Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by antivirus 2010


  • Please log in to reply
19 replies to this topic

#1 saltyhnter

saltyhnter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 11 October 2009 - 09:00 PM

HELP, I had been hit by the antivirus 2010 and used MalwareBytes ANTI-Malware to try and clean,,,now getting redirects which install more stuff,,,,need help,,,not touching anything until someone directs me what to do,....Ned your help badly...

BC AdBot (Login to Remove)

 


#2 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:19 AM

Posted 11 October 2009 - 09:07 PM

Hello saltyhnter
can you please post the latest log from mbam for someone to look at.

Regards


D_N_M

#3 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 11 October 2009 - 09:29 PM

Here ya go,,,thanks for the quick response

Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 2

10/11/2009 9:07:46 PM
mbam-log-2009-10-11 (21-07-46).txt

Scan type: Quick Scan
Objects scanned: 100794
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 26

Memory Processes Infected:
C:\Documents and Settings\kmiller\Application Data\seres.exe (Rogue.AntiVirusPro) -> Unloaded process successfully.
C:\Documents and Settings\kmiller\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\kmiller\ntuser.dll (Trojan.Opachki) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\kmiller\ntuser.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\kmiller\Application Data\lizkavd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Local Settings\Temporary Internet Files\Content.IE5\C5QFO1MJ\Install[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Delete on reboot.
C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Application Data\seres.exe (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\kmiller\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\kmiller\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

#4 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 11 October 2009 - 09:36 PM

If I go to google after cleaning,,,and type in any search,,,,including yahoo,,,,then any hyperlink has this in it,,,,

I wont click on it,,,,just right click to get properties.....if I clicked something it gets infected with more so not clicking

hxxp://livefeedinc.com/?do=rphp&sub=35.../www.yahoo.com/

Edited by boopme, 12 October 2009 - 09:53 AM.
Neutralized link~~boopme


#5 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:19 AM

Posted 12 October 2009 - 09:17 AM

Hello saltyhnter
good job on the mbam log :thumbsup:
But your log shows you still have service pack 2 for windows? :trumpet:
is there any reason you have not yet upgraded to service pack 3?
when was the last time you have updated windows? :flowers:
Please update windows and mbam re-run a scan with mbam and post a new log.

Regards

D_N_M

#6 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 12 October 2009 - 09:24 AM

ok,,,,back to you shortly....

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:19 AM

Posted 12 October 2009 - 09:57 AM

Hello, it may be better to first be syre the PC is clean as it may inhibit the SP3 update.
Did you reboot normally after that last MBAM scan?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 14 October 2009 - 07:42 PM

OK,,,sorry, had to work the last few nights,,,,ran all as you said and it appears to be clean,,,,here are the log files,,,,
I upgraded all the updates,,,,,,

the first log is from running it from your first request

Then went into safe mode, and did exactly as you said,,,,went thru all the steps,,,,seems the browser is now cleaned up,,,,but I will let you tell me.

First scan

Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3

10/12/2009 8:32:05 PM
mbam-log-2009-10-12 (20-31-48).txt

Scan type: Quick Scan
Objects scanned: 101969
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\kmiller\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\kmiller\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.


******************************************
second log

Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/13/2009 6:40:44 PM
mbam-log-2009-10-13 (18-40-13).txt

Scan type: Quick Scan
Objects scanned: 100307
Time elapsed: 11 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\kmiller\ntuser.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\kmiller\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\kmiller\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.


****************************************************


third log file
Malwarebytes' Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/13/2009 8:33:47 PM
full scan mbam-log-2009-10-13 (20-33-32).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 297646
Time elapsed: 1 hour(s), 24 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I m hoping,,,,I am a network engineer so you dont have to worry about being too technical with me,,,usually
I have been able to handle stuff like this,,,but this one kicked my but...

Thanks :thumbsup:
Kevin

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:19 AM

Posted 14 October 2009 - 09:27 PM

OK that looks good. Did you run the ATf and SAS tools also. Did SAS find anything?
How is the PC running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 18 October 2009 - 05:13 PM

Hi,
Thanks, I ran both, and it appeared to be totally cleaned until today it started a new program pretty much
on its own,,,,,,antivirus police, I just opened a browser today, and it went haywire, its been running clean
for a week, and was running clean before today. This one disabled the taskmanager, I was able to follow
some of the instructions you had in the cleaning article, I tried the reg fix for taskmanager, it said file infect, and it
wouldnt allow any windows processes, I got it to boot to safe mode where i went thru the processes again of what you
told me, and it found 110 infected items in memory, registry and files, I cleaned again and its rebooting now, so i will let you know.

