Jump to content

AV Care!!


Recommended Posts

Hello there - my girlfriend's computer came down with a case of AV Care last night - that dastardly deceptive piece of work that is a rogue thing.

I've read most of the sites that I could about removing it, nothings worked so far. I've removed it from the registry, deleted all of its files.

Although I do believe the main problem is that she actually ran an uninstaller for it. I cannot get mbam.exe to work, and I have renamed it to all possible variations. If I do get it to work, it hangs at 'finishing installation'.

What steps do I take next?

Thanks,

Noah

PS Hijackthis wont start up either :/

Link to post
Share on other sites

Welcome to Malwarebytes!!!! <_<

We need to see some additional information about what is happening in your machine.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explanation about the tool.

    [*]When done, DDS will open two (2) logs

    1. DDS.txt

    2. Attach.txt

    [*] Save both reports to your desktop.

    [*] The instructions here ask you to attach the Attach.txt.

    DDS.jpg

    [*]Instead of attaching, please copy/past both logs into your next reply.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

========================================

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Link to post
Share on other sites

When I try to run DDS it says 'Not enough main memory to complete the sort' - i was disconnected from the internet with my A/V off.

Here is the report from RootRepeal

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/02 08:51

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF7667000 Size: 53248 File Visible: - Signed: -

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xBA1D1000 Size: 138368 File Visible: - Signed: -

Status: -

Name: atapi.sys

Image Path: atapi.sys

Address: 0xF74C0000 Size: 95360 File Visible: - Signed: -

Status: -

Name: BATTC.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS

Address: 0xF789F000 Size: 16384 File Visible: - Signed: -

Status: -

Name: bcm4sbxp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

Address: 0xF7687000 Size: 65536 File Visible: - Signed: -

Status: -

Name: bcmwl5.sys

Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

Address: 0xBA5E7000 Size: 604928 File Visible: - Signed: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF79AD000 Size: 4224 File Visible: - Signed: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF7897000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xB94C9000 Size: 63744 File Visible: - Signed: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF76C7000 Size: 49536 File Visible: - Signed: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF7637000 Size: 53248 File Visible: - Signed: -

Status: -

Name: compbatt.sys

Image Path: compbatt.sys

Address: 0xF789B000 Size: 9344 File Visible: - Signed: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF7627000 Size: 36352 File Visible: - Signed: -

Status: -

Name: DLACDBHM.SYS

Image Path: C:\WINDOWS\System32\Drivers\DLACDBHM.SYS

Address: 0xF7993000 Size: 6016 File Visible: - Signed: -

Status: -

Name: DLARTL_M.SYS

Image Path: C:\WINDOWS\System32\Drivers\DLARTL_M.SYS

Address: 0xF77DF000 Size: 21280 File Visible: - Signed: -

Status: -

Name: DRVMCDB.SYS

Image Path: DRVMCDB.SYS

Address: 0xF7861000 Size: 90080 File Visible: - Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xBA0CF000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xBA3A4000 Size: 12288 File Visible: - Signed: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000 Size: 73728 File Visible: - Signed: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7A7F000 Size: 4096 File Visible: - Signed: -

Status: -

Name: Fastfat.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS

Address: 0xBA2CE000 Size: 143360 File Visible: - Signed: -

Status: -

Name: fltMgr.sys

Image Path: fltMgr.sys

Address: 0xF7877000 Size: 128896 File Visible: - Signed: -

Status: -

Name: framebuf.dll

Image Path: C:\WINDOWS\System32\framebuf.dll

Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF79A9000 Size: 7936 File Visible: - Signed: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -

Status: -

Name: GEARAspiWDM.sys

Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys

Address: 0xF76E7000 Size: 40960 File Visible: - Signed: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806FF000 Size: 134272 File Visible: - Signed: -

Status: -

Name: HDAudBus.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xBA67B000 Size: 155648 File Visible: - Signed: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF74F7000 Size: 36864 File Visible: - Signed: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF7777000 Size: 28672 File Visible: - Signed: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xBA3BC000 Size: 9600 File Visible: - Signed: -

Status: -

Name: i2omgmt.SYS

Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS

Address: 0xF79A5000 Size: 8192 File Visible: - Signed: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF76A7000 Size: 52736 File Visible: - Signed: -

Status: -

Name: iaStor.sys

Image Path: iaStor.sys

Address: 0xF7402000 Size: 778240 File Visible: - Signed: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF76B7000 Size: 41856 File Visible: - Signed: -

Status: -

Name: ipfltdrv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

Address: 0xF7527000 Size: 32896 File Visible: - Signed: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xBA242000 Size: 134912 File Visible: - Signed: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xBA2BB000 Size: 74752 File Visible: - Signed: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF75F7000 Size: 35840 File Visible: - Signed: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF775F000 Size: 24576 File Visible: - Signed: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7987000 Size: 8192 File Visible: - Signed: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xBA505000 Size: 143360 File Visible: - Signed: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF784A000 Size: 92032 File Visible: - Signed: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF7757000 Size: 23040 File Visible: - Signed: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xBA3B4000 Size: 12160 File Visible: - Signed: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF7607000 Size: 42240 File Visible: - Signed: -

