TechSpot

[Inactive] Redirect virus won't die

By joeystar
Feb 7, 2010
  1. joeystar

    joeystar TS Rookie Topic Starter Posts: 18

    avenger result

    Here is the result. It did activate a threat in AVG.

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\WINDOWS\system32\ReinstallBackups\0083\DriverFiles\nvata.sys|C:\WINDOWS\system32\drivers\nvata.sys" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,635   +341

    I want you to re-run OTL...

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
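The `/md5start ... /md5stop` block above hashes a list of boot-critical drivers so a patched copy (the pattern behind the nvata.sys restore in the Avenger script earlier in the thread) stands out. This added example, not part of the thread or of OTL, performs the same check in Python: it hashes each named driver in a live directory and compares it with a reference copy, flagging mismatches and missing files. The directory names and sample file contents are constructed for the demo.

```python
"""Added example: compare driver files against reference copies by MD5.
Not from the thread; the sample drivers are constructed in a temp directory."""
import hashlib
import os
import tempfile

# Driver names taken from the OTL custom-scan list in the post above.
DRIVER_NAMES = ["atapi.sys", "nvata.sys", "iaStor.sys", "nvstor.sys"]


def md5_of(path):
    """MD5 of a file, read in chunks so large drivers don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir, backup_dir, names=DRIVER_NAMES):
    """Return {driver: status}; status is 'ok', 'MISMATCH', 'missing-live' or 'missing-backup'."""
    result = {}
    for name in names:
        live = os.path.join(live_dir, name)
        backup = os.path.join(backup_dir, name)
        if not os.path.exists(live):
            result[name] = "missing-live"        # driver absent from the live system
        elif not os.path.exists(backup):
            result[name] = "missing-backup"      # no reference copy to compare with
        elif md5_of(live) != md5_of(backup):
            result[name] = "MISMATCH"            # live copy differs: investigate
        else:
            result[name] = "ok"
    return result


def demo():
    """Constructed sample: live atapi.sys has extra bytes appended, nvstor.sys is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "drivers")          # stands in for system32\drivers
        backup = os.path.join(tmp, "ReinstallBackups")  # stands in for the reference copies
        os.makedirs(live)
        os.makedirs(backup)
        for name in ["atapi.sys", "nvata.sys", "iaStor.sys"]:
            data = b"CONSTRUCTED SAMPLE DRIVER " + name.encode()
            with open(os.path.join(backup, name), "wb") as f:
                f.write(data)
            if name == "atapi.sys":
                data += b" + appended bytes"      # simulate a modified live copy
            with open(os.path.join(live, name), "wb") as f:
                f.write(data)
        return compare_drivers(live, backup)


if __name__ == "__main__":
    for driver, status in demo().items():
        print(f"{driver:12} {status}")
```

A reference copy is only as trustworthy as its source; on a compromised machine, compare against hashes from a known-clean install or vendor media rather than against files the same system wrote.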
  3. joeystar

    joeystar TS Rookie Topic Starter Posts: 18

    No "Extras" log was created

    Too long to paste. OTL.txt zipped and attached
     

    Attached Files: OTL.zip (11.9 KB)
  4. Broni

    Broni Malware Annihilator Posts: 52,635   +341

    Still not good :(

    Please download Sophos Anti-rootkit & save it to your desktop.

    IMPORTANT!
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Clean out your temporary files.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

    • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
    • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
    • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
    • Make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives

    • Click Start scan.
    • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
    • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
    • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

    • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
    • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
    • After reboot, a dialog box displays the files you selected for removal and the action taken.
    • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
    • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
    • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
     
  5. joeystar

    joeystar TS Rookie Topic Starter Posts: 18

    Think I'm giving up...

    Well, I think I know when I've been beaten.

    I really want to thank you for all of your effort and input on this but I'm realizing that fixing this has already taken a lot longer than a clean install. This is one brutal virus to say the least.

    Again, my sincerest thanks...I'm going to concentrate my efforts on making sure this doesn't happen again. I just have to get this system running again.

    Joe
     
  6. Broni

    Broni Malware Annihilator Posts: 52,635   +341

    What about running Sophos?
     
  7. joeystar

    joeystar TS Rookie Topic Starter Posts: 18

    Sophos

    I had no luck with it.
    Thanks anyways.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,635   +341

    Means?
     
Topic Status:
Not open for further replies.
