78 replies to this topic

[musicshouldbefree101]

Recently I've been noticing issues with my computer. It first happened when I got an alert that my Windows firewall was disabled. So I enabled it. After that, I opened up malwarebytes and updated it. I did a scan and it came up negative. I then opened avg and did an update. Then I did a scan on it. It took about 2 hours or so but it also came up negative.


I know something is up b/c I have popup killer on my computer and I can hear windows being killed in the background ever so often. This never happened before. I then tried hijack this, but it would open start for a second then close. I tried opening it again but it gave me an alert that I don't have permission. I then tried to reopen malwarebytes to run another scan but it would not run. I went to the c: directory to rename it. Then I tried again. It opened for a second, then close, like what happened with the hijackthis program.

I started another topic earlier which is less specific, and if possible, could an admin close it. This is a more detail description of my issue. Thank you for your help.

[SpySentinel]

Hi musicshouldbefree101, Welcome to Malwarebytes


Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[musicshouldbefree101]

Hi,

I rename combofix before it downloaded to combo-fix. then i put it on my infected computer. i disabled avg and proceeded to run combo-fix. it loaded up and gave me the green status bar after that it stopped and nothing else happen.

[SpySentinel]

Hi,

Please navigate to C:\ComboFix and there should be a log, please post it.

[musicshouldbefree101]

There is nothing there. When I ran combofix, the green progress bar came up, all my desktop icons flashed once and that was it. I went to that directory and there was no log file.

[SpySentinel]

The infection you have is preventing CF from running.


Please download this tool by sUBs, and save it to your desktop.

• Close any applications that you have open, as your computer will be rebooted
  
• Double click +++.exe to run the tool
  
• When it has run it will reboot your computer, you may then delete the tool

Then please delete the ComboFix on your desktop then:


Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[musicshouldbefree101]

Hi spysentinel,

I just wanted to say thanks for taking the time to help. I d/l +++ and transferred it the the infected computer. I double clicked on the icon and it said it may need to restart my computer. It, however, did not. It then said that my computer is not infected. But I know it is b/c I can't access any scans and I can hear pop up windows being killed by my pop up killer.

Well, anyway, I also redownloaded combo-fix. I changed the name before d/l and then tried to run it. The same thing happen. It would not run. I'm not sure what to do.

[SpySentinel]

Yes the Not being infected message is a know issue.


Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

• Click on the Log tab.
  
• In the Write to log box select all items.
  
• Click on the Create Log button on the bottom right.
  
• After a few seconds a new Window should appear.
  
• Make sure Scan all drives is selected and click on the Start button.
  
• When it is complete a new Window will appear to indicate that the scan is finished.
  
• The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

[musicshouldbefree101]

I downloaded it and ran it. Below is the log file.

SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 564
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 636
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 660
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 720
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 872
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 996
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1124
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1496
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1572
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1652
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PID: 1792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1840
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 2016
Hidden: No
Window Visible: No

Name: C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe
PID: 276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\msa.exe
PID: 480
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 884
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1092
Hidden: No
Window Visible: No

Name: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1492
Hidden: No
Window Visible: No

Name: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
PID: 1608
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1752
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 424
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 448
Hidden: No
Window Visible: No

Name: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PID: 496
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 624
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\java.exe
PID: 2228
Hidden: No
Window Visible: No

Name: C:\Program Files\PopUp Killer\PopUpKiller.exe
PID: 3240
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 3252
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3804
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3732
Hidden: No
Window Visible: No

Name: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 444
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Dave Huynh\Desktop\SysProt.exe
PID: 3552
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3964
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 216
Hidden: No
Window Visible: No

