Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Root Kit infection


  • Please log in to reply
11 replies to this topic

#1 wazndude77

wazndude77

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 04:58 PM

Hi, I ran Root Repeal and it seems to have detected many things...But I'm kinda stuck there. I do not understand what anything in the report says, hopefully someone is willing to take a look at it. I'll post it when asked to. (The reason I checked for rootkits is that I have a badly infected machine and I wanted to scan for every possible trace of virus/malware)

Edited by wazndude77, 08 July 2009 - 04:59 PM.


BC AdBot (Login to Remove)

 


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 05:25 PM

Post the log please.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 wazndude77

wazndude77
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 06:26 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/08 17:50
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7600000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Afc.sys
Image Path: C:\WINDOWS\system32\drivers\Afc.sys
Address: 0xF7927000 Size: 32768 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF6B61000 Size: 138496 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7592000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Admin\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF62F8000 Size: 81664 File Visible: No Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B6D000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7A5F000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF77FF000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF76EF000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF768F000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF767F000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF75AA000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7B53000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6AAE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B87000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF6CC0000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7D60000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7572000 Size: 129792 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B69000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF75D0000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF770F000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF771F000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF76DF000 Size: 42112 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF6B83000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF6C52000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF764F000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7957000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7B4F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: klim5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\klim5.sys
Address: 0xF772F000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6EDB000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7549000 Size: 92288 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF794F000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF765F000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF6AC6000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF79F7000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msfwhlpr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
Address: 0xF6C65000 Size: 107136 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF776F000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7B13000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7462000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF747C000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7AF3000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF6782000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6E1B000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF779F000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF77DF000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF6BA9000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7A07000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF74A9000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7D9F000 Size: 2944 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF77CF000 Size: 34048 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xF7AE7000 Size: 12928 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xF6E69000 Size: 303104 File Visible: - Signed: -
Status: -

Name: NVSNPU.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xF6E32000 Size: 225280 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF78D7000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF75EF000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7C17000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF78CF000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6E0A000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF798F000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF76AF000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7AD7000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF773F000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF774F000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF775F000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF799F000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF6B36000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B71000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6DDA000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF76FF000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6D5C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7560000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF65B4000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7B5B000 Size: 4352 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF6BF9000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF797F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF777F000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6D7C000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7B5F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF791F000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF778F000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF7917000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6EFE000 Size: 147456 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF79E7000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF6CA0000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF766F000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7A47000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7B51000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF7536000 Size: 77568 File Visible: - Signed: -
Status: -

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 06:46 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 wazndude77

wazndude77
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 07:20 PM

Alright I did as you said after my computer mysteriously restarted. However before I ran MBAM I scanned for rootkits with GMER and noticed a few things that I didn't see in the Root Repeal log such as

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACljgfollfnlfjyfi.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcocailruhxcucnl.dll

((Wonder if that means anything)

anyway here is the log.

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

2009-07-08 8:18:48 PM
mbam-log-2009-07-08 (20-18-48).txt

Scan type: Quick Scan
Objects scanned: 129159
Time elapsed: 10 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 07:28 PM

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACljgfollfnlfjyfi.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcocailruhxcucnl.dll

These look like leftovers of an infection in the registry.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 wazndude77

wazndude77
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 10:12 PM

Before we take a look at the log, I would like to point out somethings i just noticed/realized/would like to ask about
1. During my last infection, randomly generated .dll were being created in my systems32 folder all starting with the letter Z...they went undetected by all the anti malware and antivirus...Now i noticed one of them in there still (Zipfldr.dll and a couple registry keys: zonedoff.reg & zonedon.reg) and I'm wondering if there is a way to detect if it's potentially harmful or not...there is also a weird text document I haven't noticed before (Ymjmsi.log) containing stuff like

MSI © (F8:38) [22:50:58:421]: Client-side and UI is none or basic: Running entire install on the server.
MSI © (F8:38) [22:50:58:421]: Grabbed execution mutex.
MSI © (F8:38) [22:51:00:375]: Cloaking enabled.
MSI © (F8:38) [22:51:00:375]: Attempting to enable all disabled priveleges before calling Install on Server
MSI © (F8:38) [22:51:00:390]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (EC:68) [22:51:00:593]: Grabbed execution mutex.
MSI (s) (EC:5C) [22:51:00:593]: Resetting cached policy values
MSI (s) (EC:5C) [22:51:00:593]: Machine policy value 'Debug' is 0
MSI (s) (EC:5C) [22:51:00:593]: ******* RunEngine:


I might not understand what any of this is, it might not even be harmful at all, but I just want to be 100% sure that the infection is never coming back.

