Malwarebytes

infected with avcare - can't run combofix

4 replies to this topic

#1
levn05

Hello,

My laptop has been infected with avcare. I ran NOD32 and then used rootrepeal to remove what I could find. The pop-ups and such stopped, but I am still prevented from running malwarebytes (it shuts down 2 seconds into the scan), and I can't use the rootrepeal feature to scan for locked files (it shuts down again). I also can't use AVG or hijackthis. Combofix (even though I rename it to combo-fix before downloading, and I've tried other names) gives a small loading bar that says combofix above it but never actually starts. I can run avenger successfully though. Here is the log from rootrepeal, except for the files feature (I can't run that).

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/12 22:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9503000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5BA000 Size: 7872 File Visible: No Signed: -
Status: -

Name: REGSYS701.SYS
Image Path: C:\WINDOWS\system32\Drivers\REGSYS701.SYS
Address: 0xA8A45000 Size: 33184 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9183000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA458000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8aa99210

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8aa9b128

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8aa8dd68

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8aabd238

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8aab1618

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8aabe020

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8aad05e8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8aad8268

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8aa941e8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8aa31238

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8aa9b2e8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8aa5c1e0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8aa8d0a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8aa8d308

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8aa992f8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8aa311c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8aa4a4b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8aa8d020

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8aad82e0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a7d6a18 Size: 1175

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a7d6838 Size: 1655

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x8a7d67c0 Size: 1775

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8a7d6748 Size: 1895

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x8a7d66d0 Size: 2015

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7d6658 Size: 2135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7d65e0 Size: 2255

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7d6568 Size: 2375

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8a7d64f0 Size: 2495

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7d6478 Size: 2615

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7d6400 Size: 2735

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7d6388 Size: 2855

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7bea20 Size: 1504

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7be9a8 Size: 1624

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7be930 Size: 1744

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7be8b8 Size: 1864

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7be840 Size: 1984

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7be7c8 Size: 2104

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7be750 Size: 2224

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a7be6d8 Size: 2344

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7be660 Size: 2464

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7be5e8 Size: 2584

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a7be570 Size: 2704

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7be4f8 Size: 2824

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a7be480 Size: 2944

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7be408 Size: 3064

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a815020 Size: 3655

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x8a815750 Size: 1815

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACcfvbnnojkm.sys < I removed this file (it hasn't come back after restarts).

==EOF==
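Added example, not from the original post or from the RootRepeal tool: a small Python triage script that parses the report layout shown above and lists what a responder would look at first (SSDT hooks owned by no named module, hidden dispatch code in a driver, hidden services). The embedded log is a constructed subset of the post's log, and the PROCESS_CONTROL grouping of hooked calls is my own.

```python
import re

# Constructed excerpt in the RootRepeal report layout from the post above (not the full log).
SAMPLE_LOG = r"""SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8aa99210
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8aa4a4b0
Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x8a7d6a18 Size: 1175
Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACcfvbnnojkm.sys
"""

HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]*)" at address (0x[0-9a-f]+)', re.I)
STEALTH_RE = re.compile(r"Object: Hidden Code \[Driver: (\w+), (IRP_MJ_\w+)\]")
SERVICE_RE = re.compile(r"Service Name: (\S+)\nImage Path: ([^\n<]+)")  # stops before any "< note" suffix

# Calls a scanner needs to spawn, inspect and stop processes (my grouping). Hooks here from a module
# RootRepeal cannot name are what a self-protecting rootkit uses to shut security tools down.
PROCESS_CONTROL = {"NtCreateProcess", "NtCreateProcessEx", "NtCreateThread", "NtTerminateProcess",
                   "NtTerminateThread", "NtSuspendProcess", "NtSuspendThread", "NtSetContextThread",
                   "NtQueueApcThread", "NtReadVirtualMemory", "NtWriteVirtualMemory"}

def parse_rootrepeal(text):
    text = text.replace("\r\n", "\n")  # reports saved on Windows use CRLF line endings
    hooks = [{"index": int(i), "function": f, "owner": o, "address": int(a, 16)}
             for i, f, o, a in HOOK_RE.findall(text)]
    stealth = [{"driver": d, "irp": irp} for d, irp in STEALTH_RE.findall(text)]
    services = [{"name": n, "path": p.strip()} for n, p in SERVICE_RE.findall(text)]
    return {"ssdt_hooks": hooks, "stealth_objects": stealth, "hidden_services": services}

def triage(report):
    findings = []
    unknown = [h for h in report["ssdt_hooks"] if h["owner"] == "<unknown>"]
    if unknown:
        findings.append(f"{len(unknown)} SSDT hooks owned by no identifiable module")
    killers = sorted(h["function"] for h in unknown if h["function"] in PROCESS_CONTROL)
    if killers:
        findings.append("process/thread control hooked (consistent with scanners being killed): " + ", ".join(killers))
    drivers = sorted({s["driver"] for s in report["stealth_objects"]})
    if drivers:
        findings.append("hidden IRP dispatch code in driver(s): " + ", ".join(drivers))
    findings += [f"hidden service {s['name']} -> {s['path']}" for s in report["hidden_services"]]
    return findings
```

Feed it the full report text (for example `triage(parse_rootrepeal(open("report.txt").read()))`) and the hidden UACd.sys service and the hooks on NtTerminateProcess and friends come out as the first things to act on.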

#2
levn05

Log from win32kdiag is attached:

#3
levn05

Never mind. It was hiding as eventlog.dll. I used avenger to replace that file and then ran all the other anti-spyware programs, including malwarebytes. This can be closed.

#4
LonnyRJ

Hi levn05,
Your PC still OK?

#5
AdvancedSetup

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support
