Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TR/Rootkit.Gen Trojan


  • Please log in to reply
12 replies to this topic

#1 PHSangre

PHSangre

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 AM

Posted 05 June 2009 - 10:17 AM

Hi. I've been reading some posts in your forums now and while some information are useful, I would like to request for a more personalized help.

My computer is plagued with a trojan for a while. Avira lists it as TR/Rootkit.Gen Trojan and TR/Inject.aapx Trojan, while my Malawarebytes Ant-Malware cannot find anything on full scan. Here are my log files from Avira and MBAM:


*********************************************************

AVIRA:



Avira AntiVir Personal
Report file date: Friday, June 05, 2009 22:22

Scanning for 1454100 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CELESTE

Version information:
BUILD.DAT : 8.2.0.353 17048 Bytes 5/15/2009 12:02:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 16:21:28
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 15:56:42
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 20:44:20
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 15:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:43:24
ANTIVIR2.VDF : 7.1.4.38 2692096 Bytes 5/29/2009 19:22:32
ANTIVIR3.VDF : 7.1.4.60 189952 Bytes 6/5/2009 23:20:12
Engineversion : 8.2.0.180
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/21/2009 00:44:26
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/21/2009 00:44:24
AESCN.DLL : 8.1.2.3 127347 Bytes 5/21/2009 00:44:20
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 21:58:40
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/29/2009 04:27:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 5/21/2009 00:44:08
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/21/2009 00:44:06
AEHELP.DLL : 8.1.2.2 119158 Bytes 5/21/2009 00:43:44
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/21/2009 00:43:42
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 18:05:58
AECORE.DLL : 8.1.6.12 180599 Bytes 5/29/2009 04:27:02
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 18:05:58
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 16:40:06
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 17:28:02
AVREP.DLL : 8.0.0.3 155688 Bytes 5/21/2009 00:43:30
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 19:26:42
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 16:29:24
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 20:27:50
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 01:28:04
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 20:49:42
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 20:05:12
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 21:48:08
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 21:34:38

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, June 05, 2009 22:22

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'mplayerc.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'RegistryBooster.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'NVSVC32.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'BTWDINS.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'MemCheck.exe' - '1' Module(s) have been scanned
Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'Acer.Empowering.Framework.Launcher.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'E_S4I3T1.EXE' - '1' Module(s) have been scanned
Scan process 'ElkCtrl.exe' - '1' Module(s) have been scanned
Scan process 'CameraAssistant.exe' - '1' Module(s) have been scanned
Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned
Scan process 'QtZgAcer.EXE' - '1' Module(s) have been scanned
Scan process 'ePower_DMC.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ePresentation.exe' - '1' Module(s) have been scanned
Scan process 'eDSloader.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
54 processes with 54 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '87' files ).


Starting the file scan:

Begin scan in 'C:\' <ACER>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\system volume information\_restore{2B69204D-2D51-40B9-94E5-89DFCE5DB2B4}\RP62\A0019414.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a5a04d7.qua'!
C:\system volume information\_restore{2B69204D-2D51-40B9-94E5-89DFCE5DB2B4}\RP62\A0019420.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4b7ed5b8.qua'!
C:\system volume information\_restore{2B69204D-2D51-40B9-94E5-89DFCE5DB2B4}\RP63\A0019489.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a5a04d8.qua'!
C:\system volume information\_restore{2B69204D-2D51-40B9-94E5-89DFCE5DB2B4}\RP72\A0020336.exe
[DETECTION] Is the TR/Inject.aapx Trojan
[NOTE] The file was moved to '4a5a04e8.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\CatRoots.exe.vir
[DETECTION] Is the TR/Inject.aapx Trojan
[NOTE] The file was moved to '4a9e052b.qua'!


End of the scan: Friday, June 05, 2009 22:55
Used time: 32:54 Minute(s)

The scan has been done completely.

15174 Scanning directories
220162 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
220155 Files not concerned
6938 Archives were scanned
2 Warnings
5 Notes

*********************************************************

MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 2

6/5/2009 10:22:24 PM
mbam-log-2009-06-05 (22-22-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192158
Time elapsed: 32 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************************************


Much help is appreciated. Thank you very much!

BC AdBot (Login to Remove)

 


#2 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE
  •  

Posted 05 June 2009 - 03:56 PM

Moved from HJT to a more appropriate forum. TW

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA

Posted 05 June 2009 - 04:05 PM

Hello, please run thes next and post the logs,,

Next run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Now run part 1 of S!Ri's SmitfraudFix

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 PHSangre

PHSangre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 06 June 2009 - 08:52 AM

Thank you very much for the quick reply!

As per your instructions, I ran ATF Cleaner, SuperAntiSpyware and part 1 of S!R!'s SmitfraudFix. Here are the log files of the last two programs:


*************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2009 at 09:32 PM

Application Version : 4.26.1004

Core Rules Database Version : 3927
Trace Rules Database Version: 1871

Scan type : Complete Scan
Total Scan Time : 03:18:09

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 4431
Registry threats detected : 0
File items scanned : 98693
File threats detected : 0



**************************************************************************


SmitFraudFix v2.419

Scan done at 21:40:17.81, Sat 06/06/2009
Run from C:\Documents and Settings\Cel\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Cel\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\Cel\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Cel


C:\DOCUME~1\Cel\LOCALS~1\Temp


C:\Documents and Settings\Cel\Application Data


Start Menu


C:\DOCUME~1\CEL\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End



******************************************************************************

Please advise me on the next step. Thanks again!

