
Thread: virus issues?

#1 Member, Kent, England (joined Aug 2010; 250 posts)

virus issues?

Please could someone kindly advise me - I've posted this here on the recommendation of abseh1, who previously made mention regarding 'rootkits'. I have a laptop, Advent 7201 model no. AL096; it's running Windows XP 32 bit, and the processor is a 'family 6 model 14 stepping 12 genuine Intel 1866MHz'; it's actually my step-son's laptop. He recently downloaded something (though I have no idea what), but it killed his hard drive stone dead!! I bought a new hard drive for him today - 250GB - replaced it in his laptop no problem, reinstalled Windows XP 32 bit no problem, and then downloaded AVG. A following scan of the system revealed the following - 1 virus, removed & dealt with, but also 4 rootkits not removed. Please could you advise, what on earth is a rootkit??? Because it seems that whatever this is, it's playing hell with his laptop: he can't get certain websites, the system freezes or crashes, or he's simply shut down without a chance of redemption. This is totally beyond me, please can you help me? I'll tell you whatever you want to know & help you in any way I can to rescue his laptop, sorry to sound so dramatic but this is really stressing me out. Thank you for your help, time, and patience with me on this.

#2 Spyware Fighter, Bement, Ill USA (joined Jun 2010; 1,340 posts)

    Hello and welcome to Help2Go

    We apologize for the delay in responding to your request for help. Here at Help2Go we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    Please take note:

    1. If you have since resolved the original problem you were having, we would appreciate you letting us know.
    2. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
      • If you are unsure about any of these characteristics just post what you can and we will guide you.
    3. Please tell us if you have your original Windows CD/DVD available.
    4. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
    5. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
    6. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
    7. If you have already posted a DDS log, please do so again, as your situation may have changed.
    8. Use the 'Add Reply' and add the new log to this thread.


    We need to see some information about what is happening in your machine. Please perform the following scan again:

    • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


    We also need a new log from the GMER anti-rootkit Scanner.

    Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

    Please first disable any CD emulation programs using the steps found in this topic:

    Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:


    Note:
    If you are unable to run a GMER scan due to the fact you are running a 64-bit machine, please run the following tool and post its log.

    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


    Can you please supply a Screen shot of what Avg is picking up as a rootkit? If not can you please tell me the whole message and the file name if it is provided.

    Thanks and again sorry for the delay.
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-






#3 Member, Kent, England (joined Aug 2010; 250 posts)

    Dear fireman4it, sorry to bother you again. I've attempted to follow your instructions to the letter, on my step-son's laptop which has the problem. The system shut me down 3 times, blocked the installation of DDS.scr & wouldn't let me get any further. However, I managed to download DDS.pif and executed a scan, which displayed the following results;

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-27 15:12:15
    -----------------------------
    15:12:15.734 OS Version: Windows 5.1.2600 Service Pack 2
    15:12:15.734 Number of processors: 1 586 0xE0C
    15:12:15.750 ComputerName: JOSH-DFC1D3166B UserName: Joshua
    15:12:16.968 Initialize success
    15:12:17.609 AVAST engine defs: 12062700
    15:12:28.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    15:12:28.109 Disk 0 Vendor: WDC_WD2500BEVT-00A23T0 01.01A01 Size: 238475MB BusType: 3
    15:12:28.156 Disk 0 MBR read successfully
    15:12:28.171 Disk 0 MBR scan
    15:12:28.187 Disk 0 Windows XP default MBR code
    15:12:28.203 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
    15:12:28.218 Disk 0 scanning sectors +488376000
    15:12:28.312 Disk 0 scanning C:\WINDOWS\system32\drivers
    15:12:33.312 Service scanning
    15:12:48.859 Modules scanning
    15:12:57.156 Disk 0 trace - called modules:
    15:12:57.187 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    15:12:57.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b93ab8]
    15:12:57.218 3 CLASSPNP.SYS[f773505b] -> nt!IofCallDriver -> \Device\00000063[0x84b59ec0]
    15:12:57.296 5 ACPI.sys[f76ab620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84b1b5d8]
    15:12:57.890 AVAST engine scan C:\WINDOWS
    15:13:01.093 AVAST engine scan C:\WINDOWS\system32
    15:14:06.453 AVAST engine scan C:\WINDOWS\system32\drivers
    15:14:18.015 AVAST engine scan C:\Documents and Settings\Joshua
    15:14:51.593 AVAST engine scan C:\Documents and Settings\All Users
    15:14:59.484 Scan finished successfully
    15:15:22.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joshua\My Documents\MBR.dat"
    15:15:22.093 The log file has been saved successfully to "C:\Documents and Settings\Joshua\My Documents\aswMBR.txt"

    I don't know if this is what you wanted or if it is any use, I'm sorry I really don't know. Following this scan, I tried again to rectify the situation, I uninstalled AVG & installed Avast as an alternative, and following a scan, it found nothing??? Then I was shut down AGAIN & hit with the following error message:

    'Runtime error' prog C:/programfiles/intexplorer/IExplore.exe R6025 - pure virtual function call

    Error signature - app name iexplore.exe - modver 6.0.2900.2853, appver 6.0.2900.2180, offset 0009d06f, modname mshtml.dll

    I've just about given up on this!! If possible, could you please educate me; otherwise I completely understand if you're unable to help. I just don't know what else to do. Thank you again for your time & effort.

    Regards

    Chris
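The aswMBR log above reports "Disk 0 MBR read successfully", "Windows XP default MBR code", one active NTFS partition at offset 63, and saves the raw sector to MBR.dat; RogueKiller later in the thread prints an MD5 of the same sector. Both tools are doing the same thing: decoding the 512-byte master boot record and comparing its 446 bytes of boot code with known-good values, because a bootkit of the kind TDSSKiller targets replaces that code. The Python below is an added example, not part of the thread and not code from either tool. It parses an MBR image the way those tools report it and compares the boot-code hash against a caller-supplied allowlist. The sample sector is constructed here: its partition entry mirrors the log (active, type 07, offset 63, 238464 MB) but the boot code is a stub, so its hash is not that of a real XP MBR, and the allowlist passed in `__main__` is a placeholder for hashes taken from known-clean installs.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (what aswMBR/RogueKiller hash)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Partition type codes as aswMBR prints them (subset).
PART_TYPES = {
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux",
}


def parse_mbr(mbr: bytes) -> dict:
    """Decode a raw 512-byte MBR (for example the MBR.dat that aswMBR saves)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    info = {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        info["partitions"].append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors // 2048,   # 512-byte sectors -> MB, as aswMBR reports it
        })
    return info


def check_mbr(mbr: bytes, known_boot_code_md5: set) -> list:
    """Return human-readable findings; an empty list means nothing unexpected."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_md5"] not in known_boot_code_md5:
        findings.append(f"boot code md5 {info['boot_code_md5']} is not in the known-good set")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type_name"] == "unknown":
            findings.append(f"partition {p['index']}: unrecognised type 0x{p['type']:02x}")
    # Overlapping entries: a hidden partition squeezed into the space of an existing one.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def format_like_aswmbr(info: dict) -> list:
    """Render partition lines in the style of the aswMBR log."""
    lines = []
    for p in info["partitions"]:
        flag = "A" if p["active"] else " "
        lines.append(f"Partition {p['index']} {p['status']:02X} ({flag}) {p['type']:02X} "
                     f"{p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    return lines


def build_sample_mbr() -> bytes:
    """Constructed test sector: layout from the thread's log, stub boot code (NOT a real XP MBR)."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
    # One active NTFS partition starting at sector 63, 238464 MB, as in the log.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 238464 * 2048)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    parsed = parse_mbr(sample)
    print("\n".join(format_like_aswmbr(parsed)))
    # Placeholder allowlist: in practice, hashes of MBRs taken from known-clean installs.
    print(check_mbr(sample, {parsed["boot_code_md5"]}))
```

To run it against a real capture, read MBR.dat with `open(path, "rb").read()` and pass a set of hashes you trust; the tools in the thread ship such a set internally, which is what "Windows XP default MBR code" means in the log.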

#4 Spyware Fighter, Bement, Ill USA (joined Jun 2010; 1,340 posts)

    Hello,

    Please try the following in Safemode with Networking.

    Now reboot into Safe Mode with Networking.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Make sure you choose the option with networking support.
    Please see here for additional details.


    1.
    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
      Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
    • Copy and paste the contents of that file in your next reply.


    2.
    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
    should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


    Things to include in your next reply:
    TDSSKiller log
    Combofix.txt.
    How is your machine running now?






#5 Member, Kent, England (joined Aug 2010; 250 posts)

    Dear fireman4it, thank you for your patience, this situation is like a bad virus... if you'll pardon the pun!!! I rebooted my step-son's laptop in 'safemode networking', I downloaded TDSSKiller as advised, carried out a scan which came out clear, no infections. However, I then executed an AVG scan which, although it again showed no sign of any threats, did indicate four rootkits: 'unknown corrupted section ntoskrnl.ex object hidden'; this message was displayed 4 times. I then downloaded 'COMBO' & ran a scan. I attempted to access 'help2go' on my step-son's laptop for the purpose of posting the results to you; the system blocked my access to 'help2go', and shut me down... twice!! Consequently I've had to copy the results from his laptop onto a 'memory stick', and paste the results for you on my own system. I hope you can make sense of this because it's all rocket science to me!! The results of the combo scan are as follows....

    ComboFix 12-06-28.01 - Joshua 28/06/2012 12:40:58.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.894.570 [GMT 1:00]
    Running from: c:\documents and settings\Joshua\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-19 03:50 . 2012-04-19 03:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-06-28_10.43.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-31 03:46 . 2012-01-31 03:46 31952 c:\windows\system32\drivers\avgrkx86.sys
    + 2011-12-23 12:32 . 2011-12-23 12:32 41040 c:\windows\system32\drivers\avgmfx86.sys
    + 2011-12-23 12:32 . 2011-12-23 12:32 17232 c:\windows\system32\drivers\avgidsshimx.sys
    + 2011-12-23 12:32 . 2011-12-23 12:32 24144 c:\windows\system32\drivers\avgidsfilterx.sys
    + 2012-03-19 04:17 . 2012-03-19 04:17 301248 c:\windows\system32\drivers\avgtdix.sys
    + 2012-02-22 04:25 . 2012-02-22 04:25 235216 c:\windows\system32\drivers\avgldx86.sys
    + 2011-12-23 12:32 . 2011-12-23 12:32 139856 c:\windows\system32\drivers\avgidsdriverx.sys
    + 2012-06-28 11:01 . 2012-06-28 11:01 5161984 c:\windows\Installer\b0e3a.msi
    + 2012-06-28 10:59 . 2012-06-28 11:00 2208768 c:\windows\Installer\b0e36.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-06-28 11:01 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-06-28 2067328]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
    "vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-06-28 1116544]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
    R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [28/06/2012 12:01 932736]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30/04/2012 09:44 5106744]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2012-06-28 12:43
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-06-28 12:44:18
    ComboFix-quarantined-files.txt 2012-06-28 11:44
    ComboFix2.txt 2012-06-28 10:44
    .
    Pre-Run: 246,513,967,104 bytes free
    Post-Run: 246,536,552,448 bytes free
    .
    - - End Of File - - 7C1C86BEAD66860B7BB22C28DA8DF5AB

    The laptop is also running very, very slow and randomly freezes & shuts down from the internet, blocking access. Hope you can advise further? Thank you again
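The ComboFix log above is the artefact the helper actually reads: the "Reg Loading Points" section lists Run values (`"name"="path" [date size]`), services and drivers with their start type (`R0 name;display;path [date time size]`), and orphaned registry references (`... - (no file)`). The Python below is an added example, not part of the thread and not a ComboFix feature: it parses those three line formats and applies the first checks an analyst makes by hand, namely an autostart or kernel driver loaded from a location an unprivileged user can write to, and a registry entry that still points at a file that no longer exists. The embedded sample reuses the AVG lines from the post verbatim and adds two constructed suspicious lines (`svchost.exe` in the user's Temp folder and `hjgruwi.sys` in Application Data) that do not appear anywhere in the thread; the AVG entries are there to show that a legitimate product's autostarts pass the checks.

```python
import re
from dataclasses import dataclass, field

# ComboFix line formats as they appear in the log in this thread.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)'
    r'\s+\[(?P<date>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2})\s+(?P<size>\d+)\]$')
ORPHAN_RE = re.compile(r'^(?P<name>\S+)\s+-\s+\(no file\)$')

# Directories an unprivileged user (or a drive-by download) can write to on XP.
USER_WRITABLE = (
    "\\documents and settings\\", "\\temp\\", "\\application data\\",
    "\\local settings\\", "\\recycler\\", "\\system volume information\\",
)
DRIVER_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    kind: str            # "run", "service" or "orphan"
    name: str
    path: str
    size: int = 0
    start: str = ""      # R0..R3 / S0..S4 for services, as ComboFix prints it
    reasons: list = field(default_factory=list)


def parse_loading_points(text: str) -> list:
    """Extract autostart entries from the Reg Loading Points section of a ComboFix log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], int(m["size"])))
        elif m := SVC_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"], int(m["size"]), m["start"]))
        elif m := ORPHAN_RE.match(line):
            entries.append(Entry("orphan", m["name"], ""))
    return entries


def triage(entries: list) -> list:
    """Attach reasons to suspicious entries and return only those."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        reasons = []
        if e.kind == "orphan":
            reasons.append("registry still references a file that no longer exists")
        else:
            if any(d in p for d in USER_WRITABLE):
                reasons.append("autostart runs from a user-writable location")
            if (e.kind == "service" and e.start in ("R0", "R1")
                    and p.endswith(".sys") and DRIVER_DIR not in p):
                reasons.append(f"{e.start} kernel driver loaded from outside {DRIVER_DIR}")
        if reasons:
            e.reasons = reasons
            flagged.append(e)
    return flagged


# Constructed sample: the AVG lines are copied from the thread; the svchost and
# hjgruwi lines are invented here for illustration and were NOT in the real log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-06-28 1116544]
"svchost"="c:\documents and settings\Joshua\Local Settings\Temp\svchost.exe" [2012-06-27 45056]
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [19/04/2012 04:50 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [31/01/2012 04:46 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [22/02/2012 05:25 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [19/03/2012 05:17 301248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [14/02/2012 04:53 193288]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe [28/06/2012 12:01 932736]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [23/12/2011 13:32 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [23/12/2011 13:32 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [23/12/2011 13:32 17232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [30/04/2012 09:44 5106744]
R0 hjgruwi;hjgruwi;c:\documents and settings\Joshua\Application Data\hjgruwi.sys [27/06/2012 15:02 20480]
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
"""


if __name__ == "__main__":
    for e in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:<50} {e.path}")
        for r in e.reasons:
            print(f"         - {r}")
```

The two location checks are deliberately simple; a Run value or an R0 driver under Program Files or System32 can still be malicious, so the output is a starting list for the file-by-file checks (hash, signature, timestamp against the install) rather than a verdict. The orphan in the real log is a toolbar CLSID left behind when AVG was uninstalled, which ComboFix had already removed.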

#6 Spyware Fighter, Bement, Ill USA (joined Jun 2010; 1,340 posts)

    Hello,


    which although again showed no sign of any threats, the scan did indicate four rootkits: - 'unknown corrupted section ntoskrnl.ex object hidden'
    The exact wording was Rootkit? Not Root Drive?


    Have you tried running in Safemode with Networking and see if it is any better?

    Now reboot into Safe Mode with Networking.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Make sure you choose the option with networking support.
    Please see here for additional details.

    Please run this tool, then run GMER and re-run AVG and see if it still picks up a rootkit.
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.


    1.
    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.

    2.
    • Download RogueKiller on the desktop
    • Close all the running processes
    • Under Vista/Seven, right click -> Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • When prompted, Click Scan
    • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again






#7 Member, Kent, England (joined Aug 2010; 250 posts)

    Hi there 'fireman4it', sorry again for the delay. I've done as you requested, all in 'safemode networking'. I've downloaded GMER, Defogger, and RogueKiller, taken scans, and the results are as follows:
    RogueKiller V7.6.1 [06/28/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: RogueKiller - Geeks to Go Forums
    Blog: tigzy-RK

    Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
    Started in : Safe mode with network support
    User: Administrator [Admin rights]
    Mode: Scan -- Date: 06/29/2012 14:00:35

    Bad processes: 0

    Registry Entries: 1
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    Particular Files / Folders:

    Driver: [NOT LOADED]

    Infection :

    HOSTS File:
    127.0.0.1 localhost


    MBR Check:

    +++++ PhysicalDrive0: WDC WD2500BEVT-00A23T0 +++++
    --- User ---
    [MBR] 3c4378441732333f4ad88ef2f1f81a99
    [BSP] 77816da43d27099e1fe97f5a8915cb7e : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
    Rootkit scan 2012-06-29 13:55:58
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500BEVT-00A23T0 rev.01.01A01
    Running: qbelvgi8.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwgcaaoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    Defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 13:43 on 29/06/2012 (Administrator)

    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.

    Checking for services/drivers...


    -=E.O.F=-

    Really hope all of this makes sense to you, and I look forward to your reply.

#8 Spyware Fighter, Bement, Ill USA (joined Jun 2010; 1,340 posts)

    Still Getting this from AVG?

    'unknown corrupted section ntoskrnl.ex object hidden'






#9 Member, Kent, England (joined Aug 2010; 250 posts)

    Hi fireman4it, yes unfortunately I get the same message!! If you said to me, "hit it with a hammer", I'd understand!!! Sorry, just joking. If you really can't find a solution please don't worry, I've completely run out of ideas. I've formatted the hard drive twice but the problem is still there. Thank you for your time & effort anyway.

#10 Spyware Fighter, Bement, Ill USA (joined Jun 2010; 1,340 posts)

    Download the yorkyt.exe disinfection tool (1,31 MB).

    Save the file to your hard disk; to the Windows Desktop, for example.
    Double click the yorkyt.exe file.
    A reboot will be requested to install a driver.
    Another reboot will be requested to complete the disinfection.
    When the disinfection is completed, accept the message that will be displayed.
    In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.



    Please download Sophos Anti-rootkit & save it to your desktop.
    alternate download link
    Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

    Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
    • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
    • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
    • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
    • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
    • If the scan did not start automatically, make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives
    • Click Start scan.
    • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
    • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
    • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
    • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
    • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
    • After reboot, a dialog box displays the files you selected for removal and the action taken.
    • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
    • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
    • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
    Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Clean out your temporary files.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.





