
Life After "Advanced Virus Remover"


20 replies to this topic

#1 drb930 (Members, 12 posts, Location: 91406)

Posted 24 August 2009 - 08:41 PM

Help, what do I do now?
I got most of my computer back by piecing out the "Advanced Virus Remover" program.
Problem is, I should have used the great program I found on here called Malwarebytes first?
I did run Malwarebytes and got most of my desktop back, except there is a weird shadow behind my icons.
Problem is, I cannot run Check Disk, Defragmenter, Windows Restore, or Windows Safe Mode, and the computer will not even reformat. I tried to just dump the whole hard drive, but it won't read the disc?
There is still some part of the virus running in the background.
Any help would be greatly appreciated!

Help!
Thanks,
Dave


#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,329 posts, Location: NJ USA)

Posted 24 August 2009 - 08:45 PM

Hi Dave.
Your MBAM scans came back clean? Please post the last log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.



We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push OK.
  • Check the box for your main system drive (usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 drb930 (Topic Starter)

Posted 24 August 2009 - 08:55 PM

Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 18:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB68F1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA64E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2EC7000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmlkypbqxr.dll]
Process: svchost.exe (PID: 1104) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmtymxgwnp.dll]
Process: Explorer.EXE (PID: 2340) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: kbiwkmtymxgwnp.dll]
Process: firefox.exe (PID: 2896) Address: 0x007e0000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmvppfmpqj
Image Path: C:\WINDOWS\system32\drivers\kbiwkmxurrtrfu.sys

==EOF==

#4 boopme (Global Moderator)

Posted 24 August 2009 - 08:58 PM

Hello, you now have 3 topics in this forum started on the same issue. You have a reply from quietman7 here...
http://www.bleepingcomputer.com/forums/ind...p;#entry1396814
that you have not followed up on. I will be deleting this thread hijack as it is wasting people's time, and also the 2nd thread with a reply.


EDIT: you other guys will be getting moved out also, just to clean up the OP's thread. Thanks, and I apologise.

Edited by boopme, 24 August 2009 - 09:02 PM.


#5 drb930 (Topic Starter)

Posted 24 August 2009 - 08:58 PM

And the malware log:

Malwarebytes' Anti-Malware 1.40
Database version: 2689
Windows 5.1.2600 Service Pack 2

8/24/2009 11:09:51 AM
mbam-log-2009-08-24 (11-09-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169784
Time elapsed: 21 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5BASN7WP\exe[1].exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GDQJ2R4Z\firewall[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#6 drb930 (Topic Starter)

Posted 24 August 2009 - 09:00 PM

Sorry, this is actually the last log that I ran today:

Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 5.1.2600 Service Pack 2

8/24/2009 2:21:48 PM
mbam-log-2009-08-24 (14-21-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 169854
Time elapsed: 22 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme (Global Moderator)

Posted 24 August 2009 - 09:03 PM

Hi, please rerun RootRepeal and this time select ONLY the Files tab, please.

#8 drb930 (Topic Starter)

Posted 24 August 2009 - 09:18 PM

Here it is:

Thanks,
Dave

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 19:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmlkypbqxr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmqujotenq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmtymxgwnp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmxurrtrfu.sys
Status: Invisible to the Windows API!
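The two RootRepeal reports above, read next to the clean Malwarebytes log, are the whole case for a kernel-mode rootkit: the signature scanner reports nothing, while a scanner with its own driver lists a service, a .sys, two DLLs and a .dat that are invisible to the Windows API and all share the prefix kbiwkm. The Python script below is an added example (not part of this thread, and not a feature of RootRepeal or Malwarebytes) that turns that eyeball comparison into code: it parses a trimmed excerpt of the logs posted above into records, pulls out the hidden objects, skips the normal "Locked" entries such as hiberfil.sys, buckets the names by shared prefix, and compares the result with the MBAM detection counts. The log layout it assumes (a section title over a dashed rule, blank-line separated Key: value records, ==EOF== at the end) is inferred from the logs on this page, and the five-character prefix heuristic is this example's own assumption.

```python
"""Triage helper for RootRepeal and Malwarebytes (MBAM) logs. Added example, not part
of this thread or of either tool: the excerpts are trimmed from the reports posted
above; the assumed log layout and the shared-prefix heuristic are this example's own."""
import re
from collections import defaultdict

ROOTREPEAL_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmlkypbqxr.dll]
Process: svchost.exe (PID: 1104) Address: 0x10000000 Size: 53248

Hidden Services
-------------------
Service Name: kbiwkmvppfmpqj
Image Path: C:\WINDOWS\system32\drivers\kbiwkmxurrtrfu.sys

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmqujotenq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmtymxgwnp.dll
Status: Invisible to the Windows API!

==EOF==
"""

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2691
Scan type: Full Scan (C:\|D:\|)
Memory Modules Infected: 0
Files Infected: 0
"""

# "Title" over a dashed rule, then records up to the next title or ==EOF==
SECTION_RE = re.compile(r"^(\S[^\n]*)\n-{5,}\n(.*?)(?=^\S[^\n]*\n-{5,}\n|^==EOF==|\Z)", re.S | re.M)
MODULE_RE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")


def parse_rootrepeal(text):
    """Map section title -> list of {key: value} records (blank-line separated)."""
    sections = {}
    for title, body in SECTION_RE.findall(text):
        records = []
        for chunk in body.strip().split("\n\n"):
            if chunk.strip():
                # split on the first colon only, so 'C:\...' paths survive intact
                records.append(dict((k.strip(), v.strip()) for k, _, v in
                                    (ln.partition(":") for ln in chunk.splitlines())))
        sections[title] = records
    return sections


def hidden_indicators(sections):
    """Objects RootRepeal saw from kernel mode that the Win32 API did not report.
    'Locked' files (hiberfil.sys, pagefile.sys) are normal and are skipped."""
    files = [r["Path"] for r in sections.get("Hidden/Locked Files", [])
             if "Invisible" in r.get("Status", "")]
    modules = [(m.group(1), r.get("Process", "").split(" (")[0])
               for r in sections.get("Stealth Objects", [])
               for m in [MODULE_RE.search(r.get("Object", ""))] if m]
    services = [(r["Service Name"], r["Image Path"])
                for r in sections.get("Hidden Services", [])]
    return {"files": files, "modules": modules, "services": services}


def name_families(names, prefix_len=5):
    """Bucket basenames by their first prefix_len characters. Example heuristic:
    a dropper's random names usually keep one fixed prefix across .sys/.dll/.dat."""
    buckets = defaultdict(set)
    for n in names:
        base = n.replace("\\", "/").rsplit("/", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        if len(stem) > prefix_len:
            buckets[stem[:prefix_len]].add(base)
    return {p: sorted(b) for p, b in buckets.items() if len(b) >= 2}


def mbam_detection_count(text):
    """Sum of MBAM's '<category> Infected: N' summary lines."""
    return sum(int(n) for n in re.findall(r"^[A-Za-z ]+ Infected: (\d+)$", text, re.M))


def triage(rootrepeal_log, mbam_log):
    """Compare the rootkit scanner's hidden-object list with MBAM's verdict."""
    ind = hidden_indicators(parse_rootrepeal(rootrepeal_log))
    names = ind["files"] + [n for n, _ in ind["modules"]] + [p for _, p in ind["services"]]
    hits = mbam_detection_count(mbam_log)
    hidden = any(ind.values())
    if hidden and hits == 0:
        verdict = "hidden objects present; the signature scan is blind to them"
    elif hidden:
        verdict = "hidden objects present alongside signature detections"
    else:
        verdict = "no hidden objects reported"
    return {"indicators": ind, "families": name_families(names),
            "mbam_detections": hits, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(ROOTREPEAL_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints one "kbiwk" family holding the .dll, .dat and .sys names together with the verdict that the hidden objects are invisible to the signature scan. The point of keeping "Locked" separate from "Invisible" is that a locked hiberfil.sys or pagefile.sys shows up on every healthy XP box, whereas a file the kernel can enumerate but the Win32 API cannot is the hallmark of an API-hooking rootkit, which is why a clean MBAM result on its own says nothing here.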

#9 boopme (Global Moderator)

Posted 24 August 2009 - 09:25 PM

OK, that's what we needed.

Rerun RootRepeal. After the scan completes, go to the Files tab and find this file:

C:\WINDOWS\system32\drivers\kbiwkmxurrtrfu.sys


Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?

#10 drb930 (Topic Starter)

Posted 24 August 2009 - 10:21 PM

Here is the Log File-
Malwarebytes' Anti-Malware 1.40
Database version: 2692
Windows 5.1.2600 Service Pack 2

8/24/2009 8:09:09 PM
mbam-log-2009-08-24 (20-09-09).txt

Scan type: Quick Scan
Objects scanned: 107706
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Getting a lot of error messages now about that file not being a valid file, and to check against the disc included with the computer.
Still will not chkdsk, restore, etc. Also, the color behind my icons on the desktop is still there?

Thanks,
Dave

#11 boopme (Global Moderator)

Posted 24 August 2009 - 10:30 PM

OK, rats... Looks like we need to use stronger tools...
You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here, HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#12 drb930 (Topic Starter)

Posted 24 August 2009 - 10:38 PM

Okay, but I did that last night at 0300.
But I will do it again, as the computer is better than it was.
I had not run Malwarebytes at that time.
Question: should I start a "New" thread?

Thanks,
Dave

#13 Straythe (Members, 124 posts)

Posted 24 August 2009 - 10:46 PM

drb930: Yes, they want a new thread started in the HJT forum which is here:

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Good luck - Straythe (not a staff member)
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#14 drb930 (Topic Starter)

Posted 24 August 2009 - 10:59 PM

Straythe,

Is there any way that I can get this thing to reformat and just wipe the hard drive?
I have backed up all the info that I need; seems like it would be easier.
Has not been done since I bought this new in 2007.

Thanks,
Dave

#15 Straythe (Members)

Posted 24 August 2009 - 11:14 PM

<-- not a staff member, not a staff member, not a staff member! (just making sure)

Well, DaChew had a quote in another thread (which I can't find now while SAS is running on my infected machine ;) ) which basically said: the malware writers want a long drawn-out fight so the infected machine stays connected to the net and spawning. A clean wipe and reinstall is NOT what they want. Also, some of these rootkits are extremely difficult to remove and the computer may never be completely trustworthy again.

Don't take my advice too strongly, because I'm just a watcher here, albeit by this point I've read a hundred or so threads with other people's battles. But it looks like a reformat is always the safest way to go, and it's up to you whether you can live with it or not.

But be darn sure that your backed-up data is clean before you do anything unrecoverable! They suggest some tools, like Flash-Disinfector for removable drives, and maybe use the heavy-duty online scanners like Kaspersky's on your backup. It would be terrible to go through all that and then re-load the infection from the backups.

As to how you'd actually access your drive to wipe and reformat it... I don't think I'm qualified to advise. I can guess, but I'd rather a staff member come in and give good instruction.

Good luck - Straythe



