
Thread: Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

  1. #31
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    I just briefly looked through your OTL log and nothing is jumping out at me, but I need some time to look it over more carefully. In the meantime I would like you to run this rootkit scanner, because if there is a rootkit installed it will not show up on most scanners. Have to warn you, depending on your system it could take a while.

    morkee.com <--Do you want this site in your Internet Explorer Trusted Zone ?
    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)

    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    Please copy and paste the report into your Post.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #32
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    morkee can be removed; was from a previous employer

    about to start the next task

  3. #33
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    I was running GMER when it went to a blue screen.

    I cannot make out the first couple of letters on the right side of the screen,
    but here is what I can see:

    ??p: c000021a {Fatal System Error}
    ??? Windows Subsystem system process terminated unexpectedly with a status of
    ???00005 (0x001e000a 0x02b6e064).
    ??? system has been shut down.

  4. #34
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Try running it in Safe Mode; make sure you have disabled your AV.

    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it How to boot into Safemode

  5. #35
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    was able to restart the program in normal mode

    ran for about 2 hours and then got another blue screen

    running it in safemode now

    should be done in 3.5-4 hours if it takes as long as some of the other scans

  6. #36
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    aahhgg!!

    I am able to start it in Safe Mode, but I noticed that I cannot access any buttons below "Scan" because of the screen resolution
    (tried to change it, but it only let me see 640 by 480).

    If I remember correctly, the Save button is below the Scan button.

    I'll start it and you can let me know if I am wasting my time since I cannot access the Save button,
    or if a report is created and I don't need to access that button.

    I was also wondering if I could highlight the info in the main window and paste it into a text document after it ran.

    Let me know what you think.

  7. #37
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Well, really not sure, although I have had other posters run this in Safe Mode and post a log. You can try copying and pasting the info if you can't save it.

    If no luck either way, you can try running this one; GMER gives more info, but this one may do.

    Please download RootRepeal from one of these locations and save it to your desktop
    • Open on your desktop.
    • Click the tab.
    • Click the button.
    • Check just these boxes:
    • Push Ok
    • Check the box for your main system drive (usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

  8. #38
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    Well, that was a waste of 4+ hours.

    Not your fault.
    I should have stopped when you sent me the notice about RootRepeal.

    I'll run RootRepeal now and post the report in the morning when I get up.

    If we get somewhere with RootRepeal, then maybe I will be able to run GMER in normal mode.

  9. #39
    Senior Member
    Join Date
    Sep 2008
    Posts
    151

    Default

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/05/16 23:51
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF735E000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7BBD000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF6E18000 Size: 49152 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "Lbd.sys" at address 0xf76e787e

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "Lbd.sys" at address 0xf76e7bfe

    ==EOF==
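
    The report above is plain text with a fixed layout, so the triage an experienced helper does by eye (are the SSDT hooks from something we trust? are any hidden drivers unexpected?) can be written down and repeated. The script below is an added example, not part of the thread and not RootRepeal's own code: it parses the Drivers and SSDT sections of the report exactly as posted and reports SSDT hooks by any module outside an allowlist, plus hidden drivers other than the crash-dump stubs and the scanner's own driver. The allowlist (VETTED_HOOKERS, holding only Lbd.sys because the thread judged those hooks benign) and the "expected hidden" rule are assumptions for illustration, not RootRepeal behaviour.

```python
"""Parse a RootRepeal report and pick out what a reviewer should look at.
Added example: not from the thread and not RootRepeal's own code. SAMPLE_REPORT is
the report posted above; VETTED_HOOKERS is an assumed allowlist for illustration."""
import re
from dataclasses import dataclass, field

@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: bool

@dataclass
class SsdtHook:
    index: int
    function: str
    module: str
    address: int

@dataclass
class Report:
    drivers: list = field(default_factory=list)
    hooks: list = field(default_factory=list)
# Report text as posted in the thread (forum indentation removed).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/16 23:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF735E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_WMILIB.SYS
Address: 0xF7BBD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xF6E18000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76e787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76e7bfe

==EOF==
"""

DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\s*\nImage Path: (?P<path>.+?)\s*\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+File Visible: (?P<vis>\S+)")
HOOK_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\s*\n"
    r'Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')

def parse_report(text):
    # Entries are blank-line separated; a bare name over a dashed rule opens a section.
    report, section = Report(), None
    for block in re.split(r"\n\s*\n", text):
        lines = block.strip().splitlines()
        if len(lines) >= 2 and set(lines[1].strip()) == {"-"}:
            section, lines = lines[0].strip(), lines[2:]
        body = "\n".join(lines).strip()
        if section == "Drivers" and (m := DRIVER_RE.match(body)):
            report.drivers.append(Driver(m["name"], m["path"], int(m["addr"], 16),
                                         int(m["size"]), m["vis"].lower() == "yes"))
        elif section == "SSDT" and (m := HOOK_RE.match(body)):
            report.hooks.append(SsdtHook(int(m["idx"]), m["fn"], m["mod"], int(m["addr"], 16)))
    return report

# Assumed allowlist of modules already vetted on this machine. The expert in the
# thread judged the Lbd.sys hooks benign, which is the only reason it is listed.
VETTED_HOOKERS = frozenset({"lbd.sys"})

def triage(report, vetted=VETTED_HOOKERS):
    # Returns findings a reviewer should look at; an empty list means nothing to review.
    findings = [f"SSDT #{h.index:03d} {h.function} hooked by {h.module} at 0x{h.address:08x}"
                for h in report.hooks if h.module.lower() not in vetted]
    for d in report.drivers:
        # Crash-dump stack copies (dump_*) and the scanner's own driver run from
        # memory with no visible file; any other hidden driver is worth a look.
        expected_hidden = d.name.lower().startswith("dump_") or d.name.lower() == "rootrepeal.sys"
        if not d.file_visible and not expected_hidden:
            findings.append(f"hidden driver {d.name} loaded from {d.image_path}")
    return findings
```

    With the allowlist as given, `triage(parse_report(SAMPLE_REPORT))` returns nothing, matching the "nothing bad" verdict; with an empty allowlist it reports both NtCreateKey and NtSetValueKey hooks, which is the right default for a machine where nothing has been vetted yet. Registry-write hooks are exactly where a rootkit would hide its own keys, so a hook on those two functions by an unknown module should never be waved through on name alone.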

  10. #40
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Let me tell ya, I've been at this for a good many years and this garbage is getting harder and harder to remove; it would be nice if these dirtbags were on our side. RootRepeal was fine, nothing bad.

    We're going to run OTL again.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      Code:
      :OTL
      O1 - Hosts: 127.0.0.1 localhost
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O15 - HKCU\..Trusted Domains: morkee.com ([i2] https in Trusted sites)
      O16 - DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} https://i2.morkee.com/postauthACC/SodaAgent.CAB  (SodaAgt Class)
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done

    Then we are going to reset your hosts file

    Download the HostsXpert 4.3 - Hosts File Manager.
    • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper left corner.
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Post the OTL report and let me know if this helped
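
    The hosts-file reset above restores Microsoft's default file and, as the note says, throws away any custom entries along with the hijack. The script below is an added example, not from the thread and not HostsXpert's code: it audits a hosts file first, so you can see what was done to it (loopback mappings that sinkhole update servers, public addresses that redirect a site elsewhere) before wiping it, then rebuilds a default file keeping only entries that point into private address ranges. SAMPLE_HOSTS is constructed, and using private ranges as the test for "the user's own entries" is an assumption for illustration.

```python
"""Audit a Windows hosts file for hijack entries and build a clean replacement.

Added example: not from the thread and not HostsXpert's code. SAMPLE_HOSTS is
constructed; PRIVATE_NETS is the assumed set of ranges a user's own intranet
entries live in, so those survive the rebuild while everything else is dropped.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the Microsoft default line, an IPv6 localhost line, and
# the kinds of entries a hijacked hosts file typically contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.microsoft.com
127.0.0.1       liveupdate.av-vendor.example  # update server sinkholed
198.51.100.23   www.bank.example              # redirected to another host
10.0.0.5        intranet.corp.example
"""

# What a default Windows XP hosts file reduces to once comments are stripped.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"
# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = frozenset({"localhost"})
# Assumed: ranges where the user's own custom (intranet) entries are expected.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Finding:
    lineno: int
    kind: str      # "block", "redirect", "custom" or "malformed"
    name: str
    address: str


def parse_hosts(text):
    """Yield (lineno, address-or-None, name) for every mapping, comments removed."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, fields[0]
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text):
    """Classify every mapping: loopback for a non-local name blocks that site
    (the classic anti-update trick), a public address redirects it, and a
    private address is treated as the user's own entry."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr is None:
            kind = "malformed"
        elif addr.is_loopback:
            if name in LOOPBACK_NAMES:
                continue
            kind = "block"
        elif any(addr in net for net in PRIVATE_NETS):
            kind = "custom"
        else:
            kind = "redirect"
        findings.append(Finding(lineno, kind, name, "" if addr is None else str(addr)))
    return findings


def rebuild_hosts(text):
    """Return the default file plus only the entries classified as the user's own,
    which is the manual re-adding step the thread's note describes."""
    keep = [f for f in audit_hosts(text) if f.kind == "custom"]
    return DEFAULT_HOSTS + "".join(f"{f.address}\t{f.name}\n" for f in keep)
```

    On Windows the file lives at %SystemRoot%\system32\drivers\etc\hosts and is frequently left read-only by the tools that reset it, which is why HostsXpert has a "Make Hosts Writable?" button; clear the read-only attribute before writing the rebuilt content back, and re-run the audit on the result to confirm it is clean.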
