Jump to content

Rootkit.agent cannot be removed from Drivers folder.


London

Recommended Posts

So my friend got a virus and we have managed to remove everything off the computer except the rootkit.agent

we did a combo fix and a MBAM, we also downloaded another tool and tried to *wipe* the file, and then delete if with MBAB with no avail, multiple reboots and rescans and its still there.

here is my Combo Fix Logg:

ComboFix 09-12-25.04 - User 12/26/2009 3:56.2.4 - x86

Microsoft

Link to post
Share on other sites

Hello London,

First, do NOT run any tools on your own while I am helping you. Be very aware Combofix is a tool that should not be used by the untrained.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Right click the Spybot Icon (blue icon with lock teatimer-systemtray-en.1.png) in the system tray (notification area).

  • If you have the new version, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.

Do not run or start any other programs while these utilities and tools are in use!

icon_arrow.gif Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

Step 4

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • RIGHT click on avenger.exe and then select "Run as Administrator to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Drivers to disable:
    ovxhbse

    Drivers to delete:
    ovxhbse

    Files to delete:
    c:\windows\System32\drivers\ovxhbse.sys

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovxhbse
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovxhbse

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the avenger window, click the Paste Script from Clipboard icon, pastets4.png button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

Step 5

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and then select "Run as Administrator. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Step 6

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • RIGHT click on RSIT.exe and then select "Run as Administrator to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step 7

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

eusa_hand.gifIf one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Step 7

Then copy/paste the following into your post (in order):

  • the contents of the GMER.txt log
  • the contents of Log.txt
  • the contents of Info.txt
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Link to post
Share on other sites

The GMER.txt log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2009-12-26 23:06:39

Windows 6.0.6002 Service Pack 2

Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\uxdcapob.sys

---- Kernel code sections - GMER 1.0.15 ----

? system32\drivers\cbista.sys The system cannot find the path specified. !

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8071F024]

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E40B340, 0x40AA77, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[836] ole32.dll!CoCreateInstance 76FC9EA6 5 Bytes JMP 0045000A

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 8579C618

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@yumenetworks[6].txt 0 bytes

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

The Info.txt

info.txt logfile of random's system information tool 1.06 2009-12-26 22:41:58

======Uninstall list======

-->"C:\Program Files\Creative Installation Information\CREATIVE_SYNC_MANAGER_U\Setup.exe" /remove /l0x0009

-->"C:\Program Files\Creative Installation Information\CREATIVE_VIDEO_CONVERTER\Setup.exe" /remove /l0x0009

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}

2007 Microsoft Office system-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL

3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly

Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE

Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}

Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}

Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}

Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}

Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}

Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}

Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}

Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe

Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}

Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}

Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}

Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}

Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}

Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}

Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe

Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}

Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}

Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}

Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe

Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}

Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}

Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}

Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe

Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}

Adobe Reader 8.1.6-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}

Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}

Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}

Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}

Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}

Adobe Shockwave Player-->C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log

Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}

Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}

Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}

Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}

Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}

AIM 7-->C:\Program Files\AIM\uninst.exe

AT&T Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

ATI Uninstaller-->C:\Program Files\ATI\CIM\Bin\Atisetup.exe -uninstall all

BatchPhoto v2.5-->"C:\Program Files\BatchPhoto\unins000.exe"

CCleaner-->"C:\Program Files\CCleaner\uninst.exe"

Diablo II-->C:\Windows\DIIUnin.exe C:\Windows\DIIUnin.dat

DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS

DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe

ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"

ffdshow (remove only)-->"C:\Program Files\ffdshow\uninstall.exe"

Google Talk (remove only)-->"C:\Program Files\Google\Google Talk\uninstall.exe"

Guild Wars-->"C:\Program Files\Guild Wars\Gw.exe" -uninstall

Highlight Viewer (Windows Live Toolbar)-->MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Java 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}

Java 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

Java 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

Linksys Wireless-G PCI Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9

Logitech GamePanel Software 3.02.173-->MsiExec.exe /X{EB731227-8AC5-4889-ACE9-7D87864A9F19}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Map Button (Windows Live Toolbar)-->MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}

Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}

Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}

Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}

Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}

Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}

Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}

Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}

Microsoft Office Professional Hybrid 2007-->MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}

Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}

Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}

Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}

Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}

Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}

Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}

Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}

Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}

Microsoft Search Enhancement Pack-->MsiExec.exe /X{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}

Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}

Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

Mozilla Firefox (3.5.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}

NCsoft Launcher-->"C:\Program Files\InstallShield Installation Information\{C9FB868B-2086-4EE2-BD4F-BFBA36B131F4}\setup.exe" -runfromtemp -l0x0009 -removeonly

NCsoft Launcher-->C:\Program Files\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonly

NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI

NVIDIA nTune-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033

NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}

PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}

RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0

Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\Setup.exe -runfromtemp -l0x0009 -removeonly

