"Remains" of multiple viruses - need help with cleanup

[ken545]

I would sure like to see GMER, lets try running it again, be sure to disable your anti virus program and the Tea Timer in Spybot. Then were going to disable your CD drivers that may interfere, here are new instructions, just drag GMER to the trash and start over

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

• Run Spybot-S&D in Advanced Mode.
• If it is not already set to do this Go to the Mode menu select "Advanced Mode"
• On the left hand side, Click on Tools
• Then click on the Resident Icon in the List
• Uncheck "Resident TeaTimer" and OK any prompts.
• Restart your computer.<--You need to do this for it to take effect

Disable Anti Virus
Link




Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.





Next:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

• Double click GMER.exe.
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
    
    Click the image to enlarge it
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.



To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
• Click the Re-enable button to re-enable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

[W4yneb0t]

It worked after a few tries, here's the log:




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 13:27:49
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgqiyfoc.sys


---- System - GMER 1.0.15 ----

SSDT BAFAB186 ZwCreateKey
SSDT BAFAB17C ZwCreateThread
SSDT BAFAB18B ZwDeleteKey
SSDT BAFAB195 ZwDeleteValueKey
SSDT BAFAB19A ZwLoadKey
SSDT BAFAB168 ZwOpenProcess
SSDT BAFAB16D ZwOpenThread
SSDT BAFAB1A4 ZwReplaceKey
SSDT BAFAB19F ZwRestoreKey
SSDT BAFAB190 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9691360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\Tunngle\TnglCtrl.exe[1740] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [90]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\prohlp02 \Device\ProHlp02 E1B19E78

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FAC105A1-FD17-E8F1-B9C0-892ED0053BD3}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FAC105A1-FD17-E8F1-B9C0-892ED0053BD3}@laakoamoolnkijhkmgoahhee 0x64 0x62 0x69 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FAC105A1-FD17-E8F1-B9C0-892ED0053BD3}@laogfanikkcgpklfjcapajda 0x64 0x62 0x69 0x70 ...

---- EOF - GMER 1.0.15 ----

[ken545]

Looks ok, how are things running now ?

[W4yneb0t]

Looks fine to me, do you think the virus is gone?

[ken545]

It appears to be. When you ran GMER, did you make sure there was a checkmark in the SECTIONS TAB ?

Why don't you use your computer for a few days and then post back and let me know how its running, if your still having issues than run GMER in safemode and make sure the SECTIONS TAB is checked

To Enter Safemode

• Go to Start> Shut off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
  this will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to Safemode
• Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode

[ken545]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.