Need help removing rootkit


steveg45
I have a rootkit I cannot remove. It closes all antispyware, antivirus and removal tools. (except Symantec AV)

I am running windows xp, IE and google chrome.

I had symantec av corp 9.0

Ran kaspersky online scan.

Tried installing kaspersky trial version, it closed down after a few seconds.

Had to remove SAV 9 to install kaspersky

Installed SAV 10. It is running now.

SAV found:

downloader

trojan horse

backdoor.tidserv

kaspersky found:

svchost.exe\CC9A46E0.x86.dll/svchost.exe\CC9A46E0.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 4

globalroot\Device\__max++>\CC9A46E0.x86.dll/globalroot\Device\__max++>\CC9A46E0.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 14

I was able to delete a.exe, b.exe and geyek* files that were threats but they came back.

090609.html

savscreenshot.doc


Please save this file to your desktop. Click on Start->Run, copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Here it is.

Log file is located at: C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP85.tmp\ZAP85.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP85.tmp\ZAP85.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Prefetch\Prefetch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Prefetch\Prefetch

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\RestoreSafeDeleted\RestoreSafeDeleted

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\RestoreSafeDeleted\RestoreSafeDeleted

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1547161642-1580818891-1343024091-1004\S-1-5-21-1547161642-1580818891-1343024091-1004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1547161642-1580818891-1343024091-1004\S-1-5-21-1547161642-1580818891-1343024091-1004

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealMediaSDK\RealMediaSDK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealMediaSDK\RealMediaSDK

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\dictionaries\dictionaries

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\dictionaries\dictionaries

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\KAV6Upgrade\KAV6Upgrade

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\KAV6Upgrade\KAV6Upgrade

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

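The Win32kDiag output above shows the two signals worth pulling out of a log like this. First, dozens of directories under C:\WINDOWS (addins\addins, Prefetch\Prefetch, system32\DRVSTORE\DRVSTORE, ...) have been turned into reparse points whose destination is a raw kernel object, \Device\__max++>\^, rather than the \??\ volume path a normally created junction or mounted volume points at. Second, the eventlog.dll in system32 is 61952 bytes with no publisher string, while the dllcache copy of the same file is 55808 bytes and reports Microsoft Corporation; the "Cannot access" line shows the tool could not even open the live copy until it reset permissions. As an added example (not part of this thread and not the Win32kDiag tool's own code), the Python below parses a constructed log in that format and flags both conditions. The sample lines, the regexes for the line formats, and the \Device\ prefix heuristic are this example's assumptions about the output shown, not a specification of the tool.

```python
"""Triage a Win32kDiag-style log (added example, not the tool's code).

Flags (1) directory reparse points whose destination resolves straight into
the \\Device\\ object namespace instead of a \\??\\ volume path, and (2)
system32 files whose dllcache twin differs in size or whose live copy has no
publisher string. Line formats are assumed from the log posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the Win32kDiag output in the thread. The
# \??\C:\SomeOtherDir junction is made up here to show a non-flagged target.
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\Prefetch\Prefetch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Prefetch\Prefetch

Found mount point : C:\WINDOWS\legit\junction

Mount point destination : \??\C:\SomeOtherDir

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

# Heuristic (assumption): user-created junctions and mounted volumes target
# \??\..., so a destination directly under \Device\ is treated as hijacked.
SUSPICIOUS_DEVICE_PREFIX = "\\device\\"

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
# "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<publisher>)"
FILE_RE = re.compile(
    r"^\[\d+\] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<publisher>[^)]*)\)$"
)


@dataclass
class FileEntry:
    path: str
    size: int
    publisher: str


@dataclass
class Report:
    hijacked_dirs: list = field(default_factory=list)   # (junction, destination)
    tampered_files: list = field(default_factory=list)  # (live entry, dllcache entry)


def _compare_with_dllcache(files):
    """Pair each system32 file with its dllcache twin; flag size/publisher mismatches."""
    by_name = {}
    for f in files:
        by_name.setdefault(f.path.rsplit("\\", 1)[-1].lower(), []).append(f)
    flagged = []
    for entries in by_name.values():
        cached = [f for f in entries if "\\dllcache\\" in f.path.lower()]
        live = [f for f in entries if "\\dllcache\\" not in f.path.lower()]
        if not cached or not live:
            continue  # nothing to compare against
        for live_f in live:
            if live_f.size != cached[0].size or not live_f.publisher:
                flagged.append((live_f, cached[0]))
    return flagged


def parse_log(text: str) -> Report:
    report = Report()
    pending_dir = None  # "Found mount point" waiting for its destination line
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_dir = m["path"]
        elif (m := DEST_RE.match(line)) and pending_dir is not None:
            if m["dest"].lower().startswith(SUSPICIOUS_DEVICE_PREFIX):
                report.hijacked_dirs.append((pending_dir, m["dest"]))
            pending_dir = None
        elif m := FILE_RE.match(line):
            files.append(FileEntry(m["path"], int(m["size"]), m["publisher"].strip()))
    report.tampered_files = _compare_with_dllcache(files)
    return report


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for junction, dest in rep.hijacked_dirs:
        print(f"HIJACKED DIR  {junction} -> {dest}")
    for live, cached in rep.tampered_files:
        print(f"TAMPERED FILE {live.path}: {live.size} bytes, publisher={live.publisher!r}; "
              f"dllcache copy {cached.size} bytes, publisher={cached.publisher!r}")
```

Two caveats when reading such a report: the dllcache copy is only a reference point, not a trusted baseline (a rootkit with the privileges this one evidently has could replace both), so a mismatch is a triage cue to verify against known-good media rather than proof on its own; and the \Device\ heuristic deliberately ignores \??\Volume{...} targets, which mounted volumes use legitimately.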

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post the Avenger log in your next reply.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan (quick scan) of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If you have trouble completing the complete scan, just paste back the "quick" scan results only.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as firefox.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already (if your OS is Vista - then you don't need to install the recovery console):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

Please post C:\Avenger.txt, Ark.txt, and C:\ComboFix.txt in your next reply.


negster, thanks for your help.

I have all the logs.

Just to let you know, I tried several antispyware and rootkit removal tools that were all closed and rendered useless.

I don't know why I expected a different result, for one of them to work.

You will see these in the combofix log.

I tried, adaware, spybot, unhackme (which has regrun and partizan), sanity, rootkitbuster, rootkit revealer, fsecure easyclean.

I guess that is the definition of stupidity, doing the same thing over and over again and expecting different results.

and normally I'm not that stupid.

OK enough BS.

Here are the logs:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Tue Sep 08 18:51:47 2009

18:51:47: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\dllcache\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

ARK:

GMER 1.0.15.15077 [ywxf4q19.exe] - http://www.gmer.net

Rootkit scan 2009-09-08 19:21:45

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 82EAD038 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

? lnpelb.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32

Reg HKLM\SOFTWARE\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32@oajahdcbbibodhldfjlggjdcagiihp 0x6A 0x61 0x6D 0x68 ...

Reg HKLM\SOFTWARE\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32@najanfebkpbgalpdibgcjocffoff 0x6A 0x61 0x6C 0x68 ...

---- EOF - GMER 1.0.15 ----

Combofix attached

combofix.txt


Couldn't read the attachment.

Combofix

ComboFix 09-09-08.04 - Steve 09/08/2009 20:15.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.157 [GMT -5:00]

Running from: c:\combo fix\desk.exe

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Steve\Local Settings\Temporary Internet Files\_tmAB51.tmp

c:\documents and settings\Steve\Local Settings\Temporary Internet Files\stb06759.tmp

c:\windows\Installer\100785fc.msi

c:\windows\Installer\3bf6d.msi

c:\windows\Installer\d2764.msi

c:\windows\run.log

c:\windows\system32\geyekrckvicmdq.dat.old

c:\windows\system32\geyekrdjptudyp.dat.old

c:\windows\system32\geyekrsoanprjd.dll.old

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))

.

2009-09-09 00:43 . 2009-09-09 00:43 -------- d-----w- C:\combo fix

2009-09-08 23:47 . 2009-09-09 00:21 -------- d-----w- C:\ark

2009-09-08 02:27 . 2009-09-08 02:27 -------- d-----w- c:\program files\SanityCheck

2009-09-08 02:27 . 2009-03-08 02:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys

2009-09-08 02:19 . 2009-09-08 02:19 7680 ----a-w- c:\windows\system32\drivers\RKL11.tmp.sys

2009-09-08 00:15 . 2009-09-08 05:35 -------- d-----w- c:\windows\RestoreSafeDeleted

2009-09-08 00:12 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-08 00:12 . 2009-09-08 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-08 00:12 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-07 23:52 . 2009-09-07 23:52 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2009-09-07 23:31 . 2009-09-07 23:31 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-07 23:15 . 2009-09-07 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-07 22:01 . 2009-09-07 23:46 35040 ----a-w- c:\windows\system32\Partizan.exe

2009-09-07 22:01 . 2009-09-07 23:46 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-09-07 21:53 . 2009-09-07 21:53 2 --shatr- c:\windows\winstart.bat

2009-09-07 21:52 . 2009-07-28 00:51 12728 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2009-09-07 21:52 . 2009-09-08 01:21 -------- d-----w- c:\program files\UnHackMe

2009-09-07 21:13 . 2009-09-07 21:21 -------- d-----w- c:\program files\RegCleaner

2009-09-07 20:58 . 2009-09-08 23:40 -------- d-----w- C:\_registry

2009-09-07 17:41 . 2009-09-07 20:42 -------- d-----w- C:\_new tech

2009-09-07 04:30 . 2009-09-07 04:30 -------- d-----w- c:\documents and settings\new1\Application Data\Malwarebytes

2009-09-07 03:33 . 2009-09-07 03:33 -------- d-----w- c:\documents and settings\new1\Local Settings\Application Data\Symantec

2009-09-07 03:15 . 2009-09-07 03:15 -------- d-----w- c:\documents and settings\new1\Local Settings\Application Data\Google

2009-09-07 02:50 . 2009-09-08 17:18 -------- d-----w- C:\_new downloads

2009-09-07 02:34 . 2009-09-07 02:34 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat

2009-09-07 02:31 . 2009-09-07 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-09-07 02:31 . 2009-09-07 02:31 -------- d-----w- c:\program files\Kaspersky Lab

2009-09-07 02:16 . 2009-09-07 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-07 01:20 . 2009-09-08 05:36 -------- dc----w- c:\windows\system32\DRVSTORE

2009-09-07 01:18 . 2009-09-07 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-06 23:25 . 2009-09-06 23:25 411368 ----a-w- c:\windows\system32\deploytk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-09 01:26 . 2005-05-14 04:07 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-08 14:06 . 2007-03-04 04:23 -------- d-----w- c:\program files\Replay AV 8

2009-09-08 00:07 . 2007-02-12 04:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-08 00:07 . 2007-02-12 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-07 21:27 . 2006-09-28 03:26 -------- d-----w- c:\program files\SpeedFan

2009-09-07 21:26 . 2005-05-14 03:36 -------- d-----w- c:\program files\Google

2009-09-07 05:08 . 2007-11-06 23:26 -------- d-----w- c:\program files\AWall

2009-09-07 03:38 . 2005-05-14 04:07 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-07 03:32 . 2005-05-14 04:08 -------- d-----w- c:\program files\Symantec

2009-09-07 03:32 . 2005-05-14 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-07 02:26 . 2007-06-04 04:00 -------- d-----w- c:\program files\Lavasoft

2009-09-06 23:25 . 2005-06-30 22:54 -------- d-----w- c:\program files\Java

2009-09-06 21:55 . 2007-10-17 21:51 -------- d-----w- c:\program files\Look@LAN

2009-08-31 15:37 . 2006-08-22 04:09 -------- d-----w- c:\documents and settings\Steve\Application Data\UK's Kalender

2009-07-21 02:03 . 2009-07-21 02:03 -------- d-----w- c:\documents and settings\test\Application Data\Malwarebytes

2009-07-18 16:17 . 2006-09-04 13:56 2 ---h--w- C:\time32.sys

2009-07-18 16:17 . 2006-09-04 13:57 442 ---h--w- C:\date.sys

2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-06 133104]

"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-07-28 236744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2003-10-31 15:01 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter Utility.lnk

backup=c:\windows\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CiSvc"=3 (0x3)

"ActiveWall"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=

"c:\\downloads\\network\\localportscan\\lps.exe"=

"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\Steve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-09-07 34760]

R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2009-09-07 24416]

R3 rspSanity;rspSanity;c:\windows\system32\DRIVERS\rspSanity32.sys [2009-03-08 30136]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

R3 TWJENGVV;TWJENGVV;c:\docume~1\Steve\LOCALS~1\Temp\TWJENGVV.exe [x]

S2 Nadim;NAD Proto Driver;c:\windows\system32\DRIVERS\nadim.sys [2007-04-10 18560]

S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\DRIVERS\tnet1130x.sys [2004-03-11 385536]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10920

*Deregistered* - EraserUtilRebootDrv

.

Contents of the 'Scheduled Tasks' folder

2006-10-13 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-08-04 04:56]

2008-02-18 c:\windows\Tasks\shutdown.job

- c:\windows\system32\shutdown.exe [2004-08-04 04:56]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)

.

------- Supplementary Scan -------

.

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-08 20:25

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]

"oajahdcbbibodhldfjlggjdcagiihp"=hex:6a,61,6d,68,6e,66,66,6d,65,66,6f,62,69,6a,

6b,61,6d,62,68,63,00,00

"najanfebkpbgalpdibgcjocffoff"=hex:6a,61,6c,68,6e,63,68,61,68,63,6f,64,62,69,

6e,65,67,6f,66,6a,00,00

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-09 20:37 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-09 01:36

Pre-Run: 33,773,805,568 bytes free

Post-Run: 33,812,725,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


You're welcome! I can see all the programs you ran in your Combofix log. It's a common reaction to becoming infected.

BTW, Combofix says you have both Kaspersky and Symantec AV and that KAV is enabled. Both these should be disabled before running Combofix again. If you do have two active AVs, then you have to choose which one you'd like to keep and uninstall the other.

We have files to clean up that we will manually specify for deletion by using a Combofix script. You will have to relocate your renamed Combofix (desk.exe) from c:\combo fix\ to your desktop for the next step to work.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
TWJENGVV

File::
c:\docume~1\Steve\LOCALS~1\Temp\TWJENGVV.exe

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32]

Save this to your desktop as CFScript.txt by selecting File -> Save as.

CFScriptB-4.gif

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!! You can re-enable all after the Combofix log is generated.

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (desk.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes (C:\Combofix.txt)

Do you know what these directories are? Did you create them?

C:\_registry

C:\_new tech

C:\_new downloads

Open a command prompt by doing the following:

  • Click Start -> run
  • type cmd
  • Hit Enter

Copy and paste the following onto the command line:

type c:\windows\winstart.bat > c:\winstart.txt && notepad c:\winstart.txt

  • Post back the log that opens c:\winstart.txt

Launch MBAM

  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you are unable to complete a scan with MBAM, or unable to launch it, then do the following:

  • Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe"
  • Now relaunch MBAM from the Start Menu or by double-clicking explorer.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
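Reading the logs the way the helper did above (two registered AV products, Security Center and firewall values flipped, a driver loading from a Temp directory, and a locked CLSID key), as an added Python example that is not code from this thread, from Malwarebytes or from ComboFix. It parses ComboFix's own line formats from an excerpt of the logs posted here; the temp-directory check is only a heuristic (the F-Secure online scanner's minifilter in the same log would trip it too).

```python
"""Triage of ComboFix log excerpts.  Added example: not code from this thread,
from Malwarebytes or from ComboFix.  It parses the sections the helper acted on
(AV lines, Security Center/firewall values, drivers, LOCKED REGISTRY KEYS)."""
import re

# Lines taken from the two ComboFix logs posted in this thread, double
# spacing removed; the section banners are ComboFix's own.
SAMPLE_LOG = r"""
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 TWJENGVV;TWJENGVV;c:\docume~1\Steve\LOCALS~1\Temp\TWJENGVV.exe [x]
S2 Nadim;NAD Proto Driver;c:\windows\system32\DRIVERS\nadim.sys [2007-04-10 18560]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]
"oajahdcbbibodhldfjlggjdcagiihp"=hex:6a,61,6d,68,6e,66,66,6d,65,66,6f,62,69,6a,
6b,61,6d,62,68,63,00,00
"najanfebkpbgalpdibgcjocffoff"=hex:6a,61,6c,68,6e,63,68,61,68,63,6f,64,62,69,
6e,65,67,6f,66,6a,00,00
------------------------ Other Running Processes ------------------------
"""

AV_RE = re.compile(r"^AV: (?P<name>.+?) \*On-access scanning (?P<state>enabled|disabled)\*")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+) \[(?P<info>[^\]]*)\]$")
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9a-fA-F,]+)$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+) \(0x[0-9a-fA-F]+\))$')
BANNER_RE = re.compile(r"^[-(*]{3}")  # "----", "((((" and "****" section banners


def parse_combofix(text):
    """Return AV lines, registry values, driver entries and locked keys."""
    report = {"av": [], "values": [], "drivers": [], "locked": {}}
    key, in_locked = None, False
    for line in re.sub(r",\r?\n\s*", ",", text).splitlines():  # rejoin wrapped hex: values
        line = line.strip()
        if not line:
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
        elif BANNER_RE.match(line):  # any other banner ends the current section
            in_locked, key = False, None
        elif m := AV_RE.match(line):
            report["av"].append((m["name"], m["state"] == "enabled"))
        elif m := KEY_RE.match(line):
            key = m["key"]
            if in_locked:
                report["locked"].setdefault(key, {})
        elif m := DRIVER_RE.match(line):
            report["drivers"].append({"start": m["start"], "name": m["name"],
                                      "path": m["path"], "present": m["info"] != "x"})
        elif key and (m := HEX_RE.match(line)):
            report["locked"].setdefault(key, {})[m["name"]] = bytes(int(b, 16) for b in m["data"].split(","))
        elif key and (m := DWORD_RE.match(line)):
            report["values"].append((key, m["name"], int(m["hex"], 16) if m["hex"] else int(m["dec"])))
    return report


# Security Center / firewall values that, as ComboFix showed them on this machine,
# mean protection was switched off (MBAM flagged UpdatesDisableNotify=1 the same way).
TAMPERED = {"AntiVirusOverride": 1, "UpdatesDisableNotify": 1,
            "DisableMonitoring": 1, "EnableFirewall": 0, "DisableNotifications": 1}


def triage(report):
    """Return (category, message) findings a reviewer of the log would raise."""
    findings = []
    if len(report["av"]) > 1:
        enabled = [n for n, on in report["av"] if on]
        findings.append(("av", "%d AV products registered, on-access enabled: %s"
                         % (len(report["av"]), ", ".join(enabled) or "none")))
    for key, name, val in report["values"]:
        if TAMPERED.get(name) == val:
            findings.append(("policy", "%s=%d under [%s]" % (name, val, key)))
    for d in report["drivers"]:
        if not d["present"]:
            findings.append(("driver", "%s is registered but its file is gone: %s" % (d["name"], d["path"])))
        if "\\temp\\" in d["path"].lower():
            findings.append(("driver", "%s loads from a temp directory: %s" % (d["name"], d["path"])))
    for key, values in report["locked"].items():
        findings.append(("locked", "key ComboFix could not open: [%s]" % key))
        for name, data in values.items():  # REG_BINARY payloads shown as text
            findings.append(("locked", "  %s = %r" % (name, data.rstrip(b"\0").decode("ascii", "replace"))))
    return findings


if __name__ == "__main__":
    for cat, msg in triage(parse_combofix(SAMPLE_LOG)):
        print("[%s] %s" % (cat, msg))
```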


I removed the Kaspersky trial, when it bombed out from the rootkit, from Add/Remove Programs.

I guess it didn't uninstall properly.

When I got the popup from combofix that kaspersky was active I checked all processes. I did not see anything Kaspersky related.

Before the second run of ComboFix, I manually deleted the Kaspersky folder from Program Files.

Then I tried a couple of registry cleaners that didn't detect Kaspersky. Do you know a good registry clean utility?

I manually removed Kaspersky folders in the registry using Find Next. I guess I missed some.

C:\_registry

C:\_new tech

C:\_new downloads

Yes I created those folders.

Here are the logs.

winstart did nothing except open a Notepad window with winstart.txt, which was blank. Does it take a long time?

ComboFix 09-09-08.04 - Steve 09/09/2009 1:01.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.188 [GMT -5:00]

Running from: c:\documents and settings\Steve\Desktop\desk.exe

Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::

"c:\docume~1\Steve\LOCALS~1\Temp\TWJENGVV.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TWJENGVV

-------\Service_TWJENGVV

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))

.

2009-09-09 00:43 . 2009-09-09 00:43 -------- d-----w- C:\combo fix

2009-09-08 23:47 . 2009-09-09 00:21 -------- d-----w- C:\ark

2009-09-08 02:27 . 2009-03-08 02:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys

2009-09-08 02:19 . 2009-09-08 02:19 7680 ----a-w- c:\windows\system32\drivers\RKL11.tmp.sys

2009-09-08 00:15 . 2009-09-08 05:35 -------- d-----w- c:\windows\RestoreSafeDeleted

2009-09-07 23:52 . 2009-09-07 23:52 24416 ----a-w- c:\windows\system32\drivers\regguard.sys

2009-09-07 23:31 . 2009-09-07 23:31 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-09-07 23:15 . 2009-09-07 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure

2009-09-07 21:53 . 2009-09-07 21:53 2 --shatr- c:\windows\winstart.bat

2009-09-07 21:13 . 2009-09-07 21:21 -------- d-----w- c:\program files\RegCleaner

2009-09-07 20:58 . 2009-09-09 05:40 -------- d-----w- C:\_registry

2009-09-07 17:41 . 2009-09-07 20:42 -------- d-----w- C:\_new tech

2009-09-07 04:30 . 2009-09-07 04:30 -------- d-----w- c:\documents and settings\new1\Application Data\Malwarebytes

2009-09-07 03:33 . 2009-09-07 03:33 -------- d-----w- c:\documents and settings\new1\Local Settings\Application Data\Symantec

2009-09-07 03:15 . 2009-09-07 03:15 -------- d-----w- c:\documents and settings\new1\Local Settings\Application Data\Google

2009-09-07 02:50 . 2009-09-09 05:53 -------- d-----w- C:\_new downloads

2009-09-07 02:34 . 2009-09-07 02:34 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat

2009-09-07 02:31 . 2009-09-07 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-09-07 02:16 . 2009-09-07 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-09-07 01:20 . 2009-09-08 05:36 -------- dc----w- c:\windows\system32\DRVSTORE

2009-09-07 01:18 . 2009-09-07 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-06 23:25 . 2009-09-06 23:25 411368 ----a-w- c:\windows\system32\deploytk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-09 06:13 . 2005-05-14 04:07 -------- d-----w- c:\program files\Symantec AntiVirus

2009-09-09 05:30 . 2005-05-13 20:17 -------- d-----w- c:\program files\microsoft frontpage

2009-09-08 14:06 . 2007-03-04 04:23 -------- d-----w- c:\program files\Replay AV 8

2009-09-08 00:07 . 2007-02-12 04:48 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-08 00:07 . 2007-02-12 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-07 21:27 . 2006-09-28 03:26 -------- d-----w- c:\program files\SpeedFan

2009-09-07 21:26 . 2005-05-14 03:36 -------- d-----w- c:\program files\Google

2009-09-07 05:08 . 2007-11-06 23:26 -------- d-----w- c:\program files\AWall

2009-09-07 03:38 . 2005-05-14 04:07 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-07 03:32 . 2005-05-14 04:08 -------- d-----w- c:\program files\Symantec

2009-09-07 03:32 . 2005-05-14 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-09-06 23:25 . 2005-06-30 22:54 -------- d-----w- c:\program files\Java

2009-09-06 21:55 . 2007-10-17 21:51 -------- d-----w- c:\program files\Look@LAN

2009-08-31 15:37 . 2006-08-22 04:09 -------- d-----w- c:\documents and settings\Steve\Application Data\UK's Kalender

2009-07-21 02:03 . 2009-07-21 02:03 -------- d-----w- c:\documents and settings\test\Application Data\Malwarebytes

2009-07-18 16:17 . 2006-09-04 13:56 2 ---h--w- C:\time32.sys

2009-07-18 16:17 . 2006-09-04 13:57 442 ---h--w- C:\date.sys

2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_01.25.55 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-09 06:13 . 2009-09-09 06:13 16384 c:\windows\temp\Perflib_Perfdata_13c.dat

+ 2001-08-18 17:00 . 2009-09-09 05:37 62746 c:\windows\system32\perfc009.dat

- 2001-08-18 17:00 . 2009-09-09 00:00 62746 c:\windows\system32\perfc009.dat

+ 2001-08-18 17:00 . 2009-09-09 05:37 401632 c:\windows\system32\perfh009.dat

- 2001-08-18 17:00 . 2009-09-09 00:00 401632 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2003-10-31 15:01 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter Utility.lnk

backup=c:\windows\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CiSvc"=3 (0x3)

"ActiveWall"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=

"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=

"c:\\downloads\\network\\localportscan\\lps.exe"=

"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\Steve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2009-09-07 24416]

R3 rspSanity;rspSanity;c:\windows\system32\DRIVERS\rspSanity32.sys [2009-03-08 30136]

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

S2 Nadim;NAD Proto Driver;c:\windows\system32\DRIVERS\nadim.sys [2007-04-10 18560]

S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\DRIVERS\tnet1130x.sys [2004-03-11 385536]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10920

.

Contents of the 'Scheduled Tasks' folder

2006-10-13 c:\windows\Tasks\Disk Cleanup.job

- c:\windows\system32\cleanmgr.exe [2004-08-04 04:56]

2008-02-18 c:\windows\Tasks\shutdown.job

- c:\windows\system32\shutdown.exe [2004-08-04 04:56]

.

.

------- Supplementary Scan -------

.

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-09 01:14

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]

"oajahdcbbibodhldfjlggjdcagiihp"=hex:6a,61,6d,68,6e,66,66,6d,65,66,6f,62,69,6a,

6b,61,6d,62,68,63,00,00

"najanfebkpbgalpdibgcjocffoff"=hex:6a,61,6c,68,6e,63,68,61,68,63,6f,64,62,69,

6e,65,67,6f,66,6a,00,00

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-09 1:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-09 06:25

ComboFix2.txt 2009-09-09 01:37

Pre-Run: 33,732,984,832 bytes free

Post-Run: 33,699,762,176 bytes free


MBAM log

Malwarebytes' Anti-Malware 1.40

Database version: 2763

Windows 5.1.2600 Service Pack 2

9/9/2009 1:45:07 AM

mbam-log-2009-09-09 (01-44-57).txt

Scan type: Quick Scan

Objects scanned: 131783

Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

processes.doc


Hi steveg45,

There must be some registry stragglers left by KAV.

I use CCleaner because it gives the option to back up registry changes, though I don't recommend registry cleaners in general. It is a good temp file cleaner, as well. Here's my canned for temp file cleaning only:

Download CCleaner by clicking the Latest Version arrow on the right.

http://www.filehippo.com/download_ccleaner/Download

Double-click CC setup file to launch the installer

1. Note: CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, when the install options are presented, UNCHECK the last install option, "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser".

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:

* Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.

* Clean all the entries in the "Windows Explorer" section.

* Clean all entries in the "System" section.

* Clean all entries in the "Advanced" section.

* Clean any others that you choose.

In the Applications Tab:

* Clean all except cookies in the Firefox/Mozilla section if you use it.

* Clean all in the Opera section if you use it.

* Clean Sun Java in the Internet Section.

* Clean any others that you choose.

4. Click the "Run Cleaner" button.

5. A pop up box will appear advising this process will permanently delete files from your system.

6. Click "OK" and it will scan and clean your system.

7. Click "exit" when done.

Your logs look good except there is a locked registry key that is being stubborn. It is not dangerous since anything it references is gone but I'd like to try to remove it, if at all possible.

Download RegDelNull and unzip it to your desktop.

Open a command prompt (Start -> Run, type cmd, and hit Enter)

Copy/Paste the following command onto the command line to launch RegDelNull and then accept the User License Agreement when prompted to.

"%userprofile%\desktop"\regdelnull hklm -s

Let the utility run until you see "Scan complete"

Run Combofix again:

Open Notepad and copy/paste the text in the code box below into Notepad:

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]

Save it to your desktop as CFScript.txt

Drag CFScript.txt into the renamed Combofix on your desktop to start a new Combofix run

Please post back the log Combofix.txt when it opens.

Launch Avenger by double-clicking on avenger.exe or its desktop (sword) shortcut

  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to "Automatically disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Registry keys to delete:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6F8F3B69-3D1A-C6D7-DBE1-0CF8B6E314DA}\InProcServer32*]

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?".
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log, in your next reply.

Please post back:

1. C:\Combofix.txt

2. C:\Avenger.txt


5 weeks later... (Root Admin)

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
