
almost for sure infected


6 replies to this topic

#1 Padraigh (Members, 21 posts)

Posted 18 August 2009 - 06:32 AM

WinXp SP3
AMD Athlon 64
1.8 GHz
1 Gig RAM
Winfast/Foxconn755fxk8AA MBoard
IE 8

Using MalwareBytes, SuperAntiSpyware, and regular cleaning with ATF Cleaner or CCleaner. I was using Dr.Web CureIt, but something weird was going on when trying to update it, so not so much now.

Okay, so this time Start/All Programs/Accessories is missing; that's never happened to me before. I was getting some blue screen errors, but I thought I cleared that up... it's at least not happening anymore. The main dent in my ego came when my iTunes became "corrupted or unusable", very depressing. Might be a separate issue, I don't know. Please help. I try to handle my own stuff most times because I know you guys are busy as all hell, but I could use a crutch for sure this time. Thanks in advance, really.

#2 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 20 August 2009 - 07:54 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push OK.
  • Check the box for your main system drive (usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark

#3 Padraigh (Topic Starter, Members, 21 posts)

Posted 21 August 2009 - 05:05 PM

All done. Thanks for getting back to me, by the way. Here's the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/21 10:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4C6D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dxehlnw.sys
Image Path: dxehlnw.sys
Address: 0xF7490000 Size: 61440 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF79D2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9BA5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RootRepeal report 08-21-09 (10-16-40).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{DAC7AF24-AA46-40AC-B61B-0017904AF33A}\RP36\change.log.7
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\febreze tastes good\local settings\temp\etilqs_ueqvkunruye9kop8g9pp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\febreze tastes good\Local Settings\Apps\2.0\TVN9W4X0.8VK\A1VH6QX5.KBD\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\febreze tastes good\Local Settings\Apps\2.0\TVN9W4X0.8VK\A1VH6QX5.KBD\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==


looking forward to the next step.

#4 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 21 August 2009 - 06:50 PM

Please run RootRepeal one more time and select Files only.

Edited by garmanma, 21 August 2009 - 06:51 PM.

Mark

#5 Padraigh (Topic Starter, Members, 21 posts)

Posted 22 August 2009 - 03:23 PM

Okay, so I ran it again, selecting "Files" only and then selecting C: on the "Select Drives" prompt. Here's the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 13:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{DAC7AF24-AA46-40AC-B61B-0017904AF33A}\RP36\change.log.7
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\febreze tastes good\local settings\temp\etilqs_fs38dyzgv2tsb6lj3hyc
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\febreze tastes good\local settings\temp\etilqs_xsudgzkc8l1ofstjwxcz
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\febreze tastes good\Local Settings\Apps\2.0\TVN9W4X0.8VK\A1VH6QX5.KBD\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\febreze tastes good\Local Settings\Apps\2.0\TVN9W4X0.8VK\A1VH6QX5.KBD\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==
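
The two RootRepeal reports above are raw tool output, and the thread never spells out which lines are routine and which are not. As an added example (the editor's code, not part of the original thread and not part of RootRepeal), the following Python parses that report format and applies a few triage rules to separate expected entries from ones that deserve a closer look. The allowlist rules are the editor's assumptions about what is normal on a Windows XP system: the dump_* and hiber_* entries are crash-dump and hibernation copies of storage drivers that Windows creates at boot with no file on disk, rootrepeal.sys is the scanner's own driver, hiberfil.sys is always held open by the kernel, etilqs_ temp files are SQLite scratch files that are created and deleted constantly, and the report file itself is still being written when the scan enumerates it. None of that is a conclusion the thread draws. The sample report is constructed from the first log above, trimmed to a few entries, with the profile name replaced.

```python
import re

# Constructed sample: trimmed from the first RootRepeal log in the thread, profile
# name replaced. Not a capture from a real machine.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4C6D000 Size: 98304 File Visible: No Signed: -

Name: dxehlnw.sys
Image Path: dxehlnw.sys
Address: 0xF7490000 Size: 61440 File Visible: No Signed: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9BA5000 Size: 49152 File Visible: No Signed: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RootRepeal report 08-21-09 (10-16-40).txt
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\user\local settings\temp\etilqs_ueqvkunruye9kop8g9pp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\user\Local Settings\Apps\2.0\TVN9W4X0.8VK\A1VH6QX5.KBD\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

==EOF==
"""

DASHES = re.compile(r"^-{5,}$")
# The Drivers section packs four fields onto one line.
DRIVER_LINE = re.compile(
    r"Address:\s*(\S+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)")


def parse_report(text):
    """Split a RootRepeal report into {section name: [entry dict, ...]}."""
    sections, section, entry = {}, None, {}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if DASHES.match(line):
            continue
        # A section header is a colon-free line followed by a row of dashes.
        if line and ":" not in line and i + 1 < len(lines) and DASHES.match(lines[i + 1]):
            section, entry = line, {}
            sections[section] = []
            continue
        if section is None:
            continue
        if not line or line == "==EOF==":      # blank line ends an entry
            if entry:
                sections[section].append(entry)
                entry = {}
            continue
        m = DRIVER_LINE.match(line)
        if m:
            entry.update(address=m.group(1), size=int(m.group(2)),
                         file_visible=m.group(3), signed=m.group(4))
            continue
        key, _, value = line.partition(":")     # first colon only: paths contain "C:"
        entry[key.lower().replace(" ", "_")] = value.strip()
    if entry:
        sections[section].append(entry)
    return sections


# Allowlist: editor's assumptions about what is expected on Windows XP, not thread conclusions.
PSEUDO_DRIVER = re.compile(r"^(dump_|hiber_)", re.I)   # crash-dump/hibernation stubs, no file on disk by design
SCANNER_DRIVERS = {"rootrepeal.sys"}                   # the tool's own kernel driver
ALWAYS_LOCKED = {"hiberfil.sys", "pagefile.sys"}       # held open by the kernel
SQLITE_TEMP = re.compile(r"\\etilqs_[a-z0-9]+$", re.I)  # SQLite scratch files ("sqlite" reversed)


def triage(sections):
    """Return [(kind, name, reason)] for entries that deserve a closer look."""
    findings = []
    for d in sections.get("Drivers", []):
        name, path = d.get("name", ""), d.get("image_path", "")
        if PSEUDO_DRIVER.match(name) or name.lower() in SCANNER_DRIVERS:
            continue
        reasons = []
        if not re.match(r"^[a-z]:\\", path, re.I):
            reasons.append("image path is a bare filename, not a location on disk")
        if d.get("file_visible", "").lower() == "no":
            reasons.append("backing file not visible through the Windows API")
        if reasons:
            findings.append(("driver", name, "; ".join(reasons)))
    for f in sections.get("Hidden/Locked Files", []):
        path, status = f.get("path", ""), f.get("status", "")
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in ALWAYS_LOCKED or "rootrepeal report" in low:
            continue
        if SQLITE_TEMP.search(path) and status.startswith("Allocation size mismatch"):
            continue
        findings.append(("file", path, status))
    return findings


if __name__ == "__main__":
    print(*triage(parse_report(SAMPLE_REPORT)), sep="\n")
```

Run against the sample, the script reports two entries: the driver whose image path is a bare filename with no visible file behind it, and the locked ClickOnce manifest. An entry on that list is a lead to investigate, not a verdict; the allowlist only removes the noise that every scan of a healthy XP machine produces.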

#6 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 22 August 2009 - 07:14 PM

Something in that scan just isn't right.
We've been notified of a new stubborn rootkit that's almost impossible to get a handle on.
I'm going to recommend you proceed with submitting a HJT / DDS log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient and good luck.
Mark

#7 Padraigh (Topic Starter, Members, 21 posts)

Posted 24 August 2009 - 02:04 AM

Thanks Mark, super appreciate it. You guys are all really awesome people for the help you offer. I'll get right on it.



