
I'm infected - and spyware is not helping!


21 replies to this topic

#1 Endee (Members, 17 posts, Wisconsin, USA)

Posted 21 April 2009 - 01:21 AM

Help – I’m infected! That’s what I get for letting Norton expire. Whatever malicious junk this is that I have on my system now, it won’t even allow me to get to Norton’s website anymore (in fact, I don’t seem to be able to access ANY “legitimate” websites – I'm either redirected to suspicious-looking ones or told that the "link appears to be broken"!).

I have run Spybot (which I already had on my system) and Malwarebytes (which I had to download using another computer) multiple times over the last 24 hours, and each time, the scans show somewhat different findings. Usually Spybot says it could only get rid of some of it and will try to get the rest at re-boot – but then after re-boot when I next scan, I see that that darn “rest” is still there, along with some new stuff for good measure! Some of the reappearing names I keep noticing when I scan include Win32.Agent.pz, wsnpoem, Virtumonde, and PWS.LDPinchlE, among others.

I googled some of these and that’s how I ended up in these forums. Here, I saw that chances are I will have to run SDFix and/or ComboFix and was tempted to try following the instructions given to others – but then saw that I may screw something up worse if I’m not 100% sure of what I’m doing!

Can anyone help me “kill the wicked witch”? By the way, I’m running Windows XP. Thanks a million in advance!


#2 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 21 April 2009 - 08:52 AM

Hi Endee

Please post the latest log you have for Malwarebytes.

Also run this program.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A window will open asking what to include in the scan.
Check the following items:

  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services

Click OK.
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#3 Endee (Topic Starter, Members, 17 posts, Wisconsin, USA)

Posted 21 April 2009 - 04:42 PM

Hi rigel, you’re a gem for answering, thank you!

My latest log for Malwarebytes came up clean! I would like to be thrilled but I guess I am somewhat suspicious of this result. I will post the log below my message, along with the log for RootRepeal, which I also ran as you directed. What do you think?

I wonder if the clean Malwarebytes scan has anything to do with the fact that I disconnected the Internet from the infected machine before the last couple of rounds of scanning. Now I’m afraid to connect to the Internet (I’m writing to you from my other computer now), and I’m also afraid to reboot. I’m thinking of downloading Norton onto my non-infected computer and transferring it via USB stick to the infected one before proceeding with anything – would that make any sense?

Here is the (apparently clean) last log for Malwarebytes, followed by the log for RootRepeal. Humbly awaiting your advice… THANK YOU!!

---------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/21/2009 8:49:22 AM
mbam-log-2009-04-21 (08-49-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171367
Time elapsed: 47 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------------

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 16:01
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF529A000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBE000 Size: 8192 File Visible: No
Status: -

Name: ovfsthxtxjwxumo.sys
Image Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
Address: 0xF56C1000 Size: 180224 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF371C000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\ovfsthxhdhlkdgw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthxqoehtprw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthxrxoduifm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthxuyvvmlxb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthxwbivmprf.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: C:\Program Files\Real\RealPlayer\playrlic.html
Status: Allocation size mismatch (API: 57344, Raw: 53248)

Path: C:\WINDOWS\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 213120)

Path: C:\WINDOWS\system32\drivers\32a3bf2c.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 213120)

Path: C:\WINDOWS\system32\drivers\symndis.sys
Status: Size mismatch (API: 182656, Raw: 37424)

Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\ServicePackFiles\i386\ipp_0002.asp
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\ServicePackFiles\i386\toobusy.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\ServicePackFiles\i386\activerr.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\Web\printers\ipp_0002.asp
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxbchwmsyxeg.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxbvtaplpfdi.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxexyysbdmxh.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c01wa8.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c02im28.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c08ve21.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c09pa23.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c10ch20.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c14we14.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c17sa3.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c18pr16.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c13ty24.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\db_108.htm
Status: Allocation size mismatch (API: 24576, Raw: 20480)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\HelpSearchfrm.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\qrc_win3.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Jasc Software Inc\Image Expert 2000\DellStudio\launch.html
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Yahoo!\Companion\Data\dlg_catb.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Yahoo!\Companion\Data\dlg_cotb.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\system32\oobe\actsetup\activerr.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\system32\oobe\error\toobusy.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log
Status: Size mismatch (API: 53707, Raw: 52363)

Path: C:\WINDOWS\$xpsp1hfm$\Q329170\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\$xpsp1hfm$\Q329834\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\$xpsp1hfm$\Q810577\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2009-04-21_Log.ALUSchedulerSvc.LiveUpdate
Status: Size mismatch (API: 119031, Raw: 118415)

Path: C:\Program Files\Real\RealPlayer\DataCache\Login\welcome.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\notfound.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\Review.html
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS0DB156A0-D8E0-40d1-A8FE-155D401E100A.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS1ABEB45F-BA46-4913-A7E1-ACA6A974FE76.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS26240DA8-2896-4976-8BBD-5A5CDF2DBB65.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS32EEDD33-2F54-4848-9BBE-3E01F5BB2375.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS4B49EA85-530D-4820-8F46-FE0120FC591A.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS4C63D590-2C39-4ad9-9B3B-87558B53E8AD.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS01D0DD7E-72C5-4bd7-98A5-61B6703E2874.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS677DDFC2-618B-4128-A6A7-7BBF8B4B5FA8.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS7101B368-E344-4a9a-9917-ACB09777A127.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS728F554C-96AE-467c-94C3-61592E343AEC.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS7705371C-01C6-41df-8F29-EC17BE90A303.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS953DEDAB-D5AC-491a-AC5A-9EA68DE93712.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS9A8AD2CD-C75D-4a96-A8C8-64125FC6B103.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS9CA99867-575D-4438-A010-FEC8F2CEBEE7.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSA839D6AB-2E30-4c71-A779-CE4F8D964115.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSB7B5F563-E2FA-4c9f-A9FD-590A22F508E7.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSC887FFE1-8857-4be1-BB81-BC32DE2AD7FC.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSD73A2CCE-18C6-4885-A567-3FF67DB23AF8.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSEAA79063-1DAD-4317-AB33-5A68D623207D.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WSF19D4446-A439-4adc-B9ED-E11325487E28.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\afford\styles.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\QUICKEN\01.HTM
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\QUICKEN\01B1.HTM
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\QUICKEN\11b2.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
Status: Size mismatch (API: 182656, Raw: 8544)

Path: C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\index_16.html
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\index_4.html
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Documents and Settings\Hugo\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Nicole\Application Data\Macromedia\Flash Player\#SharedObjects\TDRT6NM2\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Nicole\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: ovfsthxqoehtprw.dll]
Process: svchost.exe (PID: 1144) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: ovfsthxuyvvmlxb.dll]
Process: Explorer.EXE (PID: 212) Address: 0x10000000 Size: 24576

Object: Hidden Code [ETHREAD: 0x86ae4648]
Process: System Address: 0x86abd470 Size: -

Hidden Services
-------------------
Service Name: 32a3bf2c
Image Path: C:\WINDOWS\System32\drivers\32a3bf2c.sys

Service Name: ovfsthxlqtymotp
Image Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
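The RootRepeal report above is long, and most of its "Allocation size mismatch" lines concern ordinary help and web-cache files. What matters is the handful of entries that the scanner says are hidden from, invisible to or locked against the Windows API, the stealth module loaded into svchost.exe and Explorer.EXE, and the hidden services. The following Python script is an added example, not part of this thread and not RootRepeal's own code: it parses a report in the format posted above and sorts the entries so those items come first. The embedded SAMPLE_LOG is a constructed excerpt modelled on the report (same section layout and file names); the severity thresholds and the shared-prefix heuristic in shared_name_prefix() are this example's own assumptions, not anything RootRepeal itself computes.

```python
"""Triage helper for RootRepeal reports (added example, not RootRepeal's own code).
SAMPLE_LOG is a constructed excerpt in RootRepeal's report format; names mirror the thread's log."""
import re
from collections import Counter

SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================

Drivers
-------------------
Name: ovfsthxtxjwxumo.sys
Image Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
Address: 0xF56C1000 Size: 180224 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\ovfsthxhdhlkdgw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\32a3bf2c.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 213120)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c01wa8.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Stealth Objects
-------------------
Object: Hidden Module [Name: ovfsthxqoehtprw.dll]
Process: svchost.exe (PID: 1144) Address: 0x10000000 Size: 73728
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects|Hidden Services)$")
DRIVER_RE = re.compile(r"^Address: (\S+) Size: (\S+) File Visible: (\S+)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_rootrepeal(text):
    """Return (section, fields) pairs, one per blank-line-separated entry."""
    entries, section, current = [], None, {}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if SECTION_RE.match(line) and i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section = line  # section titles are followed by a dashed rule
        elif section is None or line.startswith("---"):
            continue  # banner lines before the first section, and the rules themselves
        elif not line:  # a blank line closes the current entry
            if current:
                entries.append((section, current))
            current = {}
        elif DRIVER_RE.match(line):  # driver entries pack three fields onto one line
            addr, size, vis = DRIVER_RE.match(line).groups()
            current.update(address=addr, size=size, file_visible=vis)
        else:
            key, _, value = line.partition(": ")
            current[key.lower().replace(" ", "_")] = value
    if current:
        entries.append((section, current))
    return entries


def item_name(entry):
    """Path or name identifying the entry (module name for stealth objects)."""
    m = re.search(r"\[Name: ([^\]]+)\]", entry.get("object", ""))
    return m.group(1) if m else entry.get("path") or entry.get("image_path") or entry.get("name", "?")


def classify(section, entry):
    """Severity thresholds are this example's assumptions, not RootRepeal's."""
    status = entry.get("status", "")
    if section in ("Stealth Objects", "Hidden Services"):
        return "high", "listed under " + section
    if any(word in status for word in ("Hidden", "Invisible", "Locked")):
        return "high", status  # the report says the item is hidden from or locked against the API
    if status.startswith("Size mismatch") and item_name(entry).lower().endswith(".sys"):
        return "medium", status  # a driver whose raw size differs from what the API reports
    if "mismatch" in status:
        return "low", status  # assumption: allocation-size noise on ordinary data files
    return "info", status or "-"


def triage(text):
    """Findings sorted high -> info; each carries section, item and reason."""
    findings = [dict(zip(("severity", "reason"), classify(s, e)), section=s, item=item_name(e))
                for s, e in parse_rootrepeal(text)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def shared_name_prefix(findings, min_len=5, min_count=3):
    """Longest file-name prefix shared by >= min_count high items, else None (heuristic of this example)."""
    names = [f["item"].rsplit("\\", 1)[-1].lower() for f in findings if f["severity"] == "high"]
    best = None
    for n in range(min_len, 64):
        counts = Counter(name[:n] for name in names if len(name) >= n)
        if not counts or counts.most_common(1)[0][1] < min_count:
            break
        best = counts.most_common(1)[0][0]
    return best
```

Calling triage() on the contents of a saved RootRepeal.txt returns the hidden driver, the invisible DLL, the locked driver and the injected module before the ndis.sys size mismatch, with the allocation-size lines last. shared_name_prefix() then reports "ovfsthx" for the sample, the same prefix that ties together the files the advisor singles out later in this thread; treating them as one set rather than one by one is the point of the heuristic.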

#4 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 21 April 2009 - 08:14 PM

Pardon the delay in response. I have a question about a couple of the files detected and I want to be sure they are safe to remove.



#5 Endee (Topic Starter, Members, 17 posts, Wisconsin, USA)

Posted 22 April 2009 - 12:02 AM

Please take your time! I have another computer to work from in the meantime - and greatly appreciate that you are kind enough to be so thorough!

#6 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 22 April 2009 - 12:02 PM

Our next step...

1st - update Malwarebytes. Do not run it yet...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

  • Path: C:\WINDOWS\system32\ovfsthxhdhlkdgw.dll
  • Path: C:\WINDOWS\system32\ovfsthxqoehtprw.dll
  • Path: C:\WINDOWS\system32\ovfsthxrxoduifm.dat
  • Path: C:\WINDOWS\system32\ovfsthxuyvvmlxb.dll
  • Path: C:\WINDOWS\system32\ovfsthxwbivmprf.dat
  • Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
  • Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxbchwmsyxeg.tmp
  • Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxbvtaplpfdi.tmp
  • Path: C:\Documents and Settings\Nicole\Local Settings\Temp\ovfsthxexyysbdmxh.tmp

Then use your mouse to highlight it in the Rootrepeal window.
Next, right-click on it and select the *wipe file* option only, then immediately reboot the computer.

Rerun Malwarebytes in full mode. Let me know if you need any help with these steps.



#7 Endee (Topic Starter, Members, 17 posts, Wisconsin, USA)

Posted 23 April 2009 - 12:09 AM

Hi rigel,

OK, here’s what I did, step for step:

To update Malwarebytes, I initially thought I was supposed to re-download it, so I first uninstalled it (which called for a subsequent restart) and then redownloaded the “setup” via the non-infected computer and transferred it by USB-stick to the infected one (was still afraid to go online).

By the way, at restart for the last couple of days I get an error message saying “The program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.”. It wants me to click OK but actually goes away on its own if I wait long enough (as I found out while trying to type what it said for you here).

Then upon re-uploading Malwarebytes, I saw that the program actually wanted to go online in order to update itself (and the uninstall-reinstall had apparently been in vain). Since I now thought it must download itself updates from somewhere other than the base version which I had just downloaded, I figured I had better go back online with the infected computer after all. So I plugged in the Internet, opened Malwarebytes and tried to update (without running the scan).

At that moment, I was deluged with a series of black windows (probably at least 20) opening one on top of the other, with I forget what exactly, but “svchost” included in the title bar at the top. Then things froze up momentarily and then I got a blue screen telling me that Windows had shut down to save me from all hell breaking loose (not quite verbatim), and I should restart my computer. So I did, and unplugged the Internet again.

With the new Malwarebytes installed, but not really sure whether it had “updated” itself, and too chicken to go online again, I re-ran Rootrepeal and wiped the files exactly as you indicated. I then rebooted as per your instructions. Again, upon start-up I got the error message that “The program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.” – which again, went away on its own after a minute.

Then I tried to open Malwarebytes. Instead I got a window with “vbAccelerator SGrid II Control” in the title bar, which said Run-time error ‘0’ below, and bid me click OK. I did. Then I got another window, which said “Malwarebytes’ Anti-Malware” in the title bar and “Run-time error ‘440’: Automation error” below, and again bid me click OK. I did. It went away, and nothing else happened.

I tried opening Malwarebytes several times and this same series of events happened each time.

(AAAAAaaaaargh!!!!) What now?

#8 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 23 April 2009 - 07:01 AM

See if you can uninstall Malwarebytes and then redownload and reinstall it.



#9 Endee (Topic Starter, Members, 17 posts, Wisconsin, USA)

Posted 23 April 2009 - 09:10 AM

OK, I tried to uninstall Malwarebytes via the Control Panel and “Add or Remove Programs”, but it was (strangely) not in the list of installed programs anymore. (Yesterday, when I uninstalled it the first time, it had been listed and I uninstalled it without problems.) So I just tried rebooting to see if the Control Panel would then detect it. It still does not, although there is a desktop shortcut for it and it’s also listed in the Start menu. I also checked and there is a folder for it under C:\Program Files named "Malwarebytes’ Anti-Malware"; this folder contains various items and is not empty.

What now? How do I uninstall? Or should I just follow through with the new download (again via USB-stick) and hope it overwrites whatever remnants of the old program are there?

#10 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 23 April 2009 - 11:20 AM

Let's try this...

Run Rootrepeal again and post a new log. Upon completion, we will look at the log to see if any action needs to be taken with rootrepeal. Once we know that, install Malwarebytes and run a scan.



#11 Endee (Topic Starter, Members, 17 posts, Wisconsin, USA)

Posted 23 April 2009 - 12:05 PM

OK, here's the Rootrepeal log. Although most of it is Chinese to me, that last line sure looks suspiciously familiar!

By the way, when you answer could you please also specify whether I should be trying to download and update Malwarebytes directly from the Internet using the infected machine? I'm still nervous to try to connect to the Internet with it but don't know whether I really should be nervous about this or not. Transferring the files via USB-stick is of course time-consuming... if there's any risk involved in connecting via Internet, I of course want to use USB instead; but if it's not necessary, I'd rather not waste my time...

Thanks and here's the log.


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/23 11:34
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5349000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBA000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF394B000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: C:\Program Files\Microsoft Money\Calcs\html_tabs.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 213120)

Path: C:\WINDOWS\system32\drivers\32a3bf2c.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 213120)

Path: C:\WINDOWS\system32\drivers\symndis.sys
Status: Size mismatch (API: 182656, Raw: 37424)

Path: C:\WINDOWS\ServicePackFiles\i386\ipp_0014.asp
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\ServicePackFiles\i386\username.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\ServicePackFiles\i386\xptht19w.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\ServicePackFiles\i386\xptht36w.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\WINDOWS\Web\printers\ipp_0014.asp
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c01wa43.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c01wa47.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c01wa7.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c04cc12.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c05ct15.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c06se12.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c10ch21.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c11la26.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c11la31.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c11la47.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c13ty20.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c14we41.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c14we66.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\c16op56.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\db_106.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\db_113.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\HelpIX11.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Photoshop 6.0\Help\HelpIX18.htm
Status: Allocation size mismatch (API: 20480, Raw: 16384)

Path: C:\Program Files\Jasc Software Inc\Image Expert 2000\QuickTours\getshockwave.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Microsoft Office\Office10\Broadcast\PBCAST0.HTM
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\system32\oobe\setup\username.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\system32\wbem\Logs\wbemess.log
Status: Size mismatch (API: 12168, Raw: 9126)

Path: C:\WINDOWS\Help\Tours\htmlTour\footer.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\Help\Tours\htmlTour\start_windows.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\WINDOWS\$xpsp1hfm$\Q329170\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\$xpsp1hfm$\Q329834\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\$xpsp1hfm$\Q810577\symbols\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Program Files\Real\RealPlayer\DataCache\GetMedia\main.html
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\blurbs\keywordhelp.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\sysRemoteInfo.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\pss_getting_worldwide_help.htm
Status: Allocation size mismatch (API: 36864, Raw: 32768)

Path: C:\My things\for Others\for Dad\Scholarship at Central HS\HTM Docs + files\2008_Wintersteen_files\pubmaster001.htm
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: C:\Documents and Settings\Nicole\Local Settings\Temporary Internet Files\Content.IE5\DKI9BUR3\index[6].htm
Status: Allocation size mismatch (API: 49152, Raw: 45056)

Path: C:\Documents and Settings\Nicole\Local Settings\Temporary Internet Files\Content.IE5\DKI9BUR3\xtrk[1].php
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\Nicole\Local Settings\Temporary Internet Files\Content.IE5\RKRF4TM0\xtrk[1].php
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS23BCDC6F-BC2E-489b-8D36-D875B917293B.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS675A7196-68DC-405f-AA3B-1FE9D2F2E288.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS500B1437-8713-43ea-87D2-C029BC4D95DB.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS913EF9D4-6D87-4858-AB2E-9AB7CD3B33AB.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS97FC333F-2B50-4664-A4C7-418BBD7EA061.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\allocate\update.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\funding\whatif.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\home\dpayment.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\QUICKEN\17.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\QUICKEN\27.htm
Status: Allocation size mismatch (API: 24576, Raw: 20480)

Path: C:\Program Files\quickenw\INET\COMMON\PNF\retire\25.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\Webcache\bdgtwlcm.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\Webcache\privacy.htm
Status: Allocation size mismatch (API: 24576, Raw: 20480)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\Webcache\ltwelco2.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
Status: Size mismatch (API: 182656, Raw: 8544)

Path: C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\index_12.html
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\WS363EFBC7-3751-462a-8A5A-BE0BACFBF7F7.html
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\WS58a04a822e3e50102bd615109794195ff-7d38.html
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common\rcmoreinfo.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Documents and Settings\Hugo\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Nicole\Application Data\Macromedia\Flash Player\#SharedObjects\TDRT6NM2\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Nicole\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86c457a8]
Process: System Address: 0x86dad470 Size: -

Hidden Services
-------------------
Service Name: 32a3bf2c
Image Path: C:\WINDOWS\System32\drivers\32a3bf2c.sys

Service Name: ovfsthxlqtymotp
Image Path: C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys
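A RootRepeal report like the one above buries the two interesting sections (Stealth Objects, Hidden Services) under pages of "Allocation size mismatch" entries. As an added example, not RootRepeal's code nor anything posted in this thread, here is a small parser for that report layout that ranks entries so the hidden driver stands out; the excerpt is constructed from lines in this log, and the ranking (hidden services and stealth objects first, raw-size anomalies next, allocation rounding last) is this example's own assumption.

```python
import re

# Constructed excerpt in RootRepeal's report format, reusing entries from this thread's log; parser and ranking are added here.
SAMPLE_REPORT = """\
Files
-------------------
Path: C:\\Program Files\\quickenw\\INET\\COMMON\\PNF\\allocate\\update.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\\Documents and Settings\\Nicole\\Application Data\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
Object: Hidden Code [ETHREAD: 0x86c457a8]

Hidden Services
Service Name: 32a3bf2c
Image Path: C:\\WINDOWS\\System32\\drivers\\32a3bf2c.sys
"""
STATUS_RE = re.compile(r"^(Allocation size mismatch|Size mismatch) \(API: (\d+), Raw: (\d+)\)$")

def parse_report(text):
    """Yield (section, record): a record is the 'Key: value' lines of one blank-separated entry."""
    section, record = None, {}
    for line in text.splitlines() + [""]:
        if line.startswith("---"):
            continue                      # underline beneath a section header
        if not line.strip():
            if record:
                yield section, record
            record = {}
        elif ": " in line:
            key, value = line.split(": ", 1)
            record[key] = value
        else:
            section = line.strip()        # bare line starts a new section

def triage(text):
    """Rank entries: hidden services/stealth objects first, raw-size anomalies next, allocation rounding last."""
    findings = []
    for section, rec in parse_report(text):
        if section == "Hidden Services":
            findings.append(("high", rec["Image Path"], "service hidden from the Windows API"))
        elif section == "Stealth Objects":
            findings.append(("high", rec["Object"], "thread flagged by RootRepeal as hidden code"))
        elif section == "Files" and (m := STATUS_RE.match(rec.get("Status", ""))):
            kind, api, raw = m.group(1), int(m.group(2)), int(m.group(3))
            level = "medium" if kind == "Size mismatch" else "low"
            findings.append((level, rec["Path"], f"{kind}: API {api} vs raw {raw}"))
    return sorted(findings, key=lambda f: ["high", "medium", "low"].index(f[0]))
```

Running `triage(SAMPLE_REPORT)` puts the hidden driver and the stealth thread at the top and the Quicken help file last, which is the order a helper would want to read the full log in.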

#12 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 23 April 2009 - 03:07 PM

Minor change of thought. Please submit the following file to Jotti's malware scan.

C:\WINDOWS\system32\drivers\32a3bf2c.sys

Please post the results. Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith


#13 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 23 April 2009 - 03:12 PM

Pardon the double post - We have many members who are forced to connect just because they had no other way to get the program. Let's see what happens from Jotti and take it from there. If the file is bad, we will wipe it and then try to connect and download/update Malwarebytes from that computer. We can disconnect during the scan.

But yes, you are right. The file is there. Rootrepeal will help make it removable.


#14 Endee
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA

Posted 23 April 2009 - 03:58 PM

OK, I reconnected to the Internet from the infected computer. I was able to come to bleepingcomputer.com (which I did without logging in), and then to this thread, but when I clicked on your link to jotti, I received the same error page as has been the case recently: "Oops! This link appears broken." This error page is made to look like a Google-generated page - which I would venture to say it is NOT. I tried just typing in the jotti address into the address bar, but am taken to the same suspicious-looking error page.

Next?

#15 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 23 April 2009 - 08:51 PM

Welcome back Endee,

Please submit the file to this location: Malware Channel. An expert will review it and let me know the outcome. For now, we need to continue our battle. Sorry, but it looks like we are going to be using the flash drive again...

Please download ATF Cleaner by Atribune (alternate download link) & save it to your desktop. DO NOT use it yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
