
Trojan that i cannot remove


17 replies to this topic

#1 abezdjian (Members, 30 posts)

Posted 03 August 2009 - 01:23 PM

Hello,

I am trying to remove some kind of trojan from my PC; it's been a while now. I follow a lot of threads on this site, and I did scan with several scanners.
Here is my latest MBAM scan:

Malwarebytes' Anti-Malware 1.39
Database version: 2550
Windows 5.1.2600 Service Pack 2

03/08/2009 1:48:56 PM
mbam-log-2009-08-03 (13-48-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 228147
Time elapsed: 45 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlhpr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Delete on reboot.


Whenever I restart my PC and scan it again, I get the same virus in the system32 area. Any suggestions?


#2 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 03 August 2009 - 02:50 PM

Hello, just checking if you ran that scan in Normal mode and rebooted afterward, as that would be good.

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [screenshot] tab.
  • Click the [screenshot] button.
  • Check all six boxes: [screenshot]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [screenshot] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 abezdjian (Topic Starter, Members, 30 posts)

Posted 03 August 2009 - 11:14 PM

I will do the scan you suggested right now.

Here is a scan I did using Super Antispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2009 at 05:46 PM

Application Version : 4.26.1002

Core Rules Database Version : 4034
Trace Rules Database Version: 1974

Scan type : Complete Scan
Total Scan Time : 03:12:18

Memory items scanned : 248
Memory threats detected : 0
Registry items scanned : 5072
Registry threats detected : 0
File items scanned : 95611
File threats detected : 0

#4 abezdjian (Topic Starter, Members, 30 posts)

Posted 03 August 2009 - 11:36 PM

Here is the scan to check for rootkits:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 00:15
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA39F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B3C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA21F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UAClrtwstbbnaijabv.sys
Image Path: C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys
Address: 0xAA59E000 Size: 77824 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfoceadjgbrqt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceiwsvkltm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocejgkyrnmn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceqjglbwqv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClmcbodgdijngjru.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClradedqfwllxory.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACntninssljfukfkv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpfwhjnwqlugwbky.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrxekwnqltmnnlrw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwcmyssuahfcvbhq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocepyjwiuoqhc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxngwujbiqjlrjix.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\vsfoceyurvdlal.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UACipwnmkfupugtrik.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UAClradedqfwllxor0.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UAClradedqfwllxory.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Temp\UAC418f.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Temp\UAC9265.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Temp\UACa633.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Temp\UACba83.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\A9N0NYV2\UACA8RH31WCAY0SGYZCAPLAFU0CA85LW14CA6GTHARCAYTRRWVCA7UDYJMCAKXKKJCCAK9WKXJCAM8E3Y7CAGMBA8SCAMAHZ8ICA1PDVJCCAJS052LCAGZ6XNWCANO4585CARKQLFKCAX6K313.jpg
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: services.exe (PID: 676) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: lsass.exe (PID: 688) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceqjglbwqv.dll]
Process: svchost.exe (PID: 876) Address: 0x00ac0000 Size: 49152

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 876) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1028) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1132) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1368) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AAWService.exe (PID: 1460) Address: 0x00e00000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: spoolsv.exe (PID: 1580) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: Explorer.EXE (PID: 1840) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: ctfmon.exe (PID: 1856) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AppleMobileDeviceService.exe (PID: 1956) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: dlcgcoms.exe (PID: 1988) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: MDM.EXE (PID: 112) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 160) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: hkcmd.exe (PID: 848) Address: 0x00990000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: igfxpers.exe (PID: 936) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: jusched.exe (PID: 952) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: stsystra.exe (PID: 1088) Address: 0x00960000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: issch.exe (PID: 1160) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DLACTRLW.EXE (PID: 1192) Address: 0x00a20000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AAWTray.exe (PID: 1340) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: QTTask.exe (PID: 1412) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: iTunesHelper.exe (PID: 1432) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: msnmsgr.exe (PID: 1280) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DSAgnt.exe (PID: 1684) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DLG.exe (PID: 1896) Address: 0x00ec0000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: iPodService.exe (PID: 2632) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 2944) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: unsecapp.exe (PID: 2980) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: wmiprvse.exe (PID: 3216) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: RootRepeal.exe (PID: 680) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys

Service Name: vsfoceujwqbard
Image Path: C:\WINDOWS\system32\drivers\vsfoceyurvdlal.sys

==EOF==

#5 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 04 August 2009 - 09:48 AM

Do you still have DRWeb installed?

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UAClradedqfwllxory.dll
C:\WINDOWS\system32\UACntninssljfukfkv.dll
C:\WINDOWS\system32\UACrxekwnqltmnnlrw.dll
C:\WINDOWS\system32\UACwcmyssuahfcvbhq.dll
C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys
C:\WINDOWS\system32\drivers\UACxngwujbiqjlrjix.sys
C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UACipwnmkfupugtrik.dll
C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UAClradedqfwllxor0.dll
C:\Documents and Settings\Alex\DoctorWeb\Quarantine\UAClradedqfwllxory.dll

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?

#6 abezdjian (Topic Starter, Members, 30 posts)

Posted 04 August 2009 - 11:26 PM

I did have DrWeb installed on the PC before; I had used it to scan my PC several times, trying to follow other threads.

Now I used *wipe file* on the files mentioned above. I updated MBAM and did a new quick scan; here it is:

Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 2

05/08/2009 12:26:12 AM
mbam-log-2009-08-05 (00-26-12).txt

Scan type: Quick Scan
Objects scanned: 117626
Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAClradedqfwllxory.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACntninssljfukfkv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrxekwnqltmnnlrw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwcmyssuahfcvbhq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACxngwujbiqjlrjix.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#7 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 05 August 2009 - 09:45 AM

Ok, that was good; we got the opened rootkits off. Now you can run DrWeb again. Update it first and post that log.

#8 abezdjian (Topic Starter, Members, 30 posts)

Posted 05 August 2009 - 02:43 PM

DrWeb was installed and updated.

It only found one virus and deleted it:

vsfoceadjgbrqt.dll;C:\WINDOWS\system32;BackDoor.Tdss.333;Deleted.;

What's the next step, boopme?

#9 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 05 August 2009 - 03:27 PM

Ok, very good here. Let's recheck, as this needs to be gone.
Run RootRepeal.

Update and rerun MBAM. Post the 2 logs, thanks.

#10 abezdjian (Topic Starter, Members, 30 posts)

Posted 06 August 2009 - 09:53 AM

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 2

06/08/2009 10:52:04 AM
mbam-log-2009-08-06 (10-52-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 218183
Time elapsed: 40 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/05 23:01
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA2D2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B9E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: dwshd.sys
Address: 0xF736E000 Size: 183424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA94F4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfoceadjgbrqt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceiwsvkltm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocejgkyrnmn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceqjglbwqv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocenxbvpdvpym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\vsfocesqrxoohqwx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\vsfoceyurvdlal.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: vsfoceqjglbwqv.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 976) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1100) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1188) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 1368) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AAWService.exe (PID: 1456) Address: 0x00e00000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: spoolsv.exe (PID: 1552) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AppleMobileDeviceService.exe (PID: 1704) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: dlcgcoms.exe (PID: 1884) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: MDM.EXE (PID: 1968) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: Explorer.EXE (PID: 128) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 268) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: ctfmon.exe (PID: 276) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: hkcmd.exe (PID: 112) Address: 0x00990000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: igfxpers.exe (PID: 568) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: jusched.exe (PID: 576) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: stsystra.exe (PID: 600) Address: 0x00960000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: issch.exe (PID: 612) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DLACTRLW.EXE (PID: 756) Address: 0x00a20000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: AAWTray.exe (PID: 1152) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: QTTask.exe (PID: 1260) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: iTunesHelper.exe (PID: 1268) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: msnmsgr.exe (PID: 1284) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DSAgnt.exe (PID: 1308) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: DLG.exe (PID: 1676) Address: 0x00ec0000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: unsecapp.exe (PID: 2392) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: iPodService.exe (PID: 2468) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: wmiprvse.exe (PID: 2664) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: svchost.exe (PID: 3068) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: iexplore.exe (PID: 2828) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceadjgbrqt.dll]
Process: RootRepeal.exe (PID: 2256) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys

Service Name: vsfoceujwqbard
Image Path: C:\WINDOWS\system32\drivers\vsfoceyurvdlal.sys

==EOF==


Looks good?
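The two RootRepeal reports in this thread (posts #4 and #10) are read by hand above to build the *wipe file* list and to spot the MBR rootkit. As an added example that is not part of the thread or of RootRepeal itself, here is a small Python triage parser for that report layout: it splits the report into its sections, pulls out the files that are invisible to the Windows API, the hidden services with their image paths, the processes each hidden module is loaded into and the MBR rootkit / sector mismatch indicators, then cross-references them the way the helper does. The embedded log excerpt and the file names vsfoceexample.dll and UACexample.sys are constructed for the example.

```python
"""Triage parser for RootRepeal-style reports (added example; not RootRepeal's own code)."""
import re
from collections import defaultdict

# Constructed excerpt in the report layout seen in this thread; the file names are made up.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfoceexample.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACexample.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: vsfoceexample.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceexample.dll]
Process: Explorer.EXE (PID: 128) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACexample.sys

==EOF==
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects|Hidden Services)$")


def parse_rootrepeal(text):
    """Split the report into sections of 'Key: value' records; a blank line ends a record."""
    sections = defaultdict(list)
    current, record = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            current, record = line, {}
            continue
        if current is None or line.startswith(("---", "==")):
            continue  # banner, rulers and ==EOF== carry no records
        if not line:
            if record:
                sections[current].append(record)
            record = {}
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        record[key.strip()] = value.strip()
    if record and current:
        sections[current].append(record)
    return sections


def triage(sections):
    """Summarise the rootkit indicators a helper looks for in the report."""
    files = sections["Hidden/Locked Files"]
    hidden_files = [r["Path"] for r in files if r.get("Status", "").startswith("Invisible")]
    mismatches = sum(1 for r in files if r.get("Status") == "Sector mismatch")
    mbr_rootkit = any(r.get("Status") == "MBR Rootkit Detected!" for r in files)
    # Which processes carry each hidden module (the user-mode injection footprint).
    injected = defaultdict(set)
    for r in sections["Stealth Objects"]:
        name = re.search(r"\[Name: ([^\]]+)\]", r.get("Object", ""))
        proc = re.match(r"(\S+) \(PID: (\d+)\)", r.get("Process", ""))
        if name and proc:
            injected[name.group(1).lower()].add((proc.group(1), int(proc.group(2))))
    hidden_services = {r["Service Name"]: r["Image Path"] for r in sections["Hidden Services"]
                       if {"Service Name", "Image Path"} <= r.keys()}
    # Cross-reference: an invisible file that also backs a hidden service, or is loaded
    # as a hidden module, is the strongest candidate for the helper's 'wipe file' list.
    service_images = {img.lower() for img in hidden_services.values()}
    candidates = sorted(p for p in hidden_files if p.lower() in service_images
                        or p.rsplit("\\", 1)[-1].lower() in injected)
    return {
        "mbr_rootkit": mbr_rootkit,
        "sector_mismatches": mismatches,
        "hidden_files": hidden_files,
        "hidden_services": hidden_services,
        "injected_modules": {k: sorted(v) for k, v in injected.items()},
        "wipe_candidates": candidates,
    }
```

Run it on a real saved report with `triage(parse_rootrepeal(open("RootRepeal.txt").read()))`; the wipe candidates list is a starting point for review, not an automatic deletion list.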

#11 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 06 August 2009 - 10:26 AM

No... Rats, the MBR rootkit is back. Let's confirm.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Edited by boopme, 06 August 2009 - 10:27 AM.


#12 abezdjian (Topic Starter, Members, 30 posts)

Posted 06 August 2009 - 03:55 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

#13 abezdjian (Topic Starter, Members, 30 posts)

Posted 08 August 2009 - 12:24 AM

Any suggestion on the next step?

#14 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 08 August 2009 - 09:07 AM

Hello, sorry, fell asleep :thumbsup:
Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\vsfoceadjgbrqt.dll
C:\WINDOWS\system32\vsfoceqjglbwqv.dll
C:\WINDOWS\system32\drivers\vsfoceyurvdlal.sys
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\WINDOWS\system32\drivers\UAClrtwstbbnaijabv.sys


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?

#15 abezdjian (Topic Starter, Members, 30 posts)

Posted 08 August 2009 - 01:42 PM

I did delete the mentioned files with "wipe file" and I continued with the MBAM scan:


Malwarebytes' Anti-Malware 1.40
Database version: 2580
Windows 5.1.2600 Service Pack 2

08/08/2009 2:40:11 PM
mbam-log-2009-08-08 (14-40-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 221395
Time elapsed: 58 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



