HJT/Combofix logs

[Thor_11]

Having followed the instructions given by howard_hopkinso as closely as possible, I give you the HJT and Combofix logs from my computer. The primary issue I'm facing at the moment is the constant appearance of the counterfeit microsoft shield associated with System Live Protect and the accompanying popup. I've reached a bit of an impasse at this point because every time I attempt to boot my machine in safemode I get a nice BSOD for about 1 second before it crashes and reboots normally. At any rate, any assistance regarding the spyware and/or the safemode BSOD issues would be greatly appreciated.

Thanks all!

Edit: The results of the Rootkit scan showed no hidden files whatsoever.

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log and an AVG Antispyware log.

6. Let me know the results of the AVG Antirootkit scan. Instructions in this thread HERE

Regards Howard

This thread is for the use of Thor_11 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Thor_11]

It appears as though running the avenger script solved the problem however, I'll go ahead and post the new logs in case there was something further which I am unaware of. Thanks for the help, it's greatly appreciated!

As for the results of the AVG Rootkit scan, they came up completely clean once again.

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft Updates

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

svehost.exe<Not to be confused with svchost.exe.
pipmon.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {E271F4E9-D46E-4C7A-8608-AFDD4A87E582} - C:\WINDOWS\system32\gebayab.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe

O4 - HKLM\..\Run: [pipmon] pipmon.exe

O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O20 - Winlogon Notify: gebayab - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\pipmon.exe
C:\WINDOWS\system32\svehost.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a fresh Combofix log.

Regards Howard

This thread is for the use of Thor_11 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Thor_11]

As things stand currently, I am unable to follow these directions exactly because for some reason my computer cannot boot into safemode. Whenever I opt to boot in safemode the computer begins loading the windows boot files as usual, however, upon reaching the line;

'multi(0)disk(0)rdisk(0)partition1\windows\system32\drivers\TDI.sys'

a message is displayed at the bottom of the page saying "Press ESC to cancel loading SPTD.sys." After about 10 seconds this message disappears and the computer hangs on the above-mentioned file name for about 1.5 minutes after which a BSOD appears for about 1 second before the computer reboots again in normal mode. Please let me know if there is any further information I can provide that could assist you. Thanks again for your time.

Edit: I got a look at the BSOD and it didn't appear to contain any relevant information however, should the memory addresses actually be of any use to you regarding the issue of Safemode not working; they are as follows: 0x0000000A (0xF79A8354, 0x000000FF, 0x00000001, 0x804E5619) the accompanying error message was also MORE_OR_LESS_EQUAL

 

[howard_hopkinso]

Try the instructions from normal mode.

Regards Howard

This thread is for the use of Thor_11 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Thor_11]

The file svehost.exe was present in c:/windows/system32 so I went ahead and deleted it as you said however, pipmon.exe wasn't there. I also took care of everything else you instructed me to do, the odd thing is that according to the combofix log there is still a registry file associated with svehost.exe, what exactly does this mean? In any case, here are the new logs. Thanks.

 

[howard_hopkinso]

Your log files are now clean.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Navigate to the following reg key and delete it.

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates

Close regedit.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of Thor_11 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.