And about the Leftovers from the previous infection, is it safe to just leave them like that? or should i get rid of them somehow?

Back on topic: here is the log you wanted.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/08/2009 at 10:48 PM

Application Version : 4.26.1006

Core Rules Database Version : 3981
Trace Rules Database Version: 1921

Scan type : Complete Scan
Total Scan Time : 01:48:46

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 6421
Registry threats detected : 9
File items scanned : 72141
File threats detected : 145

Adware.Tracking Cookie
C:\Documents and Settings\Admin\Cookies\admin@bridge1.admarketplace[1].txt
C:\Documents and Settings\Admin\Cookies\admin@poolsupplyworld.122.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@lynxtrack[1].txt
C:\Documents and Settings\Admin\Cookies\admin@adserve.brandgivewaycentre[2].txt
C:\Documents and Settings\Admin\Cookies\admin@bizrate[2].txt
C:\Documents and Settings\Admin\Cookies\admin@adlegend[1].txt
C:\Documents and Settings\Admin\Cookies\admin@rotator.adjuggler[1].txt
C:\Documents and Settings\Admin\Cookies\admin@advertising[2].txt
C:\Documents and Settings\Admin\Cookies\admin@socialmedia[2].txt
C:\Documents and Settings\Admin\Cookies\admin@atdmt[1].txt
C:\Documents and Settings\Admin\Cookies\admin@fmimedia.infusionsoft[2].txt
C:\Documents and Settings\Admin\Cookies\admin@shopica[2].txt
C:\Documents and Settings\Admin\Cookies\admin@media6degrees[2].txt
C:\Documents and Settings\Admin\Cookies\admin@247realmedia[1].txt
C:\Documents and Settings\Admin\Cookies\admin@media.adrevolver[1].txt
C:\Documents and Settings\Admin\Cookies\admin@doubleclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@questionmarket[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.nexon[2].txt
C:\Documents and Settings\Admin\Cookies\admin@admarketplace[1].txt
C:\Documents and Settings\Admin\Cookies\admin@overture[2].txt
C:\Documents and Settings\Admin\Cookies\admin@serving-sys[2].txt
C:\Documents and Settings\Admin\Cookies\admin@oasn04.247realmedia[1].txt
C:\Documents and Settings\Admin\Cookies\admin@www.shopica[1].txt
C:\Documents and Settings\Admin\Cookies\admin@112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@fastclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.pointroll[1].txt
C:\Documents and Settings\Admin\Cookies\admin@2o7[2].txt
C:\Documents and Settings\Admin\Cookies\admin@mediaplex[1].txt
C:\Documents and Settings\Admin\Cookies\admin@mediatraffic[1].txt
C:\Documents and Settings\Admin\Cookies\admin@tribalfusion[2].txt
C:\Documents and Settings\Admin\Cookies\admin@network.realmedia[2].txt
C:\Documents and Settings\Admin\Cookies\admin@findlinksonline[2].txt
C:\Documents and Settings\Admin\Cookies\admin@msnservices.112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@insightexpressai[1].txt
C:\Documents and Settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt
C:\Documents and Settings\Admin\Cookies\admin@realmedia[2].txt
C:\Documents and Settings\Admin\Cookies\admin@bs.serving-sys[1].txt
C:\Documents and Settings\Admin\Cookies\admin@ad.yieldmanager[2].txt
C:\Documents and Settings\Admin\Cookies\admin@apmebf[2].txt
C:\Documents and Settings\Admin\Cookies\admin@specificmedia[2].txt
C:\Documents and Settings\Admin\Cookies\admin@cgm.adbureau[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ads.bridgetrack[2].txt
C:\Documents and Settings\Admin\Cookies\admin@specificclick[2].txt
C:\Documents and Settings\Admin\Cookies\admin@revenue[2].txt
C:\Documents and Settings\Admin\Cookies\admin@media.fastclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@247realmedia[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@2o7[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@a1.interclick[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@accelerize.directtrack[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@adbrite[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@adopt.specificclick[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@ads.admanage[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@ads.admaxasia[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@ads.cartoonnetwork[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@ads.cnn[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@ads.pointroll[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@adtech[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@advertising[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@aff.primaryads[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@at.atwola[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@atdmt[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@bizrate[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@bs.serving-sys[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@cms.trafficmp[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@crackle[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@directtrack[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@himedia.individuad[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@imediablast[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@imrworldwide[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@insightexpressai[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@interclick[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@media.mtvnservices[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@pro-market[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@questionmarket[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@realmedia[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@revenue[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@revsci[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@serving-sys[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@specificclick[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@specificmedia[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@stats.adbrite[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@tacoda[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@toseeka[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@tracking.gajmp[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@trafficmp[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@tribalfusion[2].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@www.crackle[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@www.googleadservices[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@www.toseeka[1].txt
