Vundo and Redirected Searches

[staryfury]

couple additional things.

the rpcapd seems to be something on the whole that is of not legit concern online, so i'm wondering if this is something that we should consider a problem.

Also note that my popups and redirections stopped.

[Maniac]

Hi!

Sorry about delay.

According to HJT, this entrie is still here:

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

This is a mistake, which will be sent to Trend Micro.

Several recent log files.

Step 1:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Now click on Advanced Settings and select the following:
  

• • Remove found threats
    
  • Scan archives
    
  • Scan for potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth Technology
    

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Step 2:

Next, download Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Step 3:

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
  
• Click on the Report tab at the bottom of the program window
  
• Click the Scan button
  
• In the Select Scan dialog, check:
  • 
    
  • Drivers
    
  • Files
    
  • Processes
    
  • SSDT
    
  • Stealth Objects
    
  • Hidden Services
    

  [*]Click the OK button

  [*]In the next dialog, select all drives showing

  [*]Click OK to start the scan

  Note: The scan can take some time.
  DO NOT
  run any other programs while the scan is running

  [*]When the scan is complete, the Save Report button will become available

  [*]Click this and save the report to your Desktop as RootRepeal.txt

  [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
  
• Under the reply panel is the Attachments Panel
  
• Browse for the attachment file you want to upload, then click the green Upload button
  
• Once it has uploaded, click the Manage Current Attachments drop down box
  
• Click on to insert the attachment into your post
  

[staryfury]

Sorry about the delay, i had a 13 page report that needed to be completed and handed off this morning, and was exhausted this afternoon.

The HijackThis Log has bee repaired (the entry you put up) 3 seperate times and reappeared, so it is as you say.

here is the ESET from step 1. I will post 2 and 3 within short order.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=90ffbdfc0e484947ba7b314f9e0e039b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-08 11:52:26

# local_time=2009-12-08 05:52:26 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1028 16777214 0 5 19488690 25481862 0 0

# compatibility_mode=5121 16776533 100 96 651509 12314625 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=203319

# found=1

# cleaned=1

# scan_time=6846

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.RF virus (deleted - quarantined) 00000000000000000000000000000000 C

[staryfury]

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

McAfee Uninstaller

McAfee SecurityCenter

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Windows Defender

Secunia PSI

Trojan Remover 6.7.5

HijackThis 2.0.2

Java 6 Update 17

Adobe Flash Player 10

Adobe Reader 9.2

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

[staryfury]

Step 3 comes up as follows for now:

The bandwidth or page view limit for this site has been exceeded and the page cannot be viewed at this time. Once the site is below the limit, it will once again begin serving as normal.

I will try again later i suppose, will let you know if the problem continues.

[Maniac]

I attach RootRepeal to my post.

RootRepeal.zip

[staryfury]

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/12/09 15:34

Program Version: Version 1.3.5.0

Windows Version: Windows XP Media Center Edition SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF36A0000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A11000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB8919000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

==EOF==

[Maniac]

Your logs seems to be clean. How are things now?

[staryfury]

The system on the whole has been running smoothly lately, i feel it's doing a little better than before i started seeing all of these popup's and redirections.

Let me know if theres anything else you'd suggest i run in addition to what i have already.

[Maniac]

Good!

Here some final steps:

Step 1:

Click Start > Run in the run box copy and paste or type ComboFix /uninstall then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.

Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

Follow these steps to uninstall Combofix and all of its files and components.

• Click START then RUN
  
• Now type Combo-Fix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

Step 2:

Please navigate to C:\Program Files\ESET\ESET Online Scanner and run OnlineScannerUninstaller.exe. Then, follow the instructions to successfully remove the ESET Online Scanner.

Step 3:

Manually delete the following files: DDS, HiJackThis.exe, avgremover.exe, SecurityCheck.exe and RootRepeal.exe .

And to finish some prevention:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

I wish you all the best!