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: \systemroot\system32\drivers\SKYNETrsblnsrr.sys
Service Name: SKYNETiemlwerx
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \systemroot\system32\drivers\UACbxrmwcylkn.sys
Service Name: UACd.sys
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Dave Huynh\Desktop\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: F6B5A000
Module End: F6B65000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A61000
Module End: F7A63000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7971000
Module End: F7974000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7512000
Module End: F7540000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7A63000
Module End: F7A65000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7501000
Module End: F7512000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7561000
Module End: F756B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B29000
Module End: F7B2A000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F77E1000
Module End: F77E8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7571000
Module End: F757C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F74E2000
Module End: F7501000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F77E9000
Module End: F77EE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F7581000
Module End: F758E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F74CA000
Module End: F74E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7591000
Module End: F759A000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75A1000
Module End: F75AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F74AA000
Module End: F74CA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7498000
Module End: F74AA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F75B1000
Module End: F75BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7481000
Module End: F7498000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F73F4000
Module End: F7481000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F73C7000
Module End: F73F4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F73AD000
Module End: F73C7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F75C1000
Module End: F75CC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F7731000
Module End: F773A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F70CE000
Module End: F7203000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F70BA000
Module End: F70CE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F78D1000
Module End: F78D7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F7096000
Module End: F70BA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F78D9000
Module End: F78E1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F7064000
Module End: F7096000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F7041000
Module End: F7064000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F6F3D000
Module End: F7041000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F6EA2000
Module End: F6F3D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F78E1000
Module End: F78E9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\e1000325.sys
Service Name: E1000
Module Base: F6E84000
Module End: F6EA2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7741000
Module End: F774E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F78F1000
Module End: F78F7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7751000
Module End: F7761000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7A19000
Module End: F7A1D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6E70000
Module End: F6E84000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7761000
Module End: F7771000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS
Service Name: pwd_2k
Module Base: F6E51000
Module End: F6E70000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F7771000
Module End: F777B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F6DC3000
Module End: F6E51000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F6D9F000
Module End: F6DC3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7781000
Module End: F7790000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys
Service Name: aeaudio
Module Base: F7A87000
Module End: F7A89000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7BFE000
Module End: F7BFF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7791000
Module End: F779E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7A1D000
Module End: F7A20000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6D88000
Module End: F6D9F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F77A1000
Module End: F77AC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F77B1000
Module End: F77BD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F78F9000
Module End: F78FE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6D77000
Module End: F6D88000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F77C1000
Module End: F77CA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7901000
Module End: F7906000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7909000
Module End: F790E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F77D1000
Module End: F77DB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7911000
Module End: F7917000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7A89000
Module End: F7A8B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F5F7A000
Module End: F5FD8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7A2D000
Module End: F7A31000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\dvd_2K.SYS
Service Name: dvd_2K
Module Base: F7919000
Module End: F791E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F75E1000
Module End: F75EB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F75F1000
Module End: F7600000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7A91000
Module End: F7A93000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F7921000
Module End: F7926000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS
Service Name: Cdr4_xp
Module Base: F7B33000
Module End: F7B34000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Service Name: Cdralw2k
Module Base: F7B2D000
Module End: F7B2E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7A93000
Module End: F7A95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7B2F000
Module End: F7B30000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7931000
Module End: F7937000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7A95000
Module End: F7A97000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7A97000
Module End: F7A99000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS
Service Name: cdudf_xp
Module Base: ECD27000
Module End: ECD62000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7939000
Module End: F793E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7941000
Module End: F7949000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: F7207000
Module End: F720A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7621000
Module End: F762A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7949000
Module End: F7950000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS
Service Name: UdfReadr_xp
Module Base: ECCA8000
Module End: ECCDB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7203000
Module End: F7206000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: ECC5B000
Module End: ECC6E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: ECC02000
Module End: ECC5B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdix.sys
Service Name: AvgTdiX
Module Base: ECBE9000
Module End: ECC02000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: ECBC1000
Module End: ECBE9000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: ECB9F000
Module End: ECBC1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7631000
Module End: F763A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: ECB74000
Module End: ECB9F000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Service Name: OMCI
Module Base: F79F9000
Module End: F79FD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: ECB04000
Module End: ECB74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: ECAD1000
Module End: ECB04000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: ECAAB000
Module End: ECAD1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7681000
Module End: F768C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7691000
Module End: F769A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F7951000
Module End: F7958000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F7959000
Module End: F7960000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F7A09000
Module End: F7A0C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: F7961000
Module End: F7967000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: ECA5A000
Module End: ECAAB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: ECA0E000
Module End: ECA32000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EC9F6000
Module End: ECA0E000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AB3000
Module End: F7AB5000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F5F5E000
Module End: F5F61000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7801000
Module End: F7806000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B87000
Module End: F7B88000
Hidden: No

Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: F7841000
Module End: F7846000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: ECDC2000
Module End: ECDD1000
Hidden: Yes

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EC4A7000
Module End: EC4AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EB902000
Module End: EB917000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EBB27000
Module End: EBB36000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: EB8B4000
Module End: EB8DF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EB6EF000
Module End: EB71C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7B21000
Module End: F7B23000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: EB6CF000
Module End: EB6D2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EB55D000
Module End: EB5AF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: F6D36000
Module End: F6D77000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F78E9000
Module End: F78F0000
Hidden: No

********************************************************************************
**********
********************************************************************************
**********
No SSDT Hooks found

********************************************************************************
**********
********************************************************************************
**********
Kernel Hooks:
Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 86D09C7A
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 86CFA9DA
Module Name: _unknown_

Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 86ECC852
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 86CFA7CA
Module Name: _unknown_

********************************************************************************
**********
********************************************************************************
**********
No IRP Hooks found

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: DAVE.EARTHLINK.NET:1104
Remote Address: 78.46.213.91:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: SYN_SENT

Local Address: DAVE.EARTHLINK.NET:1103
Remote Address: 216.240.157.130:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: SYN_SENT

Local Address: DAVE.EARTHLINK.NET:1090
Remote Address: 8.17.64.86:HTTP
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: DAVE.EARTHLINK.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAVE:32000
Remote Address: LOCALHOST:31000
Type: TCP
Process: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
State: ESTABLISHED

Local Address: DAVE:32000
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
State: LISTENING

Local Address: DAVE:31000
Remote Address: LOCALHOST:32000
Type: TCP
Process: C:\WINDOWS\system32\java.exe
State: ESTABLISHED

Local Address: DAVE:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: DAVE:18080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: DAVE:13128
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: DAVE:10080
Remote Address: LOCALHOST:1102
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: DAVE:10080
Remote Address: LOCALHOST:1089
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: ESTABLISHED

Local Address: DAVE:10080
Remote Address: LOCALHOST:1086
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1084
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1082
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1078
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1076
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1074
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1072
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1070
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1068
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1066
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1064
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1060
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1058
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1056
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1054
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1052
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1049
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1044
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1040
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1038
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: LOCALHOST:1036
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:10080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
State: LISTENING

Local Address: DAVE:9481
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\java.exe
State: LISTENING

Local Address: DAVE:8888
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\java.exe
State: LISTENING

Local Address: DAVE:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: DAVE:2323
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\java.exe
State: LISTENING

Local Address: DAVE:1102
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\Documents and Settings\Dave Huynh\Desktop\SysProt.exe
State: ESTABLISHED

Local Address: DAVE:1089
Remote Address: LOCALHOST:10080
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: DAVE:1062
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:1042
Remote Address: LOCALHOST:10080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: DAVE:3261
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
State: LISTENING

Local Address: DAVE:3260
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
State: LISTENING

Local Address: DAVE:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DAVE:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: DAVE.EARTHLINK.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAVE.EARTHLINK.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE.EARTHLINK.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAVE.EARTHLINK.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DAVE.EARTHLINK.NET:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE:1100
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: DAVE:1094
Remote Address: NA
Type: UDP
Process: C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe
State: NA

Local Address: DAVE:1051
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\msa.exe
State: NA

Local Address: DAVE:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: DAVE:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE:64153
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE:58974
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAVE:57095
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: DAVE:8473
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\java.exe
State: NA

Local Address: DAVE:5353
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\java.exe
State: NA

Local Address: DAVE:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAVE:1028
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: DAVE:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: DAVE:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