Realtek High Definition Audio Driver-->RtlUpd.exe -r -m

Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}

Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}

Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}

Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}

Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}

Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}

Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}

Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}

Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}

Smart Menus (Windows Live Toolbar)-->MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}

Sophos Anti-Rootkit 1.5.0-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove

Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"

Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}

Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}

Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}

Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}

Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}

Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}

Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}

Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}

Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}

Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}

Update for Outlook 2007 Junk Email Filter (kb976884)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {FB60F280-C70F-4174-BADB-471412AA42F0}

VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}

Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}

Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}

Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""

Warhammer Online - Age of Reckoning-->C:\Program Files\Electronic Arts\Warhammer Online - Age of Reckoning\uninst2.exe

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows 7 Upgrade Advisor Beta-->MsiExec.exe /I{4394DC3A-5DAC-4C80-A86E-FF462D0AD653}

Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}

Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}

Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe

Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}

Windows Live Favorites for Windows Live Toolbar-->MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}

Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}

Windows Live OneCare safety scanner-->"C:\Program Files\Windows Live Safety Center\UnInstall.exe"

Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}

Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}

Windows Live Toolbar Extension (Windows Live Toolbar)-->MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}

Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}

Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}

Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

Windows Vista Upgrade Advisor-->MsiExec.exe /I{C6AA3FB7-804F-4808-AD91-B62D6ED9B788}

WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

WinZip 12.0-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}

ZENcast Organizer-->"C:\Program Files\Creative Installation Information\ZENCAST_ORGANIZER\Setup.exe" /remove /l0x0009

=====HijackThis Backups=====

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [2009-12-25]

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [2009-12-25]

F2 - REG:system.ini: UserInit=C:\Windows\system32\winlogon86.exe [2009-12-25]

O4 - HKLM\..\Run: [winupdate86.exe] C:\Windows\system32\winupdate86.exe [2009-12-25]

O4 - HKLM\..\Run: [winupdate86.exe] C:\Windows\system32\winupdate86.exe [2009-12-25]

F2 - REG:system.ini: UserInit=C:\Windows\system32\winlogon86.exe [2009-12-25]

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe [2009-12-25]

======Hosts File======

127.0.0.1 localhost

======Security center information======

AS: Spybot - Search and Destroy (disabled)

AS: Windows Defender (disabled)

======System event log======

Computer Name: ibuypower

Event Code: 4226

Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 132257

Source Name: Tcpip

Time Written: 20090421165808.066441-000

Event Type: Warning

User:

Computer Name: ibuypower

Event Code: 15016

Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.

Record Number: 132140

Source Name: Microsoft-Windows-HttpEvent

Time Written: 20090421150144.716136-000

Event Type: Error

User:

Computer Name: ibuypower

Event Code: 4001

Message: WLAN AutoConfig service has successfully stopped.

Record Number: 132125

Source Name: Microsoft-Windows-WLAN-AutoConfig

Time Written: 20090421150045.120000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: ibuypower

Event Code: 3004

Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:

Not Applicable

Scan ID: {91D515DC-C224-45B9-93BC-D18A2646E748}

User: ibuypower\User

Name: Unknown

ID:

Severity ID:

Category ID:

Path Found: regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\WinampAgent;runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\WinampAgent;file:C:\Program Files\Winamp\winampa.exe

Alert Type: Unclassified software

Detection Type:

Record Number: 131482

Source Name: Microsoft-Windows-Windows Defender

Time Written: 20090419155043.000000-000

Event Type: Warning

User:

Computer Name: ibuypower

Event Code: 1002

Message: Windows Defender scan has been stopped before completion.

Scan ID: {C6A0BEC9-7D45-4C84-B38C-143B6EDD552C}

Scan Type: AntiSpyware

Scan Parameters: Quick Scan

User: NT AUTHORITY\NETWORK SERVICE

Record Number: 131367

Source Name: Microsoft-Windows-Windows Defender

Time Written: 20090419070111.000000-000

Event Type: Warning

User:

=====Application event log=====

Computer Name: ibuypower

Event Code: 6005

Message: The winlogon notification subscriber <TrustedInstaller> is taking long time to handle the notification event (CreateSession).

