TechSpot

Win32/Heur SHeur3.AQRA Win32/Zbot.B Infection

By MrT0ad
Sep 19, 2010
  1. AVG free has detected several viruses.

    I have followed a similar infection forum thread running currently and taken the following steps

    run TFC .... done

    run MBAM .... log attached

    run GMER .... blue screen of death several times, ran in safe mode and initial setup scan revealed the following

    type name value
    ------ ------- --------
    device \filesystem\ntfs\ntfs 86F8F410
    attachedID \filesystem\fastfat\fastfat fltmgr.sys(microsoft filesystem filter
    service (***hidden***) (boot) nzsrby

    then GMER pauses waiting to scan, when I then scan I get the bluescreen of death again (tried several times)

    (I assume this is a rootkit!)

    so I then ran DDS .... both logs attached

    I also ran Kaspersky online scan which detected no infections

    I then immediately ran eset online scan which detected 1078 infected files (ramnit.A) .... log attached

    what next?
     


  2. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  3. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    Downloaded and ran Combofix and received the blue screen of death about 40+ phases into the scan.

    The message on the screen was "bad pool header"
     
  4. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    I went ahead and ran Combofix in SafeMode

    It ran and completed, rebooted and was preparing the txt file when it blue screened again.

    However it did write the txt file and I have attached it here .... not sure if it is complete
     


  5. crunchie

    crunchie Malware Helper Posts: 728

    That seems to have removed a few nasties. Are you able to run combofix in normal mode now? If so, please do so as that log was incomplete.
    Another Eset scan would be great too.
     
  6. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    Apologies this might be slow for a few days, as I am travelling.

    I ran Combofix in normal mode and it blue screened at the same stage as the first time I ran it in normal mode
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    No worries. Post up the ESET log when you can.
     
  8. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    ESET run tonight .... more viruses cleaned
     


  9. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  10. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    same routine with combofix as last time

    in normal mode I got the BSOD some way through the CF routine

    in safe mode I got the BSOD after the file had been written

    Combofix txt file attached, not sure whether it is complete or not
     


  11. crunchie

    crunchie Malware Helper Posts: 728

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    ran the scan .... two files created

    limit was 20,000 characters

    both files are 110,000 characters so I have attached them
     


  13. crunchie

    crunchie Malware Helper Posts: 728

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :Files
      C:\Documents and Settings\User1\Application Data\Yvohe
      C:\Documents and Settings\LocalService\Application Data\bawuho.dat
      C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc
      C:\WINDOWS\ecefotizicifa.dll
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva345.sys -- (XDva345)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva343.sys -- (XDva343)
      DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\tclondrv.sys -- (tclondrv)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User1\LOCALS~1\Temp\sony_ssm.sys -- (sony_ssm.sys)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\MediaCoder iPhone Edition\SysInfo.sys -- (CrystalSysInfo)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User1\LOCALS~1\Temp\catchme.sys -- (catchme)
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
      O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found.
      O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
      O4 - HKLM..\Run: [Dtito] C:\WINDOWS\ecefotizicifa.DLL File not found
      O4 - HKLM..\Run: [NPSStartup]  File not found
      O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe File not found
      O4 - HKCU..\Run: [{F19DB013-8657-82F5-B23E-030E63C9724D}] C:\Documents and Settings\User1\Application Data\Yvohe\xiqon.exe File not found
      O4 - HKCU..\Run: [asam] C:\WINDOWS\asam.exe File not found
      O4 - HKCU..\Run: [JumiController]  File not found
      O4 - HKCU..\Run: [noicgoqj] C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc\lelqvyxtssd.exe File not found
      O4 - HKCU..\Run: [Omagiko] C:\WINDOWS\dsclok.DLL File not found
      O4 - HKCU..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe File not found
      O15 - HKLM\..Trusted Domains: amaena.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: onerateld.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
      O15 - HKLM\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: amaena.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
      O15 - HKCU\..Trusted Domains: onerateld.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
      O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
      :Reg
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "{F19DB013-8657-82F5-B23E-030E63C9724D}"=-
      :Commands
      [clearallrestorepoints]
      [emptyflash]
      [emptytemp]
      [resethosts]
      
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
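    An added triage helper, written for this page and not part of the thread or of OTL itself: it reads OTL scan lines of the kinds crunchie selected for the fix above and explains why each one is worth acting on (driver services whose binary is gone, a browser proxy pointing at a listener on the local machine, orphaned BHOs and Run entries, rogue-AV domains planted in the IE Trusted sites zone). The sample lines are copied from the scan entries quoted in this thread plus two constructed benign lines; the allow-list of trusted domains is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

@dataclass
class Finding:
    kind: str
    severity: str  # "high" or "medium"
    line: str

# Hypothetical allow-list: domains an admin deliberately placed in Trusted sites.
TRUSTED_ALLOWLIST = {"localhost"}

# Constructed sample: OTL lines quoted in the thread plus two benign lines
# (the atapi driver and ctfmon autorun) shaped like OTL output for contrast.
SAMPLE_OTL_LINES = r"""
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\tclondrv.sys -- (tclondrv)
DRV - [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found.
O4 - HKLM..\Run: [Dtito] C:\WINDOWS\ecefotizicifa.DLL File not found
O4 - HKCU..\Run: [{F19DB013-8657-82F5-B23E-030E63C9724D}] C:\Documents and Settings\User1\Application Data\Yvohe\xiqon.exe File not found
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
"""

_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
_PROXY_RE = re.compile(r'"ProxyServer" = (?:http=)?(?P<host>[\w.\-]+):(?P<port>\d+)')
_O15_RE = re.compile(
    r"^O15 - (HKLM|HKCU)\\\.\.Trusted Domains: (?P<domain>\S+) "
    r"\(\[\](?P<scheme>\S+) in (?P<zone>[^)]+)\)$"
)

def triage_line(line: str) -> Optional[Finding]:
    """Classify one OTL scan line; return None when nothing stands out."""
    line = line.strip()
    # Driver service still registered but its .sys is gone: a leftover of a
    # removed rootkit/driver. Boot-start entries are the ones that matter most.
    if line.startswith("DRV - ") and "File not found" in line:
        sev = "high" if "| Boot |" in line else "medium"
        return Finding("orphaned driver service", sev, line)
    # Browser proxy set to the local machine: traffic is being relayed through
    # a local listener, the classic footprint of a banking-trojan hook.
    m = _PROXY_RE.search(line)
    if line.startswith("IE - ") and m:
        if m.group("host") in ("127.0.0.1", "localhost"):
            return Finding("browser proxy points at local listener", "high", line)
        return Finding("browser proxy configured", "medium", line)
    if line.startswith("O2 - BHO") and "No CLSID value found" in line:
        return Finding("orphaned browser helper object", "medium", line)
    m = _RUN_RE.match(line)
    if m:
        target = m.group("target")
        in_profile = "\\Application Data\\" in target
        if "File not found" in target:
            # Orphaned autorun; one pointing into a random-named profile
            # folder (Yvohe\xiqon.exe above) is the Zbot pattern.
            return Finding("orphaned autorun entry", "high" if in_profile else "medium", line)
        if in_profile:
            return Finding("autorun launched from user profile", "high", line)
        return None
    m = _O15_RE.match(line)
    if m:
        domain = m.group("domain").lower()
        if m.group("zone") == "Trusted sites" and domain not in TRUSTED_ALLOWLIST:
            return Finding("unexpected domain in IE Trusted sites", "high", line)
        return None
    return None

def triage(text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an OTL log."""
    return [f for f in (triage_line(l) for l in text.splitlines() if l.strip()) if f]

def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f"[{f.severity:6}] {f.kind}: {f.line}")
    print(severity_counts(triage(SAMPLE_OTL_LINES)))
```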
  14. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    First run .... file posted below

    All processes killed
    ========== FILES ==========
    File\Folder C:\Documents and Settings\User1\Application Data\Yvohe not found.
    C:\Documents and Settings\LocalService\Application Data\bawuho.dat moved successfully.
    C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc folder moved successfully.
    File\Folder C:\WINDOWS\ecefotizicifa.dll not found.
    ========== OTL ==========
    Service XDva346 stopped successfully!
    Service XDva346 deleted successfully!
    File C:\WINDOWS\System32\XDva346.sys not found.
    Service XDva345 stopped successfully!
    Service XDva345 deleted successfully!
    File C:\WINDOWS\System32\XDva345.sys not found.
    Service XDva343 stopped successfully!
    Service XDva343 deleted successfully!
    File C:\WINDOWS\System32\XDva343.sys not found.
    Service tclondrv stopped successfully!
    Service tclondrv deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\tclondrv.sys not found.
    Service sony_ssm.sys stopped successfully!
    Service sony_ssm.sys deleted successfully!
    File C:\DOCUME~1\User1\LOCALS~1\Temp\sony_ssm.sys not found.
    Service EagleNT stopped successfully!
    Service EagleNT deleted successfully!
    File C:\WINDOWS\System32\drivers\EagleNT.sys not found.
    Service CrystalSysInfo stopped successfully!
    Service CrystalSysInfo deleted successfully!
    File C:\Program Files\MediaCoder iPhone Edition\SysInfo.sys not found.
    Service catchme stopped successfully!
    Service catchme deleted successfully!
    File C:\DOCUME~1\User1\LOCALS~1\Temp\catchme.sys not found.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Dtito deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WinampAgent deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{F19DB013-8657-82F5-B23E-030E63C9724D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F19DB013-8657-82F5-B23E-030E63C9724D}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\asam deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\JumiController deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\noicgoqj deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Omagiko deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Rainlendar2 deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
    ========== REGISTRY ==========
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{F19DB013-8657-82F5-B23E-030E63C9724D} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F19DB013-8657-82F5-B23E-030E63C9724D}\ not found.
    ========== COMMANDS ==========
    Restore points cleared and new OTL Restore Point set!

    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Ben2
    ->Flash cache emptied: 456 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: Sara

    User: Sara.BEN
    ->Flash cache emptied: 0 bytes

    User: User1
    ->Flash cache emptied: 301430 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Ben2
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 131549 bytes
    ->FireFox cache emptied: 20101334 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 970 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Sara
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Sara.BEN
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: User1
    ->Temp folder emptied: 32768 bytes
    ->Temporary Internet Files folder emptied: 10968829 bytes
    ->Java cache emptied: 18437830 bytes
    ->FireFox cache emptied: 79728897 bytes
    ->Google Chrome cache emptied: 245961842 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 358.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.14.1 log created on 09252010_153905

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  15. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    second OTL run

    too long again (66000+)

    attached below
     


  16. crunchie

    crunchie Malware Helper Posts: 728

    Are you still getting alerts from AVG?
     
  17. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    no more alerts at the moment.

    Very early into the process, I switched from AVG to Avira

    Will run a full scan now
     
  18. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    Avira scan picked up rootkit RKIT/agent.biiu

    report below




    Avira AntiVir Personal
    Report file date: 26 September 2010 08:32

    Scanning for 2874959 virus strains and unwanted programs.

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : DELLPC-BEN

    Version information:
    BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
    AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/3/2009 21:57:31
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 21:57:26
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:57:27
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:05:48
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 19:21:25
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 14:12:57
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 08:59:33
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 14:29:57
    VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 08:36:53
    VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 18:36:34
    VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 18:36:34
    VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 18:36:35
    VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 18:36:35
    VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 18:36:35
    VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 18:25:36
    VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 18:23:11
    VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 18:23:16
    VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 19:29:07
    VBASE017.VDF : 7.10.12.5 2048 Bytes 9/23/2010 19:29:07
    VBASE018.VDF : 7.10.12.6 2048 Bytes 9/23/2010 19:29:07
    VBASE019.VDF : 7.10.12.7 2048 Bytes 9/23/2010 19:29:07
    VBASE020.VDF : 7.10.12.8 2048 Bytes 9/23/2010 19:29:07
    VBASE021.VDF : 7.10.12.9 2048 Bytes 9/23/2010 19:29:07
    VBASE022.VDF : 7.10.12.10 2048 Bytes 9/23/2010 19:29:07
    VBASE023.VDF : 7.10.12.11 2048 Bytes 9/23/2010 19:29:07
    VBASE024.VDF : 7.10.12.12 2048 Bytes 9/23/2010 19:29:07
    VBASE025.VDF : 7.10.12.13 2048 Bytes 9/23/2010 19:29:08
    VBASE026.VDF : 7.10.12.14 2048 Bytes 9/23/2010 19:29:08
    VBASE027.VDF : 7.10.12.15 2048 Bytes 9/23/2010 19:29:08
    VBASE028.VDF : 7.10.12.16 2048 Bytes 9/23/2010 19:29:08
    VBASE029.VDF : 7.10.12.17 2048 Bytes 9/23/2010 19:29:08
    VBASE030.VDF : 7.10.12.18 2048 Bytes 9/23/2010 19:29:08
    VBASE031.VDF : 7.10.12.30 73728 Bytes 9/24/2010 19:29:08
    Engineversion : 8.2.4.66
    AEVDF.DLL : 8.1.2.1 106868 Bytes 8/5/2010 08:37:15
    AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/18/2010 18:23:21
    AESCN.DLL : 8.1.6.1 127347 Bytes 5/14/2010 17:44:28
    AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 18:09:47
    AERDL.DLL : 8.1.9.2 635252 Bytes 9/21/2010 18:23:19
    AEPACK.DLL : 8.2.3.7 471413 Bytes 9/18/2010 18:23:19
    AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/5/2010 08:37:08
    AEHEUR.DLL : 8.1.2.27 2933110 Bytes 9/24/2010 19:29:17
    AEHELP.DLL : 8.1.13.4 242038 Bytes 9/24/2010 19:29:11
    AEGEN.DLL : 8.1.3.22 401780 Bytes 9/18/2010 18:23:15
    AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 18:09:46
    AECORE.DLL : 8.1.17.0 196982 Bytes 9/24/2010 19:29:09
    AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 18:09:45
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
    AVPREF.DLL : 9.0.3.0 44289 Bytes 9/8/2009 18:10:28
    AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 20:27:41
    AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09
    AVARKT.DLL : 9.0.0.3 292609 Bytes 4/27/2009 18:02:01
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10
    RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/10/2009 17:57:49
    RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/3/2009 21:57:21

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: 26 September 2010 08:32

    Starting search for hidden objects.
    '62960' objects were checked, '0' hidden objects were found.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'agent.exe' - '1' Module(s) have been scanned
    Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned
    Scan process 'CLI.exe' - '1' Module(s) have been scanned
    Scan process 'CLI.exe' - '1' Module(s) have been scanned
    Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
    Scan process 'BTTray.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
    Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
    Scan process 'btdna.exe' - '1' Module(s) have been scanned
    Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'realsched.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'TrayIcon.exe' - '1' Module(s) have been scanned
    Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
    Scan process 'CLI.exe' - '1' Module(s) have been scanned
    Scan process 'issch.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
    Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
    Scan process 'UAService7.exe' - '1' Module(s) have been scanned
    Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
    Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
    Scan process 'NMSAccessU.exe' - '1' Module(s) have been scanned
    Scan process 'MDM.EXE' - '1' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'iDownloadService.exe' - '1' Module(s) have been scanned
    Scan process 'FsUsbExService.Exe' - '1' Module(s) have been scanned
    Scan process 'BDTUpdateService.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'btwdins.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    58 processes with 58 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '78' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\Documents and Settings\User1\My Documents\Downloads\Hjsplit\DWTTOC42698763.7z.001
    [WARNING] The file could not be read!
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nzsrby_.sys.zip
    [0] Archive type: ZIP
    --> nzsrby.sys
    [DETECTION] Contains recognition pattern of the RKIT/Agent.biiu root kit
    Begin scan in 'D:\' <Media Drive>

    Beginning disinfection:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nzsrby_.sys.zip
    [NOTE] The file was moved to '4d192251.qua'!


    End of the scan: 26 September 2010 11:35
    Used time: 2:35:34 Hour(s)

    The scan has been done completely.

    21167 Scanned directories
    816879 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    2 Files cannot be scanned
    816876 Files not concerned
    8842 Archives were scanned
    3 Warnings
    3 Notes
    62960 Objects were scanned with rootkit scan
    0 Hidden objects were found
     
  19. crunchie

    crunchie Malware Helper Posts: 728

    That rootkit was already removed by Combofix :). Avira just found it in its quarantine folder.

    Is the PC behaving itself now?
     
  20. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    Yes, the PC is running well, no alerts or bad behaviour.

    I am going to give it a good clean up, way too much rubbish on it .... my son has been using it for a few years and it is overdue a good clean.
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    Ok then, you may as well do the following:

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
     
  22. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    done all tools are now gone
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    No worries. Keep it clean :).
     
  24. MrT0ad

    MrT0ad TS Rookie Topic Starter Posts: 52

    thanks very much for all your help ..... much appreciated :)

    Simon
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    You are welcome :)
     
Topic Status:
Not open for further replies.
