Jump to content

infected with avcare - cant run combofix


levn05
 Share

Recommended Posts

Hello,

My laptop has been infected with avcare. I ran NOD32 and then used rootrepeal to remove what I could find. The pop ups and such stopped but I am still prevented from running malwarebytes (it shuts down 2 seconds into the scan) and I can't use the rootrepeal feature to scan for locked files (shuts down again). I also can't use AVG and hijackthis. Combofix (even though I rename it to combo-fix before downloading, and I've tried other names) gives a small loading bar that says combofix above but never actually starts. I can run avenger successfully though. Here is the lot from rootrepeal except the files feature (can't run that).

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/12 22:47

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA9503000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5D6000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xBA5BA000 Size: 7872 File Visible: No Signed: -

Status: -

Name: REGSYS701.SYS

Image Path: C:\WINDOWS\system32\Drivers\REGSYS701.SYS

Address: 0xA8A45000 Size: 33184 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9183000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xBA458000 Size: 20480 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0x8aa99210

#: 047 Function Name: NtCreateProcess

Status: Hooked by "<unknown>" at address 0x8aa9b128

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "<unknown>" at address 0x8aa8dd68

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x8aabd238

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0x8aab1618

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0x8aabe020

#: 180 Function Name: NtQueueApcThread

Status: Hooked by "<unknown>" at address 0x8aad05e8

#: 186 Function Name: NtReadVirtualMemory

Status: Hooked by "<unknown>" at address 0x8aad8268

#: 192 Function Name: NtRenameKey

Status: Hooked by "<unknown>" at address 0x8aa941e8

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x8aa31238

#: 226 Function Name: NtSetInformationKey

Status: Hooked by "<unknown>" at address 0x8aa9b2e8

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x8aa5c1e0

#: 229 Function Name: NtSetInformationThread

Status: Hooked by "<unknown>" at address 0x8aa8d0a0

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0x8aa8d308

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x8aa992f8

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x8aa311c0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x8aa4a4b0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x8aa8d020

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x8aad82e0

Stealth Objects

-------------------

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]

Process: System Address: 0x8a7d6a18 Size: 1175

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a7d6838 Size: 1655

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]

Process: System Address: 0x8a7d67c0 Size: 1775

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]

Process: System Address: 0x8a7d6748 Size: 1895

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]

Process: System Address: 0x8a7d66d0 Size: 2015

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a7d6658 Size: 2135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a7d65e0 Size: 2255

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a7d6568 Size: 2375

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]

Process: System Address: 0x8a7d64f0 Size: 2495

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a7d6478 Size: 2615

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a7d6400 Size: 2735

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a7d6388 Size: 2855

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a7bea20 Size: 1504

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a7be9a8 Size: 1624

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a7be930 Size: 1744

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a7be8b8 Size: 1864

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a7be840 Size: 1984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a7be7c8 Size: 2104

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]

Process: System Address: 0x8a7be750 Size: 2224

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a7be6d8 Size: 2344

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a7be660 Size: 2464

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a7be5e8 Size: 2584

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]

Process: System Address: 0x8a7be570 Size: 2704

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a7be4f8 Size: 2824

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a7be480 Size: 2944

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a7be408 Size: 3064

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a815020 Size: 3655

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]

Process: System Address: 0x8a815750 Size: 1815

Hidden Services

-------------------

Service Name: UACd.sys

Image Path: C:\WINDOWS\system32\drivers\UACcfvbnnojkm.sys < I removed this file (it hasn't come back after restarts).

==EOF==

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.