[Resolved] "c:\winnt\system32\comres.dll is infec


  • This topic is locked
45 replies to this topic

#1 Step_By_Step (Authentic Member, 66 posts)

Posted 27 September 2009 - 09:23 PM

Dell Precision 340 Workstation
_______________________________________
Windows 2000 Professional
5.00.2195
Service Pack 4
_______________________________________
Mozilla FireFox
Version: 3.5.3
_______________________________________
Internet Explorer
Version: 6.0.2800.1106
_______________________________________
ESET NOD32 Antivirus 4.0.417.0
_______________________________________
SUPERAntiSpyware
_______________________________________
Malwarebytes' Anti-Malware
_______________________________________
SysInspector by ESET
_______________________________________
Avenger
_______________________________________
GMER
_______________________________________
ComboFix Result:
c:\winnt\system32\comres.dll is infected!
_______________________________________
SpywareBlaster
version 4.2
______________________________________________________________
After re-starting SpywareBlaster I repeatedly notice under "SpywareBlaster Protection Status" on the "Restricted Sites" line the following message:
"1 items have protection disabled".
The item is as follows:
ITEM NAME: AntiMalwareGuard
ADDRESS: antimalwareguard.com
This is happening despite the fact that earlier in the same day I had already clicked on the "Enable all protection" link in SpywareBlaster.
1) Why is this occurring?
2) What can I do to solve this problem?
3) Is this related to the following message that I keep seeing after running ComboFix as in the ComboFix Log:
"c:\winnt\system32\comres.dll . . . is infected!!"
4) Is this related to the messages that I receive after running Avenger?
"Error: file "C:\WINNT\system32\CF15096.exe" not found!
Deletion of file "C:\WINNT\system32\CF15096.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF25469.exe" not found!
Deletion of file "C:\WINNT\system32\CF25469.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF9828.exe" not found!
Deletion of file "C:\WINNT\system32\CF9828.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF6762.exe" not found!
Deletion of file "C:\WINNT\system32\CF6762.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINNT\system32\CF9462.exe" not found!
Deletion of file "C:\WINNT\system32\CF9462.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist"

5) Is this related to the following results that I receive after opening GMER:
TYPE: "Service"
Name: "C:\WINNT\system32\clipsrv.exe? (*** hidden ***)"
Value: "(MANUAL)" ClipSrv
-------------------------------------------------------------------------
TYPE: "Service"
Name: "C:\WINNT\system32\MSTask.exe? (*** hidden ***)"
Value: "(AUTO)" Schedule
PS. GMER typically highlights the above results in RED.


________________________________________
ESET NOD32 antivirus repeatedly detects and quarantines the following:
Object name: "C:\DOCUME~1\v\LOCALS~1\Temp\Av-test.txt"
Reason: "Eicar test file"

Object name: "C:\DOCUME~1\v\LOCALS~1\Temp\_avast4_unp97524786.tmp"
Reason: "Probably a variant of Win32/Agent trojan"

Object name: "C:\DOCUME~1\v\LOCALS~1\Temp\VSOLB1U6.01M"
Reason: "Win32/PowerReg application"

1) Why does this thing keep coming back?
2) How can I permanently fix this problem?
_______________________________________________________________________

GMER Results:
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-27 17:58:26
Windows 5.0.2195 Service Pack 4
Running: 0xt9fcyh.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 0
Process System (*** hidden *** ) 8
Process SMSS.EXE (*** hidden *** ) 148
Process CSRSS.EXE (*** hidden *** ) 172
Process WINLOGON.EXE (*** hidden *** ) 192
Process SERVICES.EXE (*** hidden *** ) 220
Process LSASS.EXE (*** hidden *** ) 232
Process svchost.exe (*** hidden *** ) 408
Process spoolsv.exe (*** hidden *** ) 432
Process DkService.exe (*** hidden *** ) 460
Process ekrn.exe (*** hidden *** ) 476
Process svchost.exe (*** hidden *** ) 492
Process firefox.exe (*** hidden *** ) 508
Process jqs.exe (*** hidden *** ) 544
Process nvsvc32.exe (*** hidden *** ) 580
Process regsvc.exe (*** hidden *** ) 616
Process stisvc.exe (*** hidden *** ) 664
Process WinMgmt.exe (*** hidden *** ) 772
Process mspmspsv.exe (*** hidden *** ) 800
Process svchost.exe (*** hidden *** ) 816
Process svchost.exe (*** hidden *** ) 828
Process explorer.exe (*** hidden *** ) 1120
Process WINWORD.EXE (*** hidden *** ) 1184
Process 0xt9fcyh.exe (*** hidden *** ) 1216
Process jusched.exe (*** hidden *** ) 1244
Process egui.exe (*** hidden *** ) 1248
Process robotaskbaricon (*** hidden *** ) 1260

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

____________________________________________________________
Program: SpywareBlaster
Version: 4.2
Restricted Site Protection\Customize the Block List:
ITEM NAME: ADDRESS:
AntiMalwareGuard antimalwareguard.com

____________________________________________________________
c:\winnt\system32\comres.dll is infected!

c:\winnt\system32\clipsrv.exe?

c:\winnt\system32\MSTask.exe?
_____________________________________________________________
Is my system infected with a Root Kit(s) or Trojan(s) or what?
Please provide me with step-by-step instructions that any novice computer user can easily follow in order to stop these problems from recurring.
Thank you.



#2 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 01 October 2009 - 11:54 AM

Hi Step_By_Step,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

You've got a lot of questions there. I'm not sure I can answer them at this time. I think we need to start at ground zero here.

First off, you will find posted around this forum maybe a hundred times (and probably thousands of times at other forums): Do Not run ComboFix unassisted. Avenger carries the same warning, as does Gmer in many places. These are three of the most powerful tools out there. Very handy for cleaning a system, equally effective at turning your computer into a door stop.

That being said, I'd like to see the log from ComboFix.

Please:
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When the file opens, copy/paste the text here.

Tomk
Topics are closed after 5 days without response


#3 Step_By_Step (Authentic Member, 66 posts)

Posted 01 October 2009 - 02:29 PM

Hi Tomk:
Thank you for your reply.
I'm using Windows 2000 Professional.
You wrote to click on "Start" and then to "Click on Explore".

There is no "Explore" button in that area of the operating system.
What now?

#4 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 01 October 2009 - 02:48 PM

Step_By_Step, Maneuver any way you can to find the file ComboFix.txt in your root drive.

Tomk


#5 Step_By_Step (Authentic Member, 66 posts)

Posted 01 October 2009 - 04:53 PM

ComboFix 09-10-01.01 - v 10/01/2009 18:44.22.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1535.932 [GMT -4:00]
Running from: c:\documents and settings\v\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-10-01 22:43 . 2009-10-01 22:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_300.dat
2009-09-30 04:47 . 2009-09-30 04:47 -------- d-----w- c:\documents and settings\v\Application Data\Media Player Classic
2009-09-30 04:46 . 2009-09-30 04:46 -------- d-----w- c:\program files\Real_Player_Alternative
2009-09-30 04:46 . 2009-09-30 04:46 -------- d-----w- c:\documents and settings\v\Local Settings\Application Data\Real
2009-09-28 20:42 . 2009-09-28 20:42 -------- d-----w- c:\program files\Trend Micro
2009-09-28 01:20 . 2009-09-28 01:20 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_1fc.dat
2009-09-13 20:09 . 2009-09-13 20:09 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\ESET
2009-09-11 11:26 . 2009-09-11 11:26 96408 ----a-w- c:\winnt\system32\drivers\epfwtdir.sys
2009-09-11 11:23 . 2009-09-11 11:23 108792 ----a-w- c:\winnt\system32\drivers\ehdrv.sys
2009-09-11 11:17 . 2009-09-11 11:17 116008 ----a-w- c:\winnt\system32\drivers\eamon.sys
2009-09-04 02:58 . 2009-09-04 02:58 -------- d-----w- c:\documents and settings\v\Local Settings\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 20:06 . 2008-06-04 04:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 20:06 . 2008-06-04 04:24 -------- d-----w- c:\program files\SpywareBlaster
2009-09-29 20:53 . 2008-06-04 01:58 -------- d-----w- c:\program files\Eset
2009-09-29 19:00 . 2008-06-06 22:30 88968 ----a-w- c:\documents and settings\v\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-27 02:53 . 2009-04-02 19:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-15 06:06 . 2009-04-03 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 22:32 . 2008-10-15 00:06 -------- d-----w- c:\documents and settings\v\Application Data\LimeWire
2009-09-10 18:54 . 2009-04-02 19:13 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-04-02 19:13 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-09-09 20:58 . 2008-06-04 07:45 -------- d-----w- c:\program files\Java
2009-08-05 05:04 . 2009-08-05 05:04 90164 ----a-w- c:\winnt\system32\atl.dll
2009-07-27 11:27 . 2001-05-08 12:00 81168 ----a-w- c:\winnt\system32\fontsub.dll
2009-07-27 11:27 . 2001-05-08 12:00 165136 ----a-w- c:\winnt\system32\t2embed.dll
2009-07-25 09:23 . 2008-12-05 20:48 411368 ----a-w- c:\winnt\system32\deploytk.dll
2009-07-13 13:13 . 2008-06-04 02:59 78608 ----a-w- c:\winnt\system32\avifil32.dll
2009-07-10 16:49 . 2002-08-29 11:06 601088 ----a-w- c:\winnt\system32\INETCOMM.DLL
2009-07-10 16:49 . 2002-08-29 11:06 47616 ----a-w- c:\winnt\system32\INETRES.DLL
2009-07-10 16:49 . 2002-08-29 11:06 229376 ----a-w- c:\winnt\system32\MSOEACCT.DLL
2009-07-10 16:49 . 2002-08-29 11:06 91136 ----a-w- c:\winnt\system32\MSOERT2.DLL
2009-07-10 16:47 . 2002-08-29 11:14 44032 ----a-w- c:\winnt\system32\MSIDENT.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_04.20.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-29 20:53 . 2009-09-29 20:53 10134 c:\winnt\Installer\{EFA800BF-C5C8-46D1-B49D-13920D05417C}\callmsi.exe
+ 2009-09-30 04:46 . 1998-05-12 18:36 5632 c:\winnt\system32\pndx5032.dll
+ 2009-09-30 04:46 . 1998-03-26 02:57 6656 c:\winnt\system32\pndx5016.dll
+ 2009-09-30 04:46 . 2008-09-10 19:56 185920 c:\winnt\system32\rmoc3260.dll
+ 2009-09-30 04:46 . 2001-06-22 23:31 278528 c:\winnt\system32\pncrt.dll
+ 2008-06-03 21:04 . 2009-09-29 18:54 356160 c:\winnt\system32\FNTCACHE.DAT
+ 2009-09-29 20:53 . 2009-09-29 20:53 101480 c:\winnt\Installer\{EFA800BF-C5C8-46D1-B49D-13920D05417C}\egui.exe
+ 2009-09-29 20:53 . 2009-09-29 20:53 1130496 c:\winnt\Installer\70511.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-29 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"NeroCheck"="c:\winnt\system32\NeroCheck.exe" [2003-07-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2002-07-16 372736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-15 06:06 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

R1 ehdrv;ehdrv;c:\winnt\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 3:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 3:07 PM 74480]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [6/3/2008 5:05 PM 61712]
R3 FA311;Netgear FA311 NDIS 5.0 Miniport Driver;c:\winnt\system32\drivers\FA311ND5.SYS [2/28/2000 1:09 AM 21728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 3:07 PM 7408]
S3 esiasdrv;esiasdrv;\??\c:\docume~1\v\LOCALS~1\Temp\esiasdrv.sys --> c:\docume~1\v\LOCALS~1\Temp\esiasdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder

2009-07-25 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\v\Application Data\Mozilla\Firefox\Profiles\jzbmtgoq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Real_Player_Alternative\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Real_Player_Alternative\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 18:49
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1452)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-10-01 18:50
ComboFix-quarantined-files.txt 2009-10-01 22:50
ComboFix2.txt 2009-09-29 02:30
ComboFix3.txt 2009-09-27 23:43
ComboFix4.txt 2009-09-27 00:36
ComboFix5.txt 2009-10-01 22:43

Pre-Run: 31,754,309,632 bytes free
Post-Run: 31,749,799,936 bytes free

143 --- E O F --- 2009-09-08 23:13

#6 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 01 October 2009 - 05:30 PM

Step_By_Step,

Sorry. I'm not doing very well at being clear. I didn't mean for you to run ComboFix a couple more times. I wanted the log from when you had run it earlier. It has been run 22 times, 5 times in the last 3 days and twice today. It tells me very little at this point.

Let's try something different. I believe both of these tools will run on Windows 2000 but am not positive. If either one tells you something like "Wrong Operating system", just back out. I'd like to run both so if the first one balks, then go ahead and run the second one before notifying me.

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

  • We Need to check for Rootkits with RootRepeal
    • Download RootRepeal from one of the following locations and save it to your desktop.
    • Open Posted Image on your desktop.
    • Click the Posted Image tab.
    • Click the Posted Image button.
    • In the Select Scan dialog, check Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.

Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.

Tomk


#7 Step_By_Step (Authentic Member, 66 posts)

Posted 02 October 2009 - 01:35 PM

Hi Tomk,
Here's the Rooter.exe text report:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 2000 . (5.0.2195) Service Pack 4
[32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 6.0.2800.1106
Mozilla Firefox 3.5.3 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:37 Go - Free:29 Go )
D:\ [Fixed-NTFS] .. ( Total:37 Go - Free:24 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 15:32.07
Path : C:\Documents and Settings\v\Desktop\Rooter.exe
User : v ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (8)
______ \SystemRoot\System32\smss.exe (148)
______ \??\C:\WINNT\system32\csrss.exe (172)
______ \??\C:\WINNT\system32\winlogon.exe (192)
______ C:\WINNT\system32\services.exe (220)
______ C:\WINNT\system32\lsass.exe (232)
______ C:\WINNT\system32\svchost.exe (408)
______ C:\WINNT\system32\spoolsv.exe (432)
______ C:\Program Files\Executive Software\Diskeeper\DkService.exe (460)
______ ekrn.exe (476)
______ C:\WINNT\System32\svchost.exe (492)
______ C:\Program Files\Java\jre6\bin\jqs.exe (544)
______ C:\WINNT\System32\nvsvc32.exe (576)
______ C:\WINNT\system32\regsvc.exe (616)
______ C:\WINNT\system32\stisvc.exe (656)
______ C:\WINNT\System32\WBEM\WinMgmt.exe (768)
______ C:\WINNT\system32\mspmspsv.exe (796)
______ C:\WINNT\system32\svchost.exe (812)
______ C:\WINNT\system32\svchost.exe (824)
______ C:\WINNT\Explorer.EXE (1104)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1204)
______ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (1244)
______ C:\Program Files\Mozilla Firefox\firefox.exe (496)
______ C:\Documents and Settings\v\Desktop\Rooter.exe (1280)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINNT\Tasks\AppleSoftwareUpdate.job
C:\WINNT\Tasks\desktop.ini
C:\WINNT\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\v\Favorites\Bookmarks for dorse\INFORMATION TECHNOLOGIES\-.--[ cracking 4 all ]--.. [Anonymized-proxy29].url
C:\DOCUME~1\v\Favorites\COMPUTING HARDWARE\Crackspider.net! Search cracks, serial numbers, keygens and patches for appz and games.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\crackfound.com - daily updated underground search engine.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\Download Trojanhunter v3.50 crack, keygen or serial.url
C:\DOCUME~1\v\Favorites\COMPUTING HARDWARE\Crackspider.net! Search cracks, serial numbers, keygens and patches for appz and games.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\Download Trojanhunter v3.50 crack, keygen or serial.url
C:\DOCUME~1\v\Favorites\Bookmarks for dorse\INFORMATION TECHNOLOGIES\-.--[ cracking 4 all ]--.. [Anonymized-proxy29].url
C:\DOCUME~1\v\Favorites\COMPUTING HARDWARE\Crackspider.net! Search cracks, serial numbers, keygens and patches for appz and games.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\crackfound.com - daily updated underground search engine.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\Download Trojanhunter v3.50 crack, keygen or serial.url
C:\DOCUME~1\v\Favorites\COMPUTING HARDWARE\Crackspider.net! Search cracks, serial numbers, keygens and patches for appz and games.url
C:\DOCUME~1\v\Favorites\COMPUTING SOFTWARE\Download Trojanhunter v3.50 crack, keygen or serial.url
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 15:32.18
.
C:\Rooter$\Rooter_1.txt - (02/10/2009 | 15:32.18).c

#8 Step_By_Step (Authentic Member, 66 posts)

Posted 02 October 2009 - 01:44 PM

Hi Tomk,
Here's the RootRepeal report
There was apparently no opportunity for me to follow step 3 of your instructions: "Check the box for your main system drive (Usually C:), and press Ok."

Please note: There was an error code displayed in RootRepeal after the scan apparently completed.
It read as follows: "RootRepeal Error: DeviceIoControl Error! Error Code = 0x0"

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 15:41
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE97A000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF6A39000 Size: 4096 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xB9AAF000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x80480a20]!

#: 018 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x88b9f8a0

#: 053 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x88b9c9f0

#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x88b9c7b0

#: 106 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88b9ecb0

#: 111 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88b9f0d0

#: 215 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x88b9c8c0

#: 221 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x88b9f4f0

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xbea630b0

#: 225 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88b9f310

Hidden Services
-------------------
Service Name: ControlSet001
Image Path: C:\WINNT\system32\drivers\ControlSet001.sys

Service Name: ControlSet002
Image Path: C:\WINNT\system32\drivers\ControlSet002.sys

Service Name: Creative Tech
Image Path: C:\WINNT\system32\drivers\Creative Tech.sys

Service Name: MountedDevices
Image Path: C:\WINNT\system32\drivers\MountedDevices.sys

Service Name: Select
Image Path: C:\WINNT\system32\drivers\Select.sys

Service Name: Setup
Image Path: C:\WINNT\system32\drivers\Setup.sys

==EOF==

Edited by Step_By_Step, 02 October 2009 - 01:57 PM.
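Added example (not code from the thread, from Tomk, or from the RootRepeal project): a Python triage helper that parses the SSDT block of a RootRepeal report like the one above and separates hooks attributed to a named driver image (here SASKUTIL.sys from SUPERAntiSpyware) from those reported as "<unknown>", then clusters unresolved handler addresses that sit close together, since one loaded image normally accounts for a whole cluster. It assumes RootRepeal's section layout as printed above (title line, dash line, entries), and its sample input is a constructed subset of the posted log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the SSDT block from the RootRepeal log
# posted above, kept verbatim apart from trimming entries.
SAMPLE_REPORT = """\
SSDT
-------------------
ServiceTable Hooked [0x80480a20]!

#: 018 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x88b9f8a0

#: 106 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88b9ecb0

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xbea630b0

#: 225 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88b9f310

Hidden Services
-------------------
Service Name: Select
Image Path: C:\\WINNT\\system32\\drivers\\Select.sys
"""

# One RootRepeal SSDT entry: an index line followed by a status line.
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)[ \t]*\n'
    r'Status:\s*Hooked by "(?P<owner>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)'
)

UNKNOWN = "<unknown>"


@dataclass(frozen=True)
class SsdtHook:
    index: int       # SSDT slot number as printed by RootRepeal
    function: str    # Nt* service name in that slot
    owner: str       # driver image RootRepeal attributed the hook to, or "<unknown>"
    address: int     # kernel address the slot now points at

    @property
    def resolved(self) -> bool:
        return self.owner != UNKNOWN


def section(report: str, name: str) -> str:
    """Return the body of the RootRepeal section titled `name` (e.g. "SSDT").

    RootRepeal prints each section as a title line followed by a line of
    dashes; splitting on that pair yields alternating titles and bodies.
    """
    parts = re.split(r'^(\S[^\n]*)\n-{5,}\n', report, flags=re.MULTILINE)
    for title, body in zip(parts[1::2], parts[2::2]):
        if title.strip() == name:
            return body
    return ""


def parse_ssdt(report: str) -> list[SsdtHook]:
    """Extract every hooked SSDT entry from the report."""
    return [
        SsdtHook(int(m["index"]), m["func"], m["owner"], int(m["addr"], 16))
        for m in ENTRY_RE.finditer(section(report, "SSDT"))
    ]


def hooks_by_owner(hooks: list[SsdtHook]) -> dict[str, list[str]]:
    """Group hooked function names by the image RootRepeal blamed for them."""
    grouped: dict[str, list[str]] = {}
    for h in hooks:
        grouped.setdefault(h.owner, []).append(h.function)
    return grouped


def address_clusters(hooks: list[SsdtHook], span: int = 0x10000) -> list[list[SsdtHook]]:
    """Group hooks whose handler addresses lie within `span` bytes of each other.

    Handlers that sit in one small address range almost always belong to one
    loaded image, so a cluster of "<unknown>" hooks can be treated as a single
    module to identify rather than several independent findings.
    """
    clusters: list[list[SsdtHook]] = []
    for h in sorted(hooks, key=lambda x: x.address):
        if clusters and h.address - clusters[-1][0].address < span:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def unresolved(hooks: list[SsdtHook]) -> list[SsdtHook]:
    """Hooks a responder still has to attribute before calling the host clean."""
    return [h for h in hooks if not h.resolved]


if __name__ == "__main__":
    found = parse_ssdt(SAMPLE_REPORT)
    for owner, funcs in hooks_by_owner(found).items():
        print(f"{owner}: {', '.join(funcs)}")
    for cluster in address_clusters(unresolved(found)):
        lo, hi = cluster[0].address, cluster[-1].address
        print(f"unresolved cluster 0x{lo:08x}-0x{hi:08x}: {len(cluster)} hook(s)")
```

An unresolved owner is not proof of a rootkit on its own, since a resident security product hooks the service table too; it is simply what still has to be accounted for before the host is called clean.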


#9 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 02 October 2009 - 03:22 PM

Step_By_Step,

You will need to have your Operating system disk handy for this.

Click start, then run.

In the run box, put sfc /scannow (be sure to include the space)

Let it run and let me know how it goes.

Tomk


#10 Step_By_Step (Authentic Member, 66 posts)

Posted 02 October 2009 - 03:32 PM

Hi Tomk: Thank you for the timely reply. I ran System File Checker. I guess it went OK.



#11 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 02 October 2009 - 03:35 PM

Step_By_Step,

It found no file errors? That's good but I expected it to replace comres.dll.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Then let's see if we can get an online scan. Be prepared. This will take hours.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Tomk


#12 Step_By_Step (Authentic Member, 66 posts)

Posted 02 October 2009 - 04:36 PM

Hi Tomk:
As you may recall (See post 1) I already had "Malwarebytes' Anti-Malware". I ran it again (hoping that the latest updates would help) and the results follow:


Malwarebytes' Anti-Malware 1.41
Database version: 2896
Windows 5.0.2195 Service Pack 4

10/2/2009 6:40:07 PM
mbam-log-2009-10-02 (18-40-07).txt

Scan type: Quick Scan
Objects scanned: 79909
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Step_By_Step, 02 October 2009 - 04:41 PM.


#13 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 04 October 2009 - 10:04 PM

Step_By_Step, How about Kaspersky?

Tomk


#14 Step_By_Step (Authentic Member, 66 posts)

Posted 05 October 2009 - 02:22 PM

Hi Tomk: Sorry, I forgot to post the following:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 3, 2009
Operating system: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 03, 2009 07:56:51
Records in database: 2896194
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 91627
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:40:15

No threats found. Scanned area is clean.

Selected area has been scanned.

#15 Tomk (Beguilement Monitor, Classroom Admin, 20,150 posts)

Posted 05 October 2009 - 07:08 PM

Step_By_Step,

I'm just not seeing any malware.

Let's try this:

Download HostsXpert v4.3 and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection.
  • Exit the program.
Visit the Website for more information.

Then give it a test drive and describe your current symptoms.

Tomk