Hacktool.Rootkit and more...


This topic is locked. 15 replies to this topic.

#1 lmlevy

Posted 11 April 2009 - 01:25 PM

Please help,

Symantec AV v10.1 reports multiple instances of Hacktool.Rootkit that it is unable to remove (files ksi32sk.sys, i386si.sys and nicsk32.sys, all in C:\WINDOWS\system32\drivers\).

Also, Task Manager shows Leah.exe as a running process, though I have no idea what this process is. Attempts to terminate it result in "Unable to Terminate Process - The operation could not be completed. The operation is not valid for this process."

Any advice on how to get rid of these would be much appreciated.

Thanks,
Leah


#2 rigel

Posted 11 April 2009 - 03:44 PM

Hi Leah, and welcome to BC. Let's try Malwarebytes.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 lmlevy (Topic Starter)

Posted 11 April 2009 - 04:33 PM

Hi Rigel,

This is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.36
Database version: 1968
Windows 5.1.2600 Service Pack 3

4/11/2009 5:24:34 PM
mbam-log-2009-04-11 (17-24-34).txt

Scan type: Quick Scan
Objects scanned: 73563
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\ati64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Leah\Local Settings\Temp\pdfupd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

#4 rigel

Posted 11 April 2009 - 07:42 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#5 lmlevy (Topic Starter)

Posted 12 April 2009 - 12:32 PM

This is my SDFix log:

SDFix: Version 1.240
Run by Leah on Sun 04/12/2009 at 12:10 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Leah\LOCALS~1\Temp\tmp28.tmp - Deleted
C:\DOCUME~1\Leah\LOCALS~1\Temp\tmp47.tmp - Deleted
C:\DOCUME~1\Leah\LOCALS~1\Temp\tmp73.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 12:28:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"="C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe:*:Enabled:hotComm CL"
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"="C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"="C:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\netsh.exe"="C:\\WINDOWS\\system32\\netsh.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\wscntfy.exe"="C:\\WINDOWS\\system32\\wscntfy.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\tp4mon.exe"="C:\\WINDOWS\\system32\\tp4mon.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"="C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe:*:Enabled:ENABLE"
"C:\\Program Files\\ThinkPad\\Utilities\\EZEJMNAP.EXE"="C:\\Program Files\\ThinkPad\\Utilities\\EZEJMNAP.EXE:*:Enabled:ENABLE"
"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe"="C:\\Program Files\\Common Files\\Lenovo\\Scheduler\\scheduler_proxy.exe:*:Enabled:ENABLE"
"C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY\\TPONSCR.exe"="C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY\\TPONSCR.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY_1\\TpScrex.exe"="C:\\Program Files\\Lenovo\\PkgMgr\\HOTKEY_1\\TpScrex.exe:*:Enabled:ENABLE"
"C:\\Program Files\\iTunes\\iTunesHelper.exe"="C:\\Program Files\\iTunes\\iTunesHelper.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Palm\\Hotsync.exe"="C:\\Program Files\\Palm\\Hotsync.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe"="C:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Common Files\\Logishrd\\KHAL2\\KHALMNPR.exe"="C:\\Program Files\\Common Files\\Logishrd\\KHAL2\\KHALMNPR.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\System32\\scrnsave.scr"="C:\\WINDOWS\\System32\\scrnsave.scr:*:Enabled:ENABLE"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\notepad.exe"="C:\\WINDOWS\\system32\\notepad.exe:*:Enabled:ENABLE"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE:*:Enabled:ENABLE"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\Ati2evxx.exe"="C:\\WINDOWS\\system32\\Ati2evxx.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 8 Apr 2009 20,435 ...H. --- "C:\Documents and Settings\Leah\Leah.exe"
Thu 30 Apr 1998 511,424 A..H. --- "C:\Program Files\CarChip 2.0.1\40COMUPD.EXE"
Tue 7 Jan 2003 16,384 A..H. --- "C:\Program Files\CarChip 2.0.1\Helper.exe"
Tue 27 Feb 2001 995,383 A..H. --- "C:\Program Files\CarChip 2.0.1\MFC42.DLL"
Tue 27 Feb 2001 401,462 A..H. --- "C:\Program Files\CarChip 2.0.1\MSVCP60.DLL"
Tue 27 Feb 2001 254,005 A..H. --- "C:\Program Files\CarChip 2.0.1\MSVCRT.DLL"
Thu 29 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 9 Dec 2008 749,504 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\79e122a95a01a4aa6a35444ab9d160eb\BIT2.tmp"
Wed 20 Aug 2008 273,408 ...H. --- "C:\Documents and Settings\Leah\Application Data\Microsoft\Word\~WRL0376.tmp"
Mon 19 Dec 2005 54,272 A..H. --- "C:\Documents and Settings\Leah\My Documents\Law School\International Trade Law\~WRL0552.tmp"
Thu 7 Feb 2008 27,136 A..H. --- "C:\Documents and Settings\Leah\Desktop\Inbox\Dell Desktop\Job Search\~WRL0001.tmp"
Wed 5 Nov 2008 50,552 ..SHR --- "C:\Documents and Settings\Leah\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"
Wed 12 Jan 2005 35,328 A..H. --- "C:\Documents and Settings\Leah\My Documents\Law School\Con crim\TLR Materials\~WRL0416.tmp"
Wed 23 Aug 2006 26,624 A..H. --- "C:\Documents and Settings\Leah\My Documents\Resumes\Job Search 2006\Resume Stuff\~WRL0001.tmp"
Wed 30 Aug 2006 31,232 A..H. --- "C:\Documents and Settings\Leah\My Documents\Resumes\Job Search 2006\Resume Stuff\~WRL0003.tmp"

Finished!
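Most of the SDFix report above is inventory. The two sections worth a second look are the firewall exception export and the hidden-attribute file list, and both are tedious to read by eye. The Python below is an added example (not SDFix's own code and not part of anyone's post) that parses both sections from an abridged copy of this report and flags what a responder would then check by hand. Its rules are assumptions of the example, not rules from SDFix or Microsoft: an enabled exception whose display name is the bare word ENABLE, or whose program is a Windows binary such as netsh.exe or notepad.exe that has no normal reason to accept inbound connections, and a hidden executable under the user profile (outside Program Files) modified within 30 days of the scan.

```python
"""Triage two sections of an SDFix Report.txt: the Windows Firewall
AuthorizedApplications export and the 'Files with Hidden Attributes' list.
Added example, not SDFix code; sample abridged from the report in this thread."""
import re
from datetime import datetime

SAMPLE_REPORT = r"""
Run by Leah on Sun 04/12/2009 at 12:10 PM

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\netsh.exe"="C:\\WINDOWS\\system32\\netsh.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\system32\\notepad.exe"="C:\\WINDOWS\\system32\\notepad.exe:*:Enabled:ENABLE"
"C:\\WINDOWS\\System32\\scrnsave.scr"="C:\\WINDOWS\\System32\\scrnsave.scr:*:Enabled:ENABLE"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"

Files with Hidden Attributes :

Wed 8 Apr 2009 20,435 ...H. --- "C:\Documents and Settings\Leah\Leah.exe"
Thu 30 Apr 1998 511,424 A..H. --- "C:\Program Files\CarChip 2.0.1\40COMUPD.EXE"
Wed 20 Aug 2008 273,408 ...H. --- "C:\Documents and Settings\Leah\Application Data\Microsoft\Word\~WRL0376.tmp"
Wed 5 Nov 2008 50,552 ..SHR --- "C:\Documents and Settings\Leah\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

Finished!
"""

RUN_LINE = re.compile(r"^Run by .+ on \w{3} (\d{2}/\d{2}/\d{4})")
FIREWALL_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
HIDDEN_LINE = re.compile(r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
                         r'(?P<attrs>\S{5}) --- "(?P<path>.+)"$')

# Assumptions of this example, not SDFix or Microsoft rules.
SYSTEM_BINARIES_NO_INBOUND = {"netsh.exe", "notepad.exe", "scrnsave.scr",
                              "explorer.exe", "ctfmon.exe", "wscntfy.exe"}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".sys", ".com"}
RECENT_DAYS = 30


def scan_date(report):
    """Date SDFix ran, from the 'Run by <user> on <weekday> mm/dd/yyyy' line."""
    for line in report.splitlines():
        m = RUN_LINE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y")
    raise ValueError("no 'Run by' line in report")


def parse_firewall_entries(report):
    """One dict per AuthorizedApplications value. The value is
    '<path>:<scope>:<Enabled|Disabled>:<name>'; the path contains 'C:', so
    split from the right. The .reg export doubles backslashes; undo that."""
    entries = []
    for line in report.splitlines():
        m = FIREWALL_LINE.match(line.strip())
        if m:
            path, scope, state, name = m.group("value").rsplit(":", 3)
            entries.append({"program": path.replace("\\\\", "\\"), "scope": scope,
                            "enabled": state.lower() == "enabled", "name": name})
    return entries


def suspicious_firewall_entries(report):
    """Enabled exceptions whose display name is the bare word ENABLE, or whose
    program is a Windows binary that should not need an inbound exception.
    Heuristic: every hit still needs a human decision."""
    hits = []
    for e in parse_firewall_entries(report):
        base = e["program"].rsplit("\\", 1)[-1].lower()
        if e["enabled"] and (e["name"] == "ENABLE" or base in SYSTEM_BINARIES_NO_INBOUND):
            hits.append(e["program"])
    return hits


def parse_hidden_files(report):
    """One dict per 'Files with Hidden Attributes' line: mtime, size, attrs, path."""
    files = []
    for line in report.splitlines():
        m = HIDDEN_LINE.match(line.strip())
        if m:
            files.append({"mtime": datetime.strptime(m.group("date"), "%a %d %b %Y"),
                          "size": int(m.group("size").replace(",", "")),
                          "attrs": m.group("attrs"), "path": m.group("path")})
    return files


def suspicious_hidden_files(report):
    """Hidden executables under a user profile (outside Program Files) modified
    within RECENT_DAYS of the scan. Legitimate software rarely drops a hidden
    .exe straight into a profile; old installer leftovers fall outside the window."""
    ran = scan_date(report)
    hits = []
    for f in parse_hidden_files(report):
        lower = f["path"].lower()
        base = lower.rsplit("\\", 1)[-1]
        ext = base[base.rfind("."):] if "." in base else ""
        in_profile = "\\documents and settings\\" in lower and "\\program files\\" not in lower
        if ext in EXECUTABLE_EXT and in_profile and (ran - f["mtime"]).days <= RECENT_DAYS:
            hits.append(f["path"])
    return hits


if __name__ == "__main__":
    print("firewall exceptions to review:", *suspicious_firewall_entries(SAMPLE_REPORT), sep="\n  ")
    print("hidden executables to review:", *suspicious_hidden_files(SAMPLE_REPORT), sep="\n  ")
```

Run against the full export, the firewall check would also surface Explorer.EXE, ctfmon.exe and wscntfy.exe; whether each of those exceptions is legitimate is a judgement call, but that short list is the one to compare against what the user remembers installing. The hidden-file check narrows fifteen entries to the one file the original poster had already asked about.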

#6 rigel

Posted 12 April 2009 - 06:58 PM

Our next step...

Please download ATF Cleaner by Atribune and save it to your desktop.
alternate download link. DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Happy Easter, Leah.



#7 OldPhil

Posted 12 April 2009 - 07:22 PM

Late-model Linksys routers' firmware program is named Leah.

Phil

Edited by OldPhil, 12 April 2009 - 07:22 PM.

Honesty & Integrity Above All!


#8 trollocks

Posted 12 April 2009 - 08:30 PM

What's that got to do with anything?

#9 OldPhil

Posted 12 April 2009 - 08:43 PM

What's that got to do with anything?

Just a thought: if she is running a late-model Linksys router, Leah.exe might possibly show as a running process.



#10 lmlevy (Topic Starter)

Posted 13 April 2009 - 06:46 AM

Rigel,

My Superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 11:43 PM

Application Version : 4.26.1000

Core Rules Database Version : 3839
Trace Rules Database Version: 1795

Scan type : Complete Scan
Total Scan Time : 03:24:15

Memory items scanned : 230
Memory threats detected : 0
Registry items scanned : 6201
Registry threats detected : 0
File items scanned : 97237
File threats detected : 0

Edited by lmlevy, 13 April 2009 - 06:54 AM.


#11 rigel

Posted 13 April 2009 - 10:29 AM

Welcome back Leah,

The SUPERAntiSpyware log looks great! I love 0's. Let's continue with the next step.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Next, please update and rerun MalwareBytes. Post the new log.



#12 lmlevy (Topic Starter)

Posted 14 April 2009 - 05:30 PM

My laptop got shut down 3/4 of the way through the Dr.Web CureIt scan. I ran the scan over again and am attaching the log from this second scan (though a very long list of items was deleted during the first scan that I didn't get a log for, including Leah.exe).

Dr. Web Cure It 04-14-09 log:
VNCHooks.dll;C:\Program Files\CrossLoop;Program.RemoteAdmin;Incurable.Moved.;
winvnc.exe;C:\Program Files\CrossLoop;Program.RemoteAdmin;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\_SDFix\apps;Tool.Prockill;Incurable.Moved.;

======

Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

4/14/2009 9:25:03 AM
mbam-log-2009-04-14 (09-25-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175319
Time elapsed: 1 hour(s), 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN23.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks,
Leah
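The two Malwarebytes logs in this thread, three days apart, tell the story that the next reply reacts to: the ati64si service key and the C:\WINDOWS\Temp\BN*.tmp drops were "Quarantined and deleted successfully" on 11 April and are back on 14 April. The Python below is an added example (not Malwarebytes code and not part of any post) that makes that comparison mechanical: it parses both logs and lists the detections present in both runs. The two logs embedded in it are abridged copies of the ones posted above, and the collapsing of per-run temp names (BN1.tmp, BN1A.tmp and so on) into one pattern is an assumption of the example, so a recurring drop location is recognised even though the file names differ from scan to scan.

```python
"""Compare two Malwarebytes' Anti-Malware logs and report detections that came
back after being 'Quarantined and deleted successfully' in the earlier run.
Added example, not Malwarebytes code; logs abridged from the ones in this thread."""
import re
from collections import Counter

LOG_APRIL_11 = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1968

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\ati64si.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Leah\Local Settings\Temp\pdfupd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_APRIL_14 = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1981

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN23.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Every detection line has the shape "<item> (<family>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Temp names such as BN1.tmp, BN1A.tmp carry a per-run hex counter; collapse it
# so the same drop location is recognised across scans (assumption of this example).
TEMP_COUNTER = re.compile(r"\\BN[0-9A-Fa-f]+\.tmp$")


def parse_detections(log):
    """Return [(item, family, action)] for every detection line in an MBAM log."""
    found = []
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append((m.group("item"), m.group("family"), m.group("action")))
    return found


def normalize(item):
    """Map per-run temp names onto one pattern; leave everything else unchanged."""
    return TEMP_COUNTER.sub(lambda _: "\\BN*.tmp", item)


def recurring_detections(earlier, later):
    """Items (after normalisation) detected in both logs, mapped to their family
    and the number of matching lines in each log. Anything listed here either
    survived the earlier removal or was re-created afterwards."""
    def tally(log):
        families, counts = {}, Counter()
        for item, family, _ in parse_detections(log):
            key = normalize(item)
            families[key] = family
            counts[key] += 1
        return families, counts

    fam_a, cnt_a = tally(earlier)
    _, cnt_b = tally(later)
    return {key: (fam_a[key], cnt_a[key], cnt_b[key])
            for key in sorted(cnt_a.keys() & cnt_b.keys())}


if __name__ == "__main__":
    for key, (family, a, b) in recurring_detections(LOG_APRIL_11, LOG_APRIL_14).items():
        print(f"{family:16} {a}x then {b}x  {key}")
```

Two things drop out that a glance at the raw logs does not give directly: the ControlSet001 copy of the service key and the ati64si.sys file itself did not come back, while the CurrentControlSet key did, and the Temp drops went from five to seven. Whatever re-creates the service and writes those files was not in either log, which is the point the next reply makes.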

#13 rigel

Posted 14 April 2009 - 05:52 PM

Leah,

We need to kill whatever is regenerating your infection. Let's try RootRepeal. It will show us if you have a rootkit present.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; a self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
  • Click RootRepeal.exe to open the scanner.
  • Click the Report tab, then click Scan. A window will open asking what to include in the scan. Check the following items:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click OK.
  • Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
  • Name the log RootRepeal.txt and save it to your Documents folder (the default folder).
  • Paste the log into your next reply.



#14 lmlevy (Topic Starter)

Posted 15 April 2009 - 06:18 AM

Here's what RootRepeal found:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/15 07:02
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF25C0000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DE9000 Size: 8192 File Visible: No
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF7DF3000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0014000 Size: 45056 File Visible: No
Status: -

Name: zswzpq.sys
Image Path: zswzpq.sys
Address: 0xF7861000 Size: 61440 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\WindowsUpdate.log
Status: Size mismatch (API: 2075313, Raw: 2069146)

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4036.72621283
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4036.72621283
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Leah\Desktop\Inbox\Dell Desktop\eBay Scott Scheel - ADVANCED MARKET ANALYSYS - set (item 330057268212 end time Dec-09-06 113817 PST)_files\eBay Scott Scheel - ADVANCED MARKET ANALYSYS - set (item 330057268212 end time Dec-09-06 113817 PST).htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Leah\My Documents\MHK Immigration Law\Haghighatjoo NIW\Green Card\Green Card Application Articles\U.S. Senate Committee on Foreign Relations - Testimony\Iran's Political and Nuclear Ambitions and U.S. Policy Options - Karim Sadjadpour.pdf
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x866790a8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x864eb1a8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86548248

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86792868

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x865861a8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86532428

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf2a06350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86542d20

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x864e71a8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x864f81a8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8654ece8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8638c830

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86543a30

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x864bd0d8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x86586458

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8654a640

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x864d50d8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x865d70d8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8657fc90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf2a06580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86387830

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x864ec1a8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf271edf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x864cd0d8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8649e058

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x864a6998

Stealth Objects
-------------------
Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04b60000 Size: 307200

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00a00000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00c40000 Size: 28672

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00e00000 Size: 61440

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.Common.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00e40000 Size: 86016

Object: Hidden Module [Name: Intuit.Spc.Esd.Core.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00ea0000 Size: 258048

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00ef0000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Logging.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00f10000 Size: 53248

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.ExceptionHandling.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x00fd0000 Size: 77824

Object: Hidden Module [Name: Intuit.Spc.Foundations.Portability.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03020000 Size: 471040

Object: Hidden Module [Name: System.configuration.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03240000 Size: 438272

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Config.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x031a0000 Size: 86016

Object: Hidden Module [Name: System.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x034e0000 Size: 3158016

Object: Hidden Module [Name: System.XML.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x032b0000 Size: 2060288

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Api.Net.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03d10000 Size: 421888

Object: Hidden Module [Name: System.Data.SQLite.DLL]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03f60000 Size: 778240

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.BusinessLogic.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03f20000 Size: 143360

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.DataAccess.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x03ec0000 Size: 135168

Object: Hidden Module [Name: System.Data.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04030000 Size: 2961408

Object: Hidden Module [Name: System.Transactions.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04360000 Size: 270336

Object: Hidden Module [Name: Intuit.Spc.Map.Reporter.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04480000 Size: 479232

Object: Hidden Module [Name: System.EnterpriseServices.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04610000 Size: 266240

Object: Hidden Module [Name: Intuit.Spc.Esd.Core.XmlSerializers.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x049c0000 Size: 208896

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x04dc0000 Size: 5033984

Object: Hidden Module [Name: System.Drawing.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x05390000 Size: 634880

Object: Hidden Module [Name: Intuit.Spc.Map.WindowsFirewallUtilities.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x05540000 Size: 1077248

Object: Hidden Module [Name: System.Web.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x05be0000 Size: 5255168

Object: Hidden Module [Name: System.ServiceProcess.dll]
Process: IntuitUpdateService.exe (PID: 828) Address: 0x056b0000 Size: 126976

Object: Hidden Module [Name: TvsuServiceCommon.dll]
Process: SUService.exe (PID: 1980) Address: 0x00c10000 Size: 69632

#15 rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:23 AM

Posted 16 April 2009 - 09:01 PM

I can't find the key on this one.

I recommend that we move to the HJT forum and let the HJT techs take over. They have advanced tools that can only be used in that forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