Could this have had a time bomb in a file somewhere,,,,it seems ironic 1 week to the day, and I havnt used this computer for anything.

Kevin

#11 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 18 October 2009 - 05:21 PM

Lets add to that, Task manager is still disabled, when I ping, it gives me a wierd character, and then pings a strange DNS name,,,,,so still infected....

OK,,,guess I need to take guidance some more.....what do you need from me,,,,it broke malware bytes, deleted the mbam.exe, so I ran the install program again, its running malware bytes. From there guess I need your direction.

Sorry I wasnt back sooner, but I was off working on a huge system I am building for my office.

Kevin

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:19 AM

Posted 18 October 2009 - 08:58 PM

I think we picked up some rootkits..

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 20 October 2009 - 08:10 PM

OK,,,,
Here it is,,,,the report is below, it appears the http is broken in the IE,,,,,I have a program I run for DYN DNS and it is failing also with the following error

Unable to refresh host list. WinHttpSendRequest failed

Also the ping utility appears to be intercepted but it appears to resolve the name,,,man, this is nasty

If I ping I get this weird character

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\kmiller>ping www.msn.com

Pinging us.port.msn.com.nsatc.net [] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for :
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\kmiller>ping www.google.com

Pinging www.l.google.com [] with 32 bytes of data: <<<<<<SEE STRANGE CHARACTER

Reply from 74.125.91.147: bytes=32 time=54ms TTL=242
Reply from 74.125.91.147: bytes=32 time=55ms TTL=242
Reply from 74.125.91.147: bytes=32 time=55ms TTL=242
Reply from 74.125.91.147: bytes=32 time=56ms TTL=242

Ping statistics for :
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 54ms, Maximum = 56ms, Average = 55ms

C:\Documents and Settings\kmiller>


***************************************
OK,,,,here is my report from the rootrepeal...good luck


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 22:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB79B2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7992000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb7aa70b0

Stealth Objects
-------------------
Object: Hidden Handle [Index: 300, Type: Event]
Process: TeaTimer.exe (PID: 3636) Address: 0x89d50288 Size: -

==EOF==

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:19 AM

Posted 21 October 2009 - 02:44 PM

I think we shopuld run 2 more tools.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Drweb-cureit
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 saltyhnter

saltyhnter
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:19 AM

Posted 22 October 2009 - 08:26 PM

OK,,,,Thank you for being patient,,,,its been a long week,,,,,huge project I am on.

Alright, did all you said, ran Dr web, found some junk, had me restore the hosts file, which
would explain the internet stuff. When I rebooted it hung, trying to boot to floppy drive,
not sure why, it just kept clicking the drive time and again, anyhow,,,had to start to go to
safe mode, got the screen said start windows normally, and it booted. Just wanted to let
you know that in case you saw any importance. It found some files on my other drives, which
are service files, tools and such from cisco,,,but here is the report file, I havnt done anything,
tried to go on the internet or otherwise. Waiting til you look it over.

