Clicking on google links leads me to ebay and other sites


24 replies to this topic

#1 ashoka149
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 24 July 2009 - 05:13 AM

Hi friends

Please help.
For the last couple of days I have been having the following problems:

Norton Internet Security seems fine on booting up, but a few minutes later tells me that advanced protection is switched off. The full virus scan quits after a few minutes with nothing found. The Norton removal tool does not remove the product unless in safe mode, but when reinstalled the same problem starts after a few minutes.

When I click on some Google links, something takes over called ? oneclick and redirects to other web pages like eBay or some spurious-looking antivirus product which tries to download unless I close the browser immediately.

Malwarebytes found nothing. This was after ATF Cleaner was used. I attach a log below. I use XP Home with SP3 and an Athlon 4400 processor. Help please.

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

22/07/2009 14:16:56
mbam-log-2009-07-22 (14-16-52).txt

Scan type: Quick Scan
Objects scanned: 119795
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.


#2 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 24 July 2009 - 06:14 AM

I have run Malwarebytes in safe mode and removed all the malware that it has found. A repeat scan has come up clear; log file attached below.

I have found in the system32 folder a file called geyekrgqmwgmkc.dll. Is this a virus? Help please.

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

24/07/2009 11:44:54
mbam-log-2009-07-24 (11-44-54).txt

Scan type: Quick Scan
Objects scanned: 119175
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#3 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 24 July 2009 - 07:42 AM

You are showing a backdoor bot being present.

This malware may steal personal information from your computer and can monitor traffic as you surf. If you do on-line banking, shopping, or other financial transactions, you need to contact your bank to monitor your account -and- change all passwords immediately. I also recommend changing the password on your router - if applicable.

Malwarebytes is actually stronger in Normal mode.

C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

This can be fixed by selecting the item to be removed. Here are the instructions I give...

On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

I would follow that with Dr.Web

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#4 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 24 July 2009 - 10:24 AM

Hi

Thanks for the response.

Ran the MBAM full scan in normal mode. Found several affected files. Clicked on remove after choosing all. Asked to reboot, which I did. Attached MBAM log file below.

Dr.Web scan in safe mode did not seem to run.

I got the initial screen, clicked OK to start scan. Got a green screen asking me to download the 30 day trial version. Clicked on the X in the corner to exit and then nothing happened. Tried this several times. Did exactly the same.

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

24/07/2009 16:00:55
mbam-log-2009-07-24 (16-00-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 440124
Time elapsed: 1 hour(s), 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.
c:\program files\321studios\Platinum\mlcom.ax (Backdoor.Bot) -> No action taken.
c:\program files\321studios\Platinum\mpeg2dmx.ax (Backdoor.Bot) -> No action taken.
c:\program files\321studios\Platinum\mpgdec.ax (Backdoor.Bot) -> No action taken.

#5 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 24 July 2009 - 02:52 PM

Hi

I have just run a SUPERAntiSpyware full scan in safe mode. It did not pick up any viruses. But symptoms still the same.

Help!!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2009 at 07:49 PM

Application Version : 4.26.1006

Core Rules Database Version : 4015
Trace Rules Database Version: 1955

Scan type : Complete Scan
Total Scan Time : 03:10:22

Memory items scanned : 298
Memory threats detected : 0
Registry items scanned : 9120
Registry threats detected : 0
File items scanned : 302640
File threats detected : 0

#6 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 24 July 2009 - 04:58 PM

hi

I have run another MBAM full scan and this time found only 2 infections. Tried removal and reboot. Then ran an MBAM quick scan, but the 2 infections are still there. I have attached the log files below.

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

24/07/2009 22:42:26
mbam-log-2009-07-24 (22-42-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 440075
Time elapsed: 1 hour(s), 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.


Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

24/07/2009 22:52:04
mbam-log-2009-07-24 (22-52-01).txt

Scan type: Quick Scan
Objects scanned: 121502
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrgqmwgmkc.dll (Trojan.TDSS) -> No action taken.


Any other suggestions? The Dr.Web CureIt scan does not run in boot mode or normal mode. Help please.

#7 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 24 July 2009 - 06:29 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#8 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 25 July 2009 - 07:10 AM

Hi Rigel

I ran the Sophos Anti-Rootkit as suggested. Log file attached.

Norton antivirus seems ok so far.

I got a warning message at the start: unable to load raw registry hive SYSTEM. Registry scan may not be supported on this version of windows.

Is this something I need to address?

Many thanks for your help. Much appreciated.

I will run another MBAM scan for good measure and attach the log file once completed.

I note that you use Comodo Pro antivirus yourself. Is this better than Norton? Thanks for any advice.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 25/07/2009 at 09:51:09
User "ashoka acharya" on computer "YOUR-52F45BF7AC"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Unable to load raw registry hive SYSTEM.
Registry scan may not be supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\dtscsi.sys
Hidden: file C:\WINDOWS\system32\geyekrlog.dat
Hidden: file C:\WINDOWS\system32\geyekrkvjmryqi.dat
Hidden: file C:\WINDOWS\system32\drivers\geyekrkkypltdl.sys
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\WINDOWS\system32\geyekrgqmwgmkc.dll
Hidden: file C:\WINDOWS\system32\geyekrsaplaknr.dat
Hidden: file C:\WINDOWS\system32\geyekrgbmpqanu.dll
Hidden: file C:\Documents and Settings\ashoka acharya\Local Settings\temp\geyekr000
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS2.dat
Hidden: file C:\Documents and Settings\ashoka acharya\My Documents\My Music\Lionel Richie - Full Discography (1982 - 2006)\2003 - The Definitive Collection (Compilation Album)\Lionel Richie - The Definitive Collection CD1 - 17 - To Love A Woman (Feat. Enrique Iglesias).mp3
Info: Starting disk scan of I: (FAT).
Info: Starting disk scan of J: (NTFS).
Stopped logging on 25/07/2009 at 11:01:42


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 25/07/2009 at 11:45:17
User "ashoka acharya" on computer "YOUR-52F45BF7AC"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Unable to load raw registry hive SYSTEM.
Registry scan may not be supported on this version of Windows.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS2.dat
Stopped logging on 25/07/2009 at 12:54:58

#9 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 25 July 2009 - 09:45 AM

One thing you should know:

You have been infected by a nasty rootkit {TDSS Variant}. This rootkit may steal personal information from your computer and can monitor traffic as you surf. If you do on-line banking, shopping, or other financial transactions, you need to contact your bank to monitor your account -and- change all passwords immediately. I also recommend changing the password on your router - if applicable. Due to the nature of rootkits, some members elect to reformat their computer, versus trying to clean it. If you wish to do that, please let me know.

We continue:

Rerun Sophos ARK and delete the following files:
  • Hidden: file C:\WINDOWS\system32\geyekrlog.dat
  • Hidden: file C:\WINDOWS\system32\geyekrkvjmryqi.dat
  • Hidden: file C:\WINDOWS\system32\drivers\geyekrkkypltdl.sys
  • Hidden: file C:\WINDOWS\system32\geyekrgqmwgmkc.dll
  • Hidden: file C:\WINDOWS\system32\geyekrsaplaknr.dat
  • Hidden: file C:\WINDOWS\system32\geyekrgbmpqanu.dll
  • Hidden: file C:\Documents and Settings\ashoka acharya\Local Settings\temp\geyekr000


Then please update and rerun Malwarebytes. Post the fresh log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#10 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 25 July 2009 - 01:35 PM

thanks

I do not use the computer for banking. So will try to clean it first if that's OK.

I have run a second Sophos scan and deleted the files mentioned. Log file attached above.

I have also run a new mbam full scan and a trojan was identified and deleted. This took just under 2 hours. Log file attached below.

I am running another full scan with MBAM. This is taking much longer. Is this because System Restore has now restarted, or does it mean more infection? I suppose I should wait for the result of this new MBAM scan.

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.1.2600 Service Pack 3

25/07/2009 15:25:48
mbam-log-2009-07-25 (15-25-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 439238
Time elapsed: 1 hour(s), 59 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{fad31253-1c6f-4667-9d3b-0b60ecc5d88d}\RP49\A0033129.dll (Trojan.TDSS) -> No action taken.

#11 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender: Male
  • Location: South Carolina - USA

Posted 25 July 2009 - 06:45 PM

Let's do some basic clean up and we will continue with SAS. When the MBAM scan completes, please post the log.

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
**************************************************************
Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#12 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender: Male
  • Location: UK

Posted 26 July 2009 - 01:11 PM

Hi

Problems.

Since my last post, I found the MBAM scan going very slow. So I came back to the BleepingComputer web page and, as there was not yet your reply, I had a look around at a few posts which looked like similar problems. I downloaded a file called GMER and did a scan to see if any missed rootkits were there. It found a whole lot of them, including registry keys.

I have attached the log file from this scan.

I suspect this may be related to the error message that Sophos gave me about the SYSTEM file not being accessible etc.

Since this morning I can get on the web but can't log into the BleepingComputer web page, so had to wait till my son came and am using his laptop to send this message.

Are there any other rootkit removal tools? Many thanks for your help so far.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-26 12:28:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8AB6D648 ZwAlertResumeThread
SSDT 8AB6DB60 ZwAlertThread
SSDT 89910868 ZwAllocateVirtualMemory
SSDT 8AB76100 ZwAssignProcessToJobObject
SSDT 8ABB8E70 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x9C93E040]
SSDT 898B8970 ZwCreateMutant
SSDT 8988C9B0 ZwCreateSymbolicLinkObject
SSDT 898EF6D8 ZwCreateThread
SSDT 8AB76530 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0x9C93E2C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9C93E820]
SSDT 899597A0 ZwDuplicateObject
SSDT 899097E8 ZwFreeVirtualMemory
SSDT 8AB76A70 ZwImpersonateAnonymousToken
SSDT 8AB76B70 ZwImpersonateThread
SSDT 8ABB1298 ZwLoadDriver
SSDT 895C18F8 ZwMapViewOfSection
SSDT 8AB76910 ZwOpenEvent
SSDT 89902768 ZwOpenProcess
SSDT 8AB77F70 ZwOpenProcessToken
SSDT 8AB76748 ZwOpenSection
SSDT 89959970 ZwOpenThread
SSDT 898A57B0 ZwProtectVirtualMemory
SSDT 8AB61EF0 ZwResumeThread
SSDT 8AB6DF70 ZwSetContextThread
SSDT 8989D760 ZwSetInformationProcess
SSDT 8AB765F8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9C93EA70]
SSDT 8AB76848 ZwSuspendProcess
SSDT 8AB6DC50 ZwSuspendThread
SSDT 8AB6E3E0 ZwTerminateProcess
SSDT 8AB6DE10 ZwTerminateThread
SSDT 8AB77750 ZwUnmapViewOfSection
SSDT 898A1670 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes CALL 129AE1FC
.text ntkrnlpa.exe!ZwCallbackReturn + 2D10 805045AC 4 Bytes CALL FED9D648
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes JMP C0F49C93
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[364] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Webroot\Washer\WasherSvc.exe[1688] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008ED99 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvatabus \Device\00000096 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvatabus \Device\00000097 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvatabus \Device\00000099 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvatabus \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvatabus \Device\NvAta1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Driver\nvatabus \Device\NvAta2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device 932B3D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\geyekrkkypltdl.sys (*** hidden *** ) [SYSTEM] geyekrdnhkaigw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0xCE 0x42 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\ForcewareWebInterface\Parameters@ConfigArgs -D?SSL?
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0xCE 0x42 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDC 0x65 0x06 0x90 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7E 0x5E 0x0D 0xD4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute ?????6???????????????????????????????????? ????????????e??????,??????A???????o???v?????????????????????????????????????????????????????e??????$??????x?????e?{??????????????????????? ???????%????????????????????????????????????????????????B??????:????hOWS??LocalSystem?????PNP_TDI?r????????????????????????????????o?gSt??????????????????????????????????????????????????????Tcpip??ste????`?? ???0??????? ??????????????p?????R?????????????????RpcSs?????????0????????????e??????Z???????????h??????????*?*?*??????????????t????????????1??t????????????t?????????????????????n?????????????t??????????12-3-2008????????????????????????????????????m??????????????????????????????????ATI T200 Unified AVStream Driver?S????Z???????????h?????RpcSs??pip??? ??????????????????Audio Stub Driver???Symantec Heuristics Driver???????????????????????e??????????????t???????????????????????????????????????? ?????????????LDM??????????????o??????????????????????????????????????????????e??????h?????????????????? ???????2?????5?2??? ? ? ??system3
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@imagepath \systemroot\system32\drivers\geyekrkkypltdl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main@aid 10034
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrkkypltdl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekrcmd.dll \systemroot\system32\geyekrgbmpqanu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekrlog.dat \systemroot\system32\geyekrkvjmryqi.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekrwsp.dll \systemroot\system32\geyekrgqmwgmkc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekr.dat \systemroot\system32\geyekrsaplaknr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8C 0x4A 0x8C 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0xCE 0x42 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDC 0x65 0x06 0x90 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0x09 0xC0 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\ControlSet005\Control\Session Manager@BootExecute ????????Processor??????????????????????????? ???????????????ntfs????????????? .?????????????????System????????X?? ?????????????? ????????????????? ??????????e??ntfs??????????????????????????????????N???????????D?????ACPI\PNP0100?*PNP0100???????Null??????X?? ??????????NVIDIA?F?F??Null????????????????nvatabus?2??ACPI\PNP0000?*PNP0000???????{4D36E97D-E325-11CE-BFC1-08002BE10318}???????????????8???8??? ????????????????????????????$???????????????s?????????????????????????????? ????????????????????????????"??????????f???????? ???????????r????????????????????????????????? ???!???????????????????????????????????????? D????????????????????????????? ???????????????????????? ???????????????????????????????????????0??????????????????????????????????? ??????????????????? ????"?????X???????????????? .???????????????????X??%??????????NVTCP???Keyboard?3??ParVdm????????????????N???????????D????????? ?????????????????4????????g????nvatabus?2????@????????????????n????ossrv???? .???????????????????4??????4?g?4??MSIServer???{4D
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw@imagepath \systemroot\system32\drivers\geyekrkkypltdl.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main@aid 10034
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main\delete
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main\injector
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\main\tasks
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrkkypltdl.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules@geyekrcmd.dll \systemroot\system32\geyekrgbmpqanu.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules@geyekrlog.dat \systemroot\system32\geyekrkvjmryqi.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules@geyekrwsp.dll \systemroot\system32\geyekrgqmwgmkc.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrdnhkaigw\modules@geyekr.dat \systemroot\system32\geyekrsaplaknr.dat
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8C 0x4A 0x8C 0x1B ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x83 0xCE 0x42 0xFB ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDC 0x65 0x06 0x90 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4D 0x09 0xC0 0xC3 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x40 0x19 0xC0 0xCB ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x40 0x19 0xC0 0xCB ...
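The GMER log above is what a helper has to read by hand: one `<-- ROOTKIT !!!` line names a hidden service, and the Registry section then lists the keys and module files that belong to it. The Python script below is an added example (it is not part of this thread and not a GMER tool) that does that correlation automatically over a constructed excerpt modelled on the lines posted here. It pulls out hidden services, collects the file paths their `imagepath` and `modules` values point at, and counts SSDT hooks that GMER could not attribute to a loaded driver. Security products hook the same table (the SYMEVENT.SYS entries in this log show Norton doing exactly that), so unattributed hooks are only flagged for review, not called malicious. The file list is what to confirm is gone after cleanup, which is what the later clean GMER scan in this thread does.

```python
"""Triage a GMER rootkit-scan log (added example; SAMPLE_LOG is a constructed excerpt)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the GMER output posted in the thread.
SAMPLE_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-26 12:28:21

---- System - GMER 1.0.15 ----

SSDT 8AB6D648 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x9C93E040]

---- Services - GMER 1.0.15 ----

Service system32\drivers\geyekrkkypltdl.sys (*** hidden *** ) [SYSTEM] geyekrdnhkaigw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw@imagepath \systemroot\system32\drivers\geyekrkkypltdl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrdnhkaigw\modules@geyekrcmd.dll \systemroot\system32\geyekrgbmpqanu.dll
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
SSDT_RE = re.compile(r"^SSDT\s+(?P<target>\S+)\s+(?P<rest>.*)$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # bare address = hook not mapped to a driver


@dataclass
class Triage:
    hidden_services: list = field(default_factory=list)   # (service name, image, start group)
    service_files: dict = field(default_factory=dict)     # service name -> sorted file paths
    related_reg: list = field(default_factory=list)       # raw Reg lines tied to a hidden service
    unattributed_ssdt_hooks: list = field(default_factory=list)  # syscall names, review only


def parse_reg_line(body):
    """Split 'KEY@VALUE DATA' into (key, value, data); value and data may be empty."""
    if "@" in body:
        key, _, rest = body.partition("@")
        value, _, data = rest.partition(" ")
    else:
        key, value, data = body, "", ""
    return key, value, data


def triage(log_text):
    result = Triage()
    section = None
    reg_entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m and HEX_ADDR_RE.match(m.group("target")):
                result.unattributed_ssdt_hooks.append(m.group("rest").split()[0])
        elif section == "Services":
            m = HIDDEN_SERVICE_RE.match(line)
            if m:
                result.hidden_services.append((m.group("name"), m.group("image"), m.group("start")))
        elif section == "Registry" and line.startswith("Reg "):
            reg_entries.append((line, *parse_reg_line(line[4:])))

    # Second pass: every registry entry under Services\<hidden name> belongs to that service;
    # its imagepath value and modules key give the on-disk files to verify after cleanup.
    for name, _image, _start in result.hidden_services:
        needle = "\\services\\" + name.lower()
        files = set()
        for line, key, value, data in reg_entries:
            if needle not in key.lower():
                continue
            result.related_reg.append(line)
            if data and (value.lower() == "imagepath" or key.lower().endswith("\\modules")):
                files.add(data)
        result.service_files[name] = sorted(files)
    return result


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for name, image, start in t.hidden_services:
        print(f"hidden service {name} [{start}] -> {image}")
        for path in t.service_files[name]:
            print("   file:", path)
    print(f"{len(t.related_reg)} registry entries tied to hidden services")
    print(f"{len(t.unattributed_ssdt_hooks)} SSDT hooks not attributed to a driver (review only)")
```

To use it on a real log, pass the text of the saved GMER report to `triage()` instead of `SAMPLE_LOG`; the parser only relies on the section banners and the `Service`, `SSDT` and `Reg` line shapes visible in the log above.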

#13 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:57 PM

Posted 26 July 2009 - 03:43 PM

Please try Sophos ARK instead. It is much more user friendly.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#14 ashoka149

ashoka149
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:57 PM

Posted 28 July 2009 - 03:56 PM

Hi

I ran a Sophos rootkit scan as suggested but continue to have the same warning message as mentioned in my earlier post.
I tried to run the RootRepeal scan as suggested on your website. It seemed to run for about fifteen minutes after the word "initializing" appeared in a white rectangle. It then seemed to crash as there was no further flickering on the computer light. When I re-booted and ran a Sophos rootkit scan the earlier warning message had disappeared!
I ran a full SUPERAntiSpyware scan after clearing the temp files with the Atribune software. I attach the log file. Nothing appears to have been found.
I ran a full mbam scan today and again it was clear.
A GMER scan also did not show the previous rootkit.

Currently the computer seems to be working OK. The Norton anti-virus is again up and running. The only problem is that when I access the internet links on Google, the page seems to crash for several sites, including BleepingComputer.
I'd be grateful for any further advice on how to proceed.

Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 3

28/07/2009 09:24:03
mbam-log-2009-07-28 (09-24-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 439024
Time elapsed: 14 hour(s), 44 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 28/07/2009 at 10:09:19
User "ashoka acharya" on computer "YOUR-52F45BF7AC"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS1.dat
Hidden: file C:\Documents and Settings\All Users\Application Data\Norton\00000082\000000fb\000002bd\cltLMS2.dat
Hidden: file C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
Hidden: file C:\Program Files\DivX\DivX Web Player\npdivx32.dll
Hidden: file C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\SimObjects\AeroFace.exe
Hidden: file C:\Program Files\321Studios\DVD X Rescue\DVDXWriter.WRT
Hidden: file C:\Program Files\321Studios\DVD X Rescue\DVDXRes.dll
Hidden: file C:\Program Files\321Studios\DVD X Rescue\DVDXWriter.dll
Hidden: file C:\Program Files\Adobe\Adobe Premiere Elements 7.0\Browser\opera.dll
Hidden: file C:\Program Files\Nuance\NaturallySpeaking10\Program\natspeak.exe
Info: Starting disk scan of I: (FAT).
Info: Starting disk scan of J: (NTFS).
Stopped logging on 28/07/2009 at 12:26:11


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/27/2009 at 05:57 AM

Application Version : 4.26.1006

Core Rules Database Version : 4015
Trace Rules Database Version: 1955

Scan type : Complete Scan
Total Scan Time : 03:40:38

Memory items scanned : 274
Memory threats detected : 0
Registry items scanned : 9117
Registry threats detected : 0
File items scanned : 321044
File threats detected : 0

#15 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:57 PM

Posted 28 July 2009 - 06:31 PM

This time you look clean. BleepingComputer does have a problem though. It looks like we are having a denial of service attack against us. The server that resolves DNS entries is being overrun with requests. That is what caused the site not to open correctly. One more scan then done:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
