
Combofix hangs @ D.D.S. part (after appr. 50 #'s)


  • This topic is locked
80 replies to this topic

#1 devnullius

devnullius

  • Members
  • 60 posts

Posted 29 November 2011 - 06:30 AM

Prelude here: http://www.bleepingcomputer.com/forums/topic429557.html .

Complete log set here: http://www.zumodrive.com/share/f48zM2Y0Ym .

In short: D.D.S. is not working, and I also have huge problems with the slow start of the computer. So slow, it even makes the startup sound crackle. Especially HDD activities seem to slow my laptop dooooown :(

Thank you for your help, given & future :)

Devnullius

Edited by devnullius, 29 November 2011 - 09:08 AM.



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,701 posts

Posted 04 December 2011 - 06:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429834 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 04 December 2011 - 02:37 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I need more information.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#4 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 04 December 2011 - 05:07 PM

(Just finishing loooong scan - I'll read previous reply in detail next... First, my own experiences, and the new log file cannot be attached directly to the forum - I'll upload the file (as zip archive) to my zumodrive-share http://www.zumodrive.com/share/f48zM2Y0Ym ).

Nothing has changed.

DDS still does not work.

AnVir Taskmanager (http://dottech.org/freebies/7292/dottech-exclusive-free-anvir-task-manager/) did not show anything suspicious.

I normally always use Avast Antivirus, but the last few months I'm experiencing stability problems with it :/ My friend's laptop is no exception. I've been using Avast for ages, I'm still sad and have not found a good rebound antivirus ; )

I've seen, without telling you guys, a true sign for a hidden active rootkit: I always have task manager open. When I look in the process list, I see (especially after startup) Idle times of >90% (even 95% and higher...). It is true that my programs aren't doing much, BUT when I look at the CPU graph, I see my first core on high CPU usage (kernel mode). Say, 60% approx.?

Concerning the sound stuttering, I once battled with that problem before (http://www.sevenforums.com/sound-audio/26494-does-anyone-actually-have-sound-stuttering-fix-5.html). Without checking up with this link, I remembered it had 'something' to do with network. And I recently installed spotflux free vpn client (USA). So I removed that program with Your Uninstaller! It did not fix anything. Removing all network adapters that weren't hardware related (LAN/WIFI), did not solve anything. So I system restored back...

Removing HDD driver in Device Manager and rebooting did not help either.

I'll first check the previous reply, but I'm really starting to think some root-kit is pulling my leg :( After that, I'll re-install LAN/WIFI with official Dell D420's drivers. According to GMER logs, I should also re-install User Profile Hive Cleanup. I'll do that, in time, too...

Thank you for your attention, starting to appreciate this forum more and more...

Peace!

Devnullius

EDIT: aswMBR log & dat uploaded to zumo-share.
EDIT: TDSSKiller logs uploaded to Zumodrive. 5 suspicious files skipped.

Edited by devnullius, 04 December 2011 - 06:40 PM.


#5 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 04 December 2011 - 06:24 PM

Skipped by TDSSkiller

cercsr6
Cercsr6.sys with description DELL CERC SATA1.5/6ch Miniport Driver is a driver file from company Adaptec, Inc. belonging to product Dell RAID Controller

SCDEmu
PowerISO Virtual Drive - scdemu - PowerISO Computing, Inc. ... Scdemu.sys with description PowerISO Virtual Drive is a driver file from company PowerISO
(sorry? ;p)

sp_prot
Our database contains single file for filename sp_prot.sys. This file belongs to product System Protect and was developed by company Xacti. This file has description System Protect Driver. This file contains driver. You can find it in the Drivers section of the System Explorer.
(SOURCE: http://systemexplorer.net/db/sp_prot.sys.html)

tap0901
Tap0901.sys with description TAP-Win32 Virtual Network Driver is a driver file from company The OpenVPN Project belonging to product TAP-Win32 Virtual Network Driver.
(SOURCE: http://www.runscanner.net/lib/tap0901.sys.html)

UnlockerDriver5
COPY: Across all ThreatExpert reports, the file "unlockerdriver5.sys" has never been identified as a threat.

Or, in short: nothing there according to Kaspersky, yet again. Curious what my old love avast is gonna teach us :s

Sigh, what we gonna do now? :(

Devvie

Edited by devnullius, 04 December 2011 - 06:41 PM.


#6 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 04 December 2011 - 06:43 PM

ALL LOGS POSTED, AS REQUESTED, HERE: http://www.zumodrive.com/share/f48zM2Y0Ym .

No space on forum!

Devnullius

EDIT:
aswMBR will CRASH when I run a full C:\ scan!
Error report:
avast! Antirootkit
Error signature
AppName: aswmbr.exe
Mod/Ver: 5.1.2600.6055
AppVer: 0.9.8.986
Offset: 00010cd0
ModName: ntdll.dll

The contents of the technical details, I cannot copy paste :|

Edited by devnullius, 05 December 2011 - 07:30 AM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 05 December 2011 - 09:42 AM

Let's take a look at your hard disk partitions.
Let's see if we find a hidden one.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

#8 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 05 December 2011 - 10:31 AM

I checked disk administrator - no hidden partitions (or free space).

Sigh :s And thank you! :)

Devnullius

EDIT: Put new log on zumo-share, aswMBR scan on C:\ in safe mode WITHOUT "Trace disk IO calls".
Now, I'll repeat the test WITH Trace option on, also in Safe mode. I'll repost results.

Edited by devnullius, 05 December 2011 - 11:37 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 05 December 2011 - 11:37 AM

Execute this when you can.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    consrv.dll
    winsrv.dll
    
    :regfind
    consrv
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
===

#10 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 05 December 2011 - 12:24 PM

What you thinking, Lassie? ; -)

sfc /scannow on previous attempts turned out ok?

SystemLook log pasted below.

Avast with IO monitoring crashes in safe mode when I do a complete scan on C:.

Grmbl.

Devvie

EDIT: SystemLook results:
SystemLook 30.07.11 by jpshortstuff
Log created at 19:17 on 05/12/2011 by Gebruiker's
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\WINDOWS\$hf_mig$\KB2507938\SP3QFE\winsrv.dll --a---- 293376 bytes [11:02 26/04/2011] [11:02 26/04/2011] F52D3C601CF618479F9AD43B07599BED
C:\WINDOWS\$hf_mig$\KB2567680\SP3QFE\winsrv.dll --a---- 293376 bytes [17:43 20/06/2011] [17:43 20/06/2011] 3C733ABE4F13206414F670F86C5F79D8
C:\WINDOWS\$NtServicePackUninstall$\winsrv.dll --a--c- 290816 bytes [16:02 20/10/2011] [10:00 04/08/2004] 442D0EAD5534E4ADCF6D4469043C82C0
C:\WINDOWS\ServicePackFiles\i386\winsrv.dll -----c- 293376 bytes [15:29 20/10/2011] [00:12 14/04/2008] 1618F36D4F7F6CCCEB3EE44BA95BE85C
C:\WINDOWS\system32\winsrv.dll --a---- 293376 bytes [10:00 04/08/2004] [17:44 20/06/2011] 95CF3446911A6E25EE4086DF8A45B2AA
C:\WINDOWS\system32\dllcache\winsrv.dll --a--c- 293376 bytes [10:00 04/08/2004] [17:44 20/06/2011] 95CF3446911A6E25EE4086DF8A45B2AA

========== regfind ==========

Searching for "consrv"
No data found.

-= EOF =-

Edited by devnullius, 05 December 2011 - 08:22 PM.
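As an added example (not code from the page, the poster or SystemLook), here is a parser for the filefind section above that checks whether the in-use system32 copy of a searched DLL still has the same size and MD5 as the dllcache copy that Windows File Protection restores from; the sample input is a few lines copied from the SystemLook log posted above.

```python
import re

# Constructed sample in SystemLook's ":filefind" output format. The paths, sizes
# and MD5 hashes are copied from the log posted above; other lines are omitted.
SAMPLE = r"""
========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\WINDOWS\$hf_mig$\KB2507938\SP3QFE\winsrv.dll --a---- 293376 bytes [11:02 26/04/2011] [11:02 26/04/2011] F52D3C601CF618479F9AD43B07599BED
C:\WINDOWS\$NtServicePackUninstall$\winsrv.dll --a--c- 290816 bytes [16:02 20/10/2011] [10:00 04/08/2004] 442D0EAD5534E4ADCF6D4469043C82C0
C:\WINDOWS\system32\winsrv.dll --a---- 293376 bytes [10:00 04/08/2004] [17:44 20/06/2011] 95CF3446911A6E25EE4086DF8A45B2AA
C:\WINDOWS\system32\dllcache\winsrv.dll --a--c- 293376 bytes [10:00 04/08/2004] [17:44 20/06/2011] 95CF3446911A6E25EE4086DF8A45B2AA
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# <path> <7 attribute flags> <size> bytes [<created>] [<modified>] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return {searched name (lower-case): [entry dicts]}; a name with no hits gives []."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            results[current].append(e)
    return results


def live_vs_dllcache(entries):
    """Compare the in-use system32 copy with the dllcache copy WFP restores from."""
    if not entries:
        return "not-found"
    live = cache = None
    for e in entries:
        folder = e["path"].lower().rsplit("\\", 1)[0]
        if folder.endswith("\\system32\\dllcache"):
            cache = e
        elif folder.endswith("\\system32"):
            live = e
    if live is None:
        return "not-in-system32"
    if cache is None:
        return "no-dllcache-copy"
    same = live["md5"] == cache["md5"] and live["size"] == cache["size"]
    return "match" if same else "MISMATCH"


def report(text):
    """Verdict per searched file name, e.g. {'consrv.dll': 'not-found', ...}."""
    return {name: live_vs_dllcache(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A "match" only shows that the two copies agree with each other, not that either is the genuine Microsoft file; comparing the hash against a known-good catalog is the stronger check.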


#11 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 05 December 2011 - 08:11 PM

Downloaded SysInternals's Rootkit Revealer.

Ran a scan, guess what :(

It crashed, with Send error report to Microsoft. I don't know what kind of nasty bleep is hidden within this install, but... ; (

The thing is, I found another computer from another friend (Windows 7 x86 Enterprise this time). She had a complaint about slow Chrome browsing. It turned out to be slow opening a new tab (CPU to 50% a 52%) OR slow searching from address bar. I ran combofix on that computer, and guess what... It hangs too :s She also has the same / "a" warez version of HDD Sentinel. I'll repost in 2 days about her computer... I first will further investigate THIS matter, learning from it when I go along :s

I'll EDIT the log of RootKit Revealer in a moment below - the part that didn't crash (as many others do :( ).

Peace!

Devnullius

EDIT: and I have to admit, in retrospect, I cannot guarantee (as opposed to claimed in my original post) that NO registry cleaning took place (TU 2010 on both computers, auto-maintenance turned on). Just in case...

EDIT: the STRANGEST sheit :(
When I try to save a log-file with sysinternals.com Rootkit Revealer, the program either crashes, or saves the log file BUT HIDDEN FROM API (I've seen this turn up 1 in the scan). From within RKR, I can see my created log files with the scan results, BUT in explorer - they are not there... Hidden from API? I guess so.

EVEN further... When I tried to create screenshots, mspaint would respond with an error. I put all screenshots on my zumo-share!!! I created them after multiple attempts :s

Also, I'll paste (if I figure out how) the log files below. Scan results ARE visible using the uploaded screenshots!! Log files do not appear when using attrib command.

What did I stumble upon? : ((

EDIT: scan results (log) for RKR, copy paste only. File is visible from within RKR (which created it). When I use Save dialogue from RKR, I right-click to open the NOW visible log files. Saving it with Notepad (which opens the hidden files just fine) under a different name does not make the new file visible. It stays hidden from API, I guess :s

---


HKU\S-1-5-21-1957994488-854245398-1801674531-1003\console_combofixbackup 29-10-2011 23:22 0 bytes Security mismatch.
HKU\S-1-5-21-1957994488-854245398-1801674531-1003\console_combofixbackup\Snelkoppeling naar Cleanup!.bat 29-10-2011 23:22 0 bytes Security mismatch.
HKU\S-1-5-21-1957994488-854245398-1801674531-1003\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\URL 31-10-2011 19:09 73 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 27-9-2011 11:36 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 27-9-2011 11:36 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 30-11-2011 22:13 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 30-11-2011 22:13 0 bytes Security mismatch.
C:\Documents and Settings\Gebruiker's\Cookies\7SP80G56.txt 6-12-2011 2:49 93 bytes Hidden from Windows API.
C:\Documents and Settings\Gebruiker's\Cookies\NQ8U4MMV.txt 6-12-2011 2:48 92 bytes Hidden from Windows API.
C:\Documents and Settings\Gebruiker's\Cookies\XP8IXT3G.txt 6-12-2011 2:47 93 bytes Visible in Windows API, but not in MFT or directory index.

---

REMARK about Swearware, it is OK (http://www.bleepingcomputer.com/forums/topic237130.html).

Edited by devnullius, 05 December 2011 - 09:19 PM.
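As an added example (not code from the page, the poster or Sysinternals), here is a small triage script for RootkitRevealer output like the log above: it parses each discrepancy line and ranks it, so that entries Windows produces on a clean system (the null-embedded LSA secret keys) and locations the analyst has already vetted (the thread itself notes Swearware\backup is fine) are separated from real API-versus-raw-data gaps that need a look. The sample is a handful of lines copied from the log above; the allow list is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the RootkitRevealer log posted above.
# Format: <path> <d-m-yyyy> <h:mm> <size> bytes <description>
SAMPLE_LOG = r"""
HKU\S-1-5-21-1957994488-854245398-1801674531-1003\console_combofixbackup 29-10-2011 23:22 0 bytes Security mismatch.
HKU\S-1-5-21-1957994488-854245398-1801674531-1003\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\URL 31-10-2011 19:09 73 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 27-9-2011 11:36 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN 30-11-2011 22:14 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 30-11-2011 22:13 0 bytes Security mismatch.
C:\Documents and Settings\Gebruiker's\Cookies\7SP80G56.txt 6-12-2011 2:49 93 bytes Hidden from Windows API.
C:\Documents and Settings\Gebruiker's\Cookies\XP8IXT3G.txt 6-12-2011 2:47 93 bytes Visible in Windows API, but not in MFT or directory index.
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$"
)

# Registry prefixes the analyst has already vetted as benign (an assumption of
# this example). Swearware\backup is the one the thread itself says is OK.
KNOWN_BENIGN_PREFIXES = (r"HKLM\SOFTWARE\Swearware\backup",)


def parse_rkr(text):
    """Parse RootkitRevealer discrepancy lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            is_reg = e["path"].upper().startswith(("HKLM", "HKU", "HKCU", "HKCR"))
            e["kind"] = "registry" if is_reg else "file"
            entries.append(e)
    return entries


def triage(entry, benign_prefixes=KNOWN_BENIGN_PREFIXES):
    """Rank one discrepancy: 'expected', 'transient', 'review' or 'investigate'."""
    low, desc = entry["path"].lower(), entry["desc"]
    if "embedded nulls" in desc and low.startswith(r"hklm\security\policy\secrets"):
        # Windows itself creates these null-embedded LSA secret keys (SAC*, SAI*);
        # they are reported on clean XP systems too.
        return "expected"
    if any(low.startswith(p.lower()) for p in benign_prefixes):
        return "expected"
    if desc.startswith("Visible in Windows API, but not in MFT"):
        # Usually a file written after the raw disk pass (cookies during a scan);
        # a rescan should make it disappear.
        return "transient"
    if desc.startswith(("Hidden from Windows API", "Data mismatch")):
        # A real cross-view gap: the API view and the raw on-disk data disagree.
        return "investigate"
    # "Security mismatch" and anything unrecognised: ACL or other difference in a
    # location not yet vetted, so it still needs a look, but it is not a hidden object.
    return "review"


def summarize(text, benign_prefixes=KNOWN_BENIGN_PREFIXES):
    """Return (Counter of verdicts, list of paths ranked 'investigate')."""
    verdicts = [(triage(e, benign_prefixes), e) for e in parse_rkr(text)]
    counts = Counter(v for v, _ in verdicts)
    to_investigate = [e["path"] for v, e in verdicts if v == "investigate"]
    return counts, to_investigate


if __name__ == "__main__":
    counts, paths = summarize(SAMPLE_LOG)
    print(dict(counts))
    for p in paths:
        print("INVESTIGATE:", p)
```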


#12 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 06 December 2011 - 05:21 AM

I also ran a scan with Sophos Anti-Rootkit.

It found 2 unknown hidden files: 1 mbr in Combofix's folder, and the other one as follows:

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\Gebruiker's\Local Settings\Temp\ZQTQLRGM.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

I ran cleanup to remove both files, and I'll reboot my compu now :)

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 06 December 2011 - 08:47 AM

Keep me posted.

#14 devnullius

devnullius
  • Topic Starter

  • Members
  • 60 posts

Posted 06 December 2011 - 10:32 AM

Keep me posted.


:)

Sophos Anti-Rootkit log is clean after the reboot WITH THE FIRST (after-reboot) SCAN.

A second scan (after reboot) with SAR again found many hidden files, all belonging to regular installed programs. A couple of txt cookies were found too.

F-Secure Blacklight did not find anything.

Trend Micro RootkitBuster Beta found many problems, but seems to be unable to repair them. A reboot is still required...!

McAfee Stinger found nothing wrong, including for MBR.

Still, inspired by http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_removal_advice & http://www.briteccomputers.co.uk/forum/virustrojanspywaremalware/how-to-remove-bootsector-virus-trojanwin32popureb-e/ I'll first go ahead and replace all MBR info. All this sheit is getting stranger & stranger.... ; p

IceSword program did not start, gave an error. Unknown why. (Initialize failed.)

I UPLOADED MORE LOGS & SCREENSHOTS FOR these PROGRAMS, TO NEW FOLDER (zumo) "RootKit Revealer logs and Screenshots (Sysinternals') (Dec. 06th, '011)"

Devvie

Edited by devnullius, 06 December 2011 - 05:31 PM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 06 December 2011 - 02:19 PM

I understand if you are frustrated, but we must work carefully. If we delete a partition that is required, your computer will be good to use as a door stop.

Please execute this.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here...
Press ENTER

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

Need to see a print screen of this last image.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

Please try to attach the picture to your next post.
You may have to delete the ones you attached on previous posts in this forum.



