Can't kill CLB Rootkit infection aka WinNT-Alureon

Discussion in 'Malware Help (A Specialist Will Reply)' started by kleach, Sep 8, 2009.

  1. kleach

    kleach Private E-2

    I am running Vista... and have AntiVir Guard running..
    Avira does report a random bogus file name with a TR/Alureon.BF.2 signature in it.
    I have been battling this for 24 hours now.. and need help.
    I had a UACd.sys stealth service running but RootRepeal no longer sees it. I tried to remove it with Avenger and made some progress..


    I walked through your startup script..
    SuperAntiSpyware: Got this to install after many tries.. but when run, like all other apps it dies in the middle of processing. Then the permissions are changed and I am locked out until I manually remove the permissions and add them back.
    Malwarebytes: Same deal here..
    ComboFix: Got this to finally install.. when I go to run (with Avira off) it takes a restore point and never advances (sat all night). Same is true for safe mode..
    MGTools: Did get this installed (I attached the MGLogs.zip)
    HijackThis: dies in the middle of running. (even the MGTools version)
    UAC is off
    internet access is blocked via sonicwall

    RootRepeal will run..
    If I try to run a Files scan it will crash the app and change the permissions so I can't run it again..
    Process Explorer is one of the only apps that will run..

    Here is the basic RootRepeal log (minus the "files" section):
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/08 12:14
    Program Version: Version 1.3.5.0
    Windows Version: Windows Vista SP1
    ==================================================

    Drivers
    -------------------
    Name: dump_dumpfve.sys
    Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
    Address: 0x8B61B000 Size: 69632 File Visible: No Signed: -
    Status: -

    Name: dump_iaStor.sys
    Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
    Address: 0x8B5A8000 Size: 471040 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\Windows\system32\drivers\rootrepeal.sys
    Address: 0x9A380000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: win32k.sys:1
    Image Path: C:\Windows\win32k.sys:1
    Address: 0x8B683000 Size: 20480 File Visible: No Signed: -
    Status: -

    Name: win32k.sys:2
    Image Path: C:\Windows\win32k.sys:2
    Address: 0x8B688000 Size: 61440 File Visible: No Signed: -
    Status: -

    Processes
    -------------------
    Path: System
    PID: 4 Status: Locked to the Windows API!

    Path: C:\Windows\System32\audiodg.exe
    PID: 1216 Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 078 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x9568519c

    #: 194 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x95685188

    #: 201 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0x9568518d

    #: 334 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x95685197

    ==EOF==


    Ran BitDefender online scan.
    I loaded / installed and started scanning.. then the entire browser shut down in the middle of scanning.. now I can't use IE again.. (until I reset the permissions)
    Same deal with Trend's HouseCall

    It is as if whatever is causing the issue is scanning.. it closes the app that is scanning and changes the permissions of that app so you can't run it again.

    I ran Root Kit Buster from Trend Micro.. same deal.. runs up to a point and crashes..then I get locked out..
    I did play with this one a little and I am able to cleanly run the MBR,Process and Driver test.. the Reg test is what kills the app itself.

    There does not seem to be any files in the system that even begin with UAC now..
    Lots of stuff tries to get into c:\users\kenl\appdata\local\temp (admin user that I am logged into now)

    There is SOMETHING running that prevents me from running ANY tools that can help..
    At this point I am looking for any help... this one is annoying..

    Thanks in advance...
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The infection that you have replaces required Windows files with their own infected copies. We need to find out which file or files have been changed and attempt to replace them. I see you ran Avenger before coming here. You may have now made it impossible for us to use Avenger to fix this malware since the malware (as you have noticed) frequently allows programs to be run only once and from then on, it blocks them. Were you working on another forum or were you running things on your own?



    Please download this Win32kDiag and save to your Desktop.
    • Double-click the utility to run it and let it finish.
    • When it states "Finished! Press any key to exit", press any key to close the program.
    • It will save a Win32kDiag.txt file to your desktop automatically. Attach this log file to your next message.
     
  3. kleach

    kleach Private E-2

    It was me.. I only removed non OS files...
    Your tool did not get far...

    Log file is located at: C:\Users\Kenl\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\Windows'...



    Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\Windows\CSC\v2.0.6\pq
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How long did you wait? It can take this program a long time to run. Did it crash? If not, then wait for it to finish and attach the log.

    Below is something else you can try for programs that do not run (at least do not run more than once which is what this infection will do).

    Using Inherit to correct program execution permissions issues


    The above procedure just gives one example with SUPERAntiSpyware.exe but you could also do the same for RootRepeal and other programs.

    What I suspect is that your C:\windows\system32\cngaudit.dll file has become infected and will need to be replaced by a good copy, but you will not be able to do this while Windows is running.
     
  5. kleach

    kleach Private E-2

    I tried to download the inherit.exe but Avira pops up..
    I tried to download it to the c:\downloads directory and it seems something grabbed it and tried to put a copy into the user's temp location ... a sign of the bad stuff..
    I let your app run; it just stopped on its own and I posted the text in my last message..
    I do not want to run the inherit.exe since I think it is now infected.
    To replace the file you recommended.. I assume I have to put a clean copy somewhere safe... and then boot into safe mode / command line?
    and replace?
     
  6. kleach

    kleach Private E-2

    I posted a reply to the original message by mistake.
    Looks like the system file you are talking about is OK..
    The issue seems to be with the fact that I can't scan the drive with RootRepeal completely.. it crashes.. like your tool does..
    Here is the RootRepeal data minus the file info:

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/09/15 16:26
    Program Version: Version 1.3.5.0
    Windows Version: Windows Vista SP1
    ==================================================

    Drivers
    -------------------
    Name: dump_dumpfve.sys
    Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
    Address: 0x8B208000 Size: 69632 File Visible: No Signed: -
    Status: -

    Name: dump_iaStor.sys
    Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
    Address: 0x8B195000 Size: 471040 File Visible: No Signed: -
    Status: -

    Name: PROCEXP111.SYS
    Image Path: C:\Windows\system32\Drivers\PROCEXP111.SYS
    Address: 0x98B3A000 Size: 9856 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\Windows\system32\drivers\rootrepeal.sys
    Address: 0x98B55000 Size: 49152 File Visible: No Signed: -
    Status: -

    Processes
    -------------------
    Path: System
    PID: 4 Status: Locked to the Windows API!

    Path: C:\Windows\System32\audiodg.exe
    PID: 1192 Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 078 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x80d6bd7c

    #: 194 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x80d6bd68

    #: 201 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0x80d6bd6d

    #: 334 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x80d6bd77

    ==EOF==
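The two RootRepeal reports in this thread (posts 1 and 6) show the same four SSDT services hooked by an unknown module: NtOpenProcess, NtOpenThread, NtTerminateProcess and NtCreateThread, with the handler addresses sitting 0x00, 0x05, 0x0f and 0x14 bytes apart in both scans (base 0x95685188 in the first, 0x80d6bd68 in the second). That combination is exactly what lets an implant watch for and kill user-mode scanners, which matches the symptoms kleach describes. The following Python script is an added example written for this thread; it is not code from the thread, from RootRepeal or from the MajorGeeks procedures. It parses a RootRepeal report, keeps the hooks with an unknown owner, and groups hooks whose targets fall within a small address window (the 0x100-byte window is an assumption) so that one hidden module shows up as one finding. The report text embedded in it is a constructed, trimmed copy of the first report above.

```python
"""Parse RootRepeal text reports and flag SSDT hooks by an unknown module.

Added example, not part of the thread or of RootRepeal itself.
"""
import re

# Constructed sample: the first report in the thread, trimmed to the lines
# the parser needs (Drivers/Processes sections shortened, SSDT kept whole).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 12:14
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\Windows\\system32\\drivers\\rootrepeal.sys
Address: 0x9A380000 Size: 49152 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: C:\\Windows\\System32\\audiodg.exe
PID: 1216 Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x9568519c

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x95685188

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x9568518d

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x95685197

==EOF==
"""

# One SSDT entry spans two lines: the "#:" line and the "Status:" line.
SSDT_ENTRY = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\w+)\s*\n'
    r'Status:\s*Hooked by\s*"(?P<owner>[^"]*)"\s*at address\s*(?P<addr>0x[0-9A-Fa-f]+)'
)

# Hooking these four services lets a kernel implant see which processes and
# threads are being opened or created and terminate the ones it dislikes.
PROCESS_CONTROL_SERVICES = {
    "NtOpenProcess", "NtOpenThread", "NtCreateThread", "NtTerminateProcess"}

# Processes RootRepeal reports as "Locked to the Windows API!". On Vista the
# protected audio process audiodg.exe is normally locked, so this is
# informational only and is not treated as an indicator here.
LOCKED_PROCESS = re.compile(r"Path:\s*(\S+)\nPID:\s*\d+\s+Status:\s*Locked")


def parse_ssdt_hooks(report: str):
    """Return one dict per hooked SSDT entry found in the report."""
    return [
        {"index": int(m.group("index")), "name": m.group("name"),
         "owner": m.group("owner"), "addr": int(m.group("addr"), 16)}
        for m in SSDT_ENTRY.finditer(report)
    ]


def cluster_hooks(hooks, window=0x100):
    """Group hooks whose handlers lie within `window` bytes of each other.

    Handlers a few bytes apart are trampolines inside one hidden module, so
    the analyst gets one address range to look for instead of four addresses.
    The window size is an assumption chosen for this example.
    """
    clusters = []
    for h in sorted(hooks, key=lambda h: h["addr"]):
        if clusters and h["addr"] - clusters[-1]["base"] <= window:
            clusters[-1]["names"].append(h["name"])
            clusters[-1]["offsets"].append(h["addr"] - clusters[-1]["base"])
        else:
            clusters.append({"base": h["addr"], "names": [h["name"]], "offsets": [0]})
    return clusters


def assess(report: str):
    """Summarise the report: unknown-owner hooks, which process-control
    services they cover, the address clusters, and locked processes."""
    hooks = parse_ssdt_hooks(report)
    unknown = [h for h in hooks if h["owner"].strip("<>").lower() == "unknown"]
    hooked = {h["name"] for h in unknown}
    return {
        "unknown_owner_hooks": len(unknown),
        "process_control_hooked": sorted(hooked & PROCESS_CONTROL_SERVICES),
        "clusters": cluster_hooks(unknown),
        "locked_processes": LOCKED_PROCESS.findall(report),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_REPORT)
    for c in result["clusters"]:
        print(f"hook cluster at {c['base']:#x}: {c['names']} offsets {c['offsets']}")
    print("process-control services hooked:", result["process_control_hooked"])
```

Run against the second report in the thread, the script yields the same four names with the same offsets [0, 5, 15, 20] at base 0x80d6bd68, which is the quickest way to confirm that both scans are looking at one and the same implant rather than two unrelated hooks.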
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop posting logs or pieces of logs inline. Logs need to be attachments.

    Then disable Avira. It is not helping you anyway right now. ;)

    It would be a much, much better idea to put it on your Desktop or to temporarily copy inherit.exe into the same folder as the file that you cannot run. This makes the drag and drop easier and it makes fix scripts we may need to make easier since we will know where the file is if it is on your Desktop.

    Please refer to programs by name. I'm guessing that you meant Win32kDiag?

    It's not infected. But your Windows Operating System is. Which is what we are trying to fix.

    You cannot replace the file unless you use special tools or you boot to the Recovery Console from your Windows Boot CD if you have one. The files cannot be replaced while Windows is running.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not!!!!! It is infected and it is the root of your problems. It is the wrong size. The valid cngaudit.dll file has been renamed to logevent.dll and now the cngaudit.dll is simply the infection hooked into your Windows Operating System.

    You don't need to try and run RootRepeal anymore. We already know what the heart of your problem is and that is the cngaudit.dll file. This needs to get replaced first and then there will be lots of additional damage to clean up.


    Please do the below to make a copy of the good system file into the root folder of your hard disk so that we can use it to fix your problem.
    1. Click on the Start button, then click on Run...
    2. In the empty "Open:" box provided, type cmd and press Enter
      • This will launch a Command Prompt window (looks like DOS).
    3. Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
      copy C:\WINDOWS\system32\logevent.dll C:\ /y
    4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
    5. Press Enter.
      • When successful, you should get this message within the Command Prompt: "1 file(s) copied"
        NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script below will not work if the file copy was not successful.
    6. Exit the Command Prompt window.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot.

    Now do the following (make sure you redownload the file. Do not use the old copy.):
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • the new log from Win32kDiag
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 20, 2009
  9. kleach

    kleach Private E-2

    Thanks for the help.. it has taken me some time to get to this... sorry for the delay..
    I was able to run the Avenger change... seemed to go ok.. see below..

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\logevent.dll|C:\WINDOWS\system32\cngaudit.dll" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    I have attached the MGlogs.zip file.. the other one is still running..
     

  10. kleach

    kleach Private E-2

    C:\>win32kdiag.exe -f -r
    Starting up...
    Running from: win32kdiag.exe
    Log file at : C:\Users\Kenl\Desktop\Win32kDiag.txt
    Removing all found mount points.
    Attempting to reset file permissions.
    WARNING: Could not get backup privileges!
    Searching 'C:\Windows'...

    Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
    Cannot access: C:\Windows\CSC\v2.0.6\pq
    Attempting to restore permissions of : C:\Windows\CSC\v2.0.6\pq
    Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{2f9d2000-5de9-11dd-80b7-005056c000
    08}
    Attempting to restore permissions of : C:\Windows\CSC\v2.0.6\temp\ea-{2f9d2000-5
    de9-11dd-80b7-005056c00008}
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6000.16868_none_ca1affdbd9d49d2f\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6000.16868_none_ca1affdbd9d49d2f: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6000.21065_none_caa173eaf2f52436\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6000.21065_none_caa173eaf2f52436: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6001.18270_none_cbee6c45d70a7f59\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6001.18270_none_cbee6c45d70a7f59: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6001.22447_none_cc9f7cc0f00979d8\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6001.22447_none_cc9f7cc0f00979d8: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6002.18049_none_cdfe5271d41061e0\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6002.18049_none_cdfe5271d41061e0: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\3dfb6e68d3
    67fb8f4a87c37935e1494d\x86_microsoft-windows-workstationservice_31bf3856ad364e35
    _6.0.6002.22150_none_ce741cb6ed3e398c\x86_microsoft-windows-workstationservice_3
    1bf3856ad364e35_6.0.6002.22150_none_ce741cb6ed3e398c: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6000.16868_none_9012d8998bc4efa4\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6000.16868_none_9012d8998bc4efa4: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6000.21065_none_90994ca8a4e576ab\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6000.21065_none_90994ca8a4e576ab: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6001.18270_none_91e6450388fad1ce\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6001.22447_none_9297557ea1f9cc4d\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6001.22447_none_9297557ea1f9cc4d: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6002.18049_none_93f62b2f8600b455\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\43aad48fe3
    fe7ab00579858cb6500554\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_
    6.0.6002.22150_none_946bf5749f2e8c01\x86_microsoft-windows-video-for-windows_31b
    f3856ad364e35_6.0.6002.22150_none_946bf5749f2e8c01: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6000.16868_none_a7d7e7e38b82194a\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6000.16868_none_a7d7e7e38b82194a: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6000.21065_none_a85e5bf2a4a2a051\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6000.21065_none_a85e5bf2a4a2a051: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6001.18270_none_a9ab544d88b7fb74\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6001.18270_none_a9ab544d88b7fb74: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6001.22447_none_aa5c64c8a1b6f5f3\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6001.22447_none_aa5c64c8a1b6f5f3: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6002.18049_none_abbb3a7985bdddfb\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6002.18049_none_abbb3a7985bdddfb: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\49b81bec0b
    f09d6386d41acc55d253ba\x86_microsoft-windows-telnet-server-tlntsess_31bf3856ad36
    4e35_6.0.6002.22150_none_ac3104be9eebb5a7\x86_microsoft-windows-telnet-server-tl
    ntsess_31bf3856ad364e35_6.0.6002.22150_none_ac3104be9eebb5a7: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6000.16885_none_a2006a922ae150af\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6000.16885_none_a2006a922ae150af: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6000.21083_none_a287deeb4400f10d\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6000.21083_none_a287deeb4400f10d: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6001.18289_none_a3eaaa60280446fc\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6001.18289_none_a3eaaa60280446fc: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6001.22470_none_a47616634121e3ed\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6001.22470_none_a47616634121e3ed: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6002.18065_none_a5e2bcde251dfc09\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6002.18065_none_a5e2bcde251dfc09: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\686d09f0ac
    25fcac373cbaa1643482ec\x86_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35
    _6.0.6002.22172_none_a65e88df3e466bbf\x86_microsoft-windows-mediaplayer-wmpdxm_3
    1bf3856ad364e35_6.0.6002.22172_none_a65e88df3e466bbf: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6000.16865_none_2dcbeeccc8adc633\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6000.16865_none_2dcbeeccc8adc633: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6000.21061_none_2e516291e1cf33e3\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6000.21061_none_2e516291e1cf33e3: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6001.18266_none_2fb32dbcc5d3707b\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6001.22443_none_304f6b67dee38985\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6001.22443_none_304f6b67dee38985: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6002.18045_none_31ae4118c2ea718d\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6002.18045_none_31ae4118c2ea718d: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\c76925252b
    3c13d1c58d52dd806e5df5\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad36
    4e35_6.0.6002.22146_none_3238de2ddc072aae\x86_microsoft-windows-t..s-clientactiv
    excore_31bf3856ad364e35_6.0.6002.22146_none_3238de2ddc072aae: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6000.16870_none_e4a4f2ddb3dfbcec\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6000.16870_none_e4a4f2ddb3dfbcec: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6000.21067_none_e54039bcccef2568\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6000.21067_none_e54039bcccef2568: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6001.18272_none_e68d3217b104808b\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6001.18272_none_e68d3217b104808b: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6001.22450_none_e72a700cca13b2ec\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6001.22450_none_e72a700cca13b2ec: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6002.18051_none_e8884573ae1b819d\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6002.18051_none_e8884573ae1b819d: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_
    6.0.6002.22152_none_e912e288c7383abe\x86_microsoft-windows-security-kerberos_31b
    f3856ad364e35_6.0.6002.22152_none_e912e288c7383abe: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6000.16870_none_1fe460c0585503b5\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6000.16870_none_1fe460c0585503b5: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6000.21067_none_207fa79f71646c31\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6000.21067_none_207fa79f71646c31: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6001.18272_none_21cc9ffa5579c754\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6001.18272_none_21cc9ffa5579c754: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6001.22450_none_2269ddef6e88f9b5\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6001.22450_none_2269ddef6e88f9b5: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6002.18051_none_23c7b3565290c866\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6002.18051_none_23c7b3565290c866: 3
    Could not open reparse point C:\Windows\SoftwareDistribution\Download\f0e7510dbd
    d98e00504ebcf9a6bc42ad\x86_microsoft-windows-security-schannel_31bf3856ad364e35_
    6.0.6002.22152_none_2452506b6bad8187\x86_microsoft-windows-security-schannel_31b
    f3856ad364e35_6.0.6002.22152_none_2452506b6bad8187: 3
    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTDiagLog.etl
    [1] 2009-09-24 09:25:40 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLo
    g.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Applicati
    on.etl
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTEventLog-Application.etl
    [1] 2009-09-24 09:25:25 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventL
    og-Application.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft
    -Windows-Backup.etl
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTEventLog-Microsoft-Windows-Backup.etl
    [1] 2009-09-24 09:25:11 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLo
    g-Microsoft-Windows-Backup.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.
    etl
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTEventlog-Security.etl
    [1] 2009-09-24 09:25:11 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlo
    g-Security.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.et
    l
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTEventLog-System.etl
    [1] 2009-09-24 09:25:25 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventL
    og-System.etl ()

    Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
    Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup
    \EtwRTMsMpPsSession.etl
    [1] 2009-09-24 09:26:38 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsS
    ession.etl ()

    Cannot access: C:\Windows\System32\wbem\WmiPrvSE.exe
    Attempting to restore permissions of : C:\Windows\System32\wbem\WmiPrvSE.exe
    Cannot access: C:\Windows\System32\WerFault.exe
    Attempting to restore permissions of : C:\Windows\System32\WerFault.exe

    Finished! Press any key to exit...
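Two things in the Win32kDiag output above matter for triage: the mount point under C:\Windows\CSC\v2.0.6\namespace whose destination is \Device\__max++>\^ rather than a normal volume, and the "WARNING: Could not get backup privileges!" line, which means the tool's permission repair may be incomplete. The log was also wrapped at 80 columns by the console, so long paths are split across lines. The Python script below is an added example for this thread, not code from the thread or from Win32kDiag. It re-joins console-wrapped lines, pairs each "Found mount point" with its destination, flags destinations that are not a \??\Volume{GUID}\ target, and collects the "Cannot access" paths. The log text inside it is constructed from the output above; the second, benign mount point and its volume GUID are made up for contrast.

```python
"""Triage a Win32kDiag console log for mount points that do not point at a volume.

Added example, not part of the thread and not Win32kDiag's own code.
"""
import re

# Every line Win32kDiag prints starts with one of these; anything else on a
# non-empty line is a continuation produced by the console's 80-column wrap.
KNOWN_PREFIXES = (
    "Starting up", "Running from", "Log file at", "Removing all", "Attempting to reset",
    "WARNING:", "Searching", "Found mount point", "Mount point destination",
    "Removing mount point", "Cannot access", "Attempting to restore permissions",
    "Could not open reparse point", "[", "Finished!",
)

# Constructed sample modelled on the log posted above. The "Cannot access"
# entry for the CSC temp file is wrapped exactly as the console wrapped it;
# the C:\MountedVolumes\data entry and its GUID are made up as a benign case.
SAMPLE_LOG = r"""Starting up...
Removing all found mount points.
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace
Found mount point : C:\MountedVolumes\data
Mount point destination : \??\Volume{8f6e1a2c-0000-0000-0000-000000000000}\
Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{2f9d2000-5de9-11dd-80b7-005056c000
08}
Attempting to restore permissions of : C:\Windows\CSC\v2.0.6\temp\ea-{2f9d2000-5
de9-11dd-80b7-005056c00008}
Cannot access: C:\Windows\System32\wbem\WmiPrvSE.exe
Attempting to restore permissions of : C:\Windows\System32\wbem\WmiPrvSE.exe
Finished! Press any key to exit...
"""

# A legitimate NTFS volume mount point targets \??\Volume{GUID}\ .
VOLUME_TARGET = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")


def join_wrapped(text: str):
    """Re-join lines the console wrapped: a non-empty line that starts with no
    known message prefix is glued onto the previous line."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if lines and not line.startswith(KNOWN_PREFIXES):
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def triage(text: str):
    """Return suspicious/benign mount points, inaccessible paths and whether
    the tool ran without backup privileges."""
    findings = {"suspicious_mount_points": [], "benign_mount_points": [],
                "inaccessible": [], "backup_privilege_missing": False}
    pending = None  # mount point path waiting for its destination line
    for line in join_wrapped(text):
        if line.startswith("WARNING: Could not get backup privileges"):
            findings["backup_privilege_missing"] = True
        elif line.startswith("Found mount point :"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and pending:
            dest = line.split(":", 1)[1].strip()
            entry = {"path": pending, "destination": dest}
            bucket = "benign_mount_points" if VOLUME_TARGET.match(dest) else "suspicious_mount_points"
            findings[bucket].append(entry)
            pending = None
        elif line.startswith("Cannot access:"):
            findings["inaccessible"].append(line.split(":", 1)[1].strip())
    return findings


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for mp in f["suspicious_mount_points"]:
        print(f"SUSPICIOUS mount point {mp['path']} -> {mp['destination']}")
    print("inaccessible:", f["inaccessible"])
    print("ran without backup privilege:", f["backup_privilege_missing"])
```

When `backup_privilege_missing` is set, treat the "Attempting to restore permissions" lines as attempts rather than confirmations and re-run the tool elevated, as chaslang's later instructions (run as Administrator with UAC disabled) do.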
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wrong order! You must complete all steps in the order written. MGtools should be run after the other steps are completed. NEVER EVER run multiple scans at the same time.

    You are forgetting our forum rules. No inline logs! Please remember to attach ALL logs.

    Also you did not tell me how things are working.


    Download and save Inherit to your C:\MGtools folder.

    Then from your Windows Explorer window, drag C:\MGtools\analyse.exe on top of inherit.exe.

    Did you get an OK?


    Please try to run other scans from SUPERAntiSpyware, Malwarebytes and ComboFix now.
     
    Last edited: Sep 28, 2009
  12. kleach

    kleach Private E-2

    OK.. I ran the inherit on analyse.exe and got the OK.
    I ran win32kdiag and attached the log
    I ran mgtools and attached the log
    I installed SAS and I am running a scan now...
    I will post when all three scanners complete.

    Overall I am just using this system for email at the moment. While it seems a little slow it is functioning OK. I think we got most of the really bad stuff out.
    You tell me!?

    Thanks again for your help.

    -Ken
     

  13. kleach

    kleach Private E-2

    I ran SAS and only had three bad cookies.
    I ran Malwarebytes and it did not find anything.
    I ran RootRepeal and it crashed on Vista.. I re-downloaded it and it is running now.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    Just delete all the below leftovers from failed attempts at running ComboFix:
    Code:
    C:\Windows\System32\
    cf10559.exe   Sep  8 2009      318976  "CF10559.exe"
    cf11377.exe   Sep  8 2009      318976  "CF11377.exe"
    cf15292.exe   Sep  8 2009      318976  "CF15292.exe"
    cf17714.exe   Sep  8 2009      318976  "CF17714.exe"
    cf18635.exe   Sep  8 2009      318976  "CF18635.exe"
    cf21936.exe   Sep  8 2009      318976  "CF21936.exe"
    cf26908.exe   Sep  8 2009      318976  "CF26908.exe"
    cf27128.exe   Sep  8 2009      318976  "CF27128.exe"
    cf28723.exe   Sep  9 2009      318976  "CF28723.exe"
    cf31250.exe   Sep  8 2009      318976  "CF31250.exe"
    cf4521.exe    Sep  8 2009      318976  "CF4521.exe"
    cf8116.exe    Sep  8 2009      318976  "CF8116.exe"
    cf8637.exe    Sep  8 2009      318976  "CF8637.exe"

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\Temp
    C:\Users\Kenl\AppData\Local\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  15. kleach

    kleach Private E-2

    Thanks for your help..

    -Ken
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