********************************************************************************
**********
********************************************************************************
**********
Hidden files/folders:
Object: C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp
Status: Hidden

Object: C:\Documents and Settings\Dave Huynh\Local Settings\Temporary Internet Files\Content.IE5\FRMK4L5J\st[9]
Status: Hidden

Object: C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}
Status: Access denied

Object: C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys
Status: Hidden

Object: C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETaanpewbp.dll
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETboequxov.dll
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETfmnmpxep.dat
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETyxthtidw.dat
Status: Hidden

Object: C:\WINDOWS\system32\UACatdljceifo.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACbepcfualqb.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACidoobypfdv.dll
Status: Hidden

Object: C:\WINDOWS\system32\uacinit.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACmetlabwqqh.dat
Status: Hidden

Object: C:\WINDOWS\system32\UACmrxdulqeec.db
Status: Hidden

Object: C:\WINDOWS\system32\UACtklrmhwwkr.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACxextiffvdy.dll
Status: Hidden

Object: C:\WINDOWS\Temp\UAC5474.tmp
Status: Hidden

[SpySentinel]

Step #1


Run SysProt AntiRootkit again

• Click on the Kernel Modules Tab
  
• Then one at a time, highlight the following entries and choose Disable
  

  \systemroot\system32\drivers\UACbxrmwcylkn.sys

• Then exit SysProt AntiRootkit

Step #2

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

Quote

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.




Step #3

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

• Please download The Avenger2 by SwanDog46.
  
• Unzip avenger.exe to your desktop.
  
• Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
  

  Files to move:
  c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

• Now start The Avenger2 by double clicking avenger.exe on your desktop.
  
• Read the prompt that appears, and press OK.
  
• Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  
• Press the "Execute" button.
  
• You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
  Note: It is possible that Avenger will reboot your system TWICE.
  
• Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #4

Now try running ComboFix and Malwarebytes, then post the logs here.

[musicshouldbefree101]

Step 1. And I found two files

\systemroot\system32\drivers\SKYNETrsblnsrr.sys SKYNETiemlwerx Yes
\systemroot\system32\drivers\UACdaeointkmc.sys UACd.sys Yes

I highlighted both and clicked disabled and then closed it. (but for some reason would always reappear on reboot.)


Step 2.

I opened notepad and copy the following in it -

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

I renamed it "fixes.bat" and then double-clicked on it.

Step 3.

I downloaded avenger and copy the following text -

Files to move:
c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

I double clicked on avenger and copy the above text in the box and clicked execute.

Below is the following log I received.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Aug 11 18:05:33 2009

18:05:33: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Step 4.

I ran combo fix again and again nothing happened. I know somewhere down the line I probably did something wrong, I just don't know what. I could not run malawarebytes.

[SpySentinel]

The problem is these two:

C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys
C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys

• Download RootRepeal from the following location and save it to your desktop.
  
  • Zip Mirrors (Recommended)
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
    
    
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
• Extract RootRepeal.exe from the archive.
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

[musicshouldbefree101]

I got to step 8 and it started to scan and then closed on me. I tried to reopen it, and I got the following message - "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

[SpySentinel]

Lets try removing this manually



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp
C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe
C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys
C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys
C:\WINDOWS\system32\SKYNETaanpewbp.dll
C:\WINDOWS\system32\SKYNETboequxov.dll
C:\WINDOWS\system32\SKYNETfmnmpxep.dat
C:\WINDOWS\system32\SKYNETyxthtidw.dat
C:\WINDOWS\system32\UACatdljceifo.dll
C:\WINDOWS\system32\UACbepcfualqb.dll
C:\WINDOWS\system32\UACidoobypfdv.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACmetlabwqqh.dat
C:\WINDOWS\system32\UACmrxdulqeec.db
C:\WINDOWS\system32\UACtklrmhwwkr.dll
C:\WINDOWS\system32\UACxextiffvdy.dll
C:\WINDOWS\Temp\UAC5474.tmp
C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

Driver::
SKYNETiemlwerx
UACd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[musicshouldbefree101]

I copied the following text below the dotted line in notepad and renamed it CFScript.txt


I then put it on the infected computer and drag it over the combo-fix icon. The green status bar loaded and all the icons flashed once. There was nothing else.



