AVG Scan

4 replies to this topic

#1 Shade the Wolf

Posted 13 February 2014 - 06:14 PM

Okay, so after clicking around to try to download a flash animation, I accidentally installed some spyware stuff (blame FileTube). I use the PC Decrapifier to remove it, and decide to run an AVG scan just to be safe. Rootkits come back infected. "Okay", I thought, and I clicked "remove all". Aaaaand it comes back with "Cannot remove. Data is invalid". I run another scan, rootkits come back infected, I try to remove, same error on all of them.

I can't remember the names of the infected files off the top of my head, but they all started with IPR. Any ideas?



#2 noknojon

Posted 13 February 2014 - 06:35 PM

Hi -

Do you still have a copy of that scan result with infections showing ?

If not, please run this scan (below) and post the results back

 

Please download Malwarebytes' Anti-Rootkit MBAR and "Save it to your Desktop". <= Important
• Be sure to print out and follow the instructions provided on that same page for performing a scan.
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.

• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.

• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.

• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
• Copy and paste the contents of these two log files in your next reply.



#3 Shade the Wolf
  • Topic Starter

Posted 13 February 2014 - 06:53 PM

Yeah, here's the report, if that's what you mean.

 

 

"";"IRP hook, C:\Windows\system32\DRIVERS\mouclass.sys IRP_MJ_READ -> EagleX64.sys +0x14CC0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\mouclass.sys IRP_MJ_PNP -> EagleX64.sys +0x14F80, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\kbdclass.sys IRP_MJ_READ -> EagleX64.sys +0x131C0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\kbdclass.sys IRP_MJ_PNP -> EagleX64.sys +0x134D0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"Hidden application, Idle";"Infected"
 

 

I ran GMER (another thread on AVG's website had it) and a scan result came back with the line "Unknown MBR code." Is that related?

 

EDIT: Here's the result of the previous scan too, if you need it.

 

 

"";"IRP hook, C:\Windows\system32\DRIVERS\mouclass.sys IRP_MJ_READ -> EagleX64.sys +0x14CC0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\mouclass.sys IRP_MJ_PNP -> EagleX64.sys +0x14F80, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\kbdclass.sys IRP_MJ_READ -> EagleX64.sys +0x131C0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
"";"IRP hook, C:\Windows\system32\DRIVERS\kbdclass.sys IRP_MJ_PNP -> EagleX64.sys +0x134D0, C:\Windows\system32\drivers\EagleX64.sys";"Infected"
 

 

Though it's the same infection, just without the last "hidden application" thing. I just thought it would help.


Edited by Shade the Wolf, 13 February 2014 - 06:56 PM.
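The four "IRP hook" rows in that log are the scanner reporting that the mouse and keyboard class drivers' dispatch entries for IRP_MJ_READ and IRP_MJ_PNP no longer point into mouclass.sys/kbdclass.sys but into a third driver, EagleX64.sys, at the offsets shown. The check behind such a row is simple: walk a driver's MajorFunction[] table and flag any entry that lands outside the driver's own image and outside the kernel's default handler, then resolve the pointer to "module +offset". The following is an added example of that check written for this thread; it is not code from AVG, GMER or the original posts. The DRIVER_OBJECT layout is modelled, and the module list, base addresses and the mouclass.sys table are all constructed to reproduce the logged rows, so nothing here reads a live kernel.

```c
/* Added example (not from the thread, AVG or GMER): IRP dispatch-table hook
 * detection. Every MajorFunction[] entry should point into the owning driver
 * (DriverStart .. DriverStart+DriverSize) or into ntoskrnl's default handler.
 * An entry landing in a third module is reported as "<module> +<offset>".
 * All structures, addresses and modules below are simulated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_CREATE           0x00
#define IRP_MJ_READ             0x03
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_PNP              0x1b
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b          /* table has MAXIMUM+1 entries */
#define MAJOR_COUNT (IRP_MJ_MAXIMUM_FUNCTION + 1)

typedef struct { const char *name; uint64_t base; size_t size; } ModuleInfo;

typedef struct {
    const char *name;                       /* driver that owns the table  */
    uint64_t    driver_start;               /* DRIVER_OBJECT.DriverStart   */
    size_t      driver_size;                /* DRIVER_OBJECT.DriverSize    */
    uint64_t    major_function[MAJOR_COUNT];/* DRIVER_OBJECT.MajorFunction */
} DriverObject;

typedef struct {
    int         major;          /* hooked IRP_MJ_* index                       */
    const char *target_module;  /* module the pointer lands in, or "<unknown>" */
    uint64_t    offset;         /* handler offset inside that module           */
} IrpHook;

/* Constructed loaded-module list; bases are invented, not real addresses. */
static const ModuleInfo SAMPLE_MODULES[] = {
    { "ntoskrnl.exe", 0xFFFFF80002800000ULL, 0x600000 },
    { "mouclass.sys", 0xFFFFF88003A00000ULL, 0x010000 },
    { "kbdclass.sys", 0xFFFFF88003A20000ULL, 0x010000 },
    { "EagleX64.sys", 0xFFFFF88004100000ULL, 0x020000 },
};
#define SAMPLE_MODULE_COUNT (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])

static int in_range(uint64_t p, uint64_t base, size_t size) {
    return p >= base && p < base + size;
}

static const ModuleInfo *resolve_module(uint64_t p, const ModuleInfo *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (in_range(p, mods[i].base, mods[i].size)) return &mods[i];
    return NULL;
}

/* Scan one driver's dispatch table; returns the number of hooks written to out. */
size_t find_irp_hooks(const DriverObject *drv, const ModuleInfo *mods, size_t nmods,
                      IrpHook *out, size_t max_out) {
    const ModuleInfo *kernel = NULL;
    for (size_t i = 0; i < nmods; i++)
        if (strcmp(mods[i].name, "ntoskrnl.exe") == 0) kernel = &mods[i];
    size_t found = 0;
    for (int mj = 0; mj < MAJOR_COUNT && found < max_out; mj++) {
        uint64_t p = drv->major_function[mj];
        if (p == 0) continue;
        if (in_range(p, drv->driver_start, drv->driver_size)) continue;  /* driver's own code */
        if (kernel && in_range(p, kernel->base, kernel->size)) continue; /* nt default handler */
        const ModuleInfo *m = resolve_module(p, mods, nmods);
        out[found].major         = mj;
        out[found].target_module = m ? m->name : "<unknown>";
        out[found].offset        = m ? p - m->base : p;
        found++;
    }
    return found;
}

/* Render a hook the way the AVG rows read: "IRP hook, <drv> <major> -> <mod> +0x<off>". */
int format_hook(const DriverObject *drv, const IrpHook *h, char *buf, size_t len) {
    const char *mn = h->major == IRP_MJ_CREATE ? "IRP_MJ_CREATE"
                   : h->major == IRP_MJ_READ   ? "IRP_MJ_READ"
                   : h->major == IRP_MJ_DEVICE_CONTROL ? "IRP_MJ_DEVICE_CONTROL"
                   : h->major == IRP_MJ_PNP    ? "IRP_MJ_PNP" : NULL;
    if (mn)
        return snprintf(buf, len, "IRP hook, %s %s -> %s +0x%llX", drv->name, mn,
                        h->target_module, (unsigned long long)h->offset);
    return snprintf(buf, len, "IRP hook, %s IRP_MJ_0x%02X -> %s +0x%llX", drv->name,
                    (unsigned)h->major, h->target_module, (unsigned long long)h->offset);
}

/* A mouclass.sys DRIVER_OBJECT as the log implies: READ and PNP redirected to EagleX64.sys. */
DriverObject sample_mouclass(void) {
    DriverObject d = { "mouclass.sys", SAMPLE_MODULES[1].base, SAMPLE_MODULES[1].size, {0} };
    for (int mj = 0; mj < MAJOR_COUNT; mj++)
        d.major_function[mj] = SAMPLE_MODULES[0].base + 0x1234;      /* unused majors -> kernel */
    d.major_function[IRP_MJ_CREATE]         = d.driver_start + 0x1000; /* driver's own handlers */
    d.major_function[IRP_MJ_DEVICE_CONTROL] = d.driver_start + 0x1800;
    d.major_function[IRP_MJ_READ] = SAMPLE_MODULES[3].base + 0x14CC0;  /* hooked, as logged */
    d.major_function[IRP_MJ_PNP]  = SAMPLE_MODULES[3].base + 0x14F80;
    return d;
}

int main(void) {
    DriverObject d = sample_mouclass();
    IrpHook hooks[MAJOR_COUNT];
    size_t n = find_irp_hooks(&d, SAMPLE_MODULES, SAMPLE_MODULE_COUNT, hooks, MAJOR_COUNT);
    for (size_t i = 0; i < n; i++) {
        char line[160];
        format_hook(&d, &hooks[i], line, sizeof line);
        puts(line);   /* one line each for IRP_MJ_READ and IRP_MJ_PNP -> EagleX64.sys */
    }
    return 0;
}
```

The reason "remove" fails on such a row is visible in the model: the finding is a pointer inside another driver's table, not a file that can be deleted, so a scanner has to restore the dispatch entry (or unload the hooking driver) rather than remove the hooked file. Keyboard and mouse READ hooks in particular are the pattern of a kernel-mode keylogger, which is why the thread escalates to the malware-removal team.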


#4 noknojon

Posted 13 February 2014 - 07:16 PM

Hi -

I just went to AVG site and a few others to check the infection.

All I can find is that you "May" have paused it with the scan, but often it is not fixed unless much stronger tools are used.

I would treat it as severe and request you to post to the Experts only.

 

Since you have those logs, please do not run the program I listed.

 

Please Fully read and follow the instructions in the Preparation Guide starting at Step 6.

NOTE  - If you cannot complete a step, then skip it and continue with the next.

 

When you have done that, start a new topic and post the required logs to  Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT Here, for assistance by the Malware Response Team Experts.

 

Start a new topic, give it a relevant title and post your 2 requested DDS logs along with a brief description of your problem, (That part you have just posted here)
 

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

If HelpBot responds to your topic, please follow his Step #1 so the team will be notified.



#5 Shade the Wolf
  • Topic Starter

Posted 13 February 2014 - 07:42 PM

http://www.bleepingcomputer.com/forums/t/524250/avg-scan-ipr-rootkits-and-a-hidden-application/ here's the link to the post.





