Not sure if I have a problem (!)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by p45cal, Sep 11, 2011.

  1. p45cal

    p45cal Private E-2

    The computer's working OK, but yesterday some .bat files appeared on the Desktop, they were:

    rename.bat which contained:
    net stop cryptsvc
    cd %systemroot%\system32
    ren catroot2 catroot2old
    net start cryptsvc

    register.bat:
    regsvr32 /u softpub.dll /s
    regsvr32 /u wintrust.dll /s
    regsvr32 /u initpki.dll /s
    regsvr32 /u dssenh.dll /s
    regsvr32 /u rsaenh.dll /s
    regsvr32 /u gpkcsp.dll /s
    regsvr32 /u sccbase.dll
    regsvr32 /u slbcsp.dll /s
    regsvr32 /u mssip32.dll /s
    regsvr32 /u cryptdlg.dll /s

    and
    register2.bat:
    regsvr32 Softpub.dll /s
    regsvr32 Wintrust.dll /s
    regsvr32 Initpki.dll /s
    regsvr32 Mssip32.dll /s

    I have no idea how they got there so I was a little suspicious and decided to check for malware, and a few things were found. The results are attached.
    I was unable to run Root Repeal.
    I tried several times and got crash reports on the desktop such as:
    RootRepeal_crash_091111.003237.txt:
    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x76fd6468
    Attempt to read from address: 0x62afd0cf

    and:
    RootRepeal_crash_091111.010357.txt:
    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows Vista SP1
    Exception Code: 0xc0000005
    Exception Address: 0x00429d13
    Attempt to write to address: 0x012f9000

    It's reporting Vista sp1, but this is a Windows 7 virgin installation (not an upgrade).

    Given the kind of thing that was found (Koobface) I'm a bit concerned. However, could it be a false positive because the Koobface one was found in a zip file that is 10 years old? Unless, of course, such files can be infected (see Super AntiSpyware log). I had them cleaned anyway - I don't see myself using Easy CD Cover.exe again!

    So are the .bat files malign and do I need to do more cleaning up?

    thanks and cheers, p45cal
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi p45cal,

    All of the .bat files you linked are used for fixing Windows Update. They aren't harmful. Although they wouldn't just appear. Nobody has used this computer other than you?

    Give me a few minutes to analyze your logs to see if anything needs to be cleaned up. Thanks!
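The reply above settles the question by recognising the commands: the three files are the manual "reset Windows Update components" steps (stop Cryptographic Services, rename catroot2, unregister and re-register the signing and crypto DLLs). The script below is an added example, not code from the thread or from MajorGeeks, that turns that recognition into a repeatable check: every line of a batch file is compared against an allowlist built from exactly those commands, and anything that does not match (a DLL loaded from a path, an unfamiliar command) is reported for review. The sample batch contents are taken from the thread; `suspicious.bat` and its `C:\Users\Public\helper.dll` line are constructed for illustration.

```python
"""Triage helper for unexpected .bat files found on a Desktop.

Each line is compared against the commands of the well-known manual
"reset Windows Update components" procedure.  Lines that do not belong
to that procedure are reported so the analyst can look at them before
calling the file benign.  Added example; not the thread's own code.
"""
import re

# DLL names taken from the thread's register.bat / register2.bat.
WU_REPAIR_DLLS = {
    "softpub.dll", "wintrust.dll", "initpki.dll", "dssenh.dll", "rsaenh.dll",
    "gpkcsp.dll", "sccbase.dll", "slbcsp.dll", "mssip32.dll", "cryptdlg.dll",
}

# The catroot2 rename step from rename.bat (compared case-insensitively).
WU_REPAIR_EXACT = {
    "net stop cryptsvc",
    r"cd %systemroot%\system32",
    "ren catroot2 catroot2old",
    "net start cryptsvc",
}

# regsvr32 [/u] <bare dll name> [/s], switches in any order.  A DLL given
# with a directory path deliberately does NOT match, so it gets reported.
REGSVR32_RE = re.compile(
    r"^regsvr32\s+(?:/[us]\s+)*([a-z0-9_]+\.dll)(?:\s+/[us])*$", re.IGNORECASE
)


def classify_line(line: str) -> str:
    """Return 'skip', 'wu-repair' or 'unknown' for one batch-file line."""
    stripped = line.strip()
    if not stripped or stripped.lower().startswith(("rem ", "::", "@echo")):
        return "skip"
    if stripped.lower() in WU_REPAIR_EXACT:
        return "wu-repair"
    m = REGSVR32_RE.match(stripped)
    if m and m.group(1).lower() in WU_REPAIR_DLLS:
        return "wu-repair"
    return "unknown"


def triage_batch(name: str, text: str) -> dict:
    """Classify every line; the file only 'matches' if nothing is unknown."""
    classes = [(ln.strip(), classify_line(ln)) for ln in text.splitlines()]
    known = sum(1 for _, c in classes if c == "wu-repair")
    unknown = [ln for ln, c in classes if c == "unknown"]
    verdict = "matches WU repair procedure" if known and not unknown else "needs review"
    return {"file": name, "known": known, "unknown": unknown, "verdict": verdict}


# Sample inputs: the first two are the files quoted in the thread.
SAMPLE_RENAME_BAT = """net stop cryptsvc
cd %systemroot%\\system32
ren catroot2 catroot2old
net start cryptsvc
"""

SAMPLE_REGISTER_BAT = """regsvr32 /u softpub.dll /s
regsvr32 /u wintrust.dll /s
regsvr32 /u initpki.dll /s
regsvr32 /u dssenh.dll /s
regsvr32 /u rsaenh.dll /s
regsvr32 /u gpkcsp.dll /s
regsvr32 /u sccbase.dll
regsvr32 /u slbcsp.dll /s
regsvr32 /u mssip32.dll /s
regsvr32 /u cryptdlg.dll /s
"""

# Constructed example (not from the thread): a repair-looking file that also
# registers a DLL from a user-writable directory, which must be flagged.
SAMPLE_SUSPICIOUS_BAT = """net stop cryptsvc
regsvr32 /s C:\\Users\\Public\\helper.dll
"""

if __name__ == "__main__":
    for name, text in [("rename.bat", SAMPLE_RENAME_BAT),
                       ("register.bat", SAMPLE_REGISTER_BAT),
                       ("suspicious.bat", SAMPLE_SUSPICIOUS_BAT)]:
        print(triage_batch(name, text))
```

The allowlist is intentionally narrow: a bare DLL name from the known set passes, while the same command pointing at a path, or any other command, lands in `unknown`. That asymmetry is the point; the question "is this benign?" is answered by what the file contains, not by what it is named.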
     
  3. thisisu

    thisisu Malware Consultant

    Aside from a couple of leftover traces of AVG (not malware related), your logs are clean, p45cal. :)
     
  4. p45cal

    p45cal Private E-2

    No, only me. I haven't had any sort of problem with Windows Update either. That's why I was surprised.

    Glad to hear log files are clean. Thanks very much.

    So it matters not that Root Repeal won't run?

    regards, P45cal
     
  5. thisisu

    thisisu Malware Consultant

    Just to be safe, I'll have you run a couple more scans.

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
  6. p45cal

    p45cal Private E-2

    That's been done (I had re-enabled UAC, MS Security Essentials realtime protection and Windows Firewall last night and have not disabled them again to do these two runs (TDSSKiller and MBRCheck)). Logs attached.

    Should I try Root Repeal now?
    cheers, p45cal
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    These 2 logs are also clean.

    I don't think it's necessary, but if you want to try it. Some programs just don't work on every PC. If you do decide to try RootRepeal, I would disable all your AV/Spyware Protection/Firewalls, etc. And also disable UAC once again before running RootRepeal. See if that makes any difference.
     
  8. p45cal

    p45cal Private E-2

    I probably won't then! Thanks v. much for all your help, regards, p45cal.
     
  9. thisisu

    thisisu Malware Consultant

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
