Author Topic: Unable to remove virus  (Read 29120 times)


fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #15 on: August 18, 2009, 07:51:22 PM »

fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #16 on: August 18, 2009, 07:59:07 PM »
Here's the malware log

Malwarebytes' Anti-Malware 1.40
Database version: 2616
Windows 5.1.2600 Service Pack 2 (Safe Mode)

18/08/2009 18:57:50
mbam-log-2009-08-18 (18-57-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164488
Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pc antispyware 2010 (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> No action taken.

Files Infected:
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.Multiple) -> No action taken.
C:\Avenger\_scui.cpl (Rogue.HomeAntiVirus) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PJQOZLCM\Install[1].exe (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.AntiVirusPro2009) -> No action taken.
C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.HomeAntiVirus) -> No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004060.sys (Trojan.KillAV) -> No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004064.sys (Trojan.KillAV) -> No action taken.
C:\System Volume Information\_restore{E0FB2674-B7A1-4288-A016-D54A04472150}\RP1\A0004065.sys (Trojan.KillAV) -> No action taken.
C:\WINDOWS\system32\wisdstr.exe (Rogue.PC_Antispyware2010) -> No action taken.
C:\WINDOWS\system32\_scui.cpl (Rogue.HomeAntiVirus) -> No action taken.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> No action taken.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> No action taken.
C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.cfg (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> No action taken.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\BN8.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88142
  • No support PMs thanks
Re: Unable to remove virus
« Reply #17 on: August 18, 2009, 08:18:52 PM »
We meant the one that was in the system32 folder, where it shouldn't be. We wanted you to upload it to VirusTotal first for confirmation and to post the link to the results.

This is the one and it is still reported in HJT:
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

So you need to fix this entry, though you should first have scanned it at VT and given the results.

The RootRepeal log is still unreadable. Once you have completed the scan, select Save As, and that should just give a plain text file and not use special characters.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
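A defender-side triage of HijackThis O4 lines that automates the check DavidR describes above: a well-known Windows binary name launched from a folder where that binary does not live. This is an added example, not code from the thread, from HijackThis or from Avast; the EXPECTED_HOME table and the sample lines (constructed from the O4 entries quoted in this thread) are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Where each impersonated Windows XP binary legitimately lives. Assumed
# values for this example (regedit.exe sits in %SystemRoot%, not in
# system32, which is the point made above); extend as needed.
EXPECTED_HOME = {
    "regedit.exe": r"C:\WINDOWS",
    "explorer.exe": r"C:\WINDOWS",
    "svchost.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
}

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# Constructed sample input: the three O4 lines quoted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe",
    r'O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide',
    r"O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')",
]


def target_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command, or None if HJT printed no command."""
    cmd = cmd.strip()
    if not cmd or cmd.startswith("("):      # only an annotation such as "(User 'SYSTEM')" remains
        return None
    if cmd.startswith('"'):                 # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    return cmd.split()[0]                   # unquoted path: first whitespace-delimited token


def triage_o4(line: str) -> Optional[dict]:
    """Classify one O4 line; returns None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    target = target_path(m["cmd"])
    directory = None
    if target is None:
        verdict = "no-target"               # value present but no command to inspect
    else:
        p = PureWindowsPath(target)
        home = EXPECTED_HOME.get(p.name.lower())
        directory = str(p.parent)
        if home is None:
            verdict = "unknown-binary"      # not a name we track: needs VT / manual review
        elif directory.lower() == home.lower():
            verdict = "expected-location"
        else:
            verdict = "misplaced-system-binary"  # known name running from the wrong folder
    return {"hive": m["hive"], "name": m["name"], "target": target,
            "directory": directory, "verdict": verdict}


def triage_lines(lines):
    """Triage every O4 line in an HJT log excerpt, skipping non-O4 lines."""
    return [r for r in (triage_o4(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for r in triage_lines(SAMPLE_O4_LINES):
        print(f"{r['verdict']:25} [{r['name']}] {r['target']}")
```

The "misplaced-system-binary" verdict is the one to hand to VirusTotal before fixing the entry; "unknown-binary" and "no-target" entries still need a human look.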

micky77

  • Guest
Re: Unable to remove virus
« Reply #18 on: August 18, 2009, 08:25:36 PM »
Also, you seem to be running everything in safe mode; is that out of necessity or choice? That could explain the garbled RootRepeal log.

fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #19 on: August 19, 2009, 07:52:00 PM »
Yeah, I'm running safe mode out of necessity, as I cannot boot Windows normally. Here are the details of the RootRepeal log; it will probably take at least two posts:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/08/18 18:47
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF77C7000   Size: 187776   File Visible: -   Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000   Size: 2180992   File Visible: -   Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF724B000   Size: 138496   File Visible: -   Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF7946000   Size: 41664   File Visible: -   Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7759000   Size: 95360   File Visible: -   Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF7C2E000   Size: 16384   File Visible: -   Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF74BB000   Size: 604928   File Visible: -   Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7C26000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF79F6000   Size: 63744   File Visible: -   Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF78A6000   Size: 49536   File Visible: -   Signed: -
Status: -

Name: cercsr6.sys
Image Path: cercsr6.sys
Address: 0xF7AA6000   Size: 29120   File Visible: -   Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7856000   Size: 53248   File Visible: -   Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF7C2A000   Size: 9344   File Visible: -   Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7846000   Size: 36352   File Visible: -   Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7771000   Size: 153344   File Visible: -   Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7D1C000   Size: 5888   File Visible: -   Signed: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF76FB000   Size: 85952   File Visible: -   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF70A8000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D44000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF73A4000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C1000   Size: 73728   File Visible: -   Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7E51000   Size: 4096   File Visible: -   Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7722000   Size: 124800   File Visible: -   Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7D34000   Size: 7936   File Visible: -   Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7797000   Size: 125056   File Visible: -   Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF78C6000   Size: 40960   File Visible: -   Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000   Size: 131968   File Visible: -   Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF7572000   Size: 155648   File Visible: -   Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF7976000   Size: 36864   File Visible: -   Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7BFE000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF7404000   Size: 9600   File Visible: -   Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7886000   Size: 52736   File Visible: -   Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7896000   Size: 41856   File Visible: -   Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7D1A000   Size: 5504   File Visible: -   Signed: -
Status: -

Name: Ip6Fw.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
Address: 0xF7BC6000   Size: 29056   File Visible: -   Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF72CC000   Size: 134912   File Visible: -   Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF7345000   Size: 74752   File Visible: -   Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7816000   Size: 35840   File Visible: -   Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7ADE000   Size: 24576   File Visible: -   Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF7CFA000   Size: 14848   File Visible: -   Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7D16000   Size: 8192   File Visible: -   Signed: -
Status: -


fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #20 on: August 19, 2009, 07:52:55 PM »
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF7469000   Size: 143360   File Visible: -   Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF76E4000   Size: 92032   File Visible: -   Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7AD6000   Size: 23040   File Visible: -   Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7826000   Size: 42240   File Visible: -   Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF7110000   Size: 451456   File Visible: -   Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7B8E000   Size: 19072   File Visible: -   Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7906000   Size: 35072   File Visible: -   Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7CEA000   Size: 15488   File Visible: -   Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF75F1000   Size: 107904   File Visible: -   Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF760C000   Size: 182912   File Visible: -   Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7CC6000   Size: 9600   File Visible: -   Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF6BC0000   Size: 12928   File Visible: -   Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7452000   Size: 91776   File Visible: -   Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7926000   Size: 38016   File Visible: -   Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7956000   Size: 34560   File Visible: -   Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF72A4000   Size: 162816   File Visible: -   Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7B9E000   Size: 30848   File Visible: -   Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0x86E86000   Size: 574592   File Visible: -   Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000   Size: 2180992   File Visible: -   Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7EB8000   Size: 2944   File Visible: -   Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7A9E000   Size: 18688   File Visible: -   Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF77B6000   Size: 68224   File Visible: -   Signed: -
Status: -

Name: PCIIde.sys
Image Path: PCIIde.sys
Address: 0xF7DDE000   Size: 3328   File Visible: -   Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS
Address: 0xF7A96000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000   Size: 2180992   File Visible: -   Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF7441000   Size: 69120   File Visible: -   Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF7B26000   Size: 17792   File Visible: -   Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7866000   Size: 35712   File Visible: -   Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF75AC000   Size: 8832   File Visible: -   Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF78D6000   Size: 51328   File Visible: -   Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF78E6000   Size: 41472   File Visible: -   Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF78F6000   Size: 48384   File Visible: -   Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7B36000   Size: 16512   File Visible: -   Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000   Size: 2180992   File Visible: -   Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF717F000   Size: 176512   File Visible: -   Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7D38000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF7410000   Size: 196864   File Visible: -   Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF78B6000   Size: 57472   File Visible: -   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6715000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF7741000   Size: 98304   File Visible: -   Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7710000   Size: 73472   File Visible: -   Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF69D5000   Size: 336256   File Visible: -   Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF7D24000   Size: 5568   File Visible: -   Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF7B76000   Size: 23488   File Visible: -   Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7D2A000   Size: 4352   File Visible: -   Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF748C000   Size: 191872   File Visible: -   Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF72ED000   Size: 359040   File Visible: -   Signed: -
Status: -

Name: tcpip6.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip6.sys
Address: 0xF726D000   Size: 223616   File Visible: -   Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7B16000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7916000   Size: 40704   File Visible: -   Signed: -
Status: -

Name: tunmp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tunmp.sys
Address: 0xF7CAA000   Size: 12416   File Visible: -   Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF73B4000   Size: 209408   File Visible: -   Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF7BDE000   Size: 31616   File Visible: -   Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7D20000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7AC6000   Size: 26624   File Visible: -   Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7936000   Size: 57600   File Visible: -   Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF754F000   Size: 143360   File Visible: -   Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF7ABE000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7B7E000   Size: 20992   File Visible: -   Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF7378000   Size: 81920   File Visible: -   Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7836000   Size: 52352   File Visible: -   Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7C1E000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000   Size: 1839104   File Visible: -   Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000   Size: 1839104   File Visible: -   Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7D18000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000   Size: 2180992   File Visible: -   Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF76D1000   Size: 77568   File Visible: -   Signed: -
Status: -


fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #21 on: August 19, 2009, 09:16:16 PM »
Weirdly, I'm not getting any regedit.exe file appearing in my system32 folder. I've checked hidden files to ensure it is not in the background, and no luck.
When I do a search for "regedit" I get a number of results, but none in that folder (mostly in C:\Windows). Should I just fix the entry?
I've attached a screenshot of the search.

micky77

  • Guest
Re: Unable to remove virus
« Reply #22 on: August 19, 2009, 09:23:20 PM »
When you ran RootRepeal, did you click 'Report' > 'Scan', tick all boxes > 'OK' > C drive > 'OK'?

« Last Edit: August 19, 2009, 09:25:46 PM by micky77 »

YoKenny

  • Guest
Re: Unable to remove virus
« Reply #23 on: August 19, 2009, 10:04:35 PM »
Isn't it funny when people find their system infected and they are still running Windows SP2, when SP3, which contains many critical security fixes and even performance enhancements, has been available for over a year.

micky77

  • Guest
Re: Unable to remove virus
« Reply #24 on: August 19, 2009, 10:15:59 PM »
Isn't it funny when people find their system infected and they are still running Windows SP2.
Your theory with SP3 is ridiculous. People get infected for obvious reasons. Having SP2 is way down the list. Your input is not helpful and snidey.

fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #25 on: August 20, 2009, 12:09:53 AM »
I hadn't! Here are the results after following your instructions:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/08/19 22:59
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF70A8000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D48000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6AF8000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\perflib_perfdata_24c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\fergus brett\local settings\temp\perflib_perfdata_2a0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Fergus Brett\Local Settings\Application Data\Mozilla\Firefox\Profiles\3nd9tlup.default\Cache\2FA9F436d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Fergus Brett\Local Settings\Application Data\Mozilla\Firefox\Profiles\3nd9tlup.default\Cache\F6A840F6d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Fergus Brett\Local Settings\Application Data\Mozilla\Firefox\Profiles\3nd9tlup.default\Cache\FAB4475Fd01
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1384)   Address: 0x01000000   Size: 20480

==EOF==

YoKenny

  • Guest
Re: Unable to remove virus
« Reply #26 on: August 20, 2009, 02:32:51 AM »
Isn't it funny when people find their system infected and they are still running Windows SP2.
Your theory with SP3 is ridiculous. People get infected for obvious reasons. Having SP2 is way down the list. Your input is not helpful and snidey.
I was trying to be helpful.

micky77

  • Guest
Re: Unable to remove virus
« Reply #27 on: August 20, 2009, 09:33:33 AM »
Well, the RootRepeal log has some odd entries in hidden/locked files. I think what I would do now is fix the regedit entry with HJT (C:\WINDOWS\system32\regedit.exe). This can be reversed if necessary. Then try MBAM again and fix any findings.
Then see if there is any improvement. I also think you should try something else. I was going to suggest Combofix, but I am not too familiar with it, and it could go wrong.
So you could try the Avira rescue disc. See here: http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130
Sorry we are not making much headway.
« Last Edit: August 20, 2009, 09:47:35 AM by micky77 »

micky77

  • Guest
Re: Unable to remove virus
« Reply #28 on: August 20, 2009, 07:51:24 PM »
I notice in your last HJT log that 3 entries I asked you to fix either returned or were not fixed:

C:\WINDOWS\system32\braviax.exe

O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide

O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')

Did you definitely 'fix' them using HJT?

Also, Avast should now be able to detect braviax, from today: http://forum.avast.com/index.php?topic=47798.msg403133#msg403133

So run HJT again and fix the regedit entry and any entries that have returned.
Then MalwareBytes.
I have read another forum where someone is reporting the same as you: http://myantispyware.com/forum/post11187.html
So please try SDFix as well, and post the log (it's not as complicated as it looks):
http://www.bleepingcomputer.com/forums/topic131299.html
« Last Edit: August 20, 2009, 08:15:55 PM by micky77 »

fergusbrett

  • Guest
Re: Unable to remove virus
« Reply #29 on: August 20, 2009, 08:37:53 PM »
One of these entries does not seem to appear in the list, even though it does appear in the log file. This one:
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
The others seem to return, with the possible exception of the malware 2010 one, which I may have missed. Also, the regedit.exe file returns (possibly after reboot).
I'm running an Avast virus scan now; it is unable to move to chest (due to being in safe mode, perhaps?), so I am deleting the viruses it finds altogether...
I ran malware and fixed the findings; it gave me a warning that some had not been fixed and would only be fixed on reboot, so I rebooted in safe mode and am scanning again. (So far only 3 infected items found this time, as opposed to 51 that I fixed before reboot.)