Here it is.
ComboFix 10-09-26.04 - Antivirus 09/27/2010 19:10:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.93 [GMT 5.5:30]
Running from: c:\documents and settings\Antivirus\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.
2010-09-11 18:25 . 2010-09-11 18:26 -------- d-----w- c:\program files\ERUNT
2010-09-09 13:26 . 2010-09-09 13:26 0 ----a-w- c:\windows\nsreg.dat
2010-09-09 13:25 . 2010-09-09 13:25 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\Mozilla
2010-09-09 11:27 . 2010-09-26 07:04 -------- d-----w- c:\windows\system32\NtmsData
2010-09-09 11:01 . 2010-09-09 11:01 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Avira
2010-09-09 07:42 . 2010-09-09 07:42 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-09 07:42 . 2010-03-01 03:35 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-09 07:42 . 2010-02-16 07:54 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-09 07:42 . 2009-05-11 06:19 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-09-09 07:42 . 2009-05-11 06:19 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-09-09 07:42 . 2010-09-09 07:42 -------- d-----w- c:\program files\Avira
2010-09-08 15:29 . 2010-09-08 15:29 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\WMTools Downloaded Files
2010-09-08 08:22 . 2010-09-08 08:22 -------- d-sh--w- c:\documents and settings\Antivirus\IECompatCache
2010-09-08 08:12 . 2010-09-08 08:12 -------- d-sh--w- c:\documents and settings\Antivirus\PrivacIE
2010-09-08 08:11 . 2010-09-08 08:11 -------- d-sh--w- c:\documents and settings\Antivirus\IETldCache
2010-09-08 08:09 . 2009-01-07 12:51 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-08 08:08 . 2010-09-08 08:09 -------- dc-h--w- c:\windows\ie8
2010-09-08 07:43 . 2010-09-08 07:43 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\Help
2010-09-08 05:50 . 2010-09-08 05:50 -------- d-sh--w- c:\documents and settings\Antivirus\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 09:37 . 2010-09-25 09:36 2826192 ----a-w- c:\documents and settings\Antivirus\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-09-20 07:03 . 2010-09-07 11:42 -------- d-----w- c:\program files\Alwil Software
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Malwarebytes
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-09 07:42 . 2010-09-07 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-09-08 06:41 . 2010-09-07 10:57 -------- d-----w- c:\program files\Kundli
2010-09-07 14:52 . 2010-09-07 10:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-07 13:19 . 2010-09-07 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-07 13:15 . 2010-09-07 13:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-07 13:12 . 2010-09-07 13:12 -------- d-----w- c:\program files\InstallShield Installation Information
2010-09-07 12:53 . 2010-09-07 12:53 42944 ----a-w- c:\documents and settings\Antivirus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-07 11:33 . 2010-09-07 11:33 -------- d-----w- c:\program files\Microsoft.NET
2010-09-07 11:33 . 2010-09-07 11:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-07 11:10 . 2010-09-07 11:10 -------- d-----w- c:\documents and settings\Antivirus\Application Data\vlc
2010-09-07 10:59 . 2010-09-07 10:59 -------- d-----w- c:\program files\VideoLAN
2010-09-07 10:56 . 2010-09-07 10:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-07 10:31 . 2010-09-07 10:31 -------- d-----w- c:\program files\microsoft frontpage
2010-09-07 10:27 . 2010-09-07 10:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-7 122880]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/9/2010 1:12 PM 135336]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - HTTPFILTER
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
FF - ProfilePath - c:\documents and settings\Antivirus\Application Data\Mozilla\Firefox\Profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-09-27 19:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-27 19:14:51
ComboFix-quarantined-files.txt 2010-09-27 13:44
Pre-Run: 17,735,729,152 bytes free
Post-Run: 17,704,951,808 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 0C68E8CDC2AC44AB89066012EE3E4022
And it hadn't disconnected me from the internet during the scan, unlike what the instructions had said it would.