Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Virus:DOS/Rovnix.W


  • Please log in to reply
11 replies to this topic

#1 mgriff22

mgriff22

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 09 December 2013 - 01:51 PM

MSE detects it, but cannot remove it.  Malwarebytes doesn't seem to detect it.  However I think Malwarebytes is blocking it from accessing websites.  It appears to use "explorer.exe"  As long as I open whatever windows I need, and then shutdown all running versions of explorer.exe via the task manager I can at least use the computer.  Microsoft Safety Scanner and Malicious Software Removal tool where also unsuccessful.

 

Please help!

 



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:25 AM

Posted 09 December 2013 - 02:13 PM

Hello McGriff, I think we can kill this with these.

Edit, I moved this to the Am I Infected form.

Download RogueKiller from one of the following links and save it to your desktop:
  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", click the Delete button.
    • Copy and paste the report that opens into your next reply.
      • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex)
      • The highest number of [X], is the most recent Delete
Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

Edited by boopme, 09 December 2013 - 02:14 PM.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 mgriff22

mgriff22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 10 December 2013 - 09:11 AM

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Doc [Admin rights]
Mode : Remove -- Date : 12/10/2013 08:33:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Btworks Update (regsvr32.exe C:\Users\Doc\AppData\Local\Btworks\EP0NHF34.DLL [x][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-79319592-2783307400-3300590728-1000\[...]\Run : Btworks Update (regsvr32.exe C:\Users\Doc\AppData\Local\Btworks\EP0NHF34.DLL [x][x]) -> [0x2] The system cannot find the file specified.
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) GB1000EAMYC ATA Device +++++
--- User ---
[MBR] 44baa12aba9e831b875689c47ba5affc
[BSP] 233235393b6a4ce9aa62243ee01c61b1 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 953667 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_12102013_083319.txt >>
RKreport[0]_S_12102013_083251.txt

 

 

 

 

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.10.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
Doc :: HPCOMPAQ [administrator]

12/10/2013 8:43:19 AM
mbar-log-2013-12-10 (08-43-19).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 319173
Time elapsed: 22 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3\U (Trojan.Siredef.C) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3\L (Trojan.Siredef.C) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3 (Trojan.Siredef.C) -> No action taken.

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

 

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16736

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 3472179200, free: 1501626368

Downloaded database version: v2013.12.10.04
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     12/10/2013 08:42:44
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Windows\Temp\MpKslcb92309d.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\b57nd60x.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\usbohci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\drivers\serial.sys
\SystemRoot\system32\drivers\serenum.sys
\SystemRoot\system32\drivers\fdc.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\drivers\amdk8.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\rdpbus.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\drivers\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\ADIHdAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\MpNWMon.sys
\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\drivers\usbscan.sys
\SystemRoot\system32\DRIVERS\BrUsbSIb.sys
\SystemRoot\system32\DRIVERS\BrSerIb.sys
\SystemRoot\system32\drivers\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B37690EE-6502-4665-AE21-13279BBD30A0}\MpKsla42078bf.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\lmimirr.dll
\SystemRoot\System32\lmimirr2.dll
\??\C:\Windows\system32\TrueSight.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\user32.dll
\Windows\System32\setupapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\sechost.dll
\Windows\System32\wininet.dll
\Windows\System32\usp10.dll
\Windows\System32\difxapi.dll
\Windows\System32\shell32.dll
\Windows\System32\lpk.dll
\Windows\System32\iertutil.dll
\Windows\System32\urlmon.dll
\Windows\System32\imagehlp.dll
\Windows\System32\normaliz.dll
\Windows\System32\nsi.dll
\Windows\System32\shlwapi.dll
\Windows\System32\ole32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\imm32.dll
\Windows\System32\psapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\msctf.dll
\Windows\System32\clbcatq.dll
\Windows\System32\Wldap32.dll
\Windows\System32\gdi32.dll
\Windows\System32\kernel32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR4
Upper Device Object: 0xffffffff8535e4c8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a2\
Lower Device Object: 0xffffffff8522a030
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff85f08180
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85dfe030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85f08180, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85f09d10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85f08180, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff851728d8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85dfe030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F2927571

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 409600
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 411648  Numsec = 1953110016

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8535e4c8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8521e280, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8535e4c8, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8522a030, DeviceName: \Device\000000a2\, DriverName: \Driver\USBSTOR\
------------ End ----------
Infected: C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3\U --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3\L --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-79319592-2783307400-3300590728-1000\$0e9d98ab275a4c69a3133f4678d6b9f3 --> [Trojan.Siredef.C]
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:25 AM

Posted 10 December 2013 - 11:10 AM

OK, that was good,, As there was a Sireref infection we should run ESET..

How is it now?
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#5 mgriff22

mgriff22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 10 December 2013 - 04:34 PM

C:\Users\Doc\AppData\Local\Temp\is1244477948\266562022_Setup.EXE Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\Doc\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\61a82dde-42241ccb a variant of Java/Exploit.CVE-2013-0422.AJ trojan cleaned by deleting - quarantined
 



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:25 AM

Posted 10 December 2013 - 11:23 PM

How is it now?
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#7 mgriff22

mgriff22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 11 December 2013 - 07:47 AM

I hate to say it, but it is the same.



#8 mgriff22

mgriff22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 11 December 2013 - 09:43 AM

I decided to run RogueKiller again.  This is what I got:

 

 

 

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Doc [Admin rights]
Mode : Scan -- Date : 12/11/2013 09:33:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x68411E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x77810DC5)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x7781460D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x7781461D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x7781462D)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x764746E9)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) GB1000EAMYC ATA Device +++++
--- User ---
[MBR] 44baa12aba9e831b875689c47ba5affc
[BSP] 233235393b6a4ce9aa62243ee01c61b1 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 953667 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12112013_093345.txt >>
RKreport[0]_D_12102013_083319.txt;RKreport[0]_S_12102013_083251.txt



#9 mgriff22

mgriff22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 11 December 2013 - 10:44 AM

The Siredef virus is also still present



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:25 AM

Posted 11 December 2013 - 10:46 AM

Ok, we need stronger tools to kill the Siredef..
Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#11 tobey1

tobey1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:25 AM

Posted 22 January 2014 - 01:47 PM

I also had rovnix.w on my computer, Windows XP Home Edition Version 2002 Service Pack 3.

 

I did the steps in post #2 a couple of times (always pressing "Cleanup" as the final step.)

 

I finally got the message "Congratulations, no cleanup is required!"

 

I restarted my computer several times, turned my computer off and on several times, repeated the steps in post #2, and got the "Congratulations, no cleanup is required!" message.

 

Can I be confident that rovnix.w is not on my computer?



#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 60,071 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:25 AM

Posted 22 January 2014 - 09:21 PM

@tobey ,,,, yes
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users