Probable Virus


7 replies to this topic

#1 trevosejay

  • Members
  • 5 posts

Posted 23 September 2009 - 12:00 PM

I have a laptop running XP SP3 and AVG software. I plugged in my USB drive to get some school material off of it that I had done the previous day. AVG went nuts as soon as I plugged in the USB drive. It supposedly removed a bunch of malicious files and cleaned/quarantined them. Figuring that AVG had taken care of the problem, as it had before, I continued on my merry way. I double-clicked the Firefox shortcut and nothing happened. Weird. So I tried again; same result, nothing happened. Still weird. So I figured that I would try IE, even though it was an old version and I never use it. Same result as Firefox, absolutely nothing. Well, I must have picked something up that AVG did not spot. Next step is HijackThis, right? So I open HijackThis and there is no option to run a scan and save a logfile, strange. So I run the scan anyway, and it immediately closes. When I tried to open it again, Windows replied that I did not have permission to access the file. Tried to run it as an admin, as I'm the owner of the computer and an admin, but my password was not recognized. Safe mode time for another virus scan. I ran a command line scan from AVG, and there were several files that were locked and could not be scanned. I don't have the report that was saved, as I don't want to reconnect that computer to my network again. I'm writing this from my netbook, which runs Ubuntu 9.04. I'm at my wit's end here. Normally if something gets by AVG I can take care of it, but this is a real stumper. Please help.


Thanks,
Trevosejay

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 24 September 2009 - 08:22 PM

You picked up the new rootkit out there


We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push OK.
  • Check the box for your main system drive (usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: click Settings > Options and set the Disk Access slider to High.

Also try: right-click on RootRepeal.exe and rename it to tatertot.scr.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 trevosejay

  • Topic Starter
  • Members
  • 5 posts

Posted 27 September 2009 - 03:43 PM

Can I run this application off of a clean thumb drive? I cannot get either one of my browsers to open and cannot download anything, but I can download from another source and copy it onto the thumb drive.

#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 27 September 2009 - 08:15 PM

Yes

Also, on the computer that you are going to download from, run this with your flash drive attached. We don't want it to spread.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root of the drive and running other malicious files.
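The autorun.inf-folder trick described in the note above, written out as an added example (this is not Flash_Disinfector's own code). It inspects an existing autorun.inf file for the keys that launch programs and otherwise reserves the name with a hidden folder; the sample autorun.inf content and the temp-directory "drive roots" are constructed for the demo.

```python
# Added example, not Flash_Disinfector's own code: the protective step the note above
# describes, written out. For a drive root it reports what an existing autorun.inf file
# would launch, or else creates an autorun.inf *folder* so that file name is taken.
import os
import sys
import tempfile

# Keys in an [autorun] section that make Windows run something when the drive appears.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Constructed sample content for the demo below; not taken from a real infection.
SAMPLE_AUTORUN = "[autorun]\nopen=example.exe\nicon=drive.ico\n"

def inspect_autorun(root):
    """Return {key: value} for launch-related keys in root/autorun.inf, or None if no such file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    found = {}
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith(";") or "=" not in line:
                continue                      # comment or "[autorun]" section header
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                found[key.strip().lower()] = value.strip()
    return found

def protect_root(root):
    """Create a hidden autorun.inf directory on the drive root; return what happened."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "already-protected"
    if os.path.isfile(path):
        return "autorun-file-present"         # leave it for the analyst; never delete blindly
    os.mkdir(path)
    if sys.platform == "win32":               # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x2 | 0x4)
    return "protected"

def demo():
    """Run both functions on two constructed temp 'drive roots'; return the five results."""
    clean, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return (inspect_autorun(clean), protect_root(clean), protect_root(clean),
            inspect_autorun(infected), protect_root(infected))
```

Later Windows versions and updates stopped honoring autorun.inf on USB drives, so the folder trick matters mostly on machines like the un-updated XP laptop in this thread.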

#5 trevosejay

  • Topic Starter
  • Members
  • 5 posts

Posted 02 October 2009 - 01:37 PM

So RootRepeal won't work on my Windows desktop, which is apparently healthy. And when I tried to download Flash_Disinfector.exe, AVG went nuts. Thanks. Any other suggestions?

This is not sarcastic in any way. Really, I'm at my wit's end here.

Edited by trevosejay, 02 October 2009 - 01:38 PM.


#6 trevosejay

  • Topic Starter
  • Members
  • 5 posts

Posted 02 October 2009 - 01:45 PM

After chancing it, I copied RootRepeal onto a flash drive and ran it on my infected laptop as tatertot.scr. It worked.

Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 14:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8EC6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADC2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA82B3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBAC10000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBA988000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba98a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba98d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba9980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba9a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba9ac0

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba9440

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba93b0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba93f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" at address 0xbaba9330

==EOF==
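A triage pass over a report in the layout posted above, as an added example that is not part of the thread or of RootRepeal. It flags drivers whose image path ends in a ":<stream>" suffix (an NTFS alternate data stream, the pattern behind win32k.sys:1 and win32k.sys:2 above) and SSDT hooks owned by a driver outside the installed security product's directory; the excerpt it parses is constructed, with shortened paths and an invented second hook, and treating the AVG directory as trusted is an assumption for this machine.

```python
# Added example, not from the thread or from RootRepeal: a triage pass over a report in
# the layout posted above. It flags drivers whose image path ends in ":<stream>" (an NTFS
# alternate data stream, as in win32k.sys:1) and SSDT hooks owned by an unexpected driver.
import re

# Constructed excerpt in RootRepeal's layout; paths shortened, the last hook is invented.
SAMPLE_REPORT = """\
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA8EC6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xBAC10000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\\Program Files\\AVG\\AVG8\\AVGIDSShim.sys" at address 0xbaba98a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\example_hook.sys" at address 0xbaba98d0
"""
TRUSTED_HOOK_PREFIXES = ("c:\\program files\\avg\\",)  # assumption: the AV installed here
# Matches "<drive>:\...\<file>:<stream>"; the drive-letter colon alone does not match.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*\\[^\\:]+:[^\\]+$")
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')

def triage(report):
    """Return (ads_drivers, untrusted_hooks) parsed from a RootRepeal report string."""
    lines = report.splitlines()
    section, name, ads_drivers, hooks = None, None, [], []
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section = line.strip()            # "Drivers", "SSDT", "Shadow SSDT", ...
        elif section == "Drivers" and line.startswith("Name: "):
            name = line[len("Name: "):].strip()
        elif section == "Drivers" and line.startswith("Image Path: "):
            path = line[len("Image Path: "):].strip()
            if ADS_RE.match(path):            # "File Visible: No" alone is common (dump_*)
                ads_drivers.append((name, path))
        elif section in ("SSDT", "Shadow SSDT"):
            m = HOOK_RE.search(line)
            if m and not m.group(1).lower().startswith(TRUSTED_HOOK_PREFIXES):
                hooks.append((section, m.group(1), m.group(2)))
    return ads_drivers, hooks
```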

#7 trevosejay

  • Topic Starter
  • Members
  • 5 posts

Posted 02 October 2009 - 02:03 PM

Also, I am able to run HijackThis off of the thumb drive. But it will not stay open after it scans, nor will it save a logfile.

#8 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 02 October 2009 - 08:18 PM

If you had read the green print on Flash Disinfector, you would have seen that what AVG saw was a false positive.

Turn off AVG when running this scan.


-- Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the Open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files, and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly; this is normal.
  • A file called Log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.



