\beep.sys

2009-07-22 10:53 . 2009-07-25 22:51 -------- d-----w- i:\documents and settings\Billy\Application Data\IObit

2009-07-22 10:53 . 2009-07-22 10:53 -------- d-----w- i:\program files\IObit

2009-07-13 20:35 . 2009-07-13 20:35 -------- d-----w- i:\documents and settings\Billy\Application Data\Malwarebytes

2009-07-13 20:27 . 2009-07-13 20:27 3550592 ----a-w- I:\winlogon.exe.exe

2009-07-13 03:44 . 2009-07-13 03:44 3561752 ----a-w- I:\mbam-setup.exe

2009-07-13 03:06 . 2009-06-17 16:27 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 03:06 . 2009-07-13 18:36 19096 ----a-w- i:\windows\system32\drivers\mbam.sys

2009-07-13 03:06 . 2009-07-13 03:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-13 03:02 . 2009-07-13 03:02 -------- d-----w- i:\program files\FileASSASSIN

2009-07-13 00:55 . 2009-07-03 14:49 15688 ----a-w- i:\windows\system32\lsdelete.exe

2009-07-13 00:13 . 2009-07-03 14:49 64160 ----a-w- i:\windows\system32\drivers\Lbd.sys

2009-07-13 00:13 . 2009-07-13 00:13 -------- dc-h--w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-07-13 00:13 . 2009-07-08 17:28 2920112 -c--a-w- i:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe

2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\program files\Lavasoft

2009-07-13 00:13 . 2009-07-13 00:13 -------- d-----w- i:\documents and settings\All Users\Application Data\Lavasoft

2009-07-12 23:11 . 2009-07-12 23:11 -------- d-----w- i:\documents and settings\Billy\Application Data\Yahoo!

2009-07-12 23:11 . 2009-07-25 17:38 -------- d-----w- i:\program files\Yahoo!

2009-07-12 23:06 . 2009-07-12 23:07 49492 ----a-w- I:\cc_20090712_180634.reg

2009-07-11 22:26 . 2009-07-12 22:28 -------- d-----w- i:\documents and settings\All Users\Application Data\4545

2009-07-11 22:25 . 2009-07-11 22:25 -------- d-sh--w- i:\windows\system32\config\systemprofile\IETldCache

2009-07-11 15:03 . 2009-07-11 15:04 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Temp

2009-07-11 15:03 . 2009-07-11 15:03 -------- d-----w- i:\documents and settings\Billy\Local Settings\Application Data\Deployment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-04 23:10 . 2009-04-11 03:27 -------- d-----w- i:\program files\Microsoft Silverlight

2009-07-25 16:26 . 2009-03-31 01:22 -------- d-----w- i:\documents and settings\Billy\Application Data\LimeWire

2009-07-25 13:12 . 2009-07-25 13:12 12720 ----a-w- i:\documents and settings\ADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\Logitech

2009-07-25 13:12 . 2009-07-25 13:12 -------- d-----w- i:\documents and settings\ADMIN\Application Data\ATI

2009-07-19 12:40 . 2009-03-31 01:28 -------- d-----w- i:\documents and settings\All Users\Application Data\avg8

2009-07-17 13:49 . 2009-03-31 01:28 335752 ----a-w- i:\windows\system32\drivers\avgldx86.sys

2009-07-07 22:30 . 2009-03-27 21:39 12720 ----a-w- i:\documents and settings\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infob.dat

2009-07-05 15:04 . 2009-07-05 15:04 0 ----a-w- i:\windows\Infoa.dat

2009-07-05 15:04 . 2009-07-05 14:34 -------- d-----w- i:\program files\Free MKV Video2Dvd

2009-07-05 14:12 . 2009-04-06 01:06 -------- d-----w- i:\documents and settings\All Users\Application Data\Apple Computer

2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Sonic Foundry

2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\Pure Motion

2009-07-05 14:06 . 2009-07-05 14:06 -------- d-----w- i:\program files\DebugMode

2009-07-03 17:09 . 2008-04-14 10:42 915456 ----a-w- i:\windows\system32\wininet.dll

2009-06-24 20:51 . 2009-03-31 01:28 11952 ----a-w- i:\windows\system32\avgrsstx.dll

2009-06-24 20:51 . 2009-03-31 01:28 27784 ----a-w- i:\windows\system32\drivers\avgmfx86.sys

2009-06-19 14:56 . 2009-06-19 14:56 -------- d-----w- i:\documents and settings\Billy\Application Data\x3watch

2009-06-16 14:36 . 2008-04-14 10:42 119808 ----a-w- i:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2008-04-14 10:41 81920 ----a-w- i:\windows\system32\fontsub.dll

2009-06-15 03:26 . 2009-03-28 07:26 -------- d-----w- i:\documents and settings\Billy\Application Data\AdobeUM

2009-06-03 19:09 . 2008-04-14 10:42 1291264 ----a-w- i:\windows\system32\quartz.dll

2009-06-01 14:29 . 2009-06-01 14:29 12328 ----a-w- i:\documents and settings\Florence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-25 18:06 . 2009-05-25 18:06 79872 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2009-05-25 18:06 . 2009-05-25 18:06 349184 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2009-05-25 18:06 . 2009-05-25 18:06 541696 ----a-w- i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2009-05-07 15:32 . 2008-04-14 10:41 345600 ----a-w- i:\windows\system32\localspl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="i:\documents and settings\Billy\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-25 79872]

