[Resolved] Problem with Win32/renos.n


  • This topic is locked
7 replies to this topic

#1 gimmick (New Member, 4 posts)

Posted 30 September 2009 - 12:35 PM

Hi, I found this forum when searching the Internet for a solution to my problem! Since yesterday I suddenly get constant warnings from Windows Defender about Trojan:win32/renos.n and the alert level is high. I click "remove all" and Defender works a few seconds, but then in an hour or so the same message pops up again. I have run a full system scan with Defender and my F-Prot Antivirus program but they say the system is clean. I followed your guidelines for new members, ran and attached the files to this post (attach.txt only as an attachment; DDS.txt and RootRepeal.txt are in this text). I understand renos.n is spying on logins etc. and now I am afraid to log in to my bank or use my credit card online, which I use daily. Any help would be highly appreciated.

Kim

DDS (Ver_09-06-26.01) - NTFSx86
Run by Kim Wist at 21:41:58,41 on ke 30.09.2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2102 [GMT 3:00]

AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kim Wist\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.mbnet.fi/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Software4u-UpdateServer] c:\program files\software4u\registry cleanup 2008\Software4u.UpdateServer.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Muutavalikkoa - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: RF Työkalupalkki - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Tallenna lomakkeet - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Täytä lomakkeet - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235408705107
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\kimwis~1\appdata\roaming\mozilla\firefox\profiles\03152zjq.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2009-8-31 682840]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-2-24 150568]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-2-24 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-24 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-24 72728]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-2-23 36864]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-2-23 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-2-24 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-24 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-24 72728]

=============== Created Last 30 ================

2009-09-30 21:39 <DIR> --d----- c:\users\kim wist\regBackup
2009-09-30 20:52 <DIR> --d----- c:\program files\Microsoft
2009-09-30 20:52 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-09-30 20:51 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-09-30 20:46 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-30 19:22 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-30 11:53 12,218 a------- c:\windows\system32\msdx92.dll
2009-09-30 11:53 <DIR> --d----- c:\programdata\Software4u
2009-09-30 11:53 <DIR> --d----- c:\progra~2\Software4u
2009-09-30 11:53 <DIR> --d----- c:\users\kimwis~1\appdata\roaming\Software4u
2009-09-29 17:11 158,208 a------- c:\windows\msa.exe
2009-09-29 16:40 <DIR> --d----- C:\cygwin
2009-09-29 16:39 <DIR> --d----- c:\users\kimwis~1\appdata\roaming\e
2009-09-29 11:00 <DIR> --d----- c:\program files\iPod
2009-09-29 11:00 <DIR> --d----- c:\program files\iTunes
2009-09-27 13:22 <DIR> --d----- c:\programdata\FLEXnet
2009-09-27 13:12 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-09-20 12:15 23 a------- c:\windows\SWFDecompiler.INI
2009-09-20 12:15 <DIR> --d----- c:\program files\common files\SourceTec
2009-09-20 12:15 <DIR> --d----- c:\program files\SourceTec
2009-09-19 21:29 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-09-19 21:29 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-09-19 21:29 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-09-19 21:29 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-09-19 21:29 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-09-19 21:29 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-09-19 21:29 38,912 -------- c:\windows\system32\picn20.dll
2009-09-19 21:29 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-09-19 20:42 <DIR> --d----- c:\programdata\DVD Shrink
2009-09-19 20:42 <DIR> --d----- c:\program files\DVD Shrink
2009-09-17 15:59 <DIR> --d----- c:\program files\Macromedia
2009-09-17 12:12 54,760 a------- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:12 54,760 a------- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:12 1,080 a------- c:\windows\system32\settingsbkup.sfm
2009-09-17 12:12 1,080 a------- c:\windows\system32\settings.sfm
2009-09-17 12:12 788 a------- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-17 11:47 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-17 10:04 1,362,944 a------- c:\windows\system32\wbem\cimwin32.dll
2009-09-15 12:10 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-15 12:10 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-15 12:10 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 12:10 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 12:10 <DIR> --d----- c:\program files\Bonjour
2009-09-15 12:09 <DIR> --d----- c:\programdata\Apple Computer
2009-09-13 00:30 <DIR> --d----- c:\windows\CheckSur
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-02 22:11 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 22:11 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 14:04 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-01 10:56 <DIR> --d----- c:\windows\system32\xlive

==================== Find3M ====================

2009-09-27 14:04 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-09-17 15:59 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-17 15:59 86,016 a------- c:\windows\inf\infstor.dat
2009-09-17 15:59 51,200 a------- c:\windows\inf\infpub.dat
2009-09-17 12:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-17 12:10 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-09-17 12:10 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-08-29 05:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-29 05:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-29 05:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-29 05:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-27 16:25 682,840 a------- c:\windows\system32\drivers\FStopW.sys
2009-08-14 19:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 18:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 16:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 16:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 16:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 16:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 16:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 16:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 16:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 16:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 16:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-07-22 00:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-22 00:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-22 00:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 23:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 16:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 15:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 15:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 15:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 15:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 22:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 22:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 22:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 22:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 20:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-07-10 12:15 306,544 a------- c:\windows\WLXPGSS.SCR
2009-02-25 20:13 174 a--sh--- c:\program files\desktop.ini
2006-11-02 15:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 15:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-06-24 09:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2009-06-11 14:52 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-11 14:52 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-11 14:52 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-11 14:52 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-26 00:11 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-02-26 00:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009022520090226\index.dat

============= FINISH: 21:42:42,05 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 21:46
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x955C3000
Size: 32768
File Visible: No
Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x955B8000
Size: 45056
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA0190000
Size: 49152
File Visible: No
Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4
Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1228
Status: Locked to the Windows API!

==EOF==


Edited by gimmick, 30 September 2009 - 12:57 PM.
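The helpers on this forum read the "Created Last 30" section of a DDS log by eye, looking for executables that appeared in odd places right around the time the symptoms started. The script below is an added example (not a DDS feature and not code from this thread) that automates that first pass: it parses entries in the DDS layout and flags binaries created directly in the Windows root or System32 on or after the day the user says the warnings began. The sample lines are constructed from paths in the log above; the watched directories, the extension list and the one-day slack before the onset date are this example's own heuristics, not anything DDS defines.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

# Constructed sample in the shape of the DDS "Created Last 30" section
# (paths copied from the log above; benign and suspicious entries mixed).
SAMPLE_CREATED_LAST_30 = """\
2009-09-30 21:39 <DIR> --d----- c:\\users\\kim wist\\regBackup
2009-09-30 11:53 12,218 a------- c:\\windows\\system32\\msdx92.dll
2009-09-29 17:11 158,208 a------- c:\\windows\\msa.exe
2009-09-29 16:40 <DIR> --d----- C:\\cygwin
2009-09-19 21:29 155,648 a------- c:\\windows\\system32\\NeroCheck.exe
2009-09-17 10:04 1,362,944 a------- c:\\windows\\system32\\wbem\\cimwin32.dll
2009-09-05 01:54 94,208 a------- c:\\windows\\system32\\QuickTimeVR.qtx
"""

# One DDS entry: date, time, size (or <DIR>), 8-char attribute string, path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Heuristic (this example's assumption): a fresh executable dropped straight
# into these directories deserves a look. Windows Update writes to system32
# too, which is why the creation date is part of the rule, not just the path.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}
BINARY_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_created_last_30(text: str) -> List[Entry]:
    """Parse one DDS entry per line; lines that do not match the layout are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(Entry(created, size, m["attrs"], m["path"]))
    return entries


def flag_dropped_binaries(entries: List[Entry], onset: date, slack_days: int = 1) -> List[Entry]:
    """Return files that are executables, sit directly in a watched directory,
    and were created no earlier than `slack_days` before the symptoms began."""
    earliest = onset - timedelta(days=slack_days)
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        parent = ntpath.dirname(e.path).lower().rstrip("\\")
        ext = ntpath.splitext(e.path)[1].lower()
        if parent in WATCHED_DIRS and ext in BINARY_EXTS and e.created.date() >= earliest:
            flagged.append(e)
    return flagged


def triage(text: str, onset_iso: str) -> List[str]:
    """Convenience wrapper: onset as an ISO date string, result as a list of paths."""
    entries = parse_created_last_30(text)
    return [e.path for e in flag_dropped_binaries(entries, date.fromisoformat(onset_iso))]


if __name__ == "__main__":
    # The post says the warnings began "since yesterday" on 30 September 2009.
    for path in triage(SAMPLE_CREATED_LAST_30, "2009-09-29"):
        print("review:", path)
```

On the sample, the rule surfaces `c:\windows\msa.exe` and `c:\windows\system32\msdx92.dll` and leaves the older Nero and QuickTime files alone; the later Defender log in this thread names `C:\Windows\msa.exe` as the container file it removed. A flag is a prompt to look at the file (signature, hash, what loads it), not a verdict: legitimate installers do sometimes drop into these directories.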



#2 gimmick (New Member, 4 posts)

Posted 01 October 2009 - 02:39 AM

This case seems to be resolved and I get no more warnings from Defender. I went to the Microsoft Defender site and found a 10 MB update file for Windows Defender. Microsoft recommended this package against recent threats. I installed the package, ran Defender and it found the infections and removed them successfully. The weird thing is, I have Defender set to run every day and monitor constantly and also to update itself every day... Anyway, here is the log from Defender of the files it removed:

Resources:
file: C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
file: C:\Windows\System32\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}
file: C:\Windows\msa.exe->(UPX)
taskscheduler: C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
taskscheduler: C:\Windows\System32\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}
containerfile: C:\Windows\msa.exe

If there are any further actions I need to take, I would appreciate any help.

Thanks
Kim

#3 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 03 October 2009 - 09:21 PM

Hi,

Please run the following scans to make sure there are no remnants.

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#4 gimmick (New Member, 4 posts)

Posted 06 October 2009 - 09:19 AM

Here are the scan results from both Malwarebytes and Kaspersky. The Kaspersky report is an HTML file and is added as an attachment. Some infections were found, but I don't know if they are bad or harmless; one surprising infected mp3 file was found with Kaspersky... One thing is strange: I have Perfect Optimizer, which I use to clean up my system from time to time, and both Windows Defender and Malwarebytes think it's a high-risk malware and delete it in the scan... It is a purchased program and when looking into this problem I found a site on the Internet that stated the program is clean. It would be nice to know what the case is with that program.

Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 6.0.6002 Service Pack 2

6.10.2009 15:07:32
mbam-log-2009-10-06 (15-07-32).txt

Scan type: Quick Scan
Objects scanned: 86205
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PerfectOptimizer.exe (Rogue.PerfectOptimzier) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Miracle (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#5 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 06 October 2009 - 09:50 AM

Hi,

Generally, when Malwarebytes labels a program as "rogue" it means they have done extensive testing of the product and in their estimation it doesn't live up to its claims. That doesn't necessarily make it a 'bad' program in itself, but I have read more complaints about the program than decent reviews, so you should make up your own mind as to whether you wish to keep this program or not. Reinstall it from the disk if you wish.

I would delete the mp3 file found to be infected by Kaspersky.

Please do the following:

Press Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "D:\Laulujutut\Netistä\rehab amy whinhouse sexy girl has shaking orgasm during sex.mp3"

Next:

your Java needs updating

Go to Start > Control Panel > Java > Update Tab > Update Now

The rest of your log appears clean.

You can delete the DDS and RootRepeal logs from your desktop. Keep MalwareBytes, it is a good program to have, update it frequently and run it.

delete any remaining logs from your desktop.


NEXT

set new restore point:

  • Close and save any documents that you may have open.
  • Open up the Start Menu and right-click on "Computer", and then select "Properties"
  • This will take you into the System area of Control Panel. Click on the "Advanced system settings" on the left hand side.
  • Now select the "System Protection" tab to get to the System Restore section.
  • Click the "Create" button to create a new restore point. You'll be prompted for a name, and you might want to give it a useful name that you'll be able to easily identify later.
  • Click the Create button, and then the system will create the restore point.
  • When it's all finished, you'll get a message saying it's completed successfully.
  • You will now have a new restore point

Then remove all previous Restore Points
  • Click Start Menu > Run > copy and paste
  • cleanmgr into the run box
  • At the top, click on the More Options tab, under System Restore and Shadow Copies group,
  • Click the Clean up button,
  • Vista will ask you if you’re sure, click on Yes button.
  • When finished, click on Cancel button to exit.


NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Please read these useful guides How did I get infected in the first place?
  • PC Safety and Security--What Do I Need?
  • miekiemoes' Prevention topic.


Thank you for your patience, and performing all of the procedures requested.

Please respond to this thread one more time so we can mark this thread as resolved.

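The MVPS Hosts recommendation above works because the resolver consults the HOSTS file before DNS, so any name the file maps to 127.0.0.1 (or 0.0.0.0, as newer block lists use) never leaves the machine. The following is an added example, not code from this thread or from the MVPS project, that implements that lookup the way a resolver reads the file and makes its one real limitation visible: matching is exact, so a subdomain that is not listed is not blocked. The sample file is constructed for the example; the `.invalid` names are placeholders, and the "first entry wins" choice for duplicate names is this example's assumption.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the layout of a blocking HOSTS file (not the MVPS file
# itself): comments, the usual localhost lines, unwanted sites sunk to
# 127.0.0.1 as the post describes or to 0.0.0.0, and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example-tracker.invalid          # ad server
127.0.0.1  evil.example.invalid www.evil.example.invalid
0.0.0.0    malware.example.invalid
not-an-address  broken.example.invalid
"""

# Addresses that keep the connection on the local machine or send it nowhere.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in the file (lower-cased) to the address it is given.

    Hosts-file rules applied here: '#' starts a comment, whitespace separates
    fields, one address may be followed by several names, and the first entry
    for a name is kept (this example's assumption for duplicate names)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: skip it rather than guess
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def is_blackholed(table: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file short-circuits `hostname` to the local machine.

    Matching is exact: a hosts file has no wildcards, so a subdomain that is
    not listed (e.g. cdn.evil.example.invalid) still resolves through DNS."""
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False  # legitimately local, not a block entry
    return table.get(name) in BLACKHOLE_ADDRS


def blocked_hosts(table: Dict[str, str]) -> List[str]:
    """Sorted list of every name the file blocks, for reviewing a list before installing it."""
    return sorted(n for n in table if is_blackholed(table, n))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.evil.example.invalid", "cdn.evil.example.invalid", "localhost"):
        print(f"{name}: {'blocked' if is_blackholed(hosts, name) else 'resolves normally'}")
```

The `cdn.evil.example.invalid` case is the one to remember: a hosts file only covers names someone wrote into it, which is why the post pairs it with a browser-side tool such as WOT rather than relying on it alone.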


#6 gimmick (New Member, 4 posts)

Posted 07 October 2009 - 02:40 PM

A big thanks for this thorough explanation and help :notworthy: I did all that was asked and I'm a lot better off now. Nice to have someone selflessly doing this very important work.

#7 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 07 October 2009 - 02:47 PM

You are more than welcome, stay safe :wavey: ~CB



#8 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 07 October 2009 - 02:49 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
