Helpp


Re: Helpp

Post by jarons1 on 8th May 2009, 5:53 pm

The malware program is doing the same thing, won't open. Should I rename it?

jarons1
Intermediate
Intermediate

Posts Posts : 55
Joined Joined : 2009-05-07
OS OS : 98
Points Points : 27777
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Helpp

Post by jarons1 on 8th May 2009, 6:07 pm

I don't know why none of these programs are letting me run them.


Re: Helpp

Post by jarons1 on 8th May 2009, 6:14 pm

You there?


Re: Helpp

Post by Belahzur on 8th May 2009, 6:19 pm

Let's try GMER again.

See if you can download it from here:
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Helpp

Post by jarons1 on 8th May 2009, 6:21 pm

This worked. What should I do?


Re: Helpp

Post by jarons1 on 8th May 2009, 6:22 pm

I am running the scan now.


Re: Helpp

Post by Belahzur on 8th May 2009, 6:28 pm

The log could be quite long, so you may need to upload it to mediafire.com for me to see.



Re: Helpp

Post by jarons1 on 8th May 2009, 6:31 pm

When it's done I'll do that.


Re: Helpp

Post by jarons1 on 8th May 2009, 6:42 pm

How long is this going to take?


Re: Helpp

Post by Belahzur on 8th May 2009, 6:43 pm

It can take quite a while if there are a lot of files on your machine.
GMER goes in for a VERY deep scan, checking lots of places malware is known to hide.

It even goes as far as checking the Master Boot Record (MBR).



Re: Helpp

Post by jarons1 on 8th May 2009, 6:45 pm

So will this be able to get rid of the cryptor, or is there more stuff after this?


Re: Helpp

Post by Belahzur on 8th May 2009, 6:46 pm

We haven't been able to get logs, so I can't say for sure what's on your machine right now. If it's cryptor, I can kill it. Cryptor doesn't block the Avenger, so not sure why it won't run.



Re: Helpp

Post by jarons1 on 8th May 2009, 6:51 pm

If you want, send me the link to the Avenger and I can try doing that again in safe mode.


Re: Helpp

Post by Belahzur on 8th May 2009, 6:52 pm

If this works, everything will seem normal again, programs will work. I assure you this will not kill the rootkit straight away, only disable it.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Helpp

Post by jarons1 on 8th May 2009, 6:53 pm

Can I run this while I am running the other scan?


Re: Helpp

Post by Belahzur on 8th May 2009, 6:55 pm

Stop the GMER scan first, then run it.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:01 pm

Is that what you need?




Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:05 pm

Yep.

No active rootkit driver.
Please download MBAM from one of these mirrors if you can:
[You must be registered and logged in to see this link.]

If you can, download and install.
Then update it and run the scan.

Do this in safe mode.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:12 pm

It is not opening


Re: Helpp

Post by jarons1 on 8th May 2009, 7:15 pm

Never mind, I got one to work I think.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:16 pm

Okay, direct link in case you need it:

[You must be registered and logged in to see this link.]



Re: Helpp

Post by jarons1 on 8th May 2009, 7:25 pm

I have it, it's on my desktop but it won't open up.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:26 pm

Rename the installer too.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:28 pm

I don't know what's going on, it's freezing every time I try and install it.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:28 pm

Did you rename it?



Re: Helpp

Post by jarons1 on 8th May 2009, 7:32 pm

Yup, when it gets to extracting files it just stops.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:35 pm

Damn it, this is stubborn.
Since we have the Avenger going, let's use that to get rid of what I can see so far.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
ldkgl
SamSsCOMSysApp
CDAVFS

Files to delete:
c:\windows\system32\3835764631.dat
C:\WINDOWS\system32\prunnet.exe

Folders to delete:
C:\Documents and Settings\APR\Application Data\gadcom

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:43 pm

Ok.

found!
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\3835764631.dat" deleted successfully.

Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\APR\Application Data\gadcom" not found!
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Re: Helpp

Post by Belahzur on 8th May 2009, 7:45 pm

Half the log is missing.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:46 pm

Sorry.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ldkgl" not found!
Deletion of driver "ldkgl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "SamSsCOMSysApp" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\CDAVFS" not found!
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\3835764631.dat" deleted successfully.

Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\APR\Application Data\gadcom" not found!
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

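To make sense of an Avenger run like the one above, here is an added example (my own Python, not code from the thread or from The Avenger) that parses the posted script and the posted log and reports, for each requested driver, file and folder, whether it was deleted, failed with an NTSTATUS error, or never showed up at all, which is what the earlier truncated paste looked like. The embedded script and log text are copied from this thread; the function and constant names are my own.

```python
import re
from typing import Dict, List, Tuple

# Sample input copied from this thread: Belahzur's Avenger script and the body of the
# full log jarons1 pasted back. Raw strings keep the Windows backslashes literal.
AVENGER_SCRIPT = r"""
Drivers to delete:
ldkgl
SamSsCOMSysApp
CDAVFS

Files to delete:
c:\windows\system32\3835764631.dat
C:\WINDOWS\system32\prunnet.exe

Folders to delete:
C:\Documents and Settings\APR\Application Data\gadcom
"""

AVENGER_LOG = r"""
Rootkit scan active.
No rootkits found!
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ldkgl" not found!
Deletion of driver "ldkgl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Driver "SamSsCOMSysApp" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\CDAVFS" not found!
Deletion of driver "CDAVFS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "c:\windows\system32\3835764631.dat" deleted successfully.
Error: file "C:\WINDOWS\system32\prunnet.exe" not found!
Deletion of file "C:\WINDOWS\system32\prunnet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: folder "C:\Documents and Settings\APR\Application Data\gadcom" not found!
Deletion of folder "C:\Documents and Settings\APR\Application Data\gadcom" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
"""

SECTION_RE = re.compile(r"^(Drivers|Files|Folders) to delete:$", re.IGNORECASE)
OK_RE = re.compile(r'^(Driver|File|Folder) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (driver|file|folder) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+) \((\w+)\)$")


def parse_script(text: str) -> Dict[str, List[str]]:
    """Split an Avenger script into {"driver": [...], "file": [...], "folder": [...]}."""
    sections: Dict[str, List[str]] = {"driver": [], "file": [], "folder": []}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1).lower().rstrip("s")  # "Drivers" -> "driver"
        elif current is None:
            raise ValueError(f"item outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, outcome) per item; outcome is "deleted" or the NTSTATUS symbol."""
    results: List[Tuple[str, str, str]] = []
    pending = None  # a failed item whose "Status:" line has not been read yet
    for line in (raw.strip() for raw in text.splitlines()):
        if m := OK_RE.match(line):
            results.append((m.group(1).lower(), m.group(2), "deleted"))
        elif m := FAIL_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := STATUS_RE.match(line)) and pending:
            results.append((pending[0], pending[1], m.group(2)))
            pending = None
    return results


def reconcile(script: Dict[str, List[str]], log: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map every item the script asked for to its logged outcome.

    Names compare case-insensitively (Windows paths and service names do). An item with
    no log line at all is reported as "no result": that is what a truncated paste looks
    like (the first log in this thread), and it should be re-requested, not assumed gone.
    """
    outcomes = {(kind, name.lower()): outcome for kind, name, outcome in log}
    return {name: outcomes.get((kind, name.lower()), "no result")
            for kind, names in script.items() for name in names}
```

STATUS_OBJECT_NAME_NOT_FOUND on a driver means the service key was already absent, so a name that never existed and one that was cleaned earlier look identical in the log; only the items marked "deleted" were actually present at reboot.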

Re: Helpp

Post by Belahzur on 8th May 2009, 7:47 pm

Let's give this a try.
You can use it in safe mode if needed.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.



Re: Helpp

Post by jarons1 on 8th May 2009, 7:56 pm

There are no options buttons.


Re: Helpp

Post by jarons1 on 8th May 2009, 7:58 pm

I unclicked heuristics but there are no red buttons.


Re: Helpp

Post by jarons1 on 8th May 2009, 8:01 pm

I am leaving my office now for the day. Can we try and do this Monday? This is a real pain but I want to try and get rid of this.


Re: Helpp

Post by Belahzur on 8th May 2009, 8:05 pm

Yeah, okay.

It will give me time to revamp my Dr.Web instructions, they are old now.



Re: Helpp

Post by jarons1 on 11th May 2009, 3:48 pm

Hey. So let's get back to this. What do I need to do?


Re: Helpp

Post by Belahzur on 11th May 2009, 4:13 pm

Revamped now.

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]


  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.



Re: Helpp

Post by jarons1 on 11th May 2009, 4:41 pm

I am still running the express scan, it is taking quite a while.


Re: Helpp

Post by jarons1 on 11th May 2009, 4:47 pm

OK so the express one ended. I have 5 that I guess are incurable, so I should report those?


Re: Helpp

Post by Belahzur on 11th May 2009, 4:59 pm

Yes.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:17 pm

So it just finished scanning. I clicked Select all and I clicked Cure and only delete, move or rename comes up.


Re: Helpp

Post by jarons1 on 11th May 2009, 6:19 pm

I don't know if that helps.

S\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
TDSS3b67.tmp;C:\DOCUME~1\APR\LOCALS~1\Temp;Trojan.Packed.365;;
TDSS3b67.tmp;C:\Documents and Settings\APR\Local Settings\Temp;Trojan.Packed.365;Incurable.;
sprtsync.dll;C:\Program Files\Dell Support Center\bin;Probably DLOADER.Trojan;;
UACmancsvfticmqoba.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;

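One way to read a DrWeb.csv paste like the one above, as an added example (my own Python, not Dr.Web's or the forum's code): it splits the `file;directory;verdict;action;` rows, collapses the duplicate hits, tags the "Probably" verdicts that are heuristic guesses rather than signature matches (the kind Belahzur's settings leave at Report, and the one on the Dell Support Center DLL is worth a second look before anything is deleted), and tags the UAC-prefixed random filenames. The rows are copied from the thread minus its truncated first line; the regex thresholds and tag names are my own choices.

```python
import re
from typing import Dict, List

# Sample input copied from the DrWeb.csv jarons1 posted (its truncated first line omitted).
# Row format: file;directory;verdict;action;   (the trailing field is usually empty)
DRWEB_CSV = r"""
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
TDSS3b67.tmp;C:\DOCUME~1\APR\LOCALS~1\Temp;Trojan.Packed.365;;
TDSS3b67.tmp;C:\Documents and Settings\APR\Local Settings\Temp;Trojan.Packed.365;Incurable.;
sprtsync.dll;C:\Program Files\Dell Support Center\bin;Probably DLOADER.Trojan;;
UACmancsvfticmqoba.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UAConqxkptalkktkra.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACqxofkkdlsqtkytp.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
UACvmenvfmxkvkhscw.dll;C:\WINDOWS\system32;Probably Trojan.Packed.365;;
"""

# Names in this report: a fixed "UAC" prefix then a long run of random-looking lowercase
# letters. The length floor (my choice) keeps ordinary UAC*.dll names from matching.
RANDOM_UAC_RE = re.compile(r"^UAC[a-z]{12,}\.(dll|sys)$")
SHORT_PATH_RE = re.compile(r"~\d")  # 8.3 path components such as DOCUME~1


def parse_drweb_report(text: str) -> List[Dict[str, str]]:
    """Parse DrWeb.csv rows into dicts; rows with too few fields are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 4:
            continue
        rows.append({"name": fields[0], "dir": fields[1], "verdict": fields[2], "action": fields[3]})
    return rows


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Merge rows by filename and tag each entry for review.

    Tags: "heuristic" when the verdict starts with "Probably" (a guess, not a signature hit);
    "random_uac" for the naming pattern above; "short_path" when a directory uses 8.3 names,
    which is why TDSS3b67.tmp is listed twice under two spellings of the same Temp folder.
    """
    merged: Dict[str, Dict[str, object]] = {}
    for r in rows:
        entry = merged.setdefault(r["name"].lower(),
                                  {"name": r["name"], "dirs": set(), "verdicts": set(), "tags": set()})
        entry["dirs"].add(r["dir"])
        entry["verdicts"].add(r["verdict"])
        if r["verdict"].startswith("Probably"):
            entry["tags"].add("heuristic")
        if RANDOM_UAC_RE.match(r["name"]):
            entry["tags"].add("random_uac")
        if SHORT_PATH_RE.search(r["dir"]):
            entry["tags"].add("short_path")
    return list(merged.values())


def names_with_tag(entries: List[Dict[str, object]], tag: str) -> List[str]:
    """Sorted filenames carrying a given tag, for a quick summary line per category."""
    return sorted(str(e["name"]) for e in entries if tag in e["tags"])
```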

Re: Helpp

Post by Belahzur on 11th May 2009, 6:21 pm

Hello.
I want to run a RootRepeal scan.

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:35 pm

It's too long, how do I go about posting it?


Re: Helpp

Post by jarons1 on 11th May 2009, 6:37 pm

[You must be registered and logged in to see this link.]


Does that work?


Re: Helpp

Post by Belahzur on 11th May 2009, 6:42 pm

Yep.
Surprising that Dr.Web didn't detect the rootkit's main driver, Dr.Web was a lot more powerful back in the day.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Helpp

Post by jarons1 on 11th May 2009, 6:49 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACuckunupaeprfdgv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Helpp

Post by Belahzur on 11th May 2009, 7:00 pm

Maybe now MBAM will work.
Instructions if needed:

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Helpp

Post by jarons1 on 11th May 2009, 7:04 pm

Just so you know, my main problem I was having was when I was searching on Yahoo and when I clicked on results it would send me to random pages, but I just tried it and it seems to be working again.


Re: Helpp

Post by Belahzur on 11th May 2009, 7:05 pm

That's because the main rootkit driver is now dead, so lots of stuff will work. That includes MBAM, so give it a go.


