Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 aguy24069


  • Members
  • 3 posts
  • Local time:04:09 PM

Posted 17 August 2009 - 08:19 AM

Hey.. Well I found my way here, which is not good, but am glad you guys are here.
Ok , heres whats going on. picked Win32.TDSS.rtk found by spybot search and destroy. Spybot forum directed me here. After some research,

1. ran Smitfraude first in normal mode, then in safe mode.
2 ran combofix, with avg truned off and spybot turned off

it appeared at first, all was good again, but no ....

ran combo fix several times it kept finding a file called catchme.dll

Also after running combofix cant run chkdsk - says volume is unaccesible
Looking at network connection in the system tray shows contsatnt activity

I ran XP setup disk and did the console/ listsrvs and it showed catchme as a manual process, I then disabled catchme from the console but things are still not right, slow sluggish. Also have something on here by Pure Networks, dont have any idea what it is .... something for wireless or hard wired network connection ?

avg found the following:

Aug 14 2009

"C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir";"Trojan horse Clicker.AATG";"Moved to Virus Vault"

Aug 12 2009

"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETpyjelpky.sys.vir";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETiwlaockx.dll.vir";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETlkojmxoe.dll.vir";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"
"C:\System Volume Information\_restore{CE34424A-169A-4B69-BC1D-0A8B05EBEE92}\RP0\A0000001.sys";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"
"C:\System Volume Information\_restore{CE34424A-169A-4B69-BC1D-0A8B05EBEE92}\RP0\A0000002.dll";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"
"C:\System Volume Information\_restore{CE34424A-169A-4B69-BC1D-0A8B05EBEE92}\RP0\A0000003.dll";"Trojan horse Rootkit-Pakes.L";"Moved to Virus Vault"

Aug 09 2009

"HKU\S-1-5-21-1957994488-963894560-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced Virus Remover";"Found registry key with reference to infected file C:\Program Files\AdvancedVirusRemover\PAVRM.exe";"Moved to Virus Vault"

"C:\Program Files\AdvancedVirusRemover\PAVRM.exe";"Trojan horse SHeur2.AVEV";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\72X720PT\install[1].exe";"Trojan horse SHeur2.AVJL";"Moved to Virus Vault"
"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATIJ807\Z[1].exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\Temp\rdl1C93.tmp.exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\29C9ILK7\SetupAdvancedVirusRemover[1].exe";"Trojan horse SHeur2.AVEV";"Moved to Virus Vault"

BC AdBot (Login to Remove)


#2 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,446 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:09 PM

Posted 17 August 2009 - 12:48 PM

Hello and :thumbsup: to BleepingComputer!

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by elise025, 17 August 2009 - 12:49 PM.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users