Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
5 replies to this topic

#1 Blairw44


  • Members
  • 2 posts
  • Local time:12:07 PM

Posted 05 August 2009 - 03:18 PM

My name is Blair, I am a computer tech at a computer repair shop in Vermont. I have been a long time reader of your forums and have found it to be an invaluable source for information mostly malware related. Malwarebytes, Combofix, smitfraudfix and other tools have been life savers and i greatly appreciate everything that you guys do. However recently we had a computer brought in by one of our customers with GREEN AV. Which has shown to be a total pain. I have killed the .exe's, tried to manually remove files left in temp folders, looking for registry entries only after trying Malwarebytes, updated in safe mode. I have ran combofix in safe mode after the recovery console is installed. I have use the smitfraudfix tool, trends rootkitbuster, superanitspyware, and even put spyware doctor on and tried to see if it would clean of this nasty malware, but it wants users to purchase to disinfect..in my opinion malwarebytes and combofix is far superior in terms of interface and actually resolving issues. This GREENAV will not come off, maybe because it is new and the folks at malwarebytes havent updated it wo remove this threat? Now I am on here asking for your professional help, I hope you have seen or resolved this issue with other people. I will be happy to post hijack this logs or anything else needed. Thank you for help and everything in the past.


Edit: Moved topic from HijackThis Logs and Virus/Trojan/Spyware/Malware Removal to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)


#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:07 PM

Posted 05 August 2009 - 09:56 PM

Update mbam and run a FULL scan
Please post the results
Scan with Dr Web CureIt

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan, dialog which asks What do you want to include in the scan?, check all the boxes.
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click OK.
  • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "[color=blue]safe mode".
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Blairw44

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:07 PM

Posted 07 August 2009 - 11:57 AM

Thank You for Your response. I ran a full scan with MBAM, here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/7/2009 12:48:20 PM
mbam-log-2009-08-07 (12-48-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 244415
Time elapsed: 1 hour(s), 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran a full scan of DR.Web CureIT unfortunatley i had a tech of mine close out the program before i could copy the log. The program skipped right over greenav.exe and quarantined smitfraudfix, and 4 others that were processkill.exe, shutdown.exe, and restart.exe (part of smitfraud?) I apologize i couldn't get the log and was quite pee'd off myself. If really necessary i will run i again for the six hours to get you it. Here is the log from Rootrepeal and that is here:

ROOTREPEAL AD, 2007-2009
Scan Start Time: 2009/08/07 11:17
Program Version: Version
Windows Version: Windows XP SP2

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF72A6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BE1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6B9E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: c:\documents and settings\julia\my documents\my music\julia's itunes library\itunes music\mikey dread\arkology disc 2\02 dread at the controls.m4a
Status: Allocation size mismatch (API: 3014656, Raw: 42221246509613056)

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf75ab514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf759a282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf759a474

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf75abd00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf75abfb8

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf75aa3fa

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf75ac422

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf75ab7d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7599f32


Thanks again! -Blair

Edited by Blairw44, 07 August 2009 - 12:02 PM.

#4 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:12:07 PM

Posted 07 August 2009 - 08:25 PM

From what I see and what you have already done, I suggest you submit a DDS / HJT log

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take awhile to get to your post
Please be patient and good luck
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 o0luigi0o


  • Members
  • 21 posts
  • Local time:12:07 PM

Posted 09 August 2009 - 01:25 PM

This is the same problem I had. Search the forum for Green AV and read my post. Are you on vista or xp? The computer I cleaned was vista.

Edited by o0luigi0o, 09 August 2009 - 01:26 PM.

#6 Jon_R


  • Members
  • 3 posts
  • Gender:Male
  • Location:Bryan, Ohio
  • Local time:11:07 AM

Posted 08 September 2009 - 02:21 PM

I've also seen this nasty little fake virus program.
Ive been suscessfull at removing it using Systernals ERD Commander 2005 to delete the autorun that is hidden and then the registry key.

I then run combofix and sdfix and mal-ware byte to clean up the leftover mess.

if that doesnt work try making a UBCD4win cd with combofix on it. that has also helped me in the past.

Direct Link Technician

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users