Record Number: 123

Source Name: Microsoft-Windows-Winlogon

Time Written: 20080130231415.000000-000

Event Type: Warning

User:

Computer Name: ibuypower

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

1 user registry handles leaked from \Registry\User\S-1-5-21-1438342224-747510617-516726662-1000_Classes:

Process 852 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1438342224-747510617-516726662-1000_CLASSES

Record Number: 105

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20080130231054.000000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: ibuypower

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

1 user registry handles leaked from \Registry\User\S-1-5-21-1438342224-747510617-516726662-1000:

Process 852 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1438342224-747510617-516726662-1000

Record Number: 104

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20080130231053.000000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: ibuypower

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

1 user registry handles leaked from \Registry\User\S-1-5-21-1438342224-747510617-516726662-1000:

Process 492 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1438342224-747510617-516726662-1000

Record Number: 71

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20080130224223.000000-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: ibuypower

Event Code: 1008

Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 25

Source Name: Microsoft-Windows-Search

Time Written: 20080130223620.000000-000

Event Type: Warning

User:

=====Security event log=====

Computer Name: ibuypower

Event Code: 4624

Message: An account was successfully logged on.

Subject:

Security ID: S-1-5-18

Account Name: IBUYPOWER$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Logon Type: 5

New Logon:

Security ID: S-1-5-18

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x218

Process Name: C:\Windows\System32\services.exe

Network Information:

Workstation Name:

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Advapi

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Record Number: 1676

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20080223161740.529310-000

Event Type: Audit Success

User:

Computer Name: ibuypower

Event Code: 4648

Message: A logon was attempted using explicit credentials.

Subject:

Security ID: S-1-5-18

Account Name: IBUYPOWER$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:

Target Server Name: localhost

Additional Information: localhost

Process Information:

Process ID: 0x218

Process Name: C:\Windows\System32\services.exe

Network Information:

Network Address: -

Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account

Link to post
Share on other sites

checkup.txt:

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 2 (UAC is disabled!)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

Spyware Terminator

Spybot - Search & Destroy

Sophos Anti-Rootkit 1.5.0

HijackThis 2.0.2

CCleaner

Java 6 Update 13

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 8.1.6

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Link to post
Share on other sites

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Step 1

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe otlDesktopIcon.png to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :processes
    killallprocesses
    :files
    C:\Windows\tasks\efmslcvn.job
    C:\Users\User\AppData\Local\Temp\uxdcapob.sys
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 2

Next: Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break popcorn.gifpepsi.gif

Step 3

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • right-click RootRepeal.exe and select "Run as Administrator" to launch the program.
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Step 4

I do not see an antivirus program running on your system. Do you have one? If yes, make sure it is active. If not, get an antivirus program installed as your first priority.

If cost is an issue, you may get Avira AntiVir free edition (for personal non-commercial use)

http://www.free-av.com

Step 5

javaicon.gif See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=42611

Reply with copy of the C:\Avenger.txt

OTL MovedFiles log

Eset scan log

and the RootRepeal log

Link to post
Share on other sites

He ran RootRepeal it ran for a while then when it got to scanning c:\windows\winsxs\manifests it sat there for about 20 mins and it isnt moving.

He ran OTL and its made him unable to logg into regular windows after the scan it needed to reboot. When it was done booting back up he started getting the same pop ups as when he first got the virus. Now explorer locks up every reboot until he goes into safemode to continue on.

Link to post
Share on other sites

he just got a root repeal error:

attempt to write to address: 0X704

it prompted for okay and he clicked it and now its spamming the error over and over until it crashes. It gave this report:

ROOTREPEAL CRASH REPORT

-------------------------

Windows Version: Windows Vista SP2

Exception Code: 0xc0000005

Exception Address: 0x0040ab12

Attempt to write to address: 0x00000004

Link to post
Share on other sites

Eset logg:

C:\haypsixd.exe a variant of Win32/PSW.WOW.NNL trojan cleaned by deleting - quarantined

C:\waxfhosk.exe a variant of Win32/Kryptik.BNZ trojan cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws24.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\DNSFlushcws5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentwiw.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentwiw1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\WinQhostaei.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\ProgramData\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\oqnqso.exe.vir a variant of Win32/Cimag.BI trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\HOponUtv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\IjTENXyb.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\pqrqXaHk.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\Qstwxxbc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Windows\System32\yxEOqXyb.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined

C:\Users\Test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4WFQNL4O\SetupIS2010[1].exe Win32/Adware.AdvancedVirusRemover.B application cleaned by deleting - quarantined

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4QQWZE6\SetupIS2010[1].exe Win32/Adware.AdvancedVirusRemover.B application cleaned by deleting - quarantined

C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4QQWZE6\SetupIS2010[2].exe Win32/Adware.AdvancedVirusRemover.B application cleaned by deleting - quarantined

C:\Windows\System32\AVR10.exe Win32/Adware.AdvancedVirusRemover.B application cleaned by deleting - quarantined

C:\Windows\System32\critical_warning.html Win32/TrojanDownloader.FakeAlert.AED virus deleted - quarantined

C:\Windows\System32\winlogon86.exe a variant of Win32/Kryptik.BNZ trojan cleaned by deleting - quarantined

C:\Windows\System32\winupdate86.exe a variant of Win32/Kryptik.BNZ trojan cleaned by deleting - quarantined

C:\Windows\temp\bu9x7plr.exe a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined

C:\Windows\temp\hx0eek.exe a variant of Win32/Kryptik.BLS trojan cleaned by deleting - quarantined

C:\Windows\temp\msaouahn.dll Win32/PSW.WOW.NNZ trojan cleaned by deleting - quarantined

Link to post
Share on other sites

All processes killed

========== PROCESSES ==========

No active process named :files was found!