C:\Documents and Settings\Admin_2\Cookies\admin_2@xiti[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.zanox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adbrite[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adecn[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adinterax[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.cnn[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.lucidmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.veoh[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adtech[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adultadworld[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adultfriendfinder[1].txt
C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt
C:\Documents and Settings\Guest\Cookies\guest@atdmt[1].txt
C:\Documents and Settings\Guest\Cookies\guest@azjmp[1].txt
C:\Documents and Settings\Guest\Cookies\guest@bs.serving-sys[2].txt
C:\Documents and Settings\Guest\Cookies\guest@cgm.adbureau[1].txt
C:\Documents and Settings\Guest\Cookies\guest@clickarrows[1].txt
C:\Documents and Settings\Guest\Cookies\guest@clicks.adengage[2].txt
C:\Documents and Settings\Guest\Cookies\guest@clickthrough.kanoodle[1].txt
C:\Documents and Settings\Guest\Cookies\guest@content.yieldmanager[1].txt
C:\Documents and Settings\Guest\Cookies\guest@content.yieldmanager[3].txt
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@dynamic.media.adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ehg-rfa.hitbox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ehg-veohnetworksinc.hitbox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ehg.hitbox[2].txt
C:\Documents and Settings\Guest\Cookies\guest@googleads.g.doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@hitbox[2].txt
C:\Documents and Settings\Guest\Cookies\guest@imrworldwide[2].txt
C:\Documents and Settings\Guest\Cookies\guest@insightexpressai[1].txt
C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@media6degrees[2].txt
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[2].txt
C:\Documents and Settings\Guest\Cookies\guest@myroitracking[1].txt
C:\Documents and Settings\Guest\Cookies\guest@popularscreensavers[1].txt
C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt
C:\Documents and Settings\Guest\Cookies\guest@revsci[1].txt
C:\Documents and Settings\Guest\Cookies\guest@richmedia.yahoo[1].txt
C:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt
C:\Documents and Settings\Guest\Cookies\guest@serw.clicksor[1].txt
C:\Documents and Settings\Guest\Cookies\guest@statcounter[2].txt
C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[1].txt
C:\Documents and Settings\Guest\Cookies\guest@tradedoubler[1].txt
C:\Documents and Settings\Guest\Cookies\guest@trafficmp[2].txt
C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[1].txt
C:\Documents and Settings\Guest\Cookies\guest@veohnetwork.122.2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@www.popularscreensavers[1].txt
C:\Documents and Settings\Guest\Cookies\guest@xiti[1].txt
C:\Documents and Settings\Guest\Cookies\guest@yourmedia[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\80E589DA
HKLM\Software\Microsoft\80E589DA#80e589da
HKLM\Software\Microsoft\80E589DA#rid
HKLM\Software\Microsoft\80E589DA#aid
HKLM\Software\Microsoft\80E589DA#Version
HKLM\Software\Microsoft\80E589DA#80e5245a
HKLM\Software\Microsoft\80E589DA#80e54dbf
HKU\S-1-5-21-220523388-1647877149-725345543-1003\Software\Microsoft\FIAS4051
HKU\S-1-5-21-220523388-1647877149-725345543-1003\Software\Microsoft\FIAS4057

Trojan.Agent/Gen-PEC
C:\COMBO.EXE\PEV.EXE

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 10:16 PM

Upload this Zipfldr.dll file at Jotti for analysis. Post back what it finds.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 wazndude77

wazndude77
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 10:21 PM

It found nothing. Thank goodness. If we're done with cleaning all my malware and viruses, I have One last problem: RunDll32...randomly and oftenly pops up into my task manager and slows down my computer. From what I've read, it's not supposed to do that...unless there's something wrong with it. I checked my Prefetch folder and there is 10 copies of it. Normal? or no?

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 10:29 PM

Use Process Explorer to find out which .DLL file is running underneath rundll32.exe.

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 wazndude77

wazndude77
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:20 AM

Posted 08 July 2009 - 10:44 PM

I can see that it has appeared again...I'm not sure what im supposed to be looking at but I do see it

Posted Image

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:20 PM

Posted 08 July 2009 - 10:50 PM

From what I could find, this relates to the NVIDIA Media Center Library. As such you might want to try reinstalling your video driver.

How to update a Windows hardware driver
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users