
url.URTBK / trojan.fakeavalert DRIVING ME CRAZY


29 replies to this topic

#1 ChrisMN


Posted 31 July 2009 - 05:29 PM

So I think this all started when my wife downloaded a bad MP3 from LimeWire (also, I've heard LimeWire is bad).

TECH INFO: Windows XP, Wired 10Meg, Norton Internet Sec. 2009 Completely up to date.

I was informed that "Auto Protect has detected Trojan.fakeavalert" STATUS: Blocked, Resolved - No Action.

Since then I cannot open certain websites (INCL: Netflix, GMAIL, MALWAREBYTES ANTIMALWARE, Etc) And often out of nowhere a blank Internet Explorer page will open and be totally blank but the 'progress circle' will be spinning away.

Also, a Internet Explorer page will open with ' url.URTBK.com ' in the address line, but there will no web page, just blank.

Startups are extremely slow now, and everything responds late. Sometimes not at all. When typing this very topic I have to continuously backspace and retype words because the keyboard does not function normally.

System constantly seems unstable and crashes occasionally - task mgr shows system resources at 100% power and many processes, yet no applications running.

I downloaded Malwarebytes Anti-Malware but it will not run! It downloaded fine, but when I try to open up the program it does nothing, as if I never clicked open. I even disguised the name in the file, and the file to which I downloaded the program.

Norton full system scan comes back normal.

Any help will be appreciated.

THANKS!

Mod Edit: Topic moved from HJT to more appropriate forum~ TMacK

Edited by TMacK, 31 July 2009 - 05:43 PM.




#2 myrti

Malware Study Hall Admin

Posted 31 July 2009 - 06:07 PM

Hi,

since we had no luck renaming and installing Malwarebytes please try to run DrWeb CureIt instead:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
regards _temp_


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 ChrisMN


Posted 31 July 2009 - 06:17 PM

I cannot even download Dr. Web CureIt. The site does not start the download, and the alternate site (MG) does not start the download either. It claims "DONE" in the bottom info bar, yet the progress bar is only at less than 1/2 way and the download prompt box never appears.

NOTE: It seems like the keyboard response is getting worse.... and now whenever I press a button on this site, a new totally blank IE window pops up.

Edited by ChrisMN, 31 July 2009 - 06:21 PM.


#4 myrti

Malware Study Hall Admin

Posted 31 July 2009 - 06:48 PM

Hi,

do you have the possibility to download the software on another PC and bring it onto the infected PC via CD or flash drive?
(if you use a flash drive please do not reconnect the drive to a clean computer after attaching it to the infected PC. You might be spreading the infection)

Please try Superantispyware and see if you have more luck with the download:
Download and scan with SUPERAntiSpyware Free for Home Users
If the above link does not work for you, please try the following direct link: Link.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please also try to download and run RootRepeal, so we may see what hidden processes are running on your PC:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all six boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
regards _temp_



#5 ChrisMN


Posted 31 July 2009 - 06:57 PM

***UPDATE***
When I do a GOOGLE search of trojan.fakeavalert, one of the top five results was this very post of mine. When I clicked on it, I was taken to venesectnymphicus.com/ and IE crashed. Another attempt then said that the page had been moved.

Yes, temp, I have access to another computer and will try DrWeb CureIt using my keychain flash drive.

#6 ChrisMN


Posted 31 July 2009 - 11:01 PM

SUPER AntiSpyware successfully downloaded and installed. All was seeming good, two hours of scanning returned 66 Errors (20+ of which were trojans).
All items were checked and ready to be sent to the quarantine & removal step. When I pressed next Windows crashed and the system restarted.
I am currently trying it one more time again.
??

(One Hour Later)
This time SUPERAntiSpyware scanned and returned the files and placed them into quarantine. Program asked to reboot, and did. This did not cure the problem.

Here are the logs from my 5 separate scans using SUPER AntiSpyware



Generated 07/31/2009 at 10:24 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 09:04 PM

Application Version : 4.27.1000

Core Rules Database Version : 4031
Trace Rules Database Version: 1971

Scan type : Complete Scan
Total Scan Time : 01:36:58

Memory items scanned : 467
Memory threats detected : 3
Registry items scanned : 5835
Registry threats detected : 10
File items scanned : 93234
File threats detected : 54

Trojan.Unclassified/C00-WL/G
C:\WINDOWS\SYSTEM32\__C0051F76.DAT
C:\WINDOWS\SYSTEM32\__C0051F76.DAT
C:\WINDOWS\SYSTEM32\__C00C1C3E.DAT
C:\WINDOWS\SYSTEM32\__C00C1C3E.DAT

Trojan.Agent/Gen-NumTemp
C:\WINDOWS\SYSTEM32\24.TMP
C:\WINDOWS\SYSTEM32\24.TMP

Trojan.Unclassified/C00-Installer
[A00F58E9CB8.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58E9CB8.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58E9CB8.EXE
[A00FBC5CB.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00FBC5CB.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00FBC5CB.EXE
[A00F58AC3.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58AC3.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58AC3.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\_A00F58AC3.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\_A00F58E9CB8.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\_A00FBC5CB.EXE
C:\WINDOWS\Prefetch\_A00F58E9CB8.EXE-2C40FE17.pf

Trojan.Unclassified/C00-WL/B
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0051F76
C:\WINDOWS\SYSTEM32\__C00FD16C.DAT

Adware.Tracking Cookie

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Logon

Trace.Known Threat Sources
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\34C1C2IT\FeatTab_Twista_v1[1].gif
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\1XXQRHJ4\mmt[1].htm
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\WJJIKAW8\twista_marquee1[1].swf


Application Version : 4.27.1000

Core Rules Database Version : 4031
Trace Rules Database Version: 1971

Scan type : Complete Scan
Total Scan Time : 00:33:17

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 5820
Registry threats detected : 7
File items scanned : 17225
File threats detected : 5

Trojan.Unclassified/C00-WL/A
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c00581A0
C:\WINDOWS\SYSTEM32\__C00581A0.DAT

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00581A0#Logon

Trojan.Unclassified/C00-Installer
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\_A00F88DA2.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\34C1C2IT\FeatTab_Twista_v1[1].gif
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\1XXQRHJ4\mmt[1].htm
C:\Documents and Settings\Grama\Local Settings\Temporary Internet Files\Content.IE5\WJJIKAW8\twista_marquee1[1].swf


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 09:43 PM

Application Version : 4.27.1000

Core Rules Database Version : 4031
Trace Rules Database Version: 1971

Scan type : Quick Scan
Total Scan Time : 00:10:52

Memory items scanned : 434
Memory threats detected : 0
Registry items scanned : 546
Registry threats detected : 0
File items scanned : 6446
File threats detected : 35

Adware.Tracking Cookie

Trojan.Unclassified/C00-WL/B
C:\WINDOWS\SYSTEM32\__C00C1C3E.DAT
C:\WINDOWS\SYSTEM32\__C00FD16C.DAT

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 09:25 PM

Application Version : 4.27.1000

Core Rules Database Version : 4031
Trace Rules Database Version: 1971

Scan type : Complete Scan
Total Scan Time : 00:04:36

Memory items scanned : 435
Memory threats detected : 1
Registry items scanned : 5822
Registry threats detected : 14
File items scanned : 432
File threats detected : 12

Trojan.Unclassified/C00-WL/G
C:\WINDOWS\SYSTEM32\__C0082921.DAT
C:\WINDOWS\SYSTEM32\__C0082921.DAT

Trojan.Unclassified/C00-Installer
[A00F4562B.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F4562B.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F4562B.EXE

Trojan.Unclassified/C00-WL/B
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0082921

Adware.Tracking Cookie

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0051F76#Logon
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0082921#Logon

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 09:13 PM

Application Version : 4.27.1000

Core Rules Database Version : 4031
Trace Rules Database Version: 1971

Scan type : Complete Scan
Total Scan Time : 00:01:06

Memory items scanned : 475
Memory threats detected : 3
Registry items scanned : 666
Registry threats detected : 4
File items scanned : 0
File threats detected : 7

Trojan.Unclassified/C00-WL/A
C:\WINDOWS\SYSTEM32\__C0051F76.DAT
C:\WINDOWS\SYSTEM32\__C0051F76.DAT

Trojan.Unclassified/C00-WL/G
C:\WINDOWS\SYSTEM32\__C0094C4.DAT
C:\WINDOWS\SYSTEM32\__C0094C4.DAT

Trojan.Agent/Gen-NumTemp
C:\WINDOWS\SYSTEM32\24.TMP
C:\WINDOWS\SYSTEM32\24.TMP

Trojan.Unclassified/C00-Installer
[A00F58E9CB8.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58E9CB8.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58E9CB8.EXE
[A00FBC5CB.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00FBC5CB.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00FBC5CB.EXE
[A00F58AC3.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58AC3.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F58AC3.EXE
[A00F4EDE6.exe] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F4EDE6.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\_A00F4EDE6.EXE

Edited by ChrisMN, 31 July 2009 - 11:46 PM.


#7 myrti

Malware Study Hall Admin

Posted 01 August 2009 - 03:58 AM

Hi,

please try to run RootRepeal, to see if you have a rootkit present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all six boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
regards _temp_



#8 ChrisMN


Posted 01 August 2009 - 05:09 PM

•Check all six boxes:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

•Click Ok

There are 7 boxes
Shadow SST <--- Should I click that one too?

#9 ChrisMN


Posted 01 August 2009 - 05:09 PM

Last night root repeal wouldn't download. But today it is.
Today I have been experiencing major system instabilities, and Norton has popped up and said "BLOCKED: Trojan.fakeavalert" 3 times so far. It has also blocked numerous high and medium severity intrusion attempts. Most recent intrusion attempts: Trojan.malscript!html, Portscan, Trojan.fakeavalert.

In my history there are instances where norton is letting trojan.fakeavalert run and is currently "processing" now.

Is there any way that exporting my history to you, you could examine these?

Edited by ChrisMN, 01 August 2009 - 05:22 PM.


#10 myrti

Malware Study Hall Admin

Posted 01 August 2009 - 05:49 PM

Hi,

RootRepeal has been updated recently. I wasn't up to date, sorry. Please check all 7 boxes, including the one for Shadow SSDT.

I am not familiar with Norton programs, but it would be useful to see the logs.

Please check if these instructions will work for you:
Double click the tray icon to start Norton, then under Computer click on View Security History. In the new window click on Export at the bottom, choose a name for the log and select .txt text file in the "Save file as" drop down menu.

regards _temp_



#11 ChrisMN


Posted 01 August 2009 - 05:50 PM

ROOT REPEAL RESULTS:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/01 16:36
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1C43000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79EB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB04CA000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7B90000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HRYAS4T3\142[1].htm
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x889f6050

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8942e050

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x888a3d00

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8942a050

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x894cecd8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1f6e040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x888a34a0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x888a2f80

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x888adda8

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8942b050

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1f6e2c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1f6e820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x888a3e58

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x888a3b60

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8942d050

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8897a050

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x894c0a70

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x888a3a80

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x889f5050

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x888a3f78

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8943b050

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8942c050

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x888a3ee8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x888a3058

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x894fa7f0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8942f050

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x888a3928

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x889f4050

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb1f6ea70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x88979050

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8897b050

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb1e6cdf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x889f7050

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x88987050

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x888a3c30

Stealth Objects
-------------------
Object: Hidden Module [Name: __c00A31F1.dat]
Process: services.exe (PID: 980) Address: 0x00050000 Size: 40960

Object: Hidden Module [Name: normaliz.dll]
Process: services.exe (PID: 980) Address: 0x00060000 Size: 32768

Object: Hidden Module [Name: ole32.dll]
Process: services.exe (PID: 980) Address: 0x774e0000 Size: 1294336

Object: Hidden Module [Name: version.dll]
Process: services.exe (PID: 980) Address: 0x77c00000 Size: 28672

Object: Hidden Module [Name: shell32.dll]
Process: services.exe (PID: 980) Address: 0x7c9c0000 Size: 8466432

Object: Hidden Module [Name: __c0076E29.dat]
Process: Explorer.EXE (PID: 2012) Address: 0x008d0000 Size: 40960

Object: Hidden Module [Name: pdfshell.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x00c70000 Size: 110592

Object: Hidden Module [Name: pdfshell.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x01440000 Size: 110592

Object: Hidden Module [Name: xprt5.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x037f0000 Size: 237568

Object: Hidden Module [Name: aimtb.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x03d70000 Size: 1286144

Object: Hidden Module [Name: aolradiotb.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x03b80000 Size: 1286144

Object: Hidden Module [Name: swg.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x03cc0000 Size: 688128

Object: Hidden Module [Name: GdiPlus.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x03eb0000 Size: 1712128

Object: Hidden Module [Name: pdfshell.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x04400000 Size: 110592

Object: Hidden Module [Name: asfsipc.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x41f00000 Size: 24576

Object: Hidden Module [Name: MCPS.DLL]
Process: Explorer.EXE (PID: 2012) Address: 0x36d30000 Size: 98304

Object: Hidden Module [Name: xprt5.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x40000000 Size: 237568

Object: Hidden Module [Name: GdiPlus.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x4ec50000 Size: 1712128

Object: Hidden Module [Name: msisip.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x605f0000 Size: 53248

Object: Hidden Module [Name: mfc42.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x73dd0000 Size: 1036288

Object: Hidden Module [Name: wshext.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x74ea0000 Size: 61440

Object: Hidden Module [Name: comdlg32.dll]
Process: Explorer.EXE (PID: 2012) Address: 0x763b0000 Size: 294912

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 2856) Address: 0x03190000 Size: 40960

Object: Hidden Module [Name: ccSubEng.dll]
Process: iexplore.exe (PID: 2856) Address: 0x6aff0000 Size: 249856

Object: Hidden Module [Name: IDSxpx86.dll]
Process: iexplore.exe (PID: 2856) Address: 0x6be20000 Size: 450560

Object: Hidden Module [Name: mpr.dll]
Process: iexplore.exe (PID: 2856) Address: 0x71b20000 Size: 69632

Object: Hidden Module [Name: samlib.dll]
Process: iexplore.exe (PID: 2856) Address: 0x71bf0000 Size: 73728

Object: Hidden Module [Name: wdmaud.drv]
Process: iexplore.exe (PID: 2856) Address: 0x72d20000 Size: 32768

Object: Hidden Module [Name: cryptui.dll]
Process: iexplore.exe (PID: 2856) Address: 0x754d0000 Size: 520192

Object: Hidden Module [Name: cscdll.dll]
Process: iexplore.exe (PID: 2856) Address: 0x76600000 Size: 114688

Object: Hidden Module [Name: rasdlg.dll]
Process: iexplore.exe (PID: 2856) Address: 0x768d0000 Size: 667648

Object: Hidden Module [Name: atl.dll]
Process: iexplore.exe (PID: 2856) Address: 0x76b20000 Size: 65536

Object: Hidden Module [Name: mprapi.dll]
Process: iexplore.exe (PID: 2856) Address: 0x76d40000 Size: 94208

Object: Hidden Module [Name: adsldpc.dll]
Process: iexplore.exe (PID: 2856) Address: 0x76e10000 Size: 147456

Object: Hidden Module [Name: cscui.dll]
Process: iexplore.exe (PID: 2856) Address: 0x77a20000 Size: 339968

Object: Hidden Module [Name: activeds.dll]
Process: iexplore.exe (PID: 2856) Address: 0x77cc0000 Size: 200704

Object: Hidden Module [Name: normaliz.dll]
Process: iexplore.exe (PID: 3604) Address: 0x02650000 Size: 32768

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 3604) Address: 0x02f80000 Size: 40960

Object: Hidden Module [Name: SASSEH.DLL]
Process: iexplore.exe (PID: 3604) Address: 0x094e0000 Size: 77824

Object: Hidden Module [Name: wmvcore.dll]
Process: iexplore.exe (PID: 3604) Address: 0x15110000 Size: 2461696

Object: Hidden Module [Name: WMASF.dll]
Process: iexplore.exe (PID: 3604) Address: 0x11c70000 Size: 229376

Object: Hidden Module [Name: winshfhc.dll]
Process: iexplore.exe (PID: 3604) Address: 0x5a680000 Size: 28672

Object: Hidden Module [Name: wups.dll]
Process: iexplore.exe (PID: 3604) Address: 0x50640000 Size: 36864

Object: Hidden Module [Name: ccSubEng.dll]
Process: iexplore.exe (PID: 3604) Address: 0x6aff0000 Size: 249856

Object: Hidden Module [Name: IDSxpx86.dll]
Process: iexplore.exe (PID: 3604) Address: 0x6be20000 Size: 450560

Object: Hidden Module [Name: zipfldr.dll]
Process: iexplore.exe (PID: 3604) Address: 0x73380000 Size: 352256

Object: Hidden Module [Name: normaliz.dll]
Process: iexplore.exe (PID: 1356) Address: 0x02650000 Size: 32768

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 1356) Address: 0x02f90000 Size: 40960

Object: Hidden Module [Name: IDSxpx86.dll]
Process: iexplore.exe (PID: 1356) Address: 0x6be20000 Size: 450560

Object: Hidden Module [Name: normaliz.dll]
Process: iexplore.exe (PID: 3432) Address: 0x02650000 Size: 32768

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 3432) Address: 0x03090000 Size: 40960

Object: Hidden Module [Name: IDSxpx86.dll]
Process: iexplore.exe (PID: 3432) Address: 0x6be20000 Size: 450560

Object: Hidden Module [Name: normaliz.dll]
Process: iexplore.exe (PID: 3452) Address: 0x02650000 Size: 32768

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 3452) Address: 0x03090000 Size: 40960

Object: Hidden Module [Name: ccSubEng.dll]
Process: iexplore.exe (PID: 3452) Address: 0x6aff0000 Size: 249856

Object: Hidden Module [Name: IDSxpx86.dll]
Process: iexplore.exe (PID: 3452) Address: 0x6be20000 Size: 450560

Object: Hidden Module [Name: jkernel.dll]
Process: iexplore.exe (PID: 3452) Address: 0x6d3b0000 Size: 208896

Object: Hidden Module [Name: wdmaud.drv]
Process: iexplore.exe (PID: 3452) Address: 0x72d20000 Size: 32768

Object: Hidden Module [Name: shfolder.dll]
Process: iexplore.exe (PID: 3452) Address: 0x76780000 Size: 32768

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x888c6050

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x888eca30

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x888af4d8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8889ca50

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x888aab00

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8884b2f8

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8888ea30

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x88867440

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x895ad1f8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89737dd0

==EOF==


------ChrisMN
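Two things in the RootRepeal report above are worth separating out mechanically rather than by eye: the SSDT and Shadow SSDT hooks whose owner is reported as "<unknown>" (RootRepeal names the driver when the hook address falls inside a loaded driver image, so "<unknown>" means no loaded driver covers that address), and the "Hidden Module" entries that are not ordinary Windows image files (the __c00A31F1.dat / __c0076E29.dat entries that show up in services.exe, Explorer.EXE and several iexplore.exe processes, as opposed to shell32.dll, ole32.dll and the other normal system DLLs that RootRepeal also lists). The following is an added triage script written for this thread; it is not RootRepeal's code and not something the poster ran. It assumes the line layout visible in the report (a section title over a dashed rule, "#: NNN Function Name:" followed by "Status: Hooked by ..." and "Object: Hidden Module [...]" followed by "Process: ..."), the "SSDT" title line in the sample is assumed since only "Shadow SSDT" is visible above, and the list of "normal" image extensions is the author's own rule of thumb, not anything RootRepeal defines.

```python
"""Triage a RootRepeal report: separate kernel hooks owned by a known
driver from hooks RootRepeal could not attribute, and pick out hidden
in-process modules that do not look like normal Windows image files.

Added example for this thread; not part of RootRepeal or of the
original post.  The parser assumes the line layout seen in the report
(section title over a dashed rule, "#: NNN Function Name: ..." followed
by "Status: Hooked by ...", "Object: Hidden Module [...]" followed by
"Process: ...").
"""
import re
from collections import defaultdict

# Constructed sample: a short excerpt in the report's format.  The
# "SSDT" title line is assumed (only "Shadow SSDT" is visible in the post).
SAMPLE_REPORT = """\
SSDT
-------------------
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x894c0a70

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xb1f6ea70

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xb1e6cdf0

Stealth Objects
-------------------
Object: Hidden Module [Name: __c00A31F1.dat]
Process: services.exe (PID: 980) Address: 0x00050000 Size: 40960

Object: Hidden Module [Name: shell32.dll]
Process: services.exe (PID: 980) Address: 0x7c9c0000 Size: 8466432

Object: Hidden Module [Name: __c0076E29.dat]
Process: Explorer.EXE (PID: 2012) Address: 0x008d0000 Size: 40960

Object: Hidden Module [Name: __c0076E29.dat]
Process: iexplore.exe (PID: 2856) Address: 0x03190000 Size: 40960

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x888eca30
"""

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by\s+"(.*)"\s+at address\s+(0x[0-9a-fA-F]+)\s*$')
MODULE_RE = re.compile(r'^Object:\s*Hidden Module\s*\[Name:\s*(.+?)\]\s*$')
PROCESS_RE = re.compile(r'^Process:\s*(\S+)\s*\(PID:\s*(\d+)\)\s*Address:\s*(0x[0-9a-fA-F]+)\s*Size:\s*(\d+)\s*$')

# Extensions a legitimately loaded Windows image normally carries (author's
# rule of thumb, not a RootRepeal definition).
IMAGE_EXTENSIONS = {'.dll', '.drv', '.exe', '.ocx', '.cpl', '.ax', '.ime', '.sys'}


def parse_report(text):
    """Return {'hooks': [...], 'modules': [...]} parsed from report text."""
    hooks, modules = [], []
    section = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # A section title is a non-blank line immediately over a dashed rule.
        if i + 1 < len(lines) and lines[i + 1].startswith('---') and line.strip():
            section = line.strip()
            continue
        m = HOOK_RE.match(line)
        if m and i + 1 < len(lines):
            s = STATUS_RE.match(lines[i + 1])
            if s:
                hooks.append({'section': section, 'index': int(m.group(1)),
                              'function': m.group(2), 'owner': s.group(1),
                              'address': int(s.group(2), 16)})
            continue
        m = MODULE_RE.match(line)
        if m and i + 1 < len(lines):
            p = PROCESS_RE.match(lines[i + 1])
            if p:
                modules.append({'name': m.group(1), 'process': p.group(1),
                                'pid': int(p.group(2)),
                                'address': int(p.group(3), 16),
                                'size': int(p.group(4))})
    return {'hooks': hooks, 'modules': modules}


def triage(report):
    """Split hooks by attribution and pick out odd-looking hidden modules."""
    unknown = [h for h in report['hooks'] if h['owner'] == '<unknown>']
    known = defaultdict(list)
    for h in report['hooks']:
        if h['owner'] != '<unknown>':
            known[h['owner']].append(h['function'])
    # Hidden modules whose extension is not an ordinary image extension,
    # grouped by name so one file injected into several processes stands out.
    odd = defaultdict(set)
    for mod in report['modules']:
        name = mod['name']
        ext = name[name.rfind('.'):].lower() if '.' in name else ''
        if ext not in IMAGE_EXTENSIONS:
            odd[name].add(mod['process'])
    return {'unknown_hooks': unknown, 'known_hooks': dict(known),
            'odd_modules': {k: sorted(v) for k, v in odd.items()}}


if __name__ == '__main__':
    result = triage(parse_report(SAMPLE_REPORT))
    for h in result['unknown_hooks']:
        print(f"unattributed hook: {h['section']} #{h['index']} "
              f"{h['function']} -> 0x{h['address']:08x}")
    for owner, funcs in result['known_hooks'].items():
        print(f"hooked by {owner}: {', '.join(funcs)}")
    for name, procs in result['odd_modules'].items():
        print(f"hidden module {name} in {len(procs)} process(es): {', '.join(procs)}")
```

Run against the sample it reports the NtLoadDriver and NtUserGetAsyncKeyState hooks as unattributed, credits NtSetValueKey to SYMEVENT.SYS (Norton) and NtTerminateProcess to SASKUTIL.sys (SUPERAntiSpyware), and lists __c0076E29.dat as present in both Explorer.EXE and iexplore.exe while leaving shell32.dll alone. The extension heuristic is deliberately crude: it only draws attention to entries a human should look at next, it does not decide what they are.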

#12 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 31,695 posts
  • Gender:Female
  • Location:At home

Posted 01 August 2009 - 06:05 PM

Hi,

Our posts may have overlapped. :thumbsup: Did you see my last reply?

Also, did you have any luck running DrWeb?

regards _temp_


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!



#13 ChrisMN

  • Topic Starter

  • Members
  • 232 posts
  • Gender:Male
  • Location:Hurricane, Utah

Posted 01 August 2009 - 06:13 PM

OK, I'll get that Norton history report on here in a few.

And I had DrWeb brought here by flash drive, and followed all directions. When I would press "start" it would show the Dr.Web logo and give me the option to download the full version 30-day trial; no scanning would start. And when I attempted to click on the link for FULL VERSION the page would not display, in safe mode OR normal mode.

-ChrisMN

#14 ChrisMN

  • Topic Starter

  • Members
  • 232 posts
  • Gender:Male
  • Location:Hurricane, Utah

Posted 01 August 2009 - 06:24 PM

The post was too long (with my Norton history, that is). Do you want me to attach it? Or email it?

#15 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 31,695 posts
  • Gender:Female
  • Location:At home

Posted 01 August 2009 - 06:27 PM

Hi,

Please try to attach it. :thumbsup:
EDIT: If the file is too big to be attached, let me know.


regards _temp_

Edited by _temp_, 01 August 2009 - 06:39 PM.