No active process named efmslcvn.job was found!

No active process named uxdcapob.sys was found!

No active process named recycler was found!

No active process named recycler was found!

No active process named recycler was found!

No active process named recycler was found!

No active process named recycler was found!

No active process named recycler was found!

No active process named :Commands was found!

No active process named [purity] was found!

No active process named [emptytemp] was found!

No active process named [CREATERESTOREPOINT] was found!

OTL by OldTimer - Version 3.1.20.1 log created on 12272009_090815

Link to post
Share on other sites

The OTL procedure was either not started properly or ran into a hitch. Let's try it one more time.

Plus I'll have you do a couple more things. Also, NOTE: I need a copy posted of the last C:\Avenger.txt log

One of my concerns is the amount of trojans found by the Eset scan, in addition to the other issues.

Do this to close any rogue or popup window. Repeat as needed.

Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

You must do as much as possible in Normal mode; otherwise if not possible, then only in Safe mode with Networking

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Step 1

Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

At the command prompt, type the following command, and then press ENTER key:

ipconfig /flushdns

Close the command prompt window.

Check settings in Internet Eplorer

Internet Explorer > Tools > Internet Options > Connections Tab

then Click on LAN Settings >

* Uncheck* the Automatically detect settings.

Make sure _no other_ settings on this screen are enabled.

Step 2

  • Please RIGHT-click on OTL.exe otlDesktopIcon.png and choose Run As Administrator to start it.
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :files
    C:\Windows\tasks\efmslcvn.job
    C:\Users\User\AppData\Local\Temp\uxdcapob.sys
    c:\Program Files\AdvancedVirusRemover
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    :Commands
    [purity]
    [emptytemp]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3

Close any previously running browsers.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

icon_arrow.gifAttention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the C:\Avenger.txt log

OTL MovedFiles log

Kaspersky.txt report.

How is your system now icon_question.gif

Link to post
Share on other sites

He cannot find the avenger log. Should he run it again? He said isnt sure what happened to it, or if it even did one. He said after these runs his comp is acting the same, hes having issues with programs locking up and is asking about doing a recovery disc, but I told him I didnt think that would fix this... I could be wrong though >< i will get the OTLmoved file log in just a sec and post it.

here is the kaspersky log.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, December 27, 2009

Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, December 27, 2009 18:59:04

Records in database: 3411235

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - Critical areas:

C:\Program Files

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp

C:\Windows

Scan statistics:

Objects scanned: 122897

Threats found: 1

Infected objects found: 2

Suspicious objects found: 0

Scan duration: 01:24:54

File name / Threat / Threats count

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83PVM361\w[1].bin Infected: Trojan.Win32.Koblu.bql 1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8FNAGRAU\w[1].bin Infected: Trojan.Win32.Koblu.bql 1

Selected area has been scanned.

Link to post
Share on other sites

here is what he sent me for the otlmoved files.

All processes killed

========== FILES ==========

C:\Windows\tasks\efmslcvn.job moved successfully.

File\Folder C:\Users\User\AppData\Local\Temp\uxdcapob.sys not found.

File\Folder c:\Program Files\AdvancedVirusRemover not found.

File\Folder C:\recycler not found.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

File\Folder :Commands not found.

File\Folder [purity] not found.

File\Folder [emptytemp] not found.

OTL by OldTimer - Version 3.1.20.1 log created on 12272009_124835

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Ill post back in a min with the description of how his computer is acting.. i know he has program lock ups etc. though.

Link to post
Share on other sites

hey after trying everything and wanting to pull out his hair he went ahead and reformatted and reinstalled everything this afternoon.

he had an external drive so he just moved the important stuff there and cleared it.

hopefully this solves the problem finally :rolleyes:

but he wanted me to thank you guys for all the help, one sec it seemed fine and then bam all over again ><

so tyvm for the help!

Link to post
Share on other sites

Have your friend make sure he/she installed their antivirus program straight away after Windows re-install.

Never be without an AV.

Please also pass on these tips:

We are finished here. Best regards.

As this case is resolved, I am closing it.

Note to any casual viewers: The methods and procedures used here were only for this system.

If you have similar issues, follow forum procedures and then create your own New topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.