Need help removing rootkit


  • This topic is locked
21 replies to this topic

#1 Flowerpoddess (Members, 19 posts)

Posted 22 September 2009 - 03:27 AM

I downloaded a couple of bad programs, I suppose; they show up as viruses or malware in my AVG virus scanner. However, these clearly state that they're viruses, and I'd like to remove them.

"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar:\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip:\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar:\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip:\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (476)";"Virus identified Packed.Hidden";""
"C:\Program Files\Java\jre6\bin\java.exe (3396)";"Virus identified Packed.Hidden";""

And I'm getting this error every time I start Firefox, or while it stays running.

jqsnotify.exe - Entry Point Not Found
The procedure entry point ??_V@YAXPAX@Z could not be located in the dynamic link library msvcrt.dll

I could not open Firefox at all, but after installing Comodo, or maybe after the reset of good registry settings was applied (although it didn't let me save them), I'm not sure why the error did not pop up the last time I tried to open Firefox.

I managed to get RootRepeal and it appears that I have a rootkit. I have either no access or limited access to the internet on that computer, so I'm burning everything from the laptop to the PC. I can't reformat as I don't have another drive to hold all my documents; furthermore, I'm not sure what an F drive is for. It was made with two partitions; how will reformatting affect that?

For now, I'd like this removed. Please refer to my thread here:
http://www.bleepingcomputer.com/forums/top...ml#entry1433645

Thank you!
Flowerpoddess

Edited by Flowerpoddess, 22 September 2009 - 03:30 AM.
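The scanner lines quoted above are machine-readable: three double-quoted, semicolon-separated fields (object path, detection name, action taken). As an added example that is not part of this post or of AVG's own tooling, here is a small Python parser and triage pass over a constructed sample built from those lines. The three path notations it recognises are read directly off the log above (the `\\?\globalroot` NT-namespace prefix, a `(pid)` suffix for a detection inside a running process, and `archive.zip:\member` for a file inside an archive); the classification rules and the summary it builds are my own assumptions about what a responder wants first.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in the AVG scan-log format quoted above: one record per line,
# three ';'-separated, double-quoted fields (object path, detection, action taken).
# Paths are copied from the post; the set of lines is trimmed for the example.
SAMPLE_AVG_LOG = r'''"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip:\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (476)";"Virus identified Packed.Hidden";""
"C:\Program Files\Java\jre6\bin\java.exe (3396)";"Virus identified Packed.Hidden";""
'''

HIDDEN_PREFIX = '\\\\?\\globalroot\\'   # NT-namespace path: the object has no ordinary Win32 path
PROCESS_RE = re.compile(r'^(?P<path>.+?) \((?P<pid>\d+)\)$')         # "C:\...\x.exe (1234)": detection in a live process
ARCHIVE_RE = re.compile(r'\.(?:zip|rar|cab|7z):\\', re.IGNORECASE)  # "archive.zip:\member": file inside an archive


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    kind: str        # one of: hidden, process, archive, file


def classify(path: str) -> str:
    """Assumed classification of the object path (checked in priority order)."""
    if path.lower().startswith(HIDDEN_PREFIX):
        return 'hidden'
    if PROCESS_RE.match(path):
        return 'process'
    if ARCHIVE_RE.search(path):
        return 'archive'
    return 'file'


def parse_avg_log(text: str) -> list[Detection]:
    """Parse the ';'-separated, quoted result lines. The csv module handles the
    quoting; backslashes stay literal because no escape character is configured."""
    out = []
    for row in csv.reader(io.StringIO(text), delimiter=';', quotechar='"'):
        if len(row) != 3:          # blank line or something that is not a result record
            continue
        path, detection, action = (f.strip() for f in row)
        out.append(Detection(path, detection, action, classify(path)))
    return out


def triage(text: str) -> dict:
    """Summarise what matters for response: objects the scanner could only reach
    through the globalroot NT-namespace prefix (consistent with something hiding
    them), detections inside live processes, records with an empty action column
    (nothing was quarantined), and the malware families named."""
    dets = parse_avg_log(text)
    live = []
    for d in dets:
        if d.kind == 'process':
            m = PROCESS_RE.match(d.path)
            live.append((m['path'], int(m['pid'])))
    return {
        'hidden': sorted({d.path for d in dets if d.kind == 'hidden'}),
        'live_processes': live,
        'not_quarantined': [d.path for d in dets if not d.action],
        'families': sorted({d.detection.removeprefix('Virus identified ') for d in dets}),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_AVG_LOG).items():
        print(f'{key}: {value}')
```

On the sample, the only object AVG could not reach by an ordinary path is the system32 DLL, the two process-memory detections have an empty action column (there is no file to quarantine, so they are still in memory), and two families are named. That combination, a hidden DLL plus detections inside running processes, is why a responder reads this log as a rootkit case rather than just a bad download.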



#2 sempai (Malware Response Team, 5,288 posts)

Posted 22 September 2009 - 10:17 AM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. The forum has been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.



We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Flowerpoddess (Topic Starter)

Posted 23 September 2009 - 04:14 PM

Hello Sempai,

Here is the information that was required. My computer is not letting me burn any files to CD, so getting this information on here was a selective choice of my computer. My USB can't be read, nor can the CD drive with a writable CD. I have a question: I have two partitions, a C drive and an F drive. If I transfer the files that I want to the F drive and format the C drive, would all my F drive files be safe? I'm seriously considering this once my computer is stable enough, since I'm unable to open windows and it hangs for several minutes.


DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Windows at 2:36:15.40 on Thu 09/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.759 [GMT 8:00]

AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Windows.WINDOWS-FC6C9DA\Desktop\dds.pif
C:\Documents and Settings\Windows.WINDOWS-FC6C9DA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre1.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfre1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [PopRock] c:\docume~1\window~1.win\locals~1\temp\b.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [VTPreset] VTPreset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\windows.windows-fc6c9da\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258}
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537}
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565}
DPF: {5D6F45B3-9043-443D-A792-115447494D24}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: Antiwpa - antiwpa.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1.win\applic~1\mozilla\firefox\profiles\u6r224yi.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\windows.windows-fc6c9da\application data\mozilla\firefox\profiles\u6r224yi.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-3 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-26 335240]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-10 27784]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-26 108552]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-21 132168]
S1 synsend;synsend;\??\c:\windows\system32\drivers\synsenddrv.sys --> c:\windows\system32\drivers\synsenddrv.sys [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-26 297752]
S2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-9-21 715392]
S2 gupdate1c9bc62c6087b12;Google Update Service (gupdate1c9bc62c6087b12);c:\program files\google\update\GoogleUpdate.exe [2009-4-14 133104]
S2 ojqur;ojqur;c:\windows\system32\drivers\yxpvtjjzkcnwyf.sys [2009-9-19 81280]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 1029456]

=============== Created Last 30 ================

2009-09-21 16:19 272 a------- c:\windows\system32\drivers\sfi.dat
2009-09-21 16:06 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Comodo
2009-09-21 16:06 179,792 a------- c:\windows\system32\guard32.dll
2009-09-21 16:06 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-09-21 16:06 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-21 16:06 <DIR> --d----- c:\program files\COMODO
2009-09-21 05:03 5,632 a----r-- c:\windows\system32\antiwpa.dll
2009-09-21 04:57 5,632 a----r-- c:\windows\system32\antiwpa.dll_1B08E
2009-09-21 00:19 10,752 a------- c:\windows\DCEBoot.exe
2009-09-19 19:02 33,354 a------- c:\windows\system32\drivers\str.sys
2009-09-19 19:02 81,280 a------- c:\windows\system32\drivers\yxpvtjjzkcnwyf.sys
2009-09-18 23:00 224,772 a------- c:\windows\system32\msxml71.dll
2009-09-18 22:55 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-08-29 08:21 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-29 08:21 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 00:31 34 a------- c:\documents and settings\windows.windows-fc6c9da\jagex_runescape_preferences.dat
2009-08-05 17:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 20:28 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 02:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-06-30 00:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-30 00:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-30 00:12 17,408 -------- c:\windows\system32\corpol.dll

============= FINISH: 2:38:52.89 ===============

Flowerpoddess

Edited by Flowerpoddess, 23 September 2009 - 04:15 PM.
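As an added example (my own code, not the DDS tool's and not from this thread), here is a Python triage pass over lines in the DDS report format above, run on a constructed sample of lines copied from that log. The tags it assigns (missing-file, temp-path, random-name, winlogon-notify, appinit-dll) and the random-name heuristic are assumptions I chose; they pick out the entries a responder checks first: an autorun from a temp directory, a kernel driver with a machine-generated filename, registry entries pointing at files DDS could not find, and DLLs loaded via Winlogon Notify (into winlogon.exe) or AppInit_DLLs (into every process that loads user32.dll).

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the DDS report above, in DDS's own
# format (autorun entries, BHOs, Winlogon/AppInit hooks, "S<n>"/"R<n>" service lines).
SAMPLE_DDS = r'''uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PopRock] c:\docume~1\window~1.win\locals~1\temp\b.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
Notify: Antiwpa - antiwpa.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
S1 synsend;synsend;\??\c:\windows\system32\drivers\synsenddrv.sys --> c:\windows\system32\drivers\synsenddrv.sys [?]
S2 ojqur;ojqur;c:\windows\system32\drivers\yxpvtjjzkcnwyf.sys [2009-9-19 81280]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 1029456]
'''

# "S2 name;display name;path [date size]" (or "[?]" when DDS could not find the file)
SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
VOWELS = set('aeiouy')


@dataclass
class Finding:
    line: str
    tags: list[str]


def longest_consonant_run(letters: str) -> int:
    run = best = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Assumed heuristic for machine-generated names such as yxpvtjjzkcnwyf:
    at least 10 letters and either no vowels at all or a run of 7+ consonants.
    Thresholds are chosen so terse vendor names in the log above
    (synsenddrv, WPDShServiceObj) are not flagged."""
    letters = re.sub(r'[^a-z]', '', stem.lower())
    if len(letters) < 10:
        return False
    return not (set(letters) & VOWELS) or longest_consonant_run(letters) >= 7


def extract_path(line: str):
    """Path from an autorun/BHO/AppInit line: quoted (may contain spaces) or bare."""
    m = re.search(r'"([a-z]:\\[^"]+)"', line, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.search(r'[a-z]:\\\S*', line, re.IGNORECASE)
    return m.group(0) if m else None


def service_path(line: str):
    """Path from a service/driver line: drops the trailing "[...]" block, the
    "--> resolved path" part and the NT object-namespace prefix."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = re.sub(r'\s*\[[^\]]*\]\s*$', '', m.group('rest'))
    return rest.split(' --> ')[0].removeprefix('\\??\\')


def tag_line(line: str) -> list[str]:
    tags = []
    path = service_path(line) if SERVICE_RE.match(line) else extract_path(line)
    if 'No File' in line or line.rstrip().endswith('[?]'):
        tags.append('missing-file')      # entry points at something DDS could not find: orphan, or hidden
    if line.startswith('Notify:'):
        tags.append('winlogon-notify')   # DLL loaded by winlogon.exe
    if line.startswith('AppInit_DLLs:'):
        tags.append('appinit-dll')       # DLL loaded into every process that loads user32.dll
    if path:
        if '\\temp\\' in path.lower():
            tags.append('temp-path')     # an autorun living in a temp directory is rarely legitimate
        stem = re.split(r'[\\/]', path)[-1].rsplit('.', 1)[0]
        if looks_random(stem):
            tags.append('random-name')
    return tags


def triage_dds(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        tags = tag_line(line)
        if tags:
            findings.append(Finding(line, tags))
    return findings


if __name__ == '__main__':
    for f in triage_dds(SAMPLE_DDS):
        print(', '.join(f.tags).ljust(28), f.line)
```

On the sample this flags six of nine lines: the `b.exe` autorun in a temp folder, the `ojqur` driver with the random-looking filename, the BHO and the `synsend` driver whose files are missing, and the two Winlogon/AppInit DLLs (the latter two are not malicious by themselves; guard32.dll is COMODO's, and the Notify entry is the activation crack the responder mentions later in the thread, but both locations deserve a look on any compromised box). The vendor entries (ctfmon, COMODO, Lavasoft) pass through untouched.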


#4 sempai (Malware Response Team)

Posted 25 September 2009 - 08:34 AM

Hello,

Your log shows some signs of VIRUT. In order to verify this, we need to send some files to Jotti.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time. (Please scan at least 3 of the files below):

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/




~Semp


#5 Flowerpoddess (Topic Starter)

Posted 26 September 2009 - 03:33 AM

Semp,

Thank you for the reply. I've run the scan using Jotti after adjusting the settings in Windows for hidden files. I've run checks on all the files listed; they all turned up negative, nothing was found.

Please address my previous question:
I have a question, I have two partitions, a C drive and F drive, if I transfer my files that I want to the F drive and format C drive, would all my F drive files be safe?

Flowerpoddess

Edited by Flowerpoddess, 26 September 2009 - 03:48 AM.


#6 sempai (Malware Response Team)

Posted 26 September 2009 - 05:01 AM

Hi,

I have a question, I have two partitions, a C drive and F drive, if I transfer my files that I want to the F drive and format C drive, would all my F drive files be safe?

Sorry I forgot to answer your question on my previous post.

If you're 100% sure that your F drive is clean of any infection, you can save some documents on it and they will be safe.

Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is that these files may be infected as well. If you restore them after the reinstallation of the OS, it will surely reinfect you again.


~Semp


#7 Flowerpoddess (Topic Starter)

Posted 26 September 2009 - 09:22 AM

Hello,

Thank you for the reply. I'm not sure if my F drive is infected. I might have programs files that I might need installed, but it's best not to install them again I suppose?

I keep getting a popup stating

Windows - No Disk
There is no disk in the drive. Please insert a disk into drive ???????????????????.
With options such as, "Cancel", "Try Again" and "Continue"

Flowerpoddess

#8 sempai (Malware Response Team)

Posted 26 September 2009 - 06:33 PM

Hi,

I'm not sure if my F drive is infected. I might have programs files that I might need installed, but it's best not to install them again I suppose?


Yes, you are right: do not install any programs from your infected computer, because the possibility of getting reinfected is high. Also, it's a good idea to wipe your F drive as well, since you're not sure whether it is infected or not. If you need to install any of your important programs, it's better to obtain a new copy from the developer's site.


I keep getting a popup stating

Windows - No Disk
There is no disk in the drive. Please insert a disk into drive ???????????????????.
With options such as, "Cancel", "Try Again" and "Continue"
I'm not sure if he's referring to the Windows installation disk.

Are you already trying to reformat? Is this a windows installation disk? Below are some guides on how to install Windows XP.

Install Windows XP

How to install or upgrade to Windows XP



~Semp


#9 Flowerpoddess (Topic Starter)

Posted 26 September 2009 - 11:37 PM

Hello,

Thank you for the information. I was asking about re-installation, but I don't think it's an option now, since I have several documents worth of information on the drive that I cannot wipe out.

"Windows - No Disk
There is no disk in the drive. Please insert a disk into drive ???????????????????.
With options such as, "Cancel", "Try Again" and "Continue"


But, I'm getting the above error popping up for no reason, like while I'm using the internet or simply at the desktop, it pops out with that error. I have left it open because if I close it appears again in less than four seconds. And, another one might pop up saying there is fatal error with Iexplorer.exe.

And another pop-up that states:

"Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
Cancel Try Again Continue"


Please assist in removing the problem.

Comodo Antivirus auto-ran its own scan without an update and it found one threat, "C:\Windows\Temp\ehiwtvlqxd.exe", threat name: Heur.Packed.Unknown. I'm sure it'll find a lot more if my virus definition file was up to date.

I have kept my computer on for days now; I'm afraid that if I turn it off I won't have a connection to the internet, as I previously had trouble connecting, so I'm hoping this problem is solved as quickly as possible.

Thanks!
Flowerpoddess

Edited by Flowerpoddess, 26 September 2009 - 11:45 PM.


#10 sempai (Malware Response Team)

Posted 27 September 2009 - 08:30 AM

Hi,

Since you want us to help you clean your computer problems, I want to discuss with you first some important issues before we proceed.


1. You are using a cracked Windows, and due to the nature of your PC's infections, we will be using some powerful automated tools that will remove a lot of infections from your computer, including the program you used to crack Windows. Because of this, I want you to understand that neither I nor the authors of the tools that we will be using are responsible if your computer becomes inoperative during the cleaning process.



2. One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.


3. Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitComet 1.09).

These programmes allow users to share files between them, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



+++++++++++++++++++++++

Now, let's start with the cleaning process:


1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either COMODO Antivirus or AVG Anti-Virus Free.

Important note: It is important to run the removal tool after you uninstall the AV that you wish to remove.
AVG removal tool --> HERE
COMODO removal procedure --> HERE




2. Download this tool to desktop: http://www2.gmer.net/mbr/mbr.exe
  • First, copy/paste (not cut and paste) the mbr.exe that you saved on the Desktop to C:\WINDOWS folder.
  • Second, go to Start > Run > then copy/paste the text below > Press Enter

    mbr -f

  • Third, a logfile (mbr.log) will be created on your screen (or find it at C:\Windows\mbr.log), Please post that log when you reply.

3. Download Combofix from any of the links below but rename it to cfscan before saving it to your desktop.

Link 1
Link 2

  • Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Flowerpoddess

Flowerpoddess
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:32 AM

Posted 27 September 2009 - 02:21 PM

Semp,

Thank you for the reply. I have yet to read the entire post, but you stated the system might be inoperative, which would mean I'd lose access to important documents and pictures, and I don't want that to happen.

Is there anything you can suggest if I don't have a physical hard drive? Any reliable place where I can upload folders of files?

Thank you very much!!
Flowerpoddess

Edited by Flowerpoddess, 27 September 2009 - 02:21 PM.


#12 Flowerpoddess

Flowerpoddess
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:32 AM

Posted 27 September 2009 - 09:45 PM

Quick question: I'm asking this for my other PC. The Norton Internet Security expired, so I'm looking into getting AVG, but AVG does not have a firewall. I know you mentioned that I should only have one antivirus on my system and one of them running, but because AVG does not have a firewall, would it be okay to use AVG for anti-virus and download Comodo firewall as a standalone?

Does Comodo work fine on its own?

Thanks!
Flowerpoddess

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:32 AM

Posted 28 September 2009 - 06:09 AM

Hi,

Is there anything you can suggest if I don't have a physical hard drive? Any reliable place where I can upload folders of files?

If you can't burn all your documents to a DVD disk, you can always upload them using online file storage:

would it be okay to use AVG for anti-virus and download Comodo firewall as a standalone?

Does Comodo work fine on its own?

You can use AVG with Comodo firewall and yes Comodo works fine. Just make sure not to include the antivirus program and Askbar during installation.

But I personally recommend Sunbelt Personal Firewall.
Two good antivirus programs free for non-commercial home use that I also recommend are Avast! and Antivir.


~Semp


#14 Flowerpoddess

Flowerpoddess
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:32 AM

Posted 28 September 2009 - 12:05 PM

Semp,

Thank you for your reply and recommendations.

I see that Sunbelt is only a free trial. I downloaded Comodo, but just like my PC, my laptop cannot download the update and is stuck at 30%. I'm going to uninstall it and consider AVG like my desktop, or Avast!. How do I remove Norton Internet Security the way AVG and Comodo are removed?

I have uploaded my files to iDrive but I'm not sure how reliable it is. I'll look into RapidShare.

Thank you
Flowerpoddess

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:32 AM

Posted 28 September 2009 - 05:23 PM

I see that Sunbelt is only a free trial

The Sunbelt Kerio Personal Firewall will keep on working after the first 30 days, only in a more limited mode, but free.

How do I remove Norton Internet Security the way AVG and Comodo are removed?

You can download and run the Norton removal tool HERE.


~Semp