
Rootkit.Agent.H Problem - Please Help!


I ran Malwarebytes' Anti-Malware and it reported that it had found "Rootkit.Agent.H" in one of my drivers, as well as "Fake.Dropped.Malware". It said that the file would be removed after restarting but I tried this and it was still there. I tried scanning again and it was found, tried cleaning it and it said I needed to reboot but it still hasn't worked.

I am including the log from Malwarebytes as well as one from HijackThis. I have attempted to use Pandasoft and Spybot Search & Destroy, but for some reason they will not work on this computer. I have used both applications on my personal computer, but the infected PC is owned by an older woman I work part-time for. I am trying to help remove the viruses for her and update her protection software, but I need to get rid of these two bugs that refuse to leave first! She uses XP, by the way.

Any help at all would be appreciated! I do not have the option of reformatting, so I have to do something else. If you need any more info, let me know what I can do.

Malwarebytes' Anti-Malware 1.30

Database version: 1316

Windows 5.1.2600 Service Pack 2

10/25/2008 5:45:03 PM

mbam-log-2008-10-25 (17-45-03).txt

Scan type: Quick Scan

Objects scanned: 61613

Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:50:49 PM, on 10/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Tripp Lite\PowerAlert\Engine\paserver.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\Program Files\Tripp Lite\PowerAlert\console\status.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: PowerAlert Log Viewer.lnk = ?

O4 - Startup: PowerAlert Status Console.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003

O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002

O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000

O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001

O15 - Trusted Zone: http://toolbar.imageshack.us

O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab

O16 - DPF: Yahoo! Dominoes - http://origin.games.yahoo.net/games/clients/y/dot9_x.cab

O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/clients/y/poti_x.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://scan.safety.live.com/resource/downl...wlscbase969.cab

O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O20 - AppInit_DLLs: karna.dat

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PowerAlert Port Manager Engine - Unknown owner - C:\Program Files\Tripp Lite\PowerAlert\Engine\portmgr.exe

O23 - Service: PowerAlert UPS Engine - Unknown owner - C:\Program Files\Tripp Lite\PowerAlert\Engine\paserver.exe

O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 10877 bytes


  • Root Admin

STEP 01

Click on START - RUN and type in or copy / paste this DISK CHECK command and then reboot your computer and let it run.
CMD /K ECHO Y|CHKDSK C: /F

STEP 02

Close ALL applications and browsers. Disable any security software that may be blocking Registry changes.

Start HJT and do a Scan only and place a check mark on the following items.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O20 - AppInit_DLLs: karna.dat

Then click on Fix selected.

STEP 03

Go into the Control Panel, Add/Remove and uninstall ALL versions of JAVA, SunJava, etc.

Delete the JAVA folder C:\Program Files\JAVA

STEP 04

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  • Reboot your computer after it runs

STEP 05

  • Download and install CCleaner


  • Double-click on the downloaded file "ccsetup212.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close ALL PROGRAMS

  • Start the CCleaner program.

  • Click on Registry and Uncheck Registry Integrity so that it does not run

  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts


STEP 06

Visit this site (SmitFraudFix) and follow the directions and run this scan and repair tool.

STEP 07

When completed please run MBAM, go to the UPDATE tab and update the program, run a Quick Scan and fix anything found.

Reboot your computer

STEP 08

After the reboot please run a new HJT scan and save log.

STEP 09

Post back ALL the logs on your next reply.
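Triage logic for the HijackThis log sections the admin acted on in this thread (the O20 AppInit_DLLs entry, Run entries under the SYSTEM hive, services marked "file missing"), as an added example that is not part of any post here. The sample lines are constructed from the logs above; the severity labels and the `triage_item`/`triage_log` names are this example's own.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the HijackThis v2.0.2 logs posted in
# this thread; not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O20 - AppInit_DLLs: karna.dat
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

# Every HJT item line starts with a section code (R0-R3, O1-O24) and " - ".
ITEM_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
SYSTEM_RUN_PREFIX = r"HKUS\S-1-5-18\..\Run:"   # SYSTEM hive, Run (not RunOnce)


def parse_item(line: str) -> Optional[tuple]:
    """Split one log line into (section, body); None for non-item lines."""
    m = ITEM_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_item(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious line, None for benign ones."""
    parsed = parse_item(line)
    if parsed is None:
        return None
    section, body = parsed
    finding = None
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        # AppInit_DLLs is normally empty; whatever it names gets loaded into
        # every process that links user32.dll, which is why the karna.dat
        # entry was among the first things fixed in this thread.
        if value:
            finding = ("high", f"AppInit_DLLs set to '{value}'; normally empty")
    elif section == "O4" and body.startswith(SYSTEM_RUN_PREFIX):
        # A Run (not RunOnce) autorun under the SYSTEM account's hive is
        # unusual; brastk.exe showed up there only in the second log.
        finding = ("high", "Run entry under the SYSTEM hive (HKUS\\S-1-5-18)")
    elif section == "O23" and body.endswith("(file missing)"):
        # Service definition whose binary is gone: a leftover from a removed
        # or broken component; harmless by itself but should be cleaned up.
        finding = ("medium", "service registered but binary missing")
    elif section == "R1" and "ProxyOverride" in body:
        finding = ("low", "ProxyOverride set; review together with proxy settings")
    if finding is None:
        return None
    severity, reason = finding
    return {"section": section, "severity": severity,
            "reason": reason, "line": line.strip()}


def triage_log(text: str) -> list:
    """Run triage_item over every line and collect the findings in log order."""
    return [f for f in (triage_item(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}")
```

Benign lines such as the HKLM ccApp autorun, the RunNarrator RunOnce entry and the GEARSecurity service produce no finding, so the output is only the four lines worth a second look.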

I think I've made it worse.

I followed all of your steps successfully up to Step 06. I downloaded SmitFraudFix and ran the program. It scanned just fine, and I continued following the directions at that website. On the second step, I put the computer in Safe Mode and ran the program again, choosing "2" in SmitFraudFix. The program ran for a while, then crashed. The computer rebooted. Now, when I bring up the computer in "Normal" mode, the desktop background comes up, but nothing else. No icons, no Start menu, nothing. When I hit Control-Alt-Delete, an error window comes up that says Windows had to close Windows Task Manager to protect the computer. The only thing I can do is force the computer to Shut Down.

I can boot the computer in Safe Mode just fine. Everything comes up like normal. I attempted to run SmitFraudFix again in Safe Mode, but now all it does is come up and freeze. I left it on for 3+ hours so I know it is frozen and not simply computing slowly. I have run MBAM in Safe Mode, and I have removed all the viruses. There are no viruses on the system now, I believe. That doesn't do any good though if the system won't come up in Normal mode. A friend of mine that is somewhat computer savvy (but lives in another state) told me he believes some vital driver was deleted by SmitFraudFix because it was infected, but since SmitFraudFix crashed halfway through, it wasn't given the chance to replace the corrupted file.

I don't know what to do. The computer seems worse off than it was. I am posting the log from CCleaner, the initial log from SmitFraudFix when it scanned, the second log from SmitFraudFix which I assume is after the crash (it is very brief), the log from MBAM I just ran in Safe Mode, and a log from HJT I just ran in Safe Mode.

I hope it makes sense and you can help. I am utterly lost. Thanks.


The CCleaner Log is LONG. I divided it into five parts, and each part was still too long to post in a single post. If you need it, let me know and I'll include it, but for now, I'm leaving all but the first little bit out.

CLEANING COMPLETE - (88.525 secs)

------------------------------------------------------------------------------------------

1,118.0MB removed.

------------------------------------------------------------------------------------------

Details of files deleted

------------------------------------------------------------------------------------------

(not included)

SmitFraudFix v2.368

Scan done at 13:58:40.43, Tue 10/28/2008

Run from C:\Documents and Settings\Ruth James\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode


  • Root Admin

Shut down the computer and then start it again and tap the F8 key at the beginning. Instead of Safe Mode, try selecting Last Known Good from the menu; if that does not work, reboot and try clicking on VGA Mode.

Do you have access to another computer with a CD burner, or do you have an external USB drive to backup your data in case we need to delve too deep?

Is this an HP computer with an F10 for System Restore shown while it's booting?

Is this a Desktop or a Laptop?


It is not an HP, and there is no F10 option for system restore during boot-up. It is a desktop.

I tried your above measures with no success. However, I have good news. I logged on the computer today in "normal" mode. I can still see only the desktop background and no Start Menu or applications/folders, BUT I could bring up the Windows Task Manager (Control-Alt-Delete) and from there, use the Run Program feature to access all of the files. I'm actually posting on "normal" mode now.

Hrm. I just tried Control-Alt-Delete again, and rather than pop up Windows Task Manager, an error came up, the same from yesterday. It says:

Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows has closed this program.

Name: Windows TaskManager

Publisher: Microsoft Corporation

So, it seems all the files are still ON the computer and accessible, but for some reason, something is stopping them from showing up on the desktop/Start Menu. And it seems to be somewhat sporadic, as for a few minutes, I could pull up Windows Task Manager, but now I cannot. :)

Any further advice?

Oh, and I only have a little USB Drive, 3GB I believe. I don't have it on me at the moment to be certain. My personal computer can burn CDs, too, but there's no way to get that computer here, or vice versa.


  • Root Admin

There should be an option pop up to allow you to add the Task Manager to a list of applications that the Data Execution Prevention program won't kill. It's there to protect your computer but in this case we need to add Task Manager to the list so it won't be killed off.

What may have happened is that something has been corrupted when the crash happened. If you can run the Task Manager again, click on File, New Task (run).

Then type in

CMD /K ECHO Y|CHKDSK C: /F

That will set the Disk Check to run again on reboot. The key between the Y and CHKDSK is the pipe key, often above the Enter key, but may be elsewhere on your keyboard.

Try running the Disk Check first to see if that helps or not. If it does not let me know and we'll look at running some other tests.


There was no pop-up. Is there a way to manually add Windows Task Manager to that list? Also, I've noticed that when the computer comes up only to the background desktop, another error comes up.

Data Execution Prevention shuts down this file for "safety:"

Userinit Logon Application

I'm getting ready to run DiskCheck again, so it may be a while before I can get WTM to come back up. That's why I'm hoping you can tell me how to put it on that list before I shut down.


  • Root Admin

See if you can do this then.

Click on the File, New Task (run) and type in CONTROL and click OK

That should bring up the Control Panel. From there see if you can click on the SYSTEM icon and then from there click on the Advanced tab, then click on the SETTINGS button. Then click on the Data Execution Prevention tab.

Then click on the lower Radio button to allow you to add applications that it won't monitor. Then click on the Add... button and browse to C:\Windows\System32\taskmgr.exe and add that. Also add C:\WINDOWS\explorer.exe

Then also add: C:\WINDOWS\system32\userinit.exe

From the sound of it, the C:\WINDOWS\system32\userinit.exe entry in the Registry may have an invalid entry in it now.

Try adding those items and reboot and let me know where you're at.


Doing so now. Only... There are two other options I can click to turn off DEP for already listed on the list. They are Windows Logon UI and WMI.

Both of those are the pop-ups that come up over and over and over when I turn on the computer, making me think they are associated with a virus rather than being an actual program. I'll leave them alone for now and restart real quick, but I thought you should know.


That worked, in that it made the desktop, start menu, etc. come up without problems. It made the computer run rather slow, though, and additional windows popped up saying DEP had closed the following Apps:

Verify Class ID

dsca.exe

Run a DLL as an App

Quicktime Task

igfxsrvc Module

When I go to the Data Execution Prevention menu in the control panel, I have two options. It was set on "Turn on DEP for essential Windows programs and services only." In order to make special exceptions (use the Add feature), I have to select "Turn on DEP for all programs and services except those I select"

I don't really know what the latter means, but I'm guessing it means it's going to block A LOT of applications from working, and I'm going to have to individually select the ones I want it to ignore. However, since I don't know which ones are good and which ones aren't, that's difficult.

Just to experiment, I tried to click on the first option again and restart. It resulted in the blank background again until I repeated the steps to make it ignore Userinit Logon Application again.

So that's where I'm at. And yes, I have the two initial viruses back on my computer... even though I haven't done anything. So I must have never gotten rid of them. *sigh*


Here you go!

Malwarebytes' Anti-Malware 1.30

Database version: 1340

Windows 5.1.2600 Service Pack 2

10/30/2008 7:04:51 PM

mbam-log-2008-10-30 (19-04-51).txt

Scan type: Quick Scan

Objects scanned: 54829

Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:05:06, on 10/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Tripp Lite\PowerAlert\Engine\paserver.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Tripp Lite\PowerAlert\console\status.exe

C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: PowerAlert Log Viewer.lnk = ?

O4 - Startup: PowerAlert Status Console.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003

O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002

O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000

O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001

O15 - Trusted Zone: http://toolbar.imageshack.us

O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab

O16 - DPF: Yahoo! Dominoes - http://origin.games.yahoo.net/games/clients/y/dot9_x.cab

O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/clients/y/poti_x.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://scan.safety.live.com/resource/downl...wlscbase969.cab

O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1225235340093

O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PowerAlert Port Manager Engine - Unknown owner - C:\Program Files\Tripp Lite\PowerAlert\Engine\portmgr.exe

O23 - Service: PowerAlert UPS Engine - Unknown owner - C:\Program Files\Tripp Lite\PowerAlert\Engine\paserver.exe

O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 10854 bytes
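As an added example (not part of this thread or of HijackThis itself), here is a small Python triage helper that parses O23 service lines in the same format as the log above and flags entries with no recorded publisher ("Unknown owner") or whose binary is reported as "(file missing)"; the sample lines are constructed copies in that format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in HijackThis O23/O16 format (same shape as the log above).
SAMPLE_LOG = r"""
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
"""

# "O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str          # display name shown by HijackThis
    short: Optional[str]  # service short name, if one was printed in parentheses
    owner: str            # company string, or "Unknown owner" when none was recorded
    path: str             # image path of the service binary
    file_missing: bool    # True when HijackThis appended "(file missing)"


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other HijackThis section."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(m["display"], m["short"], m["owner"],
                        m["path"], m["missing"] is not None)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious service's display name to the reasons it was flagged.
    A missing binary or an unrecorded publisher is not proof of malware, only a
    prompt for a human to look at that service more closely."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = []
        if entry.owner == "Unknown owner":
            reasons.append("unknown owner")
        if entry.file_missing:
            reasons.append("file missing")
        if reasons:
            flagged[entry.display] = reasons
    return flagged
```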


  • Root Admin

Okay well I'll need to write up some specific methods for you. This Malware you have is a bit tricky to locate and remove properly and I don't have pre-written instructions for it.

I'll get back to you as soon as I can but please remember that this is all on volunteer basis so I don't have unlimited time.


  • Root Admin

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the OS.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.



  • Root Admin

Since there has been no reply in 5 days I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

