
Severe / High Alert Virus infection on my computer


  • This topic is locked
19 replies to this topic

#1 charliehorse (Members, 48 posts)

Posted 13 August 2009 - 09:03 PM

Can someone please help me to clean the viruses off my computer.

I really don't know how to get my anti-virus protection to work again. Since a couple of hours ago I am getting a lot of error messages.

Malware Bytes can't fix it. Defender can't fix it. McAfee can't fix it. SpyBot S&D can't fix it.


thank you, Charles



#2 boopme (Global Moderator, 73,190 posts, NJ USA)

Posted 13 August 2009 - 09:46 PM

Hello and welcome..
Please post your infected MBAM log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Now let's check for rootkits.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 charliehorse (Topic Starter, Members, 48 posts)

Posted 13 August 2009 - 10:49 PM

MBAM log indicates removal of the problems... but they continue to persist. MBAM lists 22 problems in quarantined and deleted, but they are STILL in my machine.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2618
Windows 5.1.2600 Service Pack 3

8/13/2009 8:22:50 PM
mbam-log-2009-08-13 (20-22-50).txt

Scan type: Quick Scan
Objects scanned: 106782
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bobby\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bobby\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.






Here is the Sophos log:


Sophos Anti-Rootkit Version 1.5.0 2009 Sophos Plc
Started logging on 8/13/2009 at 21:04:00 PM
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Error: Identification system failed.
Hidden: process C:\WINDOWS\system32\braviax.exe
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Hidden: registry item \HKEY_LOCAL_MACHINE\SECURITY
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE
Hidden: registry item \HKEY_USERS\.DEFAULT
Hidden: registry item \HKEY_USERS\S-1-5-18
Hidden: registry item \HKEY_USERS\S-1-5-18_Classes
Hidden: registry item \HKEY_USERS\S-1-5-19
Hidden: registry item \HKEY_USERS\S-1-5-19_Classes
Hidden: registry item \HKEY_USERS\S-1-5-20
Hidden: registry item \HKEY_USERS\S-1-5-20_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-1005
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-1005_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-1008
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-1008_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-500
Hidden: registry item \HKEY_USERS\S-1-5-21-3752200638-408136642-4136389770-500_Classes
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\458cbce0.sys
Hidden: file C:\Documents and Settings\LocalService\Application Data\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\DB8BE8C8BAC2B76389C8870C7C614D5D2498B3BB\.name
Stopped logging on 8/13/2009 at 21:42:30 PM


Mcafee and MBAM are both noting Braviax as a problem that cannot be removed from my computer, amongst the others.

What should I do now to get rid of those files that cannot be removed? CAN they be removed? (*sigh*)

charlie

Edited by charliehorse, 14 August 2009 - 01:29 AM.


#4 charliehorse (Topic Starter, Members, 48 posts)

Posted 13 August 2009 - 11:42 PM

...and NOW I have no more SpyBot S&D... GRRRR!!

#5 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 01:00 AM

SSDT-HOOK.

What is this, and how can I delete it?

charles

Edited by charliehorse, 14 August 2009 - 01:40 AM.


#6 boopme (Global Moderator, 73,190 posts, NJ USA)

Posted 14 August 2009 - 01:45 PM

Hello where is that HOOK file from I don't see it in the log?

Rerun Sophos and kill this.
C:\WINDOWS\system32\drivers\458cbce0.sys

Let's use MBAM's FileAssassin feature.
C:\WINDOWS\system32\braviax.exe

Open MBAM again. Click the More Tools tab and then the Run Tool button.
Now browse to the file(s) we want to remove using the drop down box next to Look in: at the top.
Locate the file(s), click Open.
You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to disastrous problems with your operating system.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 14 August 2009 - 01:47 PM.


#7 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 01:56 PM

Sophos won't let me kill anything, it indicates that the files are not removable

should I go ahead with file assassin?








#8 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 02:00 PM

Will be back in a minute after I reboot

the hook appears as a virus when McAfee scans:


c:\windows\services.exe


It also finds a virus:

c:\windows\system32\drivers\458cbce0.sys

Edited by charliehorse, 14 August 2009 - 02:01 PM.


#9 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 02:13 PM

boopme:

I only use firefox, but on rebooting, McAfee shows that IE5 temporary internet files are infected; and there are A LOT of infections in those temporary internet files, but I opened IE and cleaned the files out, and they still show up.



On rebooting Defender found and removed:

Trojan downloader:win32/Renos
PWS:win32/Dauros.A




Will run MBAM quick scan again

#10 boopme (Global Moderator, 73,190 posts, NJ USA)

Posted 14 August 2009 - 02:39 PM

Ok remove the one with file assassin.. the other is the same one I wanted sophos to get..
Let's do two other scans. Still want the MBAM log too.

Run part 1 of S!Ri's SmitfraudFix

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#11 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 02:41 PM

Updated MBAM to version 2626.

Ran MBAM quick scan. It found 22 problems, which I checked for deletion.


Here's the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2626
Windows 5.1.2600 Service Pack 3

8/14/2009 1:23:32 PM
mbam-log-2009-08-14 (13-23-32).txt

Scan type: Quick Scan
Objects scanned: 107709
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\msword98.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Bobby\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bobby\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN12.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bobby\Local Settings\Temp\BN1A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv041250109698.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv621250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bobby\Start Menu\Programs\Startup\ikowin32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.








Rebooted.

Ran MBAM again, now it is finding only 6 problems in the "Extra and Heuristics Scan".

Here's the log:



Malwarebytes' Anti-Malware 1.40
Database version: 2626
Windows 5.1.2600 Service Pack 3

8/14/2009 1:39:12 PM
mbam-log-2009-08-14 (13-39-12).txt

Scan type: Quick Scan
Objects scanned: 107092
Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
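The MBAM logs in posts #3 and #11 show the same pattern a responder looks for by hand: a Run value, the Security Center DisableNotify data items and a Trace.Pandex file keep reappearing after a scan reported them "Quarantined and deleted successfully", and one file is deferred to "Delete on reboot". The script below is an added example, not a Malwarebytes tool: it parses that plain-text log format, and the SCAN_A and SCAN_B strings are constructed excerpts modelled on the logs above rather than the complete logs.

```python
"""Triage Malwarebytes' Anti-Malware (MBAM) logs across repeated scans.

Added example, not a Malwarebytes tool: it parses the plain-text log format
shown in this thread and answers the question the thread keeps asking, namely
which items come back after a scan reported them "Quarantined and deleted".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    category: str  # section, e.g. "Files Infected"
    item: str      # file path or registry value
    label: str     # MBAM family name, e.g. "Trojan.FakeAlert"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


# One detection line: "<item> (<label>) -> [Bad: (1) Good: (0) ->] <action>."
_DETECTION = re.compile(r"^(?P<item>.+?) \((?P<label>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return the Detection entries of one MBAM log, in log order."""
    detections, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):   # "Files Infected:" opens a section;
            category = line[:-1]         # "Files Infected: 11" is only the summary count
            continue
        match = _DETECTION.match(line)
        if category is None or not match:  # blanks, summary lines, "(No malicious items detected)"
            continue
        action = match.group("rest").split(" -> ")[-1]
        detections.append(Detection(category, match.group("item"), match.group("label"), action))
    return detections


def security_center_tampering(detections):
    """Names of the Security Center *DisableNotify data items MBAM reset.

    A value of 1 silences the AV / firewall / updates warnings, which is why
    the user saw no complaint from Security Center while protection was off."""
    return sorted({d.item.rsplit("\\", 1)[-1] for d in detections
                   if d.label == "Disabled.SecurityCenter"})


def deferred_to_reboot(detections):
    """Files MBAM could not delete while running (locked or in use)."""
    return [d.item for d in detections if d.action.lower().startswith("delete on reboot")]


def recurring_items(earlier, later):
    """Items the earlier scan claimed to have removed that the later scan finds again.

    Something still active on the machine re-creates them, so removing the
    symptom is not enough; the thread later finds a hidden driver."""
    removed = {(d.category, d.item) for d in earlier
               if d.action.startswith("Quarantined and deleted")}
    return sorted(d.item for d in later if (d.category, d.item) in removed)


# Constructed excerpts modelled on the logs posted in this thread (not the full logs).
SCAN_A = r"""
Malwarebytes' Anti-Malware 1.40
Registry Values Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
"""

SCAN_B = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
"""


def triage(earlier_text, later_text):
    """Summarise two consecutive scans as a dict of indicator lists."""
    earlier, later = parse_mbam_log(earlier_text), parse_mbam_log(later_text)
    return {
        "security_center_tampering": security_center_tampering(earlier + later),
        "deferred_to_reboot": deferred_to_reboot(earlier),
        "recurring": recurring_items(earlier, later),
    }


if __name__ == "__main__":
    for key, entries in triage(SCAN_A, SCAN_B).items():
        print(f"{key}:")
        for entry in entries:
            print(f"  {entry}")
```

Run it as-is to see the three indicator lists for the embedded excerpts, or pass the full text of two saved mbam-log files to `triage`. The recurring list is the useful signal: an item that is "removed" and then found again in the same location on the next scan points at a component the scanner is not seeing.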

#12 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 02:50 PM

SmitFraud Report:



SmitFraudFix v2.423

Scan done at 13:46:32.17, Fri 08/14/2009
Run from C:\Documents and Settings\Bobby\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bobby\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Windows Defender\MpCmdRun.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Bobby


C:\DOCUME~1\Bobby\LOCALS~1\Temp


C:\Documents and Settings\Bobby\Application Data


Start Menu


C:\DOCUME~1\Bobby\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/Program%20Files/CASIO/Photo%20Loader/Image%20Library/20070706/CIMG2158.JPG"
"SubscribedURL"="file:///C:/Program%20Files/CASIO/Photo%20Loader/Image%20Library/20070706/CIMG2158.JPG"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 66.112.177.4
DNS Server Search Order: 66.112.177.5

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0DF70B61-9B8A-4C63-9531-EA4BA7153006}: DhcpNameServer=66.112.177.4 66.112.177.5
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0DF70B61-9B8A-4C63-9531-EA4BA7153006}: DhcpNameServer=66.112.177.4 66.112.177.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0DF70B61-9B8A-4C63-9531-EA4BA7153006}: DhcpNameServer=66.112.177.4 66.112.177.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.112.177.4 66.112.177.5
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.112.177.4 66.112.177.5
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.112.177.4 66.112.177.5


Scanning for wininet.dll infection


End

#13 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 02:58 PM

Root Repeal Report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 13:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xAFF78000 Size: 749568 File Visible: No Signed: -
Status: -

Name: herspo.sys
Image Path: herspo.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB87B6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\rapport.txt
Status: Size mismatch (API: 6002, Raw: 5096)

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\desktop may 2 2009\for the original psych tape\finley.mp4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\temp\sqlite_jd5etwqq4iyaw2k
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_pfbckmtaeknxr29
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_unsakw1wvlax1dc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_ucmpfvsaxpxzwkk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_gg9fdtsqdavgal6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_hy6hapfjbdbdhrk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_lwhtzlj0dflmwya
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_y6frqppqhe4q4rs
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f4715

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f2705

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f27c5

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 2444) Address: 0x01000000 Size: 20480

Hidden Services
-------------------
Service Name: 81437124
Image Path: C:\WINDOWS\System32\drivers\81437124.sys

==EOF==
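The RootRepeal report above contains the finding that decides the rest of the thread: the same driver file hooks three SSDT entries (NtCreateEvent, NtCreateKey, NtOpenKey) and is also registered as a hidden service. The script below is an added example and not part of RootRepeal: it extracts the Drivers, SSDT and Hidden Services entries from that report format and groups the indicators by driver file, so the correlation the moderator made by eye is computed. The REPORT string is a constructed excerpt of the report posted above; the "image path has no directory" indicator is this example's own heuristic, not a RootRepeal verdict.

```python
"""Correlate indicators in a RootRepeal report by driver.

Added example, not part of RootRepeal: it pulls the SSDT hook, hidden-service
and loaded-driver entries out of the report format posted in this thread and
groups them by driver file name, so that one driver hooking several kernel
calls and also running as a hidden service stands out from ordinary entries.
"""
import re
from collections import defaultdict

# SSDT entry: '#: 041 Function Name: NtCreateKey' / 'Status: Hooked by "<driver>" at address 0x...'
_HOOK = re.compile(
    r'Function Name: (?P<fn>\w+)\s*\nStatus: Hooked by "(?P<drv>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
# Hidden Services entry: 'Service Name: <name>' / 'Image Path: <path>'
_SERVICE = re.compile(r'^Service Name: (?P<name>\S+)\s*\nImage Path: (?P<path>.+?)\s*$', re.M)
# Drivers entry: 'Name:' / 'Image Path:' / 'Address: ... Size: ... File Visible: ...'
_DRIVER = re.compile(
    r'^Name: (?P<name>\S+)\s*\nImage Path: (?P<path>.+?)\s*\nAddress: (?P<addr>0x[0-9a-fA-F]+) '
    r'Size: (?P<size>\d+) File Visible: (?P<vis>\w+)', re.M)


def _basename(path):
    """File name component of a Windows path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ssdt_hooks(text):
    """List of (function, hooking driver path, hook address)."""
    return [(m.group("fn"), m.group("drv"), m.group("addr")) for m in _HOOK.finditer(text)]


def hidden_services(text):
    """List of (service name, image path) from the Hidden Services section."""
    return [(m.group("name"), m.group("path")) for m in _SERVICE.finditer(text)]


def loaded_drivers(text):
    """List of dicts (name, path, addr, size, vis) from the Drivers section."""
    return [m.groupdict() for m in _DRIVER.finditer(text)]


def triage(text):
    """Map driver file name -> set of indicator strings found for it."""
    findings = defaultdict(set)
    for fn, drv, _addr in ssdt_hooks(text):
        findings[_basename(drv)].add(f"hooks {fn}")
    for name, path in hidden_services(text):
        findings[_basename(path)].add(f"hidden service {name}")
    for d in loaded_drivers(text):
        # Heuristic of this example: a driver whose image path is a bare file
        # name has no resolvable on-disk location and deserves a look.
        # "File Visible: No" alone is not used, because the report above shows
        # it for RootRepeal's own driver and the crash-dump driver as well.
        if "\\" not in d["path"]:
            findings[_basename(d["path"])].add("image path has no directory")
    return dict(findings)


def ranked(text):
    """Drivers as (name, indicator count), most indicators first."""
    return sorted(((name, len(ind)) for name, ind in triage(text).items()),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed excerpt of the RootRepeal report posted in this thread.
REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 13:47
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xAFF78000 Size: 749568 File Visible: No Signed: -
Status: -

Name: herspo.sys
Image Path: herspo.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB87B6000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f4715

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f2705

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\81437124.sys" at address 0xb36f27c5

Hidden Services
-------------------
Service Name: 81437124
Image Path: C:\WINDOWS\System32\drivers\81437124.sys

==EOF==
"""

if __name__ == "__main__":
    for name, count in ranked(REPORT):
        print(f"{name}: {count} indicator(s): {sorted(triage(REPORT)[name])}")
```

Hooking NtCreateKey and NtOpenKey is how a kernel component hides its own service key and Run values from user-mode scanners, which is consistent with MBAM "removing" the braviax Run value on every scan only to find it again. That is also why the moderator's next step is to hand the case to a HijackThis/DDS helper rather than delete the driver file blindly.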

#14 charliehorse (Topic Starter, Members, 48 posts)

Posted 14 August 2009 - 03:02 PM

I see boopme and EMN7 are with me.


The SSDT-HOOK that's causing grief is: Generic Rootkit.f!rootkit (Trojan)




The other problem file seems to be: c:\windows\system32\drivers\81437124.sys


boopme, should I file assassin the file in the drivers folder?



If you have any ideas of how to correct these problems, I'll be very grateful.


thanks folks!

Edited by charliehorse, 14 August 2009 - 03:47 PM.


#15 boopme (Global Moderator, 73,190 posts, NJ USA)

Posted 14 August 2009 - 04:12 PM

My dear Mr horse, lol.. It appears there is a hidden service preventing us from getting at this. I see it.. I think it's safer to go thru HJT than risk pulling it here.
You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 and 7, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.



