
System Antivirus Pro



Need Help Too

Got us while loaded on tryptophan. Nice.

So, "guard" seems to be a common theme in the malicious exes.

Got this today. When I turned my computer back on, I opened task manager immediately (while windows and "warnings" juuuust started popping up) and began ending erroneous processes. In my case, there are a few exes, including one with suffix "guard." All the pop-ups stop after I end "...guard.exe", then I run Malwarebytes Antimalware, which supposedly finds the System Antivirus Pro trojan, and supposedly removes it.

However, when I turn my computer off and back on again, System Antivirus Pro is still there. This and the OP lead me to surmise SAP also has an MBAM-targeting virus built in. Bait and distraction for mbam...?

Also, it tries to access the internet through IE, which, ironically, is still impaired from a previous infection.

How do we get rid of this thing permanently?

Possibly related: has anyone looked into whether malwarebytes or super antispyware contain delayed trojans themselves?


Hello nosebedder.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not nosebedder and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Step 1

If this system is running Vista or Windows 7:

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

If this system is running Windows XP:

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

CHECK (turn on) "Display the contents of system folders".

Under the "Hidden files and folders" column, select "Show hidden files and folders".

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Download Win32kDiag from any of the following locations and save it to your Desktop.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

Download RootRepeal from one of these links:

>>Link 1<<

or >>Link 2<<

or >>Link 3<<

  • SAVE the zip download to your Desktop.
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Reply with a copy of the RootRepeal log.


Nada... Win32kDiag didn't come up with anything either. (Was it supposed to?)

PS I had to end the malicious .exe process before being able to run any of this. Does that make a difference? It's something like "tqkysguard.exe"

Anyway, here's the RootRepeal log:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/11/29 09:55

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_379.trc

Status: Allocation size mismatch (API: 4096, Raw: 0)


End the process for tqkysguard and then re-run RootRepeal. Then copy and paste the new RootRepeal log.

Hi Maurice,

That is what I did the first time. I had already ended the process when I ran RootRepeal - I had to, otherwise my screen is covered in pop-ups.

Also, if this helps, here is what Malwarebytes finds when I do a scan (both quick and full). But, like I said, even after "removing" it, it's still there next time I start my PC:

Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 3

11/29/2009 10:12:09 AM

mbam-log-2009-11-29 (10-12-09).txt

Scan type: Quick Scan

Objects scanned: 132571

Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT!!! SAVE AS Combo-Fix.exe to your Desktop.

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: whatnext.png)

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.


RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of C:\ComboFix.txt.


Awesome! Looks like we got it!

I'll reboot now with fingers crossed.

Log:

ComboFix 09-11-29.01 - mcjuju 11/29/2009 10:43.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2288 [GMT -8:00]

Running from: c:\documents and settings\mcjuju.VALUED-C47410C8\My Documents\Downloads\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr

c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr\tkcqsysguard.exe

c:\recycler\S-1-5-21-108563681-2081967693-4096323971-500

c:\recycler\S-1-5-21-2025429265-413027322-725345543-500

c:\windows\setup.exe

.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))

.

2009-11-29 17:36 . 2009-11-29 17:45 -------- d-----w- C:\RootRepeal

2009-11-29 17:36 . 2009-11-29 17:36 0 ----a-w- c:\documents and settings\mcjuju.VALUED-C47410C8\settings.dat

2009-11-13 02:19 . 2009-11-13 02:19 -------- d-----w- c:\program files\DivX

2009-11-13 02:19 . 2009-11-13 02:19 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-11-11 08:28 . 2009-11-11 08:28 247280 ----a-w- c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-11-08 19:57 . 2009-11-08 19:57 -------- d-----w- c:\documents and settings\guest user.VALUED-C47410C8\Local Settings\Application Data\Mozilla

2009-11-03 04:12 . 2009-11-24 04:16 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Temp

2009-11-01 18:21 . 2009-11-01 18:21 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Help

2009-11-01 18:19 . 2009-11-01 18:19 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\WINDOWS

2009-11-01 17:57 . 2009-11-01 17:57 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\WMTools Downloaded Files

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-29 18:19 . 2009-02-20 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-11-29 17:55 . 2009-09-27 17:16 -------- d-----w- c:\program files\MF

2009-11-22 03:08 . 2009-08-03 06:02 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\Skype

2009-11-19 03:29 . 2008-07-29 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-11-01 18:20 . 2009-11-01 18:20 -------- d-----w- c:\program files\ETS

2009-11-01 17:57 . 2009-08-03 06:03 -------- d-----w- c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\skypePM

2009-09-27 17:16 . 2009-09-27 17:16 0 ----a-w- c:\windows\nsreg.dat

2009-09-26 22:29 . 2009-09-26 22:29 117760 ----a-w- c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll

2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll

2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll

2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll

2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll

2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll

2009-09-11 14:18 . 2008-07-29 09:43 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 21:54 . 2009-09-26 21:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 21:53 . 2009-09-26 21:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2008-07-29 09:43 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-01-29 01:25 . 2009-01-29 01:25 67072 --sha-w- c:\windows\system32\bebopeto.dll.tmp

2009-01-29 01:25 . 2009-01-29 01:25 67072 --sha-w- c:\windows\system32\jiziwifi.dll.tmp

2009-02-04 02:13 . 2009-02-04 02:13 69632 --sha-w- c:\windows\system32\pusuyogu.dll.tmp

2009-01-29 01:25 . 2009-01-29 01:25 67072 --sha-w- c:\windows\system32\puvabana.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2008-04-03 20:10 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2008-04-03 20:10 2957312 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]

"Google Update"="c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-14 1032192]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-23 170520]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-23 141848]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2008-03-26 217088]

"VMSwitch"="c:\program files\Sony\VAIO Mode Switch\VMSwitch.exe" [2008-05-15 534368]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2008-04-03 48904]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2008-05-14 503808]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-05-16 315392]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-05-01 1191936]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malbs\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SOSsas\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SOSsas\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2008-04-03 19:57 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2008-03-25 19:53 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\mcjuju.VALUED-C47410C8\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\mcjuju.VALUED-C47410C8\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [7/29/2008 2:10 AM 22560]

R1 SASDIFSV;SASDIFSV;c:\program files\SOSsas\sasdifsv.sys [9/15/2009 10:42 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SOSsas\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/6/2009 6:16 AM 24652]

R3 5U875UVC;Sony Visual Communication Camera;c:\windows\system32\drivers\5U875.sys [7/29/2008 2:30 AM 71296]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [7/29/2008 1:44 AM 41216]

S2 gupdate1c9930f46813e3c;Google Update Service (gupdate1c9930f46813e3c);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2009 7:56 PM 133104]

S3 SASENUM;SASENUM;c:\program files\SOSsas\SASENUM.SYS [9/15/2009 10:42 AM 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-25 03:56]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 03:56]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 03:56]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2895517523-966786002-4068372671-1008Core.job

- c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 04:13]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2895517523-966786002-4068372671-1008UA.job

- c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 04:13]

2009-01-24 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2008-07-29 12:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

FF - ProfilePath - c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\Mozilla\Firefox\Profiles\iehbyncz.default\

FF - plugin: c:\documents and settings\mcjuju.VALUED-C47410C8\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\MF\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-udqmkvjo - c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr\tkcqsysguard.exe

HKLM-Run-udqmkvjo - c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr\tkcqsysguard.exe

AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\documents and settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe REMOVE=TRUE MODIFY=FALSE

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-29 10:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\MCJUJU~1.VAL\LOCALS~1\Temp\RGI1D.tmp 7075 bytes

scan completed successfully

hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys shpf.sys ACPI.sys hal.dll >>UNKNOWN [0x8AC8B618]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\iaStor -> iaStor.sys @ 0xb9e9078c

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)

c:\windows\system32\WININET.dll

c:\program files\SOSsas\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\windows\system32\VESWinlogon.dll

c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1108)

c:\windows\system32\WININET.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infra.dll

.

Completion time: 2009-11-29 10:58

ComboFix-quarantined-files.txt 2009-11-29 18:58

Pre-Run: 295,784,992,768 bytes free

Post-Run: 296,769,167,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 51E6888FCA1080E4F9A8386C9A13D44E

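The MBAM log earlier in the thread only found the HKCU\SOFTWARE\AvScan key, which is why the rogue survived a reboot; the ComboFix log above shows where it actually persisted: Run values named udqmkvjo under both HKCU and HKLM pointing at tkcqsysguard.exe in a user-writable Application Data folder, an IE proxy set to 127.0.0.1:5555 (the "tries to access the internet through IE" symptom), and Security Center's AntiVirusOverride flag. The following Python script is an added example, not code from this thread or from ComboFix, that walks a constructed log excerpt modelled on that output and flags those indicators; the name-randomness thresholds in looks_random and the two-signal rule are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log in this thread (sample input, not a live
# file). The udqmkvjo Run value is shown as it looked before ComboFix removed it (the real
# log lists it under ORPHANS REMOVED); its size field is made up.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]
"udqmkvjo"="c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr\tkcqsysguard.exe" [2009-11-29 0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-14 1032192]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
HKLM-Run-udqmkvjo - c:\documents and settings\mcjuju.VALUED-C47410C8\Local Settings\Application Data\tebslr\tkcqsysguard.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')  # "name"="path" [date size]
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
# Per-user paths a non-admin process can write to. Legitimate software (Google Update)
# lives here too, so this signal alone never flags an entry.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\",
                 "\\local settings\\temp\\")


def looks_random(token: str) -> bool:
    """Assumed heuristic for the generated names this rogue used (udqmkvjo, tebslr):
    six or more lowercase letters with under 30% vowels."""
    if not re.fullmatch(r"[a-z]{6,}", token):
        return False
    return sum(token.count(v) for v in "aeiou") / len(token) < 0.3


def _check_autorun(findings: Dict[str, List], key: str, name: str, path: str) -> None:
    """Score one Run value; keep it only when at least two independent signals agree."""
    parts = path.split("\\")
    parent = parts[-2] if len(parts) > 1 else ""
    stem = parts[-1].rsplit(".", 1)[0]
    lowered = path.lower()
    signals = [
        (any(marker in lowered for marker in USER_WRITABLE), "target in user-writable profile directory"),
        (looks_random(name), "random-looking value name"),
        (looks_random(parent), "random-looking parent folder"),
        (looks_random(stem), "random-looking file name"),
        (lowered.endswith("guard.exe"), "'...guard.exe' naming seen with this rogue"),
    ]
    reasons = [text for hit, text in signals if hit]
    if len(reasons) >= 2:
        findings["autoruns"].append({"key": key, "name": name, "path": path, "reasons": reasons})


def triage(log_text: str) -> Dict[str, List]:
    """Walk a ComboFix log and return Run entries and settings that deserve a second look."""
    findings: Dict[str, List] = {"autoruns": [], "settings": []}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m.group("key").lower()
        elif (m := VALUE_RE.match(line)) and current_key.endswith("\\currentversion\\run"):
            _check_autorun(findings, current_key, m.group("name"), m.group("path"))
        elif m := ORPHAN_RE.match(line):
            _check_autorun(findings, m.group("hive") + "-Run (orphan)", m.group("name"), m.group("path"))
        elif current_key.endswith("\\security center") and line == '"AntiVirusOverride"=dword:00000001':
            # Also set when a user merely dismisses the alert, so this is a review item, not proof.
            findings["settings"].append("Security Center AntiVirusOverride=1: AV status alerts suppressed")
        elif (m := PROXY_RE.search(line)) and "127.0.0.1" in m.group("proxy"):
            findings["settings"].append(
                f"IE proxy set to loopback ({m.group('proxy')}): browser traffic routed through a local process")
    return findings
```

Running `triage(SAMPLE_LOG)` reports the udqmkvjo entry twice (live Run value and orphan line) with all five reasons, leaves Google Update alone because only the location signal fires, and lists the proxy and AntiVirusOverride settings for review.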

You have done well to this point. We need to clean up a few files/folders, and then I'd like for you to do a scan, so please do the following.

Step 1

You will want to print out or copy these instructions to Notepad for offline reference!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::

c:\windows\system32\bebopeto.dll.tmp

c:\windows\system32\jiziwifi.dll.tmp

c:\windows\system32\pusuyogu.dll.tmp

c:\windows\system32\puvabana.dll.tmp

C:\recycler

D:\recycler

e:\recycler

f:\recycler

g:\recycler

h:\recycler

Save this as CFScript.txt, in the same location as ComboFix.exe.

(screenshot: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine
  • Make sure you read this document to understand how to use the program: Trend Micro Sysclean Package README 1st
  • Basically there are 3 parts that need to be downloaded and SAVED from these links:
  • Download Sysclean Package
  • Download Virus Pattern Files (this will be a LPTxxx.ZIP file)
  • Download Spyware Pattern Files (this is a SSAPIPTNxxx.ZIP file). It is the 4th listed file, under the title "Detection and Cleanup (Trend Micro Anti-Spyware)".