--------------------------------
File::
C:\Documents and Settings\Dave Huynh\Local Settings\temp\UAC11be.tmp
C:\Program Files\Alcohol Soft\Alcohol 120\Plugins\Helper\UACHlper.exe
C:\WINDOWS\system32\drivers\SKYNETrsblnsrr.sys
C:\WINDOWS\system32\drivers\UACbxrmwcylkn.sys
C:\WINDOWS\system32\SKYNETaanpewbp.dll
C:\WINDOWS\system32\SKYNETboequxov.dll
C:\WINDOWS\system32\SKYNETfmnmpxep.dat
C:\WINDOWS\system32\SKYNETyxthtidw.dat
C:\WINDOWS\system32\UACatdljceifo.dll
C:\WINDOWS\system32\UACbepcfualqb.dll
C:\WINDOWS\system32\UACidoobypfdv.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACmetlabwqqh.dat
C:\WINDOWS\system32\UACmrxdulqeec.db
C:\WINDOWS\system32\UACtklrmhwwkr.dll
C:\WINDOWS\system32\UACxextiffvdy.dll
C:\WINDOWS\Temp\UAC5474.tmp
C:\DOCUME~1\DAVEHU~1\LOCALS~1\temp\a.exe

Driver::
SKYNETiemlwerx
UACd.sys

[SpySentinel]

We need to check if there is a good copy of scecli.dll.

• Please download
   FindIt.zip   22.75K   56 downloads
  
  
• Extract FindIt.zip
  
• Run the RunMe.bat file in the enclosed folder.
  
• Go through Device Manager -> View -> Show Hidden Devices -> Non plug and Play Drivers, and see if the following drivers are visible
  

  Quote

  SKYNETrsblnsrr.sys
  UACbxrmwcylkn.sys
• If they are, disable them and after a restart Combofix may have a chance to run.
  
• After a restart try running ComboFix

[musicshouldbefree101]

Okay, I d/l, & unzipped findit. I then transferred it to my infected computer and ran it. Below is the log file that I got.

-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll
------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll
----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 422,400 Blocks: 825

I then did the following

Go through Device Manager -> View -> Show Hidden Devices -> Non plug and Play Drivers, and see if the following drivers are visible


Attached is a photo of all items displayed under the Non-plug and Play Drivers



I didn't see the files in question and have not done anything else. I will wait for further instructions.

[SpySentinel]

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

Quote

@Echo Off
Ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir
Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\dllcache\scecli.dll
Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\scecli.dll
Exit

3. Save the file as "fixes2.bat". Make sure to save it with the quotation marks.

4. Double click fixes2.bat.


Then please run the FindIt instructions above again.

[musicshouldbefree101]

I opened notepad and copy the following in it

@Echo Off
Ren C:\WINDOWS\system32\scecli.dll scecli.dll.vir
Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\dllcache\scecli.dll
Copy /Y c:\Windows\ServicePackFiles\i386\scecli.dll C:\WINDOWS\system32\scecli.dll
Exit


than saved it as the "fixes2.bat" than copied it to my infected computer. I then double-clicked on it. A window popped open for a second than closed.

I then re-ran the the findit and I got the following log file.

-c----w 180,224 2004-08-04 07:56:44 c:\Windows\$NtServicePackUninstall$\scecli.dll
------w 181,248 2008-04-14 00:12:05 c:\Windows\ServicePackFiles\i386\scecli.dll
----a-w 60,928 2008-04-14 00:12:05 c:\Windows\system32\scecli.dll
-c--a-w 181,248 2008-04-14 00:12:05 c:\Windows\system32\dllcache\scecli.dll

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 603,648 Blocks: 1,179


I then went to the device manager under non-plug and play drivers and here is an image of everything under that name.

[SpySentinel]

Did you attach the image because it is not showing up