
Spyware!! TRojans!


  • This topic is locked
32 replies to this topic

#16 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 03:49 PM

Report from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 15:44
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_elsvcmjoz3k6akc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_jw05ynkt8skpkc6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_dvexjberkmlczks
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\RootRepeal.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\RootRepeal.exe.info
Status: Invisible to the Windows API!
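The report above is a list of Path:/Status: pairs, and the interesting question for a helper is which discrepancies the Comodo quarantine directory explains and which would need a closer look. As an added example (not part of the post, and not RootRepeal's own code), a small Python triage helper over verbatim entries from that report; the bucket names and the quarantine-directory heuristic are the example's own.

```python
# Verbatim entries from the RootRepeal "Hidden/Locked Files" section above;
# the triage buckets below are this example's own reading of the status text.
ROOTREPEAL_REPORT = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!
Path: c:\windows\temp\sqlite_elsvcmjoz3k6akc
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!
Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\RootRepeal.exe
Status: Invisible to the Windows API!
"""

# Directories whose contents an AV product deliberately hides from the Windows
# API; a cross-view scanner like RootRepeal will always flag them (assumed list).
AV_QUARANTINE_DIRS = ("\\comodo internet security\\quarantine\\",)

def parse_report(text):
    """Yield (path, status) pairs from consecutive Path:/Status: lines."""
    path = None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):]
        elif line.startswith("Status: ") and path is not None:
            yield path, line[len("Status: "):]
            path = None

def classify(status):
    """Bucket a RootRepeal status string by the kind of discrepancy it reports."""
    if status.startswith("Invisible to the Windows API"):
        return "hidden"           # on disk, but absent from the API view
    if status.startswith("Could not enumerate"):
        return "access-denied"    # 0x00000005 is ERROR_ACCESS_DENIED
    if status.startswith("Allocation size mismatch"):
        return "size-mismatch"    # API and raw on-disk allocation disagree
    if status.startswith("Locked to the Windows API"):
        return "locked"           # held open exclusively by another process
    return "other"

def triage(text):
    """Group findings by bucket, splitting off those an AV quarantine dir explains."""
    groups = {}
    for path, status in parse_report(text):
        bucket = classify(status)
        if bucket in ("hidden", "access-denied") and any(
                d in path.lower() for d in AV_QUARANTINE_DIRS):
            bucket = "hidden-by-av-quarantine"
        groups.setdefault(bucket, []).append(path)
    return groups
```

Anything left in the plain "hidden" bucket after this pass is what would still deserve attention; on this report that bucket is empty.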

#17 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 03:56 PM

Comodo did quarantine parts of RootRepeal. Could you please unquarantine them and run another scan, as it may have crippled RootRepeal?
Computer Pro

#18 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 03:57 PM

These are the files from when I was using the anti-rootkit yesterday:

COMODO Internet Security Logs
Table : Antivirus Logs
Date Created : 8/9/2009 3:53:46 PM
Log Scope : Last 30 Days
Records count : 66
Date/Time Action Location Malware Name Status
8/8/2009 9:48:11 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\UAC2a04.tmp TrojWare.Win32.TDSS.alrd@35477687 Success
8/8/2009 9:48:19 PM Remove C:\Documents and Settings\Rose\Local Settings\temp\UAC2a04.tmp TrojWare.Win32.TDSS.alrd@35477687 Success
8/8/2009 9:59:35 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146996.exe Application.Win32.NirCmd.~A@6740009 Success
8/8/2009 9:59:44 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146996.exe Application.Win32.NirCmd.~A@6740009 Success
8/8/2009 10:06:10 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146993.dll UnclassifiedMalware@8417164 Success
8/8/2009 10:06:18 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146993.dll UnclassifiedMalware@8417164 Success
8/8/2009 10:07:41 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146994.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 10:07:48 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146994.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 10:07:52 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146995.exe TrojWare.Win32.Trojan.Agent.Gen@12471695 Success
8/8/2009 10:07:59 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146995.exe TrojWare.Win32.Trojan.Agent.Gen@12471695 Success
8/8/2009 10:11:55 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\xpre.tmp TrojWare.Win32.Antavmu.cmm@34914523 Success
8/8/2009 10:12:02 PM Remove C:\Documents and Settings\Rose\Local Settings\temp\xpre.tmp TrojWare.Win32.Antavmu.cmm@34914523 Success
8/8/2009 10:13:02 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\rasvsnet.tmp TrojWare.Win32.TrojanClicker.VBiframe.xi@34914522 Success
8/8/2009 10:13:09 PM Remove C:\Documents and Settings\Rose\Local Settings\temp\rasvsnet.tmp TrojWare.Win32.TrojanClicker.VBiframe.xi@34914522 Success
8/8/2009 10:13:23 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\UAC2acf.tmp UnclassifiedMalware@30742089 Success
8/8/2009 10:13:27 PM Remove C:\Documents and Settings\Rose\Local Settings\temp\UAC2acf.tmp UnclassifiedMalware@30742089 Success
8/8/2009 10:14:45 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145726.sys UnclassifiedMalware@35484973 Success
8/8/2009 10:14:49 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145726.sys UnclassifiedMalware@35484973 Success
8/8/2009 10:33:55 PM Detect C:\i386\pxhpinst.exe Heur.Suspicious@25647371 Success
8/8/2009 10:34:01 PM Remove C:\i386\pxhpinst.exe Heur.Suspicious@25647371 Success
8/8/2009 11:42:10 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144434.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:42:20 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144434.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:42:31 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144486.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:42:35 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144486.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:42:42 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144484.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:42:50 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144484.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:42:55 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145575.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:42:58 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145575.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:04 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145573.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:07 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145573.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:08 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144501.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:12 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP228\A0144501.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:17 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145646.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:20 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145646.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:24 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145644.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:27 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145644.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:28 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145590.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:30 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145590.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:33 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145811.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:35 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145811.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:40 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145809.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:42 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145809.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:43:43 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145661.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:44 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0145661.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:43:49 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145913.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:43:56 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145913.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:44:08 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145911.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:44:13 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145757.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:44:13 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145911.dll UnclassifiedMalware@8417164 Success
8/8/2009 11:44:15 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145757.exe ApplicUnsaf.Win32.Hide.~AB@5325787 Success
8/8/2009 11:44:24 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145826.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:44:35 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP230\A0145826.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:44:59 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145928.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:45:03 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP231\A0145928.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:45:05 PM Detect C:\32788R22FWJFW\NirCmd.cfexe Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:45:08 PM Remove C:\32788R22FWJFW\NirCmd.cfexe Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:45:33 PM Detect C:\32788R22FWJFW\n.pif Application.Win32.Nircmd.~@16774100 Success
8/8/2009 11:45:38 PM Remove C:\32788R22FWJFW\n.pif Application.Win32.Nircmd.~@16774100 Success
8/9/2009 2:54:34 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX01.875\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:54:59 PM Quarantine C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX01.875\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:13 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:20 PM Ignore C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:20 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:24 PM Ignore C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:28 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:33 PM Ignore C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
End of The Report
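The Comodo log above is a flat table of Detect/Remove/Quarantine/Ignore events, and the helper's job is to read off each file's final disposition and separate live files from System Restore copies. As an added example (not part of the post, and not Comodo's own tooling), a Python parser that does that over a subset of the records quoted above; the column regex and the restore-point prefix are the example's own assumptions about the export format.

```python
import re

# Sample records from the Comodo "Antivirus Logs" table quoted above: a subset
# of the 66 rows, copied verbatim, not a full export.
COMODO_LOG = r"""
8/8/2009 9:48:11 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\UAC2a04.tmp TrojWare.Win32.TDSS.alrd@35477687 Success
8/8/2009 9:48:19 PM Remove C:\Documents and Settings\Rose\Local Settings\temp\UAC2a04.tmp TrojWare.Win32.TDSS.alrd@35477687 Success
8/8/2009 9:59:35 PM Detect C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146996.exe Application.Win32.NirCmd.~A@6740009 Success
8/8/2009 9:59:44 PM Remove C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0146996.exe Application.Win32.NirCmd.~A@6740009 Success
8/9/2009 2:54:34 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX01.875\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:54:59 PM Quarantine C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX01.875\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:13 PM Detect C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
8/9/2009 2:55:20 PM Ignore C:\Documents and Settings\Rose\Local Settings\temp\Rar$EX05.906\RootRepeal.exe Heur.Suspicious@37244193 Success
"""

# One record per line: date, time, AM/PM, action, path (may contain spaces),
# malware name and status (neither contains spaces, so they anchor the end).
RECORD = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M) (?P<action>Detect|Remove|Quarantine|Ignore) "
    r"(?P<path>.+) (?P<name>\S+) (?P<status>\S+)$"
)
RESTORE_PREFIX = r"C:\System Volume Information\_restore"

def parse_log(text):
    """Return matching records in file order as dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def final_disposition(records):
    """Map each path to the last action Comodo logged for it."""
    last = {}
    for rec in records:          # file order is time order in this export
        last[rec["path"]] = rec["action"]
    return last

def summarize(text):
    """Separate live files from System Restore copies and list the paths the
    user allow-listed with 'Ignore'."""
    dispo = final_disposition(parse_log(text))
    live = {p: a for p, a in dispo.items() if not p.startswith(RESTORE_PREFIX)}
    restore = {p: a for p, a in dispo.items() if p.startswith(RESTORE_PREFIX)}
    ignored = sorted(p for p, a in dispo.items() if a == "Ignore")
    return {"live": live, "restore_point": restore, "ignored": ignored}
```

Restore-point hits are inert copies that only matter if a restore point is rolled back; the live bucket is what was actually running or extracted on the system.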

#19 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 03:59 PM

Please try to scan with Malwarebytes now.
Computer Pro

#20 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 04:01 PM

When I try to run RootRepeal again, the same error message comes up and Comodo asks me if I want to quarantine "heur.suspicious@37244193".

#21 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 04:03 PM

Please do not quarantine. Tell it not to quarantine. The reason it is saying that is that the virus scanner detects the malware definitions in the RootRepeal file, and it does not know the difference between good or bad malware, but don't worry, the file is clean. Please tell it not to quarantine.
Computer Pro

#22 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 04:04 PM

I chose the option "ignore". Is that right?

#23 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 04:08 PM

That is correct.
Computer Pro

#24 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 04:19 PM

Alright....

So I exited the Comodo program to try to run RootRepeal... now, when it is unzipping, a message comes up from WinRAR saying:

Cannot execute "C:\DOCUME~1\Rose\LOCALS~1\Temp\Rar$EX01.141\RootRepeal.exe"

HELP!!!

#25 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 04:22 PM

Try to just unzip it with Windows (not WinRAR).
Computer Pro

#26 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 04:29 PM

Yeah... not working.

#27 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 04:41 PM

Then please delete the copy of RootRepeal you have, and then download a fresh copy.
Computer Pro

#28 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 August 2009 - 05:04 PM

Hello, please turn Comodo off and try RootRepeal again (the new copy).

Edited by boopme, 09 August 2009 - 05:05 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#29 Roseannjohn
  • Topic Starter
  • Members
  • 46 posts

Posted 09 August 2009 - 06:02 PM

Still comes up with the same message:

Cannot execute "C:\DOCUME~1\Rose\LOCALS~1\Temp\Rar$EX00.907\RootRepeal.exe"

Tried it three times.

#30 Computer Pro
  • Members
  • 2,448 posts
  • Gender:Male

Posted 09 August 2009 - 06:58 PM

Please try to extract and execute in Safe Mode.
Computer Pro