Status: -

Name: Mpfp.sys

Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys

Address: 0xBA21B000 Size: 159744 File Visible: - Signed: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xBA10F000 Size: 453632 File Visible: - Signed: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF77F7000 Size: 19072 File Visible: - Signed: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF7567000 Size: 35072 File Visible: - Signed: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xBA7B1000 Size: 15488 File Visible: - Signed: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xBA7E5000 Size: 107904 File Visible: - Signed: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF795A000 Size: 182912 File Visible: - Signed: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF794B000 Size: 9600 File Visible: - Signed: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xBA394000 Size: 12928 File Visible: - Signed: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xBA4EE000 Size: 91776 File Visible: - Signed: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF7537000 Size: 38016 File Visible: - Signed: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF7517000 Size: 34560 File Visible: - Signed: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xBA1F3000 Size: 162816 File Visible: - Signed: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF7807000 Size: 30848 File Visible: - Signed: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF7B52000 Size: 574464 File Visible: - Signed: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7A53000 Size: 2944 File Visible: - Signed: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF7657000 Size: 61056 File Visible: - Signed: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF770F000 Size: 18688 File Visible: - Signed: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7597000 Size: 68224 File Visible: - Signed: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF7707000 Size: 28672 File Visible: - Signed: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xBA43D000 Size: 69120 File Visible: - Signed: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF77A7000 Size: 17792 File Visible: - Signed: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF7647000 Size: 35712 File Visible: - Signed: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xBA528000 Size: 8832 File Visible: - Signed: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF76F7000 Size: 51328 File Visible: - Signed: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF7587000 Size: 41472 File Visible: - Signed: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF7577000 Size: 48384 File Visible: - Signed: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF77B7000 Size: 16512 File Visible: - Signed: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xBA1A6000 Size: 174592 File Visible: - Signed: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF79B1000 Size: 4224 File Visible: - Signed: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF76D7000 Size: 57472 File Visible: - Signed: -

Status: -

Name: rimmptsk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

Address: 0xF7697000 Size: 57344 File Visible: - Signed: -

Status: -

Name: rimsptsk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

Address: 0xBA5D3000 Size: 81920 File Visible: - Signed: -

Status: -

Name: rixdptsk.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

Address: 0xBA582000 Size: 331776 File Visible: - Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB9539000 Size: 49152 File Visible: No Signed: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xB98D1000 Size: 333184 File Visible: - Signed: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF7999000 Size: 4352 File Visible: - Signed: -

Status: -

Name: SynTP.sys

Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys

Address: 0xBA550000 Size: 202912 File Visible: - Signed: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xBA263000 Size: 360320 File Visible: - Signed: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF7797000 Size: 20480 File Visible: - Signed: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF7557000 Size: 40704 File Visible: - Signed: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xBA3E4000 Size: 364160 File Visible: - Signed: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF7991000 Size: 8192 File Visible: - Signed: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF774F000 Size: 27264 File Visible: - Signed: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF7547000 Size: 57600 File Visible: - Signed: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xBA6A1000 Size: 143360 File Visible: - Signed: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF773F000 Size: 20480 File Visible: - Signed: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF77E7000 Size: 20992 File Visible: - Signed: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS

Address: 0xBA376000 Size: 81920 File Visible: - Signed: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF7617000 Size: 52352 File Visible: - Signed: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF778F000 Size: 20480 File Visible: - Signed: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -

Status: -

Name: wmiacpi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

Address: 0xF7943000 Size: 8832 File Visible: - Signed: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xF7989000 Size: 8192 File Visible: - Signed: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -

Status: -

Link to post
Share on other sites

Download UnHookExec.inf to your Desktop.

Right-Click on UnHookExec.inf and click on Install.

It doen't display any notice or boxes, don't worry it worked.

See if you can get task manager to work and look for the following in task manager

look and see if you see any random process like. eg 1234567.exe 638476435.exe 453732.exe. If so please kill process. You can do this in Normal mode. Let me know if you have any problems.

Link to post
Share on other sites

Download UnHookExec.inf to your Desktop.

Right-Click on UnHookExec.inf and click on Install.

It doen't display any notice or boxes, don't worry it worked.

See if you can get task manager to work and look for the following in task manager

look and see if you see any random process like. eg 1234567.exe 638476435.exe 453732.exe. If so please kill process. You can do this in Normal mode. Let me know if you have any problems.

it does not give me the option to install

Link to post
Share on other sites

try saving it to your desktop and make sure its saved as Unhookexc.inf. Please try again. Thanks

i have done so, but it acts like a txt document. no option to install. i made sure it was saved as a .inf

using windows xp have something to do with it?

thanks

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.