Thanks again

mazileve.exe;C:\WINDOWS\system32;Trojan.Fakealert.5811;Deleted.;
buxuhto.exe;C:\;Trojan.DownLoad.47337;Deleted.;
vyiy.exe;C:\;Trojan.Fakealert.5811;Deleted.;
RegUBP2b-kmiller.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
SZPro5.msi/stream003\STOPzillaExe;C:\Documents and Settings\kmiller\Local Settings\Temp\STOPzilla!\SZPro5.msi/stream003;Trojan.Fakealert.4602;;
stream003;C:\Documents and Settings\kmiller\Local Settings\Temp\STOPzilla!;Archive contains infected objects;;
SZPro5.msi;C:\Documents and Settings\kmiller\Local Settings\Temp\STOPzilla!;Archive contains infected objects;Moved.;
G6FTPSrv.exe;C:\Program Files\G6 FTP Server;Program.BpFTP.3;Moved.;
neacsysguard.exe;C:\Program Files\olmrte;Trojan.Fakealert.4943;Deleted.;
gayusomi.exe\sisa.exe;C:\WINDOWS\system32\gayusomi.exe;Trojan.Fakealert.5465;;
gayusomi.exe;C:\WINDOWS\system32;Archive contains infected objects;Moved.;
vncviewer.exe;G:\CCVP School\Audio Folder\SHARE_SHARE_CISCO\CCIEVOICE\Cisco\CallManagerInstallationCrackForUnsupportedServers\makemcs\C\utils;Program.RemoteAdmin;Moved.;
vncviewer.exe;G:\CCVP School\Audio Folder\SHARE_SHARE_CISCO\Cisco\CallManagerInstallationCrackForUnsupportedServers\makemcs\C\utils\VNC\vnc_x;Program.RemoteAdmin;Moved.;
vncviewer.exe;G:\CCVP School\CCIE Folder\CCIEVOICE\Cisco\CallManagerInstallationCrackForUnsupportedServers\makemcs\C\utils\VNC\vnc_x86_win32\;Program.RemoteAdmin;Moved.;
vncviewer.exe;G:\CCVP School\CCIE Folder\Cisco\CallManagerInstallationCrackForUnsupportedServers\makemcs\C\utils\VNC\vnc_x86_win32\vncviewer;Program.RemoteAdmin;Moved.;
win-OS-Upgrade-K9.2000-4-4a-sr3a.exe/win-OS-Upgrade-K9.2000-4-x-Common.exe/RealVNC4.1.2.exe/vnc-4_1_2-x86_win32.exe\data005;G:\CCVP School\CCM upgrade Procedure_Tools413_423\win-OS-Upgrade-K9.2000-4-4a-sr3a.exe/win-OS-Upgrade-K9.2000-4-x-Common.exe/Re;Program.RemoteAdmin.51;;
\vnc-4_1_2-x86_win32.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423;Archive contains infected objects;;
\RealVNC4.1.2.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423;Archive contains infected objects;;
\win-OS-Upgrade-K9.2000-4-x-Common.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-4-4a-sr3a.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;G:\CCVP School\CCM upgrade Procedure_Tools413_423\win-OS-Upgrade-K9.2000-4-4a.exe/files\Utils\VNC\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
\files\Utils\VNC\vnc-4_1_2-x86_win32.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423\win-OS-Upgrade-K9.2000-4-4a.exe/files\Utils\VNC;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-4-4a.exe;G:\CCVP School\CCM upgrade Procedure_Tools413_423;Archive contains infected objects;Moved.;
vnc-4.0-x86_win32.exe\data002;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\win-OS-Upgrade-K9.2000-2-7.exe/files\Utils\VNC\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data003;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\win-OS-Upgrade-K9.2000-2-7.exe/files\Utils\VNC\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data004;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\win-OS-Upgrade-K9.2000-2-7.exe/files\Utils\VNC\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
vnc-4.0-x86_win32.exe\data006;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\win-OS-Upgrade-K9.2000-2-7.exe/files\Utils\VNC\vnc-4.0-x86_win32.exe;Program.RemoteAdmin;;
\files\Utils\VNC\vnc-4.0-x86_win32.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\win-OS-Upgrade-K9.2000-2-7.exe/files\Utils\VNC;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-2-7.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade;Archive contains infected objects;Moved.;
win-OS-Upgrade-K9.2000-4-4a-sr3a.exe/win-OS-Upgrade-K9.2000-4-x-Common.exe/RealVNC4.1.2.exe/vnc-4_1_2-x86_win32.exe\data005;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades\win-OS-Upgrade-K9.2000-4-4a-sr3a.exe/win-OS-Upgrade-K9.2000-4-x-Co;Program.RemoteAdmin.51;;
\vnc-4_1_2-x86_win32.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades;Archive contains infected objects;;
\RealVNC4.1.2.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades;Archive contains infected objects;;
\win-OS-Upgrade-K9.2000-4-x-Common.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-4-4a-sr3a.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades\win-OS-Upgrade-K9.2000-4-4a.exe/files\Utils\VNC\vnc-4_1_2-x86_win3;Program.RemoteAdmin.51;;
