Recurring Virus and "Specific Module could not be found"


8 replies to this topic

#1 nhanster

  • Members
  • 14 posts

Posted 27 April 2009 - 02:21 PM

Hi,

So first of all, each time that I start Windows, two messages pop up on my screen: "Error loading c:\windows\system32\roloropo.dll. Specific module could not be found." The other message is the exact same except it could not find nisoboli.dll.

This event began to happen when I ran HijackThis. I ran the program and then posted the log onto the HijackThis website, which automatically analyzed it for me to tell me which files are unsafe. Using HijackThis, I deleted some files that were considered unsafe/bad according to the analyzed list that the HijackThis website came up with. After I did that, the error messages began to keep appearing each time I start up.
So my question is how can I get rid of this message, and is this because of some virus???


A second problem is that my SUPERAntiSpyware keeps finding viruses each day even though I had scanned and deleted those files the day before already. I also noticed some of the same viruses keep reappearing in SAS. I don't know what to do.

Any help would be greatly appreciated!


Here is the SAS log w/ quick scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2009 at 12:08 PM

Application Version : 4.15.1000

Core Rules Database Version : 3864
Trace Rules Database Version: 1815

Scan type : Quick Scan
Total Scan Time : 00:20:45

Memory items scanned : 459
Memory threats detected : 1
Registry items scanned : 416
Registry threats detected : 15
File items scanned : 17781
File threats detected : 6

Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\SJG9S8GUIGJS.DLL
C:\WINDOWS\SYSTEM32\SJG9S8GUIGJS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2BA40A2-74F0-42BD-F434-12345A2C8953}
HKCR\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}
HKCR\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}
HKCR\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}#ThreadingModel
HKCR\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32
HKCR\CLSID\{B2BA40A2-74F0-42BD-F434-12345A2C8953}\InProcServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{B2BA40A2-74F0-42BD-F434-12345A2C8953}

Trojan.Agent/Gen-SpamTool
[] C:\TEMP\CJ2RJEF4SD.EXE
C:\TEMP\CJ2RJEF4SD.EXE
[Windows Resurections] C:\TEMP\CJ2RJEF4SD.EXE
[] C:\TEMP\CJ2RJEF4SD.EXE
[Windows Resurections] C:\TEMP\CJ2RJEF4SD.EXE

Trojan.Agent/Gen-FakeAlert
[Diagnostic Manager] C:\TEMP\2466954000.EXE
C:\TEMP\2466954000.EXE
[Diagnostic Manager] C:\TEMP\2466954000.EXE

Adware.Tracking Cookie
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@microsoftwga.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ad.yieldmanager[2].txt

Trojan.Downloader-Gen/Temp
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\TEMP\cj2rjef4sd.exe ]
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#Windows Resurections [ C:\TEMP\cj2rjef4sd.exe ]

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\NVRSK.DLL

Edited by nhanster, 27 April 2009 - 05:59 PM.



#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 April 2009 - 01:04 PM

It's not unusual to receive such an error when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to a malware file that was set to run at startup in the registry but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:

HijackThis is an advanced enumerator (similar in some respects to a registry editor) that is used to display certain areas of the Windows registry where the majority of malware reside. HijackThis will scan these areas of your system and then create a log to help diagnose the presence of undetected malware in known hiding places. Using HijackThis requires advanced knowledge about the Windows Operating System. Most of the log entries are required to run a computer and removing essential ones can potentially cause serious damage such as loss of Internet connectivity or problems with your operating system which could prevent it from starting. HijackThis relies on trained experts to interpret the log entries and investigate them in order to determine what needs to be fixed.

Online HijackThis analyzers work in a similar manner but rely on the user's ability to interpret the results and determine what needs to be fixed. However, they often provide misleading and/or questionable results. In my experience, they DO NOT always identify all the malware or all the files properly. They sometimes list legitimate files as bad and bad files as legitimate. They sometimes show entries with no file (file missing) as bad when that is not always the case. Although these sites are open to the public, the user needs to know what they are doing and how to research the displayed log entries before using the original HijackThis application to fix anything.

If you do not have advanced knowledge about computers or training in malware investigation, you should NOT fix anything with these analyzers without consulting an expert as to what to fix. Using this tool incorrectly could adversely impact your system.

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
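The orphaned-entry mechanism described in the post above, turned into a check that can be run instead of scrolling through the Autoruns list by eye. This is an added example, not code from the thread or from Autoruns: on Windows it reads the standard HKCU/HKLM Run and RunOnce values with Python's winreg module, works out which file each value would actually load (the DLL argument for rundll32 entries, the executable otherwise) and reports the ones whose file is gone. Off Windows it runs against SAMPLE_ENTRIES, a constructed set named after files in the logs above, with a fake view of what is on disk; the exact rundll32 command lines and the "Windows Defender" entry are assumptions, not taken from the poster's machine.

```python
"""Find autostart entries whose target file no longer exists.

Added example, not code from the thread or from Autoruns. On Windows it reads
the standard Run/RunOnce keys; elsewhere it runs against SAMPLE_ENTRIES, a
constructed set modelled on the logs above, with a fake "on disk" set.
"""
import os
import re
import sys
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, command line)

# Per-user and per-machine autostart keys: (hive, subkey).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command(command: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def expand_env(path: str, env: Optional[Dict[str, str]] = None) -> str:
    """Expand %VAR% references case-insensitively, as Windows does."""
    source = os.environ if env is None else env
    table = {k.lower(): v for k, v in source.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: table.get(m.group(1).lower(), m.group(0)), path)


def startup_target(command: str, env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the file a Run value actually loads: the executable itself, or for
    a rundll32 entry the DLL in its first argument (before ",EntryPoint"). A
    deleted DLL here is what produces the "Error loading ..." dialog."""
    tokens = split_command(command)
    if not tokens:
        return None
    exe_name = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe_name in ("rundll32", "rundll32.exe"):
        if len(tokens) < 2:
            return None
        return expand_env(tokens[1].split(",", 1)[0], env)
    return expand_env(tokens[0], env)


def find_orphans(entries: Iterable[Entry],
                 exists: Callable[[str], bool] = os.path.exists,
                 env: Optional[Dict[str, str]] = None) -> List[Entry]:
    """Return (key, name, target) for every entry whose target file is missing."""
    orphans: List[Entry] = []
    for key, name, command in entries:
        target = startup_target(command, env)
        if target is not None and not exists(target):
            orphans.append((key, name, target))
    return orphans


def read_run_entries() -> List[Entry]:
    """Enumerate the live Run/RunOnce values. Windows only (uses winreg)."""
    import winreg  # imported here so the rest of the module runs anywhere
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries: List[Entry] = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue  # RunOnce is frequently absent
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            if isinstance(value, str):
                entries.append((hive + "\\" + subkey, name, value))
            index += 1
        key.Close()
    return entries


# Constructed sample: two leftovers named after files in the logs above, one
# legitimate entry, and the only path the fake disk actually contains.
SAMPLE_ENTRIES: List[Entry] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "roloropo",
     r"rundll32.exe C:\Windows\system32\roloropo.dll,s"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Resurections",
     r"C:\TEMP\cj2rjef4sd.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Defender",
     r'"%ProgramFiles%\Windows Defender\MSASCui.exe" -hide'),
]
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files"}
SAMPLE_DISK = {r"c:\program files\windows defender\msascui.exe"}


def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_DISK  # NTFS paths compare case-insensitively


def demo() -> List[Entry]:
    return find_orphans(SAMPLE_ENTRIES, sample_exists, SAMPLE_ENV)


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    results = find_orphans(read_run_entries()) if on_windows else demo()
    for key, name, target in results:
        print(f"{key}\\{name}: {target} (file not found)")
```

Treat the output as the list of candidates to confirm in Autoruns, not as a deletion list: a missing target can also be left behind by a program that was uninstalled without cleaning up after itself, which is harmless but still worth removing for the same reason.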

#3 nhanster

  • Topic Starter
  • Members
  • 14 posts

Posted 29 April 2009 - 12:35 AM

Thank you!
My first problem is solved; the error messages don't appear on startup anymore.

But now, I have this annoying pop-up ad virus. An advertisement webpage will suddenly appear out of nowhere o.O

Here is the MBAM w/ quick scan like you requested.


Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 6.0.6001 Service Pack 1

4/28/2009 10:31:28 PM
mbam-log-2009-04-28 (22-31-28).txt

Scan type: Quick Scan
Objects scanned: 74315
Time elapsed: 3 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\o675.o675mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\o675.o675mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b3fa56cf-b3f9-4328-9802-cfaacea86646} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b3fa56cf-b3f9-4328-9802-cfaacea86646} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\TEMP\kjsfh3jfokdf3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\TEMP\nncdndfdfg48.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Windows\t55ft2692f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\System32\dll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\instsp2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xptfh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\pdtivk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\msncache.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\azton.mt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\kakijigu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hadabuda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ruhegozi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 April 2009 - 07:50 AM

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

IMPORTANT NOTE: One or more of the identified infections (comsa32.sys) was related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Edited by quietman7, 29 April 2009 - 07:52 AM.


#5 nhanster

  • Topic Starter
  • Members
  • 14 posts

Posted 30 April 2009 - 01:31 AM

is there a way to check the rootkits on my computer? or is it all gone?


Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 6.0.6001 Service Pack 1

4/29/2009 11:30:01 PM
mbam-log-2009-04-29 (23-30-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191741
Time elapsed: 1 hour(s), 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Administrator\Downloads\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.

#6 nhanster

  • Topic Starter
  • Members
  • 14 posts

Posted 30 April 2009 - 02:21 AM

I also have a log of RootRepeal.
Does anything seem abnormal to you??
Thanks

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/30 00:19
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3b31bf1c-3291-11de-88d0-00e0b8e82b3c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a3fcf086-3550-11de-8f4c-00e0b8e82b3c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e0154ffc-3481-11de-b17a-00e0b8e82b3c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fd5cc123-3544-11de-bb6b-00e0b8e82b3c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ff0abafd-32a4-11de-b128-00e0b8e82b3c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\inf\setupapi.app.log
Status: Size mismatch (API: 49066919, Raw: 49061893)

Path: C:\Program Files\Camera Assistant Software for Gateway\Help\Help_02_F.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Windows Media Player\Network Sharing\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wfp\wfpdiag.etl
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.16830_none_29a6eeebde589a97\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.21023_none_2a3e34a2f76b9db7\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.18226_none_2b9dff39db71a7a1\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.22389_none_2be9bd5af4bd3b16\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Program Files\CyberLink\LabelPrint\Language\Enu\Readme.htm
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\Program Files\Microsoft Office\Templates\12\MseNewFileItems\HTMLPAGE.HTM
Status: Allocation size mismatch (API: 4096, Raw: 704)

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Path: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\HowTo\ENU\Secure01.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Adobe\Acrobat 7.0\Acrobat\HowTo\ENU\HowTo04.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Gateway Games\Polar Bowler\media\help\en\help.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\Program Files\Gateway Games\Polar Bowler\media\help\es\sysreqs.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Gateway Games\Polar Bowler\media\help\fr\gamemenu.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Gateway Games\Polar Bowler\media\help\it\sysreqs.htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\Gateway Games\Polar Bowler\media\help\sv\gettingstarted.htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: C:\ProgramData\WildTangent\Gateway Game Console\UI\htdocs2\de\home.html
Status: Allocation size mismatch (API: 28672, Raw: 24576)

Path: C:\ProgramData\WildTangent\Gateway Game Console\UI\htdocs2\es\home.html
Status: Allocation size mismatch (API: 28672, Raw: 24576)

Path: C:\ProgramData\WildTangent\Gateway Game Console\UI\htdocs2\zh\Help.html
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\ProgramData\WildTangent\Gateway Game Console\UI\htdocs2\zh-cn\AboutWildCoins.html
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\ProgramData\WildTangent\Gateway Game Console\UI\htdocs2\zh-cn\Help.html
Status: Allocation size mismatch (API: 16384, Raw: 12288)

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.177.gthr
Status: Invisible to the Windows API!

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.182.Crwl
Status: Visible to the Windows API, but not on disk.

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.182.gthr
Status: Visible to the Windows API, but not on disk.

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy39.gthr
Status: Size mismatch (API: 364806, Raw: 338528)

Path: C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\on0npt64.default\Cache\_CACHE_001_
Status: Allocation size mismatch (API: 458752, Raw: 274432)

Path: C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\on0npt64.default\Cache\_CACHE_002_
Status: Allocation size mismatch (API: 327680, Raw: 151552)

Path: C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\on0npt64.default\Cache\_CACHE_003_
Status: Allocation size mismatch (API: 917504, Raw: 602112)

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci
Status: Visible to the Windows API, but not on disk.

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir
Status: Visible to the Windows API, but not on disk.

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid
Status: Visible to the Windows API, but not on disk.

Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNTQ7BKR\search[1].htm
Status: Allocation size mismatch (API: 12288, Raw: 8192)

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 April 2009 - 06:54 AM

is there a way to check the rootkits on my computer? or is it all gone?

There are no shortcuts or guarantees when it comes to malware removal, especially when dealing with rootkits. MBAM uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SAS offers technology to deal with rootkit infections as well.

If you're unsure how to use a particular Anti-rootkit (ARK) tool, then you should not be using it. Some ARKs are intended for advanced users or to be used under the guidance of an expert as they are powerful and can be misused with disastrous results. There are many free ARK tools but some require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

How is your computer running now? Are there any more reports/signs of infection?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
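As an added example (not from this thread, and not code from MBAM, SAS or any other tool named here), a small Python triage helper for the ARK scan records quoted earlier in the thread: it parses the Path/Status pairs and sorts them by the point made above, that a size discrepancy on a file a running browser or indexer is rewriting is usually a scan-time artifact, while a file the Windows API reports but the raw disk parse cannot find deserves a closer look. The volatile-location list and the last sample path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# One record = a "Path:" line followed by a "Status:" line, as in the log quoted above.
RECORD_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.MULTILINE)
SIZE_RE = re.compile(r"\(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")

# Heuristic (assumed, not from any ARK tool): files under these locations are
# rewritten constantly, so API-vs-raw size differences there are usually timing artifacts.
VOLATILE_HINTS = ("\\firefox\\profiles\\", "\\microsoft\\search\\data\\",
                  "\\temporary internet files\\")

@dataclass
class Finding:
    path: str
    status: str
    triage: str  # "benign-likely", "review" or "unknown"

def classify(path: str, status: str) -> str:
    """Assign a triage class from the status text and the file location."""
    if status.startswith("Visible to the Windows API, but not on disk"):
        # The API reports a file the raw NTFS parse cannot find: look closer.
        return "review"
    if "mismatch" in status and SIZE_RE.search(status):
        low = path.lower()
        if any(hint in low for hint in VOLATILE_HINTS):
            return "benign-likely"
        return "review"
    return "unknown"

def parse_records(text: str) -> List[Finding]:
    out = []
    for m in RECORD_RE.finditer(text):
        path, status = m["path"].strip(), m["status"].strip()
        out.append(Finding(path, status, classify(path, status)))
    return out

# Constructed sample in the shape of the log quoted above; the last path is a made-up placeholder.
SAMPLE_LOG = r"""Path: C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\on0npt64.default\Cache\_CACHE_001_
Status: Allocation size mismatch (API: 458752, Raw: 274432)

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci
Status: Visible to the Windows API, but not on disk.

Path: C:\Example\constructed\sample.dll
Status: Size mismatch (API: 20480, Raw: 16384)
"""
```

Running `parse_records(SAMPLE_LOG)` yields one "benign-likely" record (the Firefox cache file) and two "review" records; anything with an unrecognised status string comes back as "unknown" so it is not silently dropped.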

#8 nhanster

nhanster
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:33 AM

Posted 01 May 2009 - 12:46 AM

Hi,

Any signs? No, the computer is acting fine. Not slow, no pop-up ads or anything yet.

Reports...kinda..


I installed AVG Free Anti-Virus 8.5 because my PC didn't have an anti-virus program yet.
Once installed, AVG's resident shield started going berserk!!
It started finding thousands (literally) of infected files/programs. Half of the programs are common programs like Notepad, Adobe, Windows Media Player, etc.
The resident shield is listing all of the infections as "Infection from Win32/virut".
I haven't deleted any of the files that it told me about. Just waiting for you to tell me what to do next.


Are all of these files corrupted? Should I reformat?
Thanks for your help!

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 PM

Posted 01 May 2009 - 07:15 AM

The resident shield is listing all of the infection as "Infection from Win32/virut"

Virut (Virtob) is a polymorphic file infector with IRCBot functionality which infects .exe, .scr and script files (.PHP, .ASP, and .HTML), downloads more malicious files to your system, and opens a back door that compromises your computer. When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut
This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Should you decide not to follow that advice, you can try the AVG Win32/Virut Remover. It was last updated in August 2008 and is not always effective for the reasons I indicated above. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.