Safety Center - System Antivirus Pro - Rootkit


This topic is locked
50 replies to this topic

#16 sarcasmic (Topic Starter)

Posted 24 September 2009 - 05:45 AM

Ok...

I downloaded Inherit, burned it to a CD, copied it to the desktop where Combo-fix.exe is. I ran it as you asked, and got the "Finished" message and clicked ok. Then I ran "Combo-fix.exe /killall" and combofix began to run, I got the status bar, and it completed but said that there was a program open and it couldn't create all the files, which I suspect was the "System Safety" program that I mentioned in my last post. It suggested that I restart and close all programs and run it again. I restarted, and it still won't start in normal mode, or a GUI safe mode. So I went back into Safe Mode with command prompt.

I logged in as administrator, but the files were saved on my user desktop, not admin desktop, so I tried to change directories to the "Josh" desktop, but when I did "cd Josh" I was told access is denied.

So I restarted thinking that I could just log on as Josh when I got back to the log in page for the command prompt safe mode.

But now it won't start in command prompt mode, or any other mode. It just goes into an endless rebooting loop asking me which mode I want to try to boot into (Safe Mode, w/ Networking, or w/Command Prompt, Last known good config, or start Windows normally)

Ok... is it time to start the recovery console? Every time I feel like we're making progress, I think I slip up on a step. Thank you for your patience.


#17 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 24 September 2009 - 09:42 AM

Hi, sarcasmic :(

I believe the Trojan has left you with no option, but to reformat and reinstall.

Let's try to disable the rootkit service and file through the Recovery Console.
  • Configure the computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  • Insert the Windows XP installation CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  • When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  • You will be prompted with the following options:

    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.

    Choose the option "To repair the Windows XP installation using recovery console": press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following commands and press Enter:

    MAP
    Note the letter assigned to your CD-ROM, then type the following (replacing X with that letter) and press Enter after each:
    Expand X:\i386\eventlog.dl_ C:\WINDOWS\system32\eventlog.dll
    Expand X:\i386\Explorer.ex_ C:\WINDOWS\Explorer.exe
    Disable UACd.sys
    Disable rotcxnmevxenq

    cd system32
    cd drivers
    Del C:\WINDOWS\system32\drivers\rotscxtjlhaiiy.sys
    Del C:\WINDOWS\system32\drivers\UACuxqunfhbqg.sys

    Exit
Type Exit and press Enter. Take the CD out of the drive and let the computer restart.

If that does not allow you to log on to Windows, all we can try to do is to restore your registry to either a Combofix checkpoint, if available, or to the original registry.

Let me know how it goes.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#18 sarcasmic (Topic Starter)

Posted 24 September 2009 - 05:02 PM

    At the command prompt, type the following commands and press Enter:

    MAP Note the letter assigned to your CD-ROM, then type the following and press Enter:
    Expand X:\i386\eventlog.dl_ C:\WINDOWS\system32\eventlog.dll Replace the X with the letter assigned to your CD-ROM
    Expand X:\i386\Explorer.ex_ C:\WINDOWS\Explorer.exe Replace the X with the letter assigned to your CD-ROM
    Disable UACd.sys
    Disable rotcxnmevxenq

    cd system32
    cd drivers
    Del C:\WINDOWS\system32\drivers\rotscxtjlhaiiy.sys
    Del C:\WINDOWS\system32\drivers\UACuxqunfhbqg.sys

    Exit
    Type Exit and press Enter. Take the CD out of the drive and let the computer restart.


Before I screw anything up again, two questions:

1. Should Disable rotcxnmevxenq actually be rotcxnmevxenq.sys?
2. Should I try to use the burned XP CD with SP3 or my original XP pre-SP1 disc (which is what this was installed from)?

Thank you!

#19 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 24 September 2009 - 06:07 PM

You are disabling the service, not the file:

    --- Services - GMER 1.0.15 ----
    Service C:\WINDOWS\system32\drivers\rotscxtjlhaiiy.sys (*** hidden *** ) [SYSTEM] rotcxnmevxenq <-- ROOTKIT !!!
    Service C:\WINDOWS\system32\drivers\UACuxqunfhbqg.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT!!!

Blue = File (the .sys path after "Service")
Red = Service (the name at the end of each line)



#20 sarcasmic (Topic Starter)

Posted 24 September 2009 - 07:46 PM

    Expand X:\i386\eventlog.dl_ C:\WINDOWS\system32\eventlog.dll Replace the X with the letter assigned to your CD-ROM
    Expand X:\i386\Explorer.ex_ C:\WINDOWS\Explorer.exe Replace the X with the letter assigned to your CD-ROM


After typing each of these commands I got the message "Unable to create file eventlog.dll. 0 file(s) expanded" and also "Unable to create file explorer.exe. 0 files expanded"

Whenever I typed MAP, it told me that my E:\ was the CD-ROM drive. But last night, whenever I was copying files, the F:\ was my CD-ROM drive. E:\ is my second partition on the HDD when everything was working correctly.

Should I try these commands again from "expand F:\ ..."?

#21 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 24 September 2009 - 09:48 PM

    Expand X:\i386\eventlog.dl_ C:\WINDOWS\system32\eventlog.dll Replace the X with the letter assigned to your CD-ROM
    Expand X:\i386\Explorer.ex_ C:\WINDOWS\Explorer.exe Replace the X with the letter assigned to your CD-ROM

    After typing each of these commands I got the message "Unable to create file eventlog.dll. 0 file(s) expanded" and also "Unable to create file explorer.exe. 0 files expanded"

    Whenever I typed MAP, it told me that my E:\ was the CD-ROM drive. But last night, whenever I was copying files, the F:\ was my CD-ROM drive. E:\ is my second partition on the HDD when everything was working correctly.

    Should I try these commands again from "expand F:\ ..."?

You can confirm that by switching drives. For example:

Type E: and press Enter. That should switch you to the E:\ drive. Type Dir and press Enter. You will see the contents of the drive. The installation CD should have an i386 folder. Type cd E:\i386. That should switch you to the E:\i386 folder. Type Dir and press Enter. You will see the contents of the i386 folder. Both the eventlog.dl_ and the Explorer.ex_ will be present.

Type C: and press Enter to return to the C: drive. Let's add some commands to the set. Remember, do this at the C:\Windows prompt:

    Ren C:\Windows\Explorer.exe Explorer.old
    Ren C:\WINDOWS\system32\eventlog.dll eventlog.old

    Expand X:\i386\eventlog.dl_ C:\WINDOWS\system32\eventlog.dll
    Expand X:\i386\Explorer.ex_ C:\WINDOWS\Explorer.exe

Replace the X with the letter assigned to your CD-ROM.



#22 sarcasmic (Topic Starter)

Posted 24 September 2009 - 10:17 PM

Ok, same problem. I did verify that it was e: using the method you listed. I still got the message "Unable to create file eventlog.dll" and same for explorer.exe.

I checked the Windows drive to see that Explorer.exe was changed to Explorer.old. When I checked the System32 folder though, eventlog.dll was no longer there, and neither was eventlog.old.


I did not try any of the other commands since these first two did not work.

Thanks again. I appreciate all the effort you've put into this.

#23 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 24 September 2009 - 10:35 PM

Replace the Expand commands with the following, starting at the C:\Windows prompt:

Copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe
cd System32
Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll



#24 sarcasmic (Topic Starter)

Posted 24 September 2009 - 10:45 PM

Ok, I feel like we're making progress now.

The command Disable UACd.sys worked.

The command Disable rotcxnmevxenq says that the "registry entry for the rotcxnmevxenq service cannot be located. Check that the name of the service is specified correctly."

I didn't go any further down the list.

#25 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 25 September 2009 - 03:20 AM

    Ok, I feel like we're making progress now.

    The command Disable UACd.sys worked.

    The command Disable rotcxnmevxenq says that the "registry entry for the rotcxnmevxenq service cannot be located. Check that the name of the service is specified correctly."

    I didn't go any further down the list.

Keep on going. The strategy against this virus is timing. If you allow it to spread, there will be no option but to reformat.



#26 sarcasmic (Topic Starter)

Posted 25 September 2009 - 06:02 AM

Ok, when I got up this morning, I found that the computer had BSOD'ed, IRQL_NOT_LESS_OR_EQUAL, so I had no choice but to restart. I have been getting this BSOD a lot while trying to install Windows onto a new hard drive.


Regardless, after restarting I verified that the files we copied were still there, then continued down the list.

I was able to delete rotscxtjlhaiiy.sys, I assume, since after typing it I wasn't given an error.

When I went to delete the other driver, the UAC driver, I got the error that it could not be found.

I typed Exit, restarted, and was able to log back into ordinary Safe Mode, but not Safe Mode with Networking or starting Windows normally.

After getting Windows to load, the desktop is working like it hasn't in weeks. I didn't want to waste this opportunity, so I ran dds.scr (successfully for the first time).

I burned the two .txt's to a CD. I'm not sure if that was a great idea. Here is the log:


DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Josh at 6:40:31.85 on Fri 09/25/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.369 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://search.msn.com
mSearch Page = hxxp://www.google.com
mStart Page = about:blank
mSearch Bar = about:blank
uSearchURL,(Default) = about:blank
BHO: {00812475-e4d1-4cf0-90c4-fb2899dd688b} - c:\windows\system32\Audio3.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: : {6180c051-3446-439c-9725-3dddc16ce688} - c:\windows\temp\~128.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: BHO: {bc36f9fb-688e-4f8d-8622-55d30a28a08f} - c:\windows\system32\iehelper.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [SafetyCenter] c:\program files\safetycenter\start.exe
dRun: [inixs] c:\windows\system32\minix32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
Trusted Zone: delta.com\dlnet
DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {B6B644B8-6C76-471F-8843-2F08CCAF777E} = 205.152.37.23,205.152.144.23
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {c569b8da-d929-4c57-9add-c071c13c1fad} - c:\windows\sa22.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\nwouwwf2.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\josh\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
S2 SvcProc;System Startup Service ;c:\windows\svcproc.exe --> c:\windows\svcproc.exe [?]
S3 {79007602-0CDB-4405-9DBF-1257BB3226EE};{79007602-0CDB-4405-9DBF-1257BB3226EE};\systemroot\win32k.sys:2 --> \systemroot\win32k.sys:2 [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2004-11-24 55999]
S3 el985nd5;3Com Gigabit Ethernet Server NIC (SX/TX);c:\windows\system32\drivers\el985n51.sys [2004-11-24 455199]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\naveng.sys [2009-7-10 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\navex15.sys [2009-7-10 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]

=============== Created Last 30 ================

2009-09-24 06:30 20,992 a------- c:\windows\system32\rotscxieqiixim.dll
2009-09-24 06:30 44,544 a------- c:\windows\system32\rotscxkorxegew.dll
2009-09-24 01:01 3,542 a------- c:\windows\system32\rotscxapfqpfxm.dat
2009-09-24 00:31 288,768 a------- C:\qzfxle4f.exe
2009-09-23 06:04 288,768 a------- C:\t5e5o6qm.exe
2009-09-22 22:23 43 a------- c:\windows\system32\rotscxatkyijnk.dat
2009-09-22 21:02 388,608 a------- c:\windows\system32\cmd.execf
2009-09-18 22:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\17590154
2009-09-18 22:20 <DIR> --d----- c:\program files\SafetyCenter
2009-09-18 22:20 2,198 a------- C:\oWVmF4dt.bat
2009-09-18 22:20 117,760 a------- c:\windows\system32\Audio3.dll
2009-09-17 21:10 345,088 a------- c:\windows\system32\desot.exe
2009-09-17 21:10 86 a------- c:\windows\system32\sonhelp.htm
2009-09-17 21:09 <DIR> --d----- c:\program files\Windows Police Pro
2009-09-17 21:09 29,696 a------- c:\windows\system32\UACcvpqlqqved.dll
2009-09-17 21:09 19,968 a------- c:\windows\system32\UACkmukdwlakd.dll
2009-09-17 21:09 1,390,820 a------- c:\windows\system32\UACwpkfbdfond.db
2009-09-17 21:09 6,985 a------- c:\windows\system32\uacinit.dll
2009-09-17 21:09 217 a------- c:\windows\system32\UACmtftlovrpw.dat
2009-09-17 21:09 74,752 a------- c:\windows\system32\UACdltocxmqwr.dll
2009-09-17 21:08 2,560 a------- c:\windows\syssvc.exe
2009-09-17 21:08 12,032 a------- c:\windows\system32\iehelper.dll
2009-09-17 21:07 26,624 a------- c:\windows\system32\UACxvvcgooogp.dll
2009-09-17 21:07 <DIR> --d----- C:\spoolerlogs
2009-09-17 21:04 19,456 -------- c:\windows\system32\rotscxarwdydyx.dll
2009-09-17 20:59 160,768 a------- c:\windows\msa.exe
2009-09-17 20:59 20,992 a------- c:\windows\system32\rotscxbuhtaswn.dll
2009-09-17 20:59 99,977 a------- c:\windows\system32\rotscxrwtxueov.dat
2009-09-17 20:59 44,544 a------- c:\windows\system32\rotscxqbimrmpj.dll
2009-09-17 20:59 0 a------- c:\windows\win32k.sys
2009-09-17 20:59 <DIR> --d----- c:\program files\jgfkdm
2009-09-17 20:58 36,864 a------- c:\windows\system32\net.net
2009-09-17 20:47 991,347 a------- c:\windows\system32\xa.tmp
2009-09-16 18:30 <DIR> --d----- c:\program files\collln

==================== Find3M ====================

2008-02-07 23:16 87,608 a------- c:\docume~1\josh\applic~1\inst.exe
2008-02-07 23:16 47,360 a------- c:\docume~1\josh\applic~1\pcouffin.sys

============= FINISH: 6:40:52.12 ===============

#27 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 25 September 2009 - 10:19 AM

Hi, sarcasmic :(

From what I understand you have a GUI interface. If that is the case, let's do this manually:

Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Tools from the menu
  • Select Folder Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Remove the checkmark from Hide extensions for known file types
  • Remove the checkmark from Hide protected operating System files
  • Select Apply to All Folders | Yes | Apply | OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\program files\collln
c:\program files\safetycenter
c:\documents and settings\All Users\Application Data\17590154
c:\program files\Windows Police Pro
c:\program files\jgfkdm


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\windows\system32\minix32.exe
c:\windows\sa22.dll
c:\windows\svcproc.exe
c:\windows\system32\rotscxieqiixim.dll
c:\windows\system32\rotscxkorxegew.dll
c:\windows\system32\rotscxapfqpfxm.dat
c:\windows\system32\rotscxatkyijnk.dat
C:\oWVmF4dt.bat
c:\windows\system32\desot.exe
c:\windows\system32\UACcvpqlqqved.dll
c:\windows\system32\UACkmukdwlakd.dll
c:\windows\system32\UACwpkfbdfond.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmtftlovrpw.dat
c:\windows\system32\UACdltocxmqwr.dll
c:\windows\syssvc.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\UACxvvcgooogp.dll
c:\windows\msa.exe
c:\windows\system32\rotscxbuhtaswn.dll
c:\windows\system32\rotscxrwtxueov.dat
c:\windows\system32\rotscxqbimrmpj.dll
c:\windows\win32k.sys
c:\windows\system32\net.net
c:\windows\system32\xa.tmp


Go to Start -> Run, type CMD and click Ok. That should take you to a command prompt. At the prompt type the following and press Enter after each line:

SC DELETE SvcProc
SC DELETE {79007602-0CDB-4405-9DBF-1257BB3226EE}
EXIT


I believe there is a chance to recover. After the above, restart and attempt to run Combofix.


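The by-hand triage JSntgRvr did on the DDS log in #26 (a service whose image file is gone, a GUID-named service whose image is an alternate data stream of win32k.sys, executables freshly dropped at the root of C:, a zero-byte win32k.sys outside system32), written out as a script. This is an added example, not code from this thread or from the DDS tool; the line layout is inferred from the log as posted, and the heuristics and the SYSTEM32_ONLY list are my own.

```python
"""Triage a DDS log's SERVICES / DRIVERS and Created Last 30 sections. Added example, not
code from this thread or the DDS tool: layout inferred from the log posted above, heuristics mine."""
import re

# Abridged copy of the DDS log posted above (raw string keeps the backslashes literal).
SAMPLE_LOG = r"""============= SERVICES / DRIVERS ===============
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S2 SvcProc;System Startup Service ;c:\windows\svcproc.exe --> c:\windows\svcproc.exe [?]
S3 {79007602-0CDB-4405-9DBF-1257BB3226EE};{79007602-0CDB-4405-9DBF-1257BB3226EE};\systemroot\win32k.sys:2 --> \systemroot\win32k.sys:2 [?]
=============== Created Last 30 ================
2009-09-24 06:30 20,992 a------- c:\windows\system32\rotscxieqiixim.dll
2009-09-24 00:31 288,768 a------- C:\qzfxle4f.exe
2009-09-18 22:20 <DIR> --d----- c:\program files\SafetyCenter
2009-09-17 20:59 0 a------- c:\windows\win32k.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "S2 name;display;image [date size]", or "image --> image [?]" when DDS could not read the file.
SERVICE_RE = re.compile(r"^[SR?]\d?\s+([^;]+);[^;]*;(.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# A ':' inside the last path component (never the drive letter) marks an alternate data stream.
ADS_RE = re.compile(r"[\\/][^\\/:]+:[^\\/:]+$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".scr", ".com")
SYSTEM32_ONLY = {"win32k.sys", "eventlog.dll", "svchost.exe"}  # same name elsewhere is a decoy

def split_sections(text):
    """Map each '=== title ===' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections

def triage_services(lines):
    """Return [(service, image path, reasons)] for suspicious SERVICES / DRIVERS entries."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1).strip(), m.group(2)
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        reasons = []
        if rest.endswith("[?]"):
            reasons.append("image file missing or unreadable")
        if GUID_RE.match(name):
            reasons.append("service named by a bare GUID")
        if ADS_RE.search(image):
            reasons.append("image path is an NTFS alternate data stream")
        if reasons:
            findings.append((name, image, reasons))
    return findings

def triage_recent_files(lines):
    """Return [(path, reasons)] for suspicious Created Last 30 entries; directories are skipped."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m.group(1) == "<DIR>":
            continue
        size, path = int(m.group(1).replace(",", "")), m.group(2)
        folder, _, fname = path.lower().rpartition("\\")
        reasons = []
        if folder == "c:" and fname.endswith(EXEC_EXT):
            reasons.append("executable dropped in the root of C:")
        if fname in SYSTEM32_ONLY and folder != r"c:\windows\system32":
            reasons.append("Windows file name outside system32 (decoy)")
        if size == 0 and fname.endswith(EXEC_EXT):
            reasons.append("zero-byte executable")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Run over SAMPLE_LOG, `triage_services` flags SvcProc and the GUID service and `triage_recent_files` flags C:\qzfxle4f.exe and c:\windows\win32k.sys, the same items JSntgRvr singled out in #27; the Symantec driver and the rotscx DLL pass because these heuristics only look at structure, not at names.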

#28 sarcasmic (Topic Starter)

Posted 25 September 2009 - 04:34 PM

Ok, I was able to delete all the folders requested.

For the files, I was not able to locate and delete the following files:

c:\windows\system32\minix32.exe
c:\windows\sa22.dll
c:\windows\svcproc.exe


Also, there was an additional file that looked suspicious that I thought should be deleted, but I haven't yet as it wasn't on your list:

c:\windows\system32\rotscxarwdydyx.dll


I was able to delete the services you requested in the CMD prompt.

I will wait to run Combo-fix until I know whether to delete that other rogue file.

Thank you so much for your help. I feel like the finish line has to be right around the corner.

#29 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 25 September 2009 - 05:06 PM

You bet. Can you run Combofix now?

Edited by JSntgRvr, 25 September 2009 - 05:08 PM.



#30 sarcasmic (Topic Starter)

Posted 25 September 2009 - 06:18 PM

Combofix is saying that my antivirus is still running.

How do I disable it? I went into Configure File System Auto-Protect and unchecked the "Enable Auto-Protect" box. I did the same for "Internet E-mail Auto-Protect".

I restarted Symantec to make sure that the changes took effect, then closed it again.

The Warning!! I get from Combo-fix says:

antivirus: Symantec Antivirus Corporate Edition

The above real time scanner(s) are still active but comboFix shall continue to run. Kindly note that this is at your own risk

Any thoughts?

The processes that are currently running in the task manager are:

cmd.execf
taskmgr.exe
EXPLORER.exe
NirCmd.cfxxe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process SYSTEM