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 AM

Posted 06 June 2009 - 09:18 AM

This looks good. Are you having any more malware symptoms?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 PHSangre

PHSangre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 07 June 2009 - 08:18 PM

Hi again. Not really, just that Avira keps detecting them as trojans, which is bothersome. I use my computer with headsets on so the Avira alarm jolts me everytime. Are these trojans false-positives, and if so, how can I make Avira stop detecting them as such? Thanks again!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 AM

Posted 07 June 2009 - 08:39 PM

Let's see if there may be a rootkit on the driver.
Rootkit scanning
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 PHSangre

PHSangre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 08 June 2009 - 09:45 AM

Thanks again for the additional instructions. I ran GMER both in the safe and normal mode (in case I haven't done either one correctly). Here are the log files:


********************************************************************************
SAFE MODE:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-08 22:11:01
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cedc7b19
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee509ef
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cedc7b19
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cee509ef

---- EOF - GMER 1.0.15 ----



*****************************************************************************


NORMAL MODE:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-08 22:26:18
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT BAFED9EC ZwCreateThread
SSDT BAFED9D8 ZwOpenProcess
SSDT BAFED9DD ZwOpenThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB74E5DF0]
SSDT BAFED9E2 ZwWriteVirtualMemory

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[828] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2328] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wscntfy.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wscntfy.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wscntfy.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wscntfy.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Cel\Desktop\gmer.exe[2936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Cel\Desktop\gmer.exe[2936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Cel\Desktop\gmer.exe[2936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Cel\Desktop\gmer.exe[2936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[3704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[3704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[3704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[3704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cedc7b19
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cee509ef
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cedc7b19
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cee509ef

---- EOF - GMER 1.0.15 ----


********************************************************************************

Is there already a working diagnosis, or is more workup needed? :D Thanks again for the help. Really appreciate it.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 AM

Posted 08 June 2009 - 12:02 PM

Hi, Well run Avira and post the log of infections,please as It may have cleaned them.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 PHSangre

PHSangre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 08 June 2009 - 09:36 PM

I did a complete scan with Avira as you instructed, and it comes up clean!

*****************************************************************

Avira AntiVir Personal
Report file date: Tuesday, June 09, 2009 09:27

Scanning for 1457764 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CELESTE

Version information:
BUILD.DAT : 8.2.0.353 17048 Bytes 5/15/2009 12:02:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 16:21:28
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 15:56:42
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 20:44:20
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 15:58:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:43:24
ANTIVIR2.VDF : 7.1.4.38 2692096 Bytes 5/29/2009 19:22:32
ANTIVIR3.VDF : 7.1.4.66 237568 Bytes 6/7/2009 16:12:00
Engineversion : 8.2.0.180
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/21/2009 00:44:26
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/21/2009 00:44:24
AESCN.DLL : 8.1.2.3 127347 Bytes 5/21/2009 00:44:20
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 21:58:40
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/29/2009 04:27:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 5/21/2009 00:44:08
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/21/2009 00:44:06
AEHELP.DLL : 8.1.2.2 119158 Bytes 5/21/2009 00:43:44
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/21/2009 00:43:42
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 18:05:58
AECORE.DLL : 8.1.6.12 180599 Bytes 5/29/2009 04:27:02
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 18:05:58
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 16:40:06
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 17:28:02
AVREP.DLL : 8.0.0.3 155688 Bytes 5/21/2009 00:43:30
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 19:26:42
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 16:29:24
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 20:27:50
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 01:28:04
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 20:49:42
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 20:05:12
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 21:48:08
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 21:34:38

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, June 09, 2009 09:27

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'YahooMessenger.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'BTWDINS.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'AVGUARD.EXE' - '1' Module(s) have been scanned
Scan process 'MemCheck.exe' - '1' Module(s) have been scanned
Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'Acer.Empowering.Framework.Launcher.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'E_S4I3T1.EXE' - '1' Module(s) have been scanned
Scan process 'ElkCtrl.exe' - '1' Module(s) have been scanned
Scan process 'CameraAssistant.exe' - '1' Module(s) have been scanned
Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned
Scan process 'QtZgAcer.EXE' - '1' Module(s) have been scanned
Scan process 'ePower_DMC.exe' - '1' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned
Scan process 'ePresentation.exe' - '1' Module(s) have been scanned
Scan process 'eDSloader.exe' - '1' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
57 processes with 57 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '88' files ).


Starting the file scan:

Begin scan in 'C:\' <ACER>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\hiberfil.sys
[WARNING] The file could not be opened!


End of the scan: Tuesday, June 09, 2009 09:51
Used time: 24:02 Minute(s)

The scan has been done completely.

15173 Scanning directories
218269 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
218267 Files not concerned
6952 Archives were scanned
2 Warnings
0 Notes


******************************************************************

I have said this ad nauseum, and I say it again: Thank you very much for the help. You people are the best. :thumbsup:

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 AM

Posted 08 June 2009 - 09:57 PM

This looks good now! You're welcome too :thumbsup: If there are no furthur issues here then...


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 PHSangre

PHSangre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:39 PM

Posted 08 June 2009 - 10:55 PM

I've created a new restore point and did the Disk Cleanup as per your instructions.

Thanks (again!) and more power to all of you kind people. :thumbsup:

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,078 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:39 AM

Posted 08 June 2009 - 11:03 PM

You're most welcome and thank you, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users