"Nero PhotoShow Media Manager"="i:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]

"ccleaner"="i:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]

"Advanced SystemCare 3"="i:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"StartCCC"="i:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"NeroFilterCheck"="i:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LiveMonitor"="i:\program files\MSI\Live Update 3\LMonitor.exe" [2009-02-24 498688]

"InCD"="i:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]

"AVG8_TRAY"="i:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]

"avgnt"="i:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"MSConfig"="i:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"RTHDCPL"="RTHDCPL.EXE" - i:\windows\RTHDCPL.exe [2008-07-03 16876032]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - i:\windows\KHALMNPR.Exe [2004-10-21 29696]

i:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - i:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Logitech SetPoint.lnk - i:\program files\Logitech\SetPoint\KEM.exe [2009-3-27 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-24 20:51 11952 ----a-w- i:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"i:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"i:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"j:\\Unreal Tournament 3\\Binaries\\UT3.exe"=

R0 Lbd;Lbd;i:\windows\system32\drivers\Lbd.sys [7/12/2009 7:13 PM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;i:\windows\system32\drivers\avgldx86.sys [3/30/2009 8:28 PM 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;i:\windows\system32\drivers\avgtdix.sys [3/30/2009 8:28 PM 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;i:\program files\Avira\AntiVir Desktop\sched.exe [7/25/2009 4:09 PM 108289]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;i:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;i:\windows\system32\drivers\AtiHdmi.sys [3/27/2009 9:54 PM 93184]

S2 bjftulks;bjftulks;i:\windows\system32\drivers\brrshma.sys --> i:\windows\system32\drivers\brrshma.sys [?]

S2 rayar;rayar;\??\i:\windows\system32\drivers\skvelixtl.sys --> i:\windows\system32\drivers\skvelixtl.sys [?]

S2 vkcyvsjbs;vkcyvsjbs;\??\i:\windows\system32\drivers\jkqtor.sys --> i:\windows\system32\drivers\jkqtor.sys [?]

S4 avg8wd;AVG Free8 WatchDog;i:\progra~1\AVG\AVG8\avgwdsvc.exe [3/30/2009 8:28 PM 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"i:\windows\system32\rundll32.exe" "i:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-28 i:\windows\Tasks\Ad-Aware Update (Weekly).job

- i:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-04 i:\windows\Tasks\WGASetup.job

- i:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200

DPF: Microsoft XML Parser for Java - file://i:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-04 18:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

i:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2472)

i:\windows\system32\WININET.dll

i:\program files\Logitech\SetPoint\lgscroll.dll

i:\windows\system32\ieframe.dll

i:\windows\system32\webcheck.dll

i:\windows\system32\WPDShServiceObj.dll

i:\windows\system32\PortableDeviceTypes.dll

i:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

i:\windows\system32\ati2evxx.exe

i:\windows\system32\ati2evxx.exe

i:\program files\AVG\AVG8\avgrsx.exe

i:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

i:\program files\Avira\AntiVir Desktop\avguard.exe

i:\program files\Nero\Nero 7\InCD\InCDsrv.exe

i:\program files\Java\jre6\bin\jqs.exe

i:\program files\Common Files\LightScribe\LSSrvc.exe

i:\windows\system32\wbem\unsecapp.exe

i:\program files\Lavasoft\Ad-Aware\AAWTray.exe

i:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

i:\program files\AVG\AVG8\avgtray.exe

i:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

i:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

i:\program files\Logitech\SetPoint\KHALMNPR.exe

.

**************************************************************************

.

Completion time: 2009-08-04 18:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-04 23:49

Pre-Run: 94,835,458,048 bytes free

Post-Run: 94,961,287,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210 --- E O F --- 2009-08-04 23:09


Hi and welcome back :)

Combofix has finished up the clean as anticipated.

At the moment you're showing as running 2 antiviruses in realtime. This is not a recommended practice: since both perform similar roles there is a high probability they will conflict with each other, and instead of giving extra protection they could in fact null each other out at worst, or have a negative impact on PC performance at best. So best to decide to keep 1 resident and uninstall the second, or else configure 1 to only run as an on-demand scan (backup scan) and not load in realtime.

ComboFix log is showing clear, so any more issues to report on the PC?



I plan on uninstalling my other resident software and going with the one I found through Malwarebytes.

So my plan is to run Avira and Malwarebytes. Avira runs in realtime but Malwarebytes does not, correct?

I plan on purchasing Malwarebytes and I have been asked to write a review which I will most certainly do.

Earlier in the thread you had mentioned giving me some additional tips or direction to avoid future problems, so I am ready for that if you have the time.

You have done an awesome job. Thank you very much for all your help and patience.


Hi ya, the pay-for version of MBAM is a realtime protection component; we don't operate at the same level as an AV software, so no conflicts there, and I know quite a few folks that use the AntiVir and MBAM combo :)

As promised here's my closing spiel for all help sessions once finished :)

Here's some handy reading: the Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.

Safe surfing :)


This topic is now closed to further replies.