
Rootkit infection


This topic is locked
34 replies to this topic

#16 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 06 February 2012 - 05:43 PM

How the machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!



#17 Benjy54 (Topic Starter)

Posted 06 February 2012 - 06:38 PM

Hi,

I would say it is still a bit flaky, but I have been waiting to see what your response was to my last posting and logs. I will do a normal restart with everything enabled and see how we go.

Benjy54

#18 fireman4it (Malware Response Team)

Posted 06 February 2012 - 10:57 PM

Ok let me know



#19 Benjy54 (Topic Starter)

Posted 07 February 2012 - 05:44 AM

Hi fireman4it,

Well, it seems to be a bit better; however, I am just going to run Malwarebytes again to see if the temp folder files have reappeared. Last night I ran ComboFix with the AVG and Comodo firewall disabled. Sadly, ComboFix still reports that rootkit.zeroaccess has been found and that it would take some time to remove. This morning the computer froze again. No logs produced.

Malwarebytes shows clear:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.06.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
John :: INSPIRON [administrator]

Protection: Enabled

07/02/2012 10:30:12
mbam-log-2012-02-07 (10-30-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207482
Time elapsed: 10 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


What, if anything, should I do now?

Benjy54

#20 fireman4it (Malware Response Team)

Posted 07 February 2012 - 11:05 AM

Why did you run Combofix again?


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



#21 Benjy54 (Topic Starter)

Posted 07 February 2012 - 04:20 PM

Hi,

Find pasted both logs as requested.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-07 20:43:26
-----------------------------
20:43:26.953 OS Version: Windows 5.1.2600 Service Pack 3
20:43:26.953 Number of processors: 1 586 0xD08
20:43:26.953 ComputerName: INSPIRON UserName: John
20:43:41.906 Initialize success
20:45:29.328 AVAST engine defs: 12020701
20:45:57.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:45:57.578 Disk 0 Vendor: FUJITSU_MHV2060AH 00000096 Size: 57231MB BusType: 3
20:45:57.593 Disk 0 MBR read successfully
20:45:57.593 Disk 0 MBR scan
20:45:57.687 Disk 0 Windows XP default MBR code
20:45:57.687 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 78 MB offset 63
20:45:57.718 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 54078 MB offset 160650
20:45:57.750 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3074 MB offset 110912760
20:45:57.765 Disk 0 scanning sectors +117210240
20:45:57.812 Disk 0 scanning C:\WINDOWS\system32\drivers
20:46:20.546 Service scanning
20:46:22.187 Modules scanning
20:46:30.703 Disk 0 trace - called modules:
20:46:30.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
20:46:30.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab87ab8]
20:46:30.734 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8abfd930]
20:46:31.656 AVAST engine scan C:\WINDOWS
20:46:38.750 AVAST engine scan C:\WINDOWS\system32
20:51:52.937 AVAST engine scan C:\WINDOWS\system32\drivers
20:52:19.406 AVAST engine scan C:\Documents and Settings\John
21:03:00.062 AVAST engine scan C:\Documents and Settings\All Users
21:04:22.218 Scan finished successfully
21:14:42.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\John\Desktop\MBR.dat"
21:14:42.765 The log file has been saved successfully to "C:\Documents and Settings\John\Desktop\asw2MBR.txt"



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000004

Kernel Drivers (total 152):

Processes (total 61):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2060AH, Rev: 00000096

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
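As an added illustration that is not part of this thread or of aswMBR, MBRCheck or RogueKiller, the following Python script shows what an MBR check of the kind those tools report involves: parsing the partition table (here a constructed in-memory image laid out like the Fujitsu disk in the logs above) and hashing only the bootstrap code, so that a different disk signature or partition layout does not trip the comparison while any change to the code itself does. The bootstrap bytes, disk signatures and baseline hash are all constructed placeholders, not the real Windows XP MBR code.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 440        # bytes 0-439: bootstrap code; 440-443: disk signature (varies per machine)
TABLE_OFFSET = 446    # four 16-byte partition entries; 0x55AA signature at 510
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {0x07: "HPFS/NTFS", 0xDE: "Dell Utility", 0xDB: "CP/M / CTOS"}

# Constructed stand-in for bootstrap code: NOT the real Windows XP MBR code.
SAMPLE_BOOTCODE = bytes((i * 7 + 3) % 256 for i in range(CODE_END))

# Layout taken from the aswMBR/RogueKiller output in the thread:
# (active, type, LBA offset, sector count)
SAMPLE_PARTS = [
    (False, 0xDE, 63, 160587),          # Dell utility partition, 78 MB
    (True, 0x07, 160650, 110752110),    # NTFS system partition, 54078 MB
    (False, 0xDB, 110912760, 6295552),  # Dell restore partition, 3074 MB
]


def build_mbr(bootcode, disk_signature, parts):
    """Assemble a 512-byte MBR image in memory (test data, never written to disk)."""
    mbr = bytearray(SECTOR)
    mbr[:CODE_END] = bootcode.ljust(CODE_END, b"\x00")[:CODE_END]
    mbr[CODE_END:CODE_END + 4] = struct.pack("<I", disk_signature)
    for i, (active, ptype, lba, count) in enumerate(parts[:4]):
        off = TABLE_OFFSET + i * 16
        mbr[off:off + 16] = struct.pack(ENTRY, 0x80 if active else 0x00,
                                        b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                                        lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries, with sizes in MB as the tools print them."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype == 0:
            continue                       # empty slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "UNKNOWN"),
            "offset": lba,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def bootcode_sha1(mbr):
    """Hash only the bootstrap code, not the disk signature or the partition table."""
    return hashlib.sha1(mbr[:CODE_END]).hexdigest()


def verify_bootcode(mbr, baseline_sha1):
    """True if the bootstrap code matches a known-good baseline hash."""
    return bootcode_sha1(mbr) == baseline_sha1


if __name__ == "__main__":
    clean = build_mbr(SAMPLE_BOOTCODE, 0x12345678, SAMPLE_PARTS)
    for p in parse_partitions(clean):
        flag = "ACTIVE" if p["active"] else "      "
        print(f'{p["index"]} [{flag}] {p["name"]} (0x{p["type"]:02x}) '
              f'offset {p["offset"]} size {p["size_mb"]} MB')
    baseline = bootcode_sha1(clean)    # would be recorded from a known-clean disk

    # A different disk signature or partition layout must NOT count as tampering.
    other_disk = build_mbr(SAMPLE_BOOTCODE, 0xCAFEBABE, SAMPLE_PARTS[:2])
    print("other disk, same code:", verify_bootcode(other_disk, baseline))

    # Any change inside the code region must be flagged.
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF
    print("patched bootstrap code:", verify_bootcode(bytes(tampered), baseline))
```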

#22 fireman4it (Malware Response Team)

Posted 07 February 2012 - 05:05 PM

Hello,

I'm not seeing any malware on your machine. Let's run a couple of Windows internal tools.


1.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take a long time to complete, but let it finish.


2.
  • Goto Start>Run
    You will now see a Command Window.
  • Type in sfc /scannow in the command window and press enter.
  • Note the space between the c and the /
  • If any files require replacing, SFC will replace them. You may be asked to insert your Windows XP disc for this process to continue. This can be done with a borrowed disc if you don't have one.
  • Be patient because the scan may take some time.
  • Allow the scan to run and when completed, reboot the system.


3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, type 1 (SCAN) then Enter
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Things to include in your next reply:
Roguekiller log
How is your machine running now?

Edited by fireman4it, 07 February 2012 - 05:06 PM.



#23 Benjy54 (Topic Starter)

Posted 07 February 2012 - 07:12 PM

Hi,

Ran chkdsk: no errors, bad sectors etc.

Could not run sfc /scannow as I kept getting a failure to read from CD. Tried different discs including the original. More information showed either a different OS than the one installed or the CD-ROM not functioning.

Ran roguekiller and it produced report below:

RogueKiller V7.0.3 [02/06/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: Scan -- Date : 02/08/2012 00:02:20

Bad processes: 0

Registry Entries: 3
[] HKLM\[...]\Windows : () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows : () -> ACCESS DENIED

Particular Files / Folders:

Driver: [LOADED]

Infection :

HOSTS File:
[...]


MBR Check:

+++++ PhysicalDrive0: FUJITSU MHV2060AH +++++
--- User ---
[MBR] ea5ef86e70d507b0dae54ea233033f45
[BSP] ae203e84dcb456630d870d8f3155a2b5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 160650 | Size: 54078 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 110912760 | Size: 3074 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



What shall I do about restoring the system files using SFC /scannow?

Exactly what was meant by "Close all the running processes" in para 3, step 2?
Ran the scan anyway.

Pooter is running fine now, guess we might be nearly there.



Benjy54

#24 Benjy54 (Topic Starter)

Posted 07 February 2012 - 07:44 PM

Hi,

Found out my CD-ROM is playing up now. Will try to rectify this and then retry SFC /scannow.

#25 fireman4it (Malware Response Team)

Posted 07 February 2012 - 08:25 PM

Hello,


1.
  • Re-run Roguekiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, click (Delete)
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again


2.
  • Re-run Roguekiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, click (HOSTSFIX)
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

How is your machine running now?



#26 Benjy54 (Topic Starter)

Posted 08 February 2012 - 05:16 AM

Hi Hitman4it,

I wanted to be sure to do the right thing and tell you what I have with roguekiller before I do anything.

Opened RogueKiller; no prompt appeared to do anything. The delete button was enabled and I was about to select that, but a popup came up saying this version was out of date. Selected OK and it took me to the website to download the latest version. That is now done and installed. Ran it and again no prompts to do anything, but this time the delete button was greyed out. Was just going to run the HOSTSFix, but decided I had better check with you first.

Can you explain what the instruction means to


Close all the running processes

Will get my CD-ROM drivers sorted and run sfc /scannow in the meantime.

Benjy54

#27 fireman4it (Malware Response Team)

Posted 08 February 2012 - 02:57 PM

Hello,

Yes go ahead and run Hostfix. :thumbup2:



#28 Benjy54 (Topic Starter)

Posted 08 February 2012 - 05:24 PM

Hi,

Ran Roguekiller results below.

RogueKiller V7.0.4 [02/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: John [Admin rights]
Mode: HOSTSFix -- Date : 02/08/2012 22:10:53

Bad processes: 3
[SUSP PATH] MatsBoot.exe -- C:\WINDOWS\TEMP\RunBoot-Temp_.9d5a28ff-59e5-4f92-94cb-08e80939c733\MatsBoot.exe -> KILLED [TermProc]
[SUSP PATH] MATSWiz.exe -- C:\Documents and Settings\John\Local Settings\Temp\MATS-Temp\CABoyjxsiqh.0e1\MATSWiz.exe -> KILLED [TermProc]
[SUSP PATH] MATSHost.exe -- C:\Documents and Settings\John\Local Settings\Temp\MATS-Temp\CABoyjxsiqh.0e1\matshost.exe -> KILLED [TermProc]

Driver: [LOADED]

HOSTS File:
[...]


Resetted HOSTS:
127.0.0.1 localhost

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt


Still having problems with my CD drive. No matter what I try, the drivers load but then I get the error message that the drivers may be missing or corrupt.

Not sure why this is happening; have run the MS online troubleshooter but am getting nowhere fast.

I note that in Explorer there is a ComboFix icon that, when selected, seems to show a copy of C:. Is the computer having trouble allocating a drive letter to the CD-ROM because of this?

Should I uninstall ComboFix?

May of course be totally unrelated. But until then I cannot run sfc /scannow to fix the system files.

Benjy54
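An added example, not from the thread and not RogueKiller's own code, of the check behind the "HOSTS File" and "HOSTSFix" output in the two reports above: parse the file and separate entries that pin a name to loopback (the name simply stops resolving, which is how blocklists use this file) from entries that send a name to some other address, which is the change a hosts-file hijack leaves behind. The sample file, its two redirect lines and the names and addresses in them are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of the HOSTS dump RogueKiller printed above,
# plus two invented lines of the kind a hosts-file hijack adds (addresses from
# the 203.0.113.0/24 documentation range, names under the reserved .test TLD).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.007guard.com
127.0.0.1       007guard.com
127.0.0.1       008i.com
203.0.113.10    www.example-bank.test    # constructed hijack example
203.0.113.10    update.example-av.test   # constructed hijack example
"""

DEFAULT_HOSTS = "127.0.0.1 localhost\n"   # what RogueKiller's HOSTSFix left behind


def parse_hosts(text):
    """Yield (address, hostname, line number) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a hosts mapping, ignore
        for name in fields[1:]:
            yield addr, name.lower(), lineno


def classify_hosts(text):
    """Split mappings into the three cases a reviewer cares about.

    localhost  - the one mapping a clean file needs
    blocked    - names pinned to loopback/unspecified: the name resolves nowhere,
                 which is how ad/malware blocklists use the hosts file
    redirected - names sent to some other address: the pattern a hijack leaves
    """
    report = {"localhost": [], "blocked": [], "redirected": []}
    for addr, name, lineno in parse_hosts(text):
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and name in ("localhost", "localhost.localdomain", "ip6-localhost"):
            report["localhost"].append(name)
        elif sinkholed:
            report["blocked"].append(name)
        else:
            report["redirected"].append((name, str(addr), lineno))
    return report


def is_default_hosts(text):
    """True when the file maps nothing but localhost, as after a reset."""
    r = classify_hosts(text)
    return bool(r["localhost"]) and not r["blocked"] and not r["redirected"]


if __name__ == "__main__":
    r = classify_hosts(SAMPLE_HOSTS)
    print(f'{len(r["blocked"])} names blocked (loopback), '
          f'{len(r["redirected"])} names redirected elsewhere')
    for name, addr, lineno in r["redirected"]:
        print(f"  line {lineno}: {name} -> {addr}   <-- review this entry")
    print("sample is default:", is_default_hosts(SAMPLE_HOSTS))
    print("reset file is default:", is_default_hosts(DEFAULT_HOSTS))
```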

#29 fireman4it (Malware Response Team)

Posted 08 February 2012 - 09:01 PM

Hello,


ComboFix has nothing to do with your CD-ROM not working. My guess would be that the malware either corrupted the file system, or the CD-ROM just happens to be going bad at the same time.



Please download DeFogger to your desktop.
1.
Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Enable button to enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


2.
  • Please go to start -> Run.
  • Copy and paste the following line into the run box and click OK:

    cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt
  • A text file opens up, copy and paste the content to your reply.


3.
Do you have two optical disk drives, a DVD and a CD drive? If so, try to use the DVD drive and run sfc /scannow. If it still doesn't work, go ahead and run sfc /scannow without the disc; this will give us an idea if something is messed up.

Edited by fireman4it, 08 February 2012 - 09:06 PM.



#30 Benjy54 (Topic Starter)

Posted 09 February 2012 - 04:14 AM

Hi,

Managed to run sfc /scannow last night. Using Microsoft Fix it I managed to get the CD drive working whilst I ran the scannow. I did get a message to restart Windows during the MS fix but chose to ignore that as I knew, as was proved later, that when you do a restart the CD drive does not work. Same error: driver could not be loaded or is corrupt, error 39.

Anyway the upshot is that sfc /scannow completed and it did access the CD to install the files it needed.

When I go to run DeFogger I have two options, Disable and Re-enable, with a message to say to only Re-enable when told to do so by some really great bloke like yourself :P
I chose to just close the dialogue box rather than do either; I hope I did right.

Qoobox report below.

C:\QooBox\BackEnv
C:\QooBox\LastRun
C:\QooBox\Quarantine
C:\QooBox\Test
C:\QooBox\TestC
C:\QooBox\BackEnv\AppData.folder.dat
C:\QooBox\BackEnv\Cache.folder.dat
C:\QooBox\BackEnv\Cookies.folder.dat
C:\QooBox\BackEnv\Desktop.folder.dat
C:\QooBox\BackEnv\Favorites.folder.dat
C:\QooBox\BackEnv\History.folder.dat
C:\QooBox\BackEnv\LocalAppData.folder.dat
C:\QooBox\BackEnv\LocalSettings.folder.dat
C:\QooBox\BackEnv\Music.folder.dat
C:\QooBox\BackEnv\NetHood.folder.dat
C:\QooBox\BackEnv\Personal.folder.dat
C:\QooBox\BackEnv\Pictures.folder.dat
C:\QooBox\BackEnv\PrintHood.folder.dat
C:\QooBox\BackEnv\Profiles.Folder.dat
C:\QooBox\BackEnv\Profiles.Folder.folder.dat
C:\QooBox\BackEnv\Programs.folder.dat
C:\QooBox\BackEnv\Recent.folder.dat
C:\QooBox\BackEnv\SendTo.folder.dat
C:\QooBox\BackEnv\SetPath.bat
C:\QooBox\BackEnv\StartMenu.folder.dat
C:\QooBox\BackEnv\StartUp.folder.dat
C:\QooBox\BackEnv\SysPath.dat
C:\QooBox\BackEnv\Templates.folder.dat
C:\QooBox\BackEnv\VikPev00
C:\QooBox\LastRun\Gateway
C:\QooBox\Quarantine\C
C:\QooBox\Quarantine\catchme.log
C:\QooBox\Quarantine\Registry_backups

Cheers Benjy54
