I think I have the ANTISPY PROTECTOR 2009 Viruse

Here is a copy of my ROOTREPEAL REPORT

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/21 20:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8113000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7AA3000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7943000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7d8948e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7d89484

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7d89493

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7d8949d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7d894a2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7d89470

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7d89475

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7d894ac

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7d894a7

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7d89498

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7d8947f

==EOF==

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Are you able to run DDS?

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

I will review your logs and post instructions forthcoming.
Regards,
~t

Hello,
Lets get started!!
Please follow my instructions closely. Also please note: we are not clean till I tell you so. Looks can be deceiving!

Please do this.....

Download and run Win32kDiag:

• Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Download Win32kDiag (Win32kDiag.exe) - #1
  • Download Win32kDiag (Win32kDiag.exe) - #2
  • Download Win32kDiag (Win32kDiag.exe) - #3
• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Next......


Download and run a batch file (peek.bat):

• Download peek.bat from the download link below and save it to your Desktop.
  • Download peek.bat
• Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
• Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t

I was unable to run the DDS scan, as per directed.

So I have not continued to the next post or steps.

Hi,

I was unable to run the DDS scan

As expected.
This helps confirm my suspicion as to the nature of your infection.

Thanks for the info.

==========

Please do this.....

Download and run Win32kDiag:

• Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Download Win32kDiag (Win32kDiag.exe) - #1
  • Download Win32kDiag (Win32kDiag.exe) - #2
  • Download Win32kDiag (Win32kDiag.exe) - #3
• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Next......


Download and run a batch file (peek.bat):

• Download peek.bat from the download link below and save it to your Desktop.
  • Download peek.bat
• Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running.
• Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t

Here's the first Scan

Here is the second log

Well done!

Please do this...

Follow all the steps in the order outlined and in completion. Let me know if you run into any problems. Again....looks are deceiving. You are not clean until I tell you so.

==========

Please copy and paste all logs directly into your reply unless I direct you otherwise. It is easier for me to review them that way.

==========

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:

• Click on the Start button, then click on Run...
• In the empty "Open:" box provided, type cmd and press Enter
  • This will launch a Command Prompt window (looks like DOS).
• Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
  copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
• In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
• Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
  NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
• Exit the Command Prompt window.

==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
  

  Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

• In the avenger window, click the Paste Script from Clipboard, button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

==========

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt
* Combofix.txt
* How is your computer running now?

Kind regards,
~t

I got as far as the end of the Avenger Proccess, and but could not continue with the ComboFix step, because I cannot uninstall one of my Anti-Virus programs (AVG). ComboFix warns not to run it if an A/V program is running.

I ran all my programs and internet browsers, and all are working normally, but I still heed your warning that things may not be as they seem. I will continue to try and resolve the AVG problem, so that I can then proceed with the finale steps.

Hi there,
I need you to stop attaching your logs please. Please copy and paste them directly into your post. I also need to see the Avenger log please. It can be found @ "C:\avenger.txt". This is important!

==========

Please also note.....

We might not have yet successfully inactivated that Rootkit. This will be readily evident when we run the fix below. If it is still active then Combofix will not run. Please alert me if that is the result and I will guide you!!

==========

Please do this....

Disable AVG. Follow the instructions here.

==========

Next....

Delete Combofix from you desktop. Right click and select Delete.

==========

Finally.......

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

With your next post please provide:

* Remember to Copy and Paste all logs directly into your reply. I provided an example below.
* Avenger.txt (This is important!!)
* Combofix.txt
* How is your computer running

Kind regards,
~t

---------------------------------------------------------------------------------

Example of log Copy and Paste
Volume in drive C has no label.
Volume Serial Number is A016-5057

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,582,528 bytes
0 Dir(s) 182,056,300,544 bytes free

Hello,
It has been 2 days since I last posted instructions. Do you still desire assistance? If we do not receive a reply soon we will close this thread.
Kind regards,
~t

I still cannot get rid of the Avg even after manually deleting traces of it. There customer service will not help because its the free verson of AVG. But what you and I did has taken care of the problems I had and in fack my computer is acting like when it was new.

I am a disabled veteran and I live on a very fixed income, but if you are not offended I could send you $10 for your fine help.

Thanks
Robert

Hi there,

First...

I am a disabled veteran

Thank you for dedicating yourself to the protection and freedom of others!!!!!!

Next...

I still cannot get rid of the Avg even after manually deleting traces of it.

You did not need to remove AVG I only wanted you to temporarily disable it and follow my instructions from my previous post. Nevertheless I will repost new instructions for you that include an uninstaller for AVG leftovers. You will need to reinstall an antivirus or you will become reinfected. I will post instructions for a new free AV.

Also...

But what you and I did has taken care of the problems I had and in fack my computer is acting like when it was new.

Looks are deceiving. Stick with my recommendation and I will alert you when you really are clear of infection.

Finally...
I do this because I enjoy helping others. Thanks for the $$ offer but please keep it for yourself.

==========

Please do this.....

Run the AVG Uninstaller

==========

Next....

Delete Combofix from you desktop. Right click and select Delete.

==========

And this.......

Download and Run ComboFix (by sUBs)

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

Finally.....

I don't see an Anti Virus Program running on your machine

• Download and install an antivirus program, and make sure that you keep it updated
  New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  Two good antivirus programs free for non-commercial home use are Avast! and Antivir
  Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

- Please run a scan now with your newly installed Antivirus program and post a log of the results! -

==========

I also need to see the Avenger log please. It can be found @ "C:\avenger.txt". This is important!

==========

With your next post please provide:

* Remember to Copy and Paste all logs directly into your reply.
* Combofix.txt
* New installed Antivirus log
* Avenger.txt (This is important!!)
* How is your computer running

Kind regards,
~t

I've tried that and then some but nothing works, can we run Combo Fix anyway?

Hi,
You have run the AVG uninstaller that I provided you a link for?

If so then go ahead and follow all of my instructions I have listed in exactly the order I posted. If you get a warning that AVG is installed when you run Combofix you can proceed regardless!!

Thanks,
~t