\files\Utils\VNC\vnc-4_1_2-x86_win32.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades\win-OS-Upgrade-K9.2000-4-4a.exe/files\Utils\VNC;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-4-4a.exe;G:\Cisco CM_Unity Folder\Call Manager OS Upgrade\cm_upgrades;Archive contains infected objects;Moved.;
autofs-4.1.3-186.i386.rpm/autofs-4.1.3-186/gziped.gz\./usr/lib/autofs/lookup_userhome.so;G:\Cisco CM_Unity Folder\CallManager Images from cisco\E911 server\RedHat\RPMS\autofs-4.1.3-186.i386.rpm/autofs-4.1.3-186/gzipe;Modification of Win95.Dedo.1286;;
gziped.gz;G:\Cisco CM_Unity Folder\CallManager Images from cisco\E911 server\RedHat\RPMS;Archive contains infected objects;;
autofs-4.1.3-186;G:\Cisco CM_Unity Folder\CallManager Images from cisco\E911 server\RedHat\RPMS;Archive contains infected objects;;
autofs-4.1.3-186.i386.rpm;G:\Cisco CM_Unity Folder\CallManager Images from cisco\E911 server\RedHat\RPMS;Archive contains infected objects;Moved.;
tightvnc-1.2.9-setup.exe\data002;G:\Downloaded programs\tightvnc-1.2.9-setup.exe;Program.RemoteAdmin;;
tightvnc-1.2.9-setup.exe\data003;G:\Downloaded programs\tightvnc-1.2.9-setup.exe;Program.RemoteAdmin;;
tightvnc-1.2.9-setup.exe;G:\Downloaded programs;Archive contains infected objects;Moved.;
ftpsetup.exe\data002;G:\Downloaded programs\Stuff from Jus\apps\bulletproof ftp with crack\ftpsetup.exe;Program.BpFTP.3;;
ftpsetup.exe;G:\Downloaded programs\Stuff from Jus\apps\bulletproof ftp with crack;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;G:\Downloaded programs\VNC Serv_Vie\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
vnc-4_1_2-x86_win32.exe;G:\Downloaded programs\VNC Serv_Vie;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe\data005;G:\Files from IBM\Daily Computer Files\Downloaded Programs\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
vnc-4_1_2-x86_win32.exe;G:\Files from IBM\Daily Computer Files\Downloaded Programs;Archive contains infected objects;Moved.;
ftpsetup.exe\data002;G:\Files from IBM\Work folder\bulletproof ftp with crack\ftpsetup.exe;Program.BpFTP.3;;
ftpsetup.exe;G:\Files from IBM\Work folder\bulletproof ftp with crack;Archive contains infected objects;Moved.;
vncviewer.exe;G:\Network Tools\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
Win-Spy Eval Setup.exe\4.ima;G:\Packard Bell\My Download Files\Win-Spy Eval Setup.exe;Modification of BackDoor.Chick;;
Win-Spy Eval Setup.exe;G:\Packard Bell\My Download Files;Archive contains infected objects;Moved.;
Win-Spy Setup.exe\4.ima;G:\Packard Bell\My Download Files\Win-Spy Setup.exe;Modification of BackDoor.Chick;;
Win-Spy Setup.exe;G:\Packard Bell\My Download Files;Archive contains infected objects;Moved.;
vnc-4_1-x86_win32.exe\data003;G:\System Backups\Sys Recovery Bedroom10-01-06\My Documents\computer setup\Downloaded programs\vnc-4_1-x86_win32.exe;Program.RemoteAdmin;;
vnc-4_1-x86_win32.exe\data005;G:\System Backups\Sys Recovery Bedroom10-01-06\My Documents\computer setup\Downloaded programs\vnc-4_1-x86_win32.exe;Program.RemoteAdmin;;
vnc-4_1-x86_win32.exe;G:\System Backups\Sys Recovery Bedroom10-01-06\My Documents\computer setup\Downloaded programs;Archive contains infected objects;Moved.;
RealVNC4.1.2.exe/vnc-4_1_2-x86_win32.exe\data005;G:\Work Tickets\Grappone Upgrade\win-OS-Upgrade-K9.2000-4-5a.exe/files\SUPPORT\Win2000.sp\RealVNC4.1.2.exe/vnc-4_1_2-x86_win32.;Program.RemoteAdmin.51;;
\vnc-4_1_2-x86_win32.exe;G:\Work Tickets\Grappone Upgrade\win-OS-Upgrade-K9.2000-4-5a.exe/files\SUPPORT\Win2000.sp;Archive contains infected objects;;
\files\SUPPORT\Win2000.sp\RealVNC4.1.2.exe;G:\Work Tickets\Grappone Upgrade\win-OS-Upgrade-K9.2000-4-5a.exe/files\SUPPORT\Win2000.sp;Archive contains infected objects;;
vnc-4_1_2-x86_win32.exe\data005;G:\Work Tickets\Grappone Upgrade\win-OS-Upgrade-K9.2000-4-5a.exe/files\Utils\VNC\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
\files\Utils\VNC\vnc-4_1_2-x86_win32.exe;G:\Work Tickets\Grappone Upgrade\win-OS-Upgrade-K9.2000-4-5a.exe/files\Utils\VNC;Archive contains infected objects;;
win-OS-Upgrade-K9.2000-4-5a.exe;G:\Work Tickets\Grappone Upgrade;Archive contains infected objects;Moved.;



Let me know if there is other things you need...

Thanks for all your help, these viruses are nasty.
Kevin




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users