"Advanced Virus Remover" problem


7 replies to this topic

#1 jgolyadkin

  • Members
  • 5 posts

Posted 16 July 2009 - 03:05 PM

Hi, so one of the computers at my office was recently infected with the 'Advanced Virus Remover' virus. I found plenty of information online and eventually resorted to reformatting my hard drive and reinstalling my copy of Windows XP. This seemed to work fine and I have done scans with Malwarebytes, Windows Defender and AVG, all returning results that my system is clean. But as soon as I connect to the internet I immediately have AVG popping up finding malicious software and then my computer has the old symptoms where Task Manager is disabled, regedit is disabled, you cannot see hidden files, etc. I don't know what to do because it's within minutes of reconnecting to the internet. Now it appears to be hitting a different computer in the office, and I'm doing all of my work from a Linux box now.

Edited by jgolyadkin, 16 July 2009 - 03:11 PM.




#2 boopme

  • Global Moderator
  • 73,430 posts
  • Location:NJ USA

Posted 16 July 2009 - 03:13 PM

Hello and welcome. I am moving this to the Am I Infected forum from XP for a scan or two.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next, please install RootRepeal.
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 jgolyadkin

  • Topic Starter
  • Members
  • 5 posts

Posted 16 July 2009 - 03:21 PM

Ok, I did step one, 11 threats found. Here is the scan log:
Malwarebytes' Anti-Malware 1.39
Database version: 2443
Windows 5.1.2600 Service Pack 2
7/16/2009 4:19:18 PM
mbam-log-2009-07-16 (16-19-18).txt
Scan type: Quick Scan
Objects scanned: 74129
Time elapsed: 1 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\errigh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\301484143mmx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\3927882770.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\c.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\LYM\local settings\Temp\IXP000.TMP\mshost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


I'm rebooting now, then I'll do root repeal

#4 jgolyadkin

  • Topic Starter
  • Members
  • 5 posts

Posted 16 July 2009 - 03:44 PM

Hello, so I followed the rest. When I opened RootRepeal I received an error message saying "could not read boot sector. try adjusting the disk access level in the options dialog." But it seemed to run anyway.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/16 16:35
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: b484e004.sys
Image Path: C:\WINDOWS\System32\drivers\b484e004.sys
Address: 0xF6B92000 Size: 66304 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6B2B000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A50000 Size: 8192 File Visible: No Signed: -
Status: -
Name: qIegm.sys
Image Path: C:\WINDOWS\system32\drivers\qIegm.sys
Address: 0xF6DCF000 Size: 61440 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF411E000 Size: 49152 File Visible: No Signed: -
Status: -
Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: winlogon.exe (PID: 640) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: services.exe (PID: 684) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: lsass.exe (PID: 696) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrlkmpjxwp.dll]
Process: svchost.exe (PID: 852) Address: 0x00650000 Address: 53248
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: svchost.exe (PID: 852) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: svchost.exe (PID: 948) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: MsMpEng.exe (PID: 1068) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: svchost.exe (PID: 1124) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: svchost.exe (PID: 1192) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: svchost.exe (PID: 1404) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: Explorer.EXE (PID: 1464) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: AAWService.exe (PID: 1636) Address: 0x003e0000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: spoolsv.exe (PID: 1720) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgtray.exe (PID: 1968) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: MSASCui.exe (PID: 1984) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgwdsvc.exe (PID: 300) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgemc.exe (PID: 892) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgrsx.exe (PID: 1032) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgcsrvx.exe (PID: 1324) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: unsecapp.exe (PID: 1832) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: wmiprvse.exe (PID: 2184) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: iexplore.exe (PID: 2376) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: AAWTray.exe (PID: 2808) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: avgnsx.exe (PID: 212) Address: 0x10000000 Address: 32768
==EOF==

That's the report, but now my computer has frozen to a blue screen with a KERNEL_STACK_INPAGE_ERROR and I'm going to have to restart.
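A small triage script for the RootRepeal report format posted above, added here as an example (it is not from the thread or from the RootRepeal tool). It parses the Drivers and Stealth Objects sections, flags drivers hidden from the file system other than the ones the tool is expected to hide, and lists each hidden module with the processes it was found in; the allow-list of expected hidden drivers and the trimmed sample report are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the RootRepeal report format posted in the thread
# (a trimmed excerpt of that log, not the complete report).
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: b484e004.sys
Address: 0xF6B92000 Size: 66304 File Visible: No Signed: -
Name: rootrepeal.sys
Address: 0xF411E000 Size: 49152 File Visible: No Signed: -
Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: winlogon.exe (PID: 640) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrornotpxori.tmpll]
Process: services.exe (PID: 684) Address: 0x10000000 Address: 32768
Object: Hidden Module [Name: geyekrlkmpjxwp.dll]
Process: svchost.exe (PID: 852) Address: 0x00650000 Address: 53248
==EOF==
"""

# Drivers RootRepeal lists as "File Visible: No" even on a clean XP system: its own
# driver and the kernel's in-memory crash-dump copies (dump_*.sys). This allow-list
# is an assumption made for this example, not something the thread states.
EXPECTED_HIDDEN = re.compile(r"^(rootrepeal\.sys|dump_.*)$", re.IGNORECASE)

def triage(text):
    """Return hidden drivers not on the allow-list and, per hidden module,
    the processes RootRepeal found it loaded into."""
    section, name, module = None, None, None
    drivers, modules = [], defaultdict(set)
    for line in text.splitlines():
        if line.strip() and not re.search(r"[:=-]", line):
            section = line.strip()          # bare line = section title (heuristic)
        elif section == "Drivers":
            if line.startswith("Name: "):
                name = line[6:].strip()
            elif "File Visible: No" in line and name and not EXPECTED_HIDDEN.match(name):
                drivers.append(name)
        elif section == "Stealth Objects":
            m = re.match(r"Object: Hidden Module \[Name: (.+)\]", line)
            if m:
                module = m.group(1)
            elif module and line.startswith("Process: "):
                modules[module].add(line.split()[1])    # process image name
    return {"hidden_drivers": drivers,
            "injected_modules": {k: sorted(v) for k, v in modules.items()}}
```

Run against the full log posted above, the same module name shows up in nearly every process at the same address, which is the pattern a responder looks for before deciding whether cleaning or a rebuild is the safer course.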

#5 jgolyadkin

  • Topic Starter
  • Members
  • 5 posts

Posted 16 July 2009 - 03:47 PM

Oh yes, and after RootRepeal finished an error came up, "could not read system registry! Please contact Author", and Windows Defender came up with a severe alert "Trojan:Win32/winwebsec", which I had removed. Then the screen went blue after I emailed myself the log and posted it on here.

#6 boopme

  • Global Moderator
  • 73,430 posts
  • Location:NJ USA

Posted 16 July 2009 - 06:20 PM

A nasty infection, we will need a HijackThis log.
You will need to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#7 jgolyadkin

  • Topic Starter
  • Members
  • 5 posts

Posted 16 July 2009 - 07:24 PM

After a couple of hours with Microsoft support I seem to have it cleared up, but if it rears its head again in the next day I'll start that topic like you said.

Thanks

#8 boopme

  • Global Moderator
  • 73,430 posts
  • Location:NJ USA

Posted 16 July 2009 - 08:18 PM

Thank you for the reply :thumbsup:



