White X in red circle/critical warning virus help [Solved]


This topic is locked

#1 MrParadox (Member, 16 posts)
Hey all.

I seem to have run into an issue recently where a red circle with a white X in it will show up in my system tray telling me that my computer is infected and I should download anti-virus software. However, I've run a full scan of AVG (Free version) and it hasn't found anything. I can't seem to get it to go away.

As well, whenever I start up my computer, AVG pops up and tells me there's a threat with a file called critical_warning.html. My desktop background goes white (and I can't change it) and when I try to open up my Task Manager, it says I don't have permission. I have found the registry keys to the problem though and can fix it so that I can change my background and open up Task Manager but whenever I turn on my computer afterwards, it returns. I can run everything else like AVG, internet explorer, and other programs just fine.

Can anyone please help me solve this?

Thanks.

PS. Does this virus actually do anything harmful besides annoy me with the pop-up balloon? My computer seems to be acting normal (no slow down or anything) and everything seems like it's in working condition.

#2 Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Hello! :) Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:
  • Please be patient. I am still in training and there may be delays between posts.
    I must check everything with a moderator before posting.
  • Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
  • Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise.
    This makes things easier for me, and the moderator looking over this topic.
  • Ensure "WordWrap" is disabled in Notepad.
    • Click Start > All Programs > Accessories > Notepad.
    • Click Format > Word Wrap (if checked, if not, leave it)
  • To everyone except MrParadox: The instructions following were created specifically for MrParadox, please do not perform these steps unless instructed by a Trusted Helper.

I'll post back some instructions shortly.

Edited by piano9playa5, 02 November 2009 - 03:08 PM.


#3 MrParadox (Topic Starter, Member, 16 posts)
Hello piano9playa5.

Thanks for posting and I look forward to your help. I do have to leave for a few hours but I will be back later in the night so I hope you will be around then as well.

Thanks.

#4 Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Hello :) Let's begin!

Step One
Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up; press any key to close it once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
  • Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Step Two
Download RootRepeal from one of the following locations (Link 1, Link 2 or Link 3) and save it to your desktop:
  • Double-click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon next to the attachment to add it into your post



Step Three
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. It's usually located on the Desktop.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon next to the attachment to add it into your post



Logs&Info
Remember to post back the following logs:
  • exeHelperlog.txt (Posted)
  • RootRepeal.txt (Attached)
  • OTS.txt (Attached)


#5 MrParadox (Topic Starter, Member, 16 posts)
Thanks for your post and sorry it's taken me so long to reply (I had night class). When I try to download exeHelper to my desktop or try to run it, it gives me a message saying "Cannot copy exeHelper[1]: Access is denied." Also, AVG comes up and says there's a threat detected, the name of it being Downloader.Banload. The other two programs were downloaded fine. Should I run those still and post the logs or do I need to wait to do the exeHelper one first?

Also, for as long as this virus remains, should I stay off my computer except when to follow your instructions or am I still able to do things like browse the internet (Perhaps limit myself to sites I know are completely safe) and play games?

Edited by MrParadox, 02 November 2009 - 10:45 PM.


#6 Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Yes, skip exeHelper for now.

I'm not entirely sure what all may be on your machine, so I can't really say how much you should do... I'll let you know when I get the next logs. :)

#7 MrParadox (Topic Starter, Member, 16 posts)
Thanks for your reply.

Here is the RootRepeal log and attachment for the OTS file.

While RootRepeal was scanning, when it reached the SSDT tab, a message came up saying it couldn't scan the boot sector and told me to adjust the Disk Access Level in the Options dialog but I tried that and it didn't work.

And I couldn't find the 64-bit checkbox you spoke of for OTS.

If you need me to do the scans again, let me know.

Thanks!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/03 10:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF42E5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89D1000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP3076
Image Path: \Driver\PCI_NTPNP3076
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFA44000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\white-x-red-circle-critical-warning-virus-help-t257317[2].htm
Status: Allocation size mismatch (API: 1081344, Raw: 131072)

Path: c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\search[2].htm
Status: Allocation size mismatch (API: 1081344, Raw: 65536)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf82bb0d0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf82c0fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf82c1340

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf82bb0b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf82c1418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf82c1298

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf82c14aa

Stealth Objects
-------------------
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x829471e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82dd61e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82960270 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_POWER]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: aixlgmv9Ѕ敓Ёఈ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x828821e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82a16790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_CREATE]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_CLOSE]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_READ]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_SHUTDOWN]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_CLEANUP]
Process: System Address: 0x829af790 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ瑁䅭뺰쀇ँFileNa, IRP_MJ_PNP]
Process: System Address: 0x829af790 Size: 121

==EOF==

Attached file: OTS.txt (191.63KB, 230 downloads)

Edited by MrParadox, 03 November 2009 - 01:22 PM.

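Reading a RootRepeal report of this length by hand is tedious, so here is a small triage script, added as an example (my own code, not RootRepeal's and not something posted in the thread). It parses the SSDT and Stealth Objects sections in the format shown above and groups the results: which module hooks which system-call entries, how many IRP handlers of each driver object were redirected, the single (address, size) stub they all point at, and which driver names contain bytes outside printable ASCII (the report most likely read past the end of the name, as the `Cdfs...FileNa` entry suggests). The sample text is a shortened copy of the report above; the regexes and function names are mine.

```python
import re
from collections import Counter

# Shortened copy of the RootRepeal report above: the SSDT section and a few
# Stealth Objects entries. The garbled driver name is reproduced with \u escapes.
GARBLED = "aixlgmv9\u0405\u6553\u0401\u0c08\u4d43\u6156"
SAMPLE_REPORT = f"""SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf82bb0d0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf82c0fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf82c1340

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf82bb0b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf82c1418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf82c1298

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf82c14aa

Stealth Objects
-------------------
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82d671e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x828661e8 Size: 121

Object: Hidden Code [Driver: {GARBLED}, IRP_MJ_CREATE]
Process: System Address: 0x8290d1e8 Size: 121

Object: Hidden Code [Driver: {GARBLED}, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8290d1e8 Size: 121

==EOF==
"""

# One SSDT entry spans two lines: "#: NNN Function Name: X" / "Status: Hooked by ..."
SSDT_RE = re.compile(
    r'#: (\d+) Function Name: (\w+)\s+Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
# One hidden-code entry: "Object: Hidden Code [Driver: D, IRP_MJ_X]" / "Process: P Address: A Size: S"
STEALTH_RE = re.compile(
    r'Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]\s+Process: (\S+) Address: (0x[0-9a-fA-F]+) Size: (\d+)')


def parse_ssdt_hooks(report):
    """Return one dict per hooked SSDT entry."""
    return [{"index": int(i), "function": fn, "module": mod, "address": int(addr, 16)}
            for i, fn, mod, addr in SSDT_RE.findall(report)]


def parse_stealth_objects(report):
    """Return one dict per redirected IRP dispatch entry."""
    return [{"driver": drv, "irp": irp, "process": proc, "address": int(addr, 16), "size": int(size)}
            for drv, irp, proc, addr, size in STEALTH_RE.findall(report)]


def summarize(report):
    """Group the raw entries into what a helper actually scans the report for."""
    hooks = parse_ssdt_hooks(report)
    objs = parse_stealth_objects(report)
    stubs = {}
    for o in objs:
        stubs.setdefault(o["driver"], set()).add((o["address"], o["size"]))
    return {
        "hooks_by_module": Counter(h["module"] for h in hooks),
        "hooked_functions": sorted(h["function"] for h in hooks),
        "irps_by_driver": Counter(o["driver"] for o in objs),
        # distinct (address, size) pairs the redirected handlers point at, per driver
        "stubs_by_driver": {d: sorted(s) for d, s in stubs.items()},
        # names with bytes outside ASCII: the tool probably read past the end of
        # the name, so the entry should be treated as "name unreliable"
        "unreadable_driver_names": sorted(d for d in stubs if not d.isascii()),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for mod, n in s["hooks_by_module"].items():
        print(f"{mod}: hooks {n} SSDT entries ({', '.join(s['hooked_functions'])})")
    for drv, n in s["irps_by_driver"].items():
        flag = " [name unreadable]" if drv in s["unreadable_driver_names"] else ""
        print(f"{drv!r}: {n} IRP handlers redirected to {s['stubs_by_driver'][drv]}{flag}")
```

A hook count on its own says nothing about intent: sptd.sys is the SCSI Pass Through Direct layer installed with disc-emulation software, and its hooks on the registry functions are a familiar sight in these reports. What the grouping makes easy to see is the pattern that does matter for triage: every IRP of a driver object pointing at the same small code block, and a driver object whose name cannot be read at all.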

#8 MrParadox (Topic Starter, Member, 16 posts)
Some odd news. It seems as though the red circle with white X icon has disappeared from my system tray. I've tried restarting a few times just to make sure it hasn't been hidden away or anything but each time, it hasn't shown up. During the OTS scan, AVG had detected some threats which I took care of, so could that have been some solution to it? Still, I cannot open the Task Manager or change my desktop background, but I'm not sure if those issues were related to the fake virus warning.

#9 MrParadox (Topic Starter, Member, 16 posts)
Sorry to triple post, but it seems like I've solved my desktop background and Task Manager problem. I'm not really sure what has happened here but I guess the virus has been taken care of.

However, if you (piano9playa5 or other staff member) could take a look through my logs to check if there are any problems, that would be great.

Thanks.

#10 Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Hello :)
I can see from your logs that the main infection is, for the most part, gone. I do see some more items we need to take care of though.


Step One
I see that you once had Norton installed. This one can be a bugger to remove, and often leaves scraps behind.
Please download and run the Norton Removal Tool to remove these scraps.




Step Two
Start OTS again.
  • Copy/Paste the information in the CodeBox below, into the panel where it says "Paste fix here".

    [Kill All Processes]
    [Unregister Dlls]
    [Driver Services - Safe List]
    YY -> (nv) nv [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\nv4_mini.sys
    [Registry - Safe List]
    < HOSTS File > (151 bytes and 5 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
    YN -> Reset Hosts -> 
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "system tool" -> C:\Program Files\assirh\qgrcsysguard.exe [C:\Program Files\assirh\qgrcsysguard.exe]
    YY -> "winupdate.exe" -> C:\WINDOWS\system32\winupdate.exe [C:\WINDOWS\system32\winupdate.exe]
    < Run [HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\] > -> HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "system tool" -> C:\Program Files\assirh\qgrcsysguard.exe [C:\Program Files\assirh\qgrcsysguard.exe]
    < CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"NoSetActiveDesktop" -> [1]
    YN -> \\"NoActiveDesktopChanges" -> [1]
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009] > -> HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"NoSetActiveDesktop" -> [1]
    YN -> \\"NoActiveDesktopChanges" -> [1]
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009] > -> HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    YN -> \\"DisableTaskMgr" -> [1]
    [Files/Folders - Created Within 30 Days]
    NY ->  C:\Program Files\pkquiq -> C:\Program Files\pkquiq
    [Files/Folders - Modified Within 30 Days]
    NY -> ~.exe -> C:\WINDOWS\System32\~.exe
    [Files - No Company Name]
    NY -> AVR09.exe -> C:\WINDOWS\System32\AVR09.exe
    NY -> winhelper.dll -> C:\WINDOWS\System32\winhelper.dll
    NY -> nmswcnsf.exe -> C:\nmswcnsf.exe
    NY -> ~.exe -> C:\WINDOWS\System32\~.exe
    NY ->  prvlcl.dat -> C:\Documents and Settings\John\Local Settings\Application Data\prvlcl.dat
    NY -> mp3Media2.dll -> C:\WINDOWS\System32\mp3Media2.dll
    NY -> 3gpcore.dll -> C:\WINDOWS\System32\3gpcore.dll
    NY -> LMAAG2DD.ini -> C:\WINDOWS\LMAAG2DD.ini
    NY -> resourceGeneric.dll -> C:\WINDOWS\System32\resourceGeneric.dll
    [Custom Items]
    :files
    C:\Program Files\assirh
    c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\white-x-red-circle-critical-warning-virus-help-t257317[2].htm
    c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\search[2].htm
    
    :end
    [Empty Temp Folders]
    [Reboot]
  • Ensure you have pasted everything in, then click the Run Fix button.
  • The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.
  • Click the Ok button and Notepad will open with a log of actions taken during the fix.
  • Post the contents of the Notepad back here.
I will review the information when it comes back in.





Step Three
Please download Malwarebytes' Anti-Malware from either of the two download links.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Step Four
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, upload it to Mediafire and post the sharing link.

Please open OTS.
  • Check the box that says Scan All Users
  • Under Custom Scans paste in the following:

    %SYSTEMDRIVE%\*.exe
    %SYSTEMROOT%\*.* /s /r
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\comres.dll /s /md5
    %SYSTEMDRIVE%\appmgmts.dll /s /md5

  • Under Additional Scans check the following:

    • Reg - NetSvcs
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. It's usually located on the Desktop.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon next to the attachment to add it into your post





Logs&Info
Remember to post back the following logs:
  • OTS Fix Results
  • MalwareBytes' AntiMalware log
  • OTS.txt (attached)

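The registry part of the fix script above is also the clearest explanation of the symptoms reported in the first post: the Run entries are what brought the "system tool" program back at every boot, and the three policy values are what blocked Task Manager and locked the wallpaper. Below is an added Python example (my own code, not OTS's and not from the thread) that parses this fix-script format, resolves each Y/N line to the full registry key it lives under, and lists the lockdown policies and the autorun targets separately. It assumes the first letter of the two-letter prefix is the registry action and the second the file action, which is consistent with the results log in the next reply; the sample is a shortened copy of the script above with the indentation removed, and the helper names are mine.

```python
import re

# Shortened copy of the OTS fix script above (indentation removed).
# Raw string so the backslashes in the paths survive as written.
OTS_FIX = r"""[Kill All Processes]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "system tool" -> C:\Program Files\assirh\qgrcsysguard.exe [C:\Program Files\assirh\qgrcsysguard.exe]
YY -> "winupdate.exe" -> C:\WINDOWS\system32\winupdate.exe [C:\WINDOWS\system32\winupdate.exe]
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YN -> \\"NoSetActiveDesktop" -> [1]
YN -> \\"NoActiveDesktopChanges" -> [1]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009] > -> HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
[Files - No Company Name]
NY -> AVR09.exe -> C:\WINDOWS\System32\AVR09.exe
[Reboot]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [Registry - Safe List]
KEY_RE = re.compile(r"^<.*?> -> (.+)$")          # < Run [...] > -> HKEY_...\Run
ITEM_RE = re.compile(r"^([YN])([YN]) -> (.*?) ->\s*(.*)$")

# Policy values that produce the symptoms from the first post.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager refuses to open (the 'permission' error)",
    "NoSetActiveDesktop": "Active Desktop / wallpaper settings locked",
    "NoActiveDesktopChanges": "Active Desktop / wallpaper changes blocked",
}


def parse_ots_fix(text):
    """Expand each Y/N line into a dict carrying its section and full registry key."""
    items, section, key = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)          # registry key that the following lines live under
            continue
        if m := ITEM_RE.match(line):
            reg, file_, name, target = m.groups()
            items.append({
                "section": section,
                "key": key,
                "registry_action": reg == "Y",    # assumption: 1st flag = registry entry
                "file_action": file_ == "Y",      # assumption: 2nd flag = file on disk
                "name": name.strip("\\").strip('"'),
                # "path [path]" -> path; "[1]" -> 1
                "target": target.split(" [")[0].strip("[]"),
            })
    return items


def lockdown_policies(items):
    """Policy values in the fix, with the key they sit under and what they block."""
    return [{"key": i["key"], "name": i["name"], "data": i["target"],
             "effect": LOCKDOWN_POLICIES[i["name"]]}
            for i in items if i["key"] and i["name"] in LOCKDOWN_POLICIES]


def autorun_targets(items):
    """Executables launched from Run keys that the fix removes."""
    return [i["target"] for i in items
            if i["registry_action"] and i["key"] and i["key"].endswith("\\Run")]


if __name__ == "__main__":
    items = parse_ots_fix(OTS_FIX)
    for p in lockdown_policies(items):
        print(f"{p['key']}\\{p['name']} = {p['data']}: {p['effect']}")
    for exe in autorun_targets(items):
        print("autorun removed:", exe)
```

Knowing which hive a value sits under matters when checking the outcome: the DisableTaskMgr value here is per user, under HKEY_USERS\<SID>\...\policies\System, while the two Explorer values were set both machine-wide and for that user. A cleanup that fixes only one of those places leaves the symptom in the other, which is why the fix script names every occurrence.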

#11 MrParadox (Topic Starter, Member, 16 posts)
Thanks for your reply. Here are my logs.

OTS Fix

All Processes Killed
[Driver Services - Safe List]
Unable to stop service nv!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nv deleted successfully.
C:\WINDOWS\system32\drivers\nv4_mini.sys moved successfully.
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\system tool deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winupdate.exe deleted successfully.
File C:\WINDOWS\system32\winupdate.exe not found.
Registry value HKEY_USERS\S-1-5-21-130833806-2211579550-2880065967-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\system tool deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry key HKEY_USERS\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Registry key HKEY_USERS\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Registry key HKEY_USERS\Microsoft\Windows\CurrentVersion\policies\System not found.
[Files/Folders - Created Within 30 Days]
C:\Program Files\pkquiq folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\~.exe moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\AVR09.exe not found!
File C:\WINDOWS\System32\winhelper.dll not found!
File C:\nmswcnsf.exe not found!
File C:\WINDOWS\System32\~.exe not found!
C:\Documents and Settings\John\Local Settings\Application Data\prvlcl.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\mp3Media2.dll
C:\WINDOWS\System32\mp3Media2.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\3gpcore.dll
C:\WINDOWS\System32\3gpcore.dll moved successfully.
C:\WINDOWS\LMAAG2DD.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\resourceGeneric.dll
C:\WINDOWS\System32\resourceGeneric.dll moved successfully.
[Custom Items]
========== FILES ==========
File/Folder C:\Program Files\assirh not found.
File/Folder c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\white-x-red-circle-critical-warning-virus-help-t257317[2].htm not found.
c:\documents and settings\john\local settings\temporary internet files\content.ie5\hrqlyppy\search[2].htm moved successfully.
[Empty Temp Folders]


User: Default User
->Temp folder emptied: 9216771 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 5206150 bytes

User: Chung Huynh
->Temp folder emptied: 24655490 bytes
->Temporary Internet Files folder emptied: 135796413 bytes
->Java cache emptied: 1010787 bytes
->FireFox cache emptied: 4717690 bytes

User: Computer User
->Temp folder emptied: 189518032 bytes
->Temporary Internet Files folder emptied: 262727394 bytes
->Java cache emptied: 3412757 bytes
->FireFox cache emptied: 58323635 bytes

User: John
->Temp folder emptied: 1148032279 bytes
->Temporary Internet Files folder emptied: 644118076 bytes
->Java cache emptied: 3608160 bytes
->FireFox cache emptied: 52533402 bytes

User: Guest
->Temp folder emptied: 9422154 bytes
->Temporary Internet Files folder emptied: 2951081 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 81009 bytes
%systemroot%\System32 .tmp files removed: 8995213 bytes
Windows Temp folder emptied: 65983789 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = -1587.41 mb

< End of fix log >
OTS by OldTimer - Version 3.1.3.0 fix logfile created on 11042009_224818

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes log

Malwarebytes' Anti-Malware 1.41
Database version: 3103
Windows 5.1.2600 Service Pack 3

11/4/2009 11:20:35 PM
mbam-log-2009-11-04 (23-20-35).txt

Scan type: Quick Scan
Objects scanned: 126388
Time elapsed: 11 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Also, it seems that now whenever I use the scroll bar it moves extremely slowly. I believe this may have occurred after I ran the MalwareBytes scan. It's not all scroll bars, but it's a majority of them, like on Internet Explorer, Notepad, etc.

Attached Files
  • OTS2.txt (200.88KB)

Edited by MrParadox, 05 November 2009 - 12:05 AM.
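As an added example (not part of the thread, and not the OTS or Malwarebytes tools' own code), here is a read-only PowerShell audit of the locations both logs above touched: the Explorer policy values that locked the desktop, and the Run entries of the kind the fix deleted. Assumptions: an elevated PowerShell session (2.0 runs on XP SP3); NoDispBackgroundPage, DisableTaskMgr and DisableRegistryTools are assumed companion values, not items found in these logs; the Run-entry heuristics (missing file, drive root, user profile, Temp) are mine and will also flag some legitimate per-user updaters, so treat the output as a review list, not a delete list.

```powershell
# Added example for this thread, not code from OTS or Malwarebytes: a read-only
# audit of the registry locations the two fix logs above touched. Run it from
# an elevated PowerShell prompt (PowerShell 2.0 runs on XP SP3). It reports;
# it deletes nothing.

# Explorer/System policy values a rogue sets to lock the wallpaper and Task Manager
# (1 = restriction on). NoSetActiveDesktop and NoActiveDesktopChanges are the two
# "Hijack.DisplayProperties" items in the Malwarebytes log; the other three are
# assumed companions, not items found in this thread's logs.
$policyChecks = @(
    @{ Key    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Values = 'NoSetActiveDesktop', 'NoActiveDesktopChanges', 'NoDispBackgroundPage' },
    @{ Key    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Values = 'DisableTaskMgr', 'DisableRegistryTools' }
)

# Autostart keys of the kind the fix cleaned ("system tool", winupdate.exe).
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# HKLM plus every loaded user hive: the OTS log shows a per-user copy under
# HKEY_USERS\S-1-5-21-... as well as the machine-wide value.
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+\d$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Executable named by a Run command line: the quoted path if present, else the first token.
function Get-RunTarget([string]$command) {
    $c = $command.Trim()
    if ($c -match '^"([^"]+)"') { return $matches[1] }
    return ($c -split '\s+')[0]
}

# Heuristics (mine, not the tools'): a Run target is worth a second look when the
# file is gone (the fix log found winupdate.exe missing while its value remained)
# or when it lives where installers do not put programs: the drive root (compare
# C:\nmswcnsf.exe in the log), a user profile, or a Temp directory.
function Test-SuspiciousTarget([string]$target) {
    if ([string]::IsNullOrEmpty($target)) { return 'empty command' }
    $full = [Environment]::ExpandEnvironmentVariables($target)
    if ($full -notmatch '\\') {
        # Bare name such as rundll32.exe: resolve against %windir% and System32.
        $full = @("$env:windir\$full", "$env:windir\system32\$full") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $full) { return 'file missing' }
    }
    if (-not (Test-Path -LiteralPath $full)) { return 'file missing' }
    if ($full -match '^[A-Za-z]:\\[^\\]+$') { return 'drive root' }
    if ($full -match '\\Documents and Settings\\|\\Users\\') { return 'user profile' }
    if ($full -match '\\Temp\\') { return 'temp directory' }
    return $null
}

$findings = foreach ($hive in $hives) {
    foreach ($check in $policyChecks) {
        $path = "$hive\$($check.Key)"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-ItemProperty -LiteralPath $path
        foreach ($name in $check.Values) {
            $data = $item.$name
            if ($null -ne $data -and $data -ne 0) {
                New-Object PSObject -Property @{
                    Hive = $hive; Kind = 'Policy'; Name = "$($check.Key)\$name"
                    Data = $data; Why = 'restriction enabled' }
            }
        }
    }
    foreach ($rk in $runKeys) {
        $path = "$hive\$rk"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-ItemProperty -LiteralPath $path
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $why = Test-SuspiciousTarget (Get-RunTarget ([string]$prop.Value))
            if ($why) {
                New-Object PSObject -Property @{
                    Hive = $hive; Kind = 'Run'; Name = "$rk\$($prop.Name)"
                    Data = $prop.Value; Why = $why }
            }
        }
    }
}

if ($findings) { $findings | Format-Table Hive, Kind, Name, Data, Why -AutoSize -Wrap }
else { 'No enabled desktop/Task Manager restrictions and no suspicious Run entries found.' }
```

Run it once after a fix and again after the next reboot: a policy value or Run entry that is clear on the first pass and back on the second points at an autostart the tools have not yet removed, which is the thing to hunt rather than the value itself.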

#12
Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Hello! Sorry for the delay.


Step One
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Step Two
Java is a program that is required for many functions over the Internet. We need it now to perform an online scan.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u15-windows-i586.exe and select "Run as an Administrator.")




Step Three
Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt; save it to your desktop so that you may post it in your next reply.

Logs&Info
Remember to post back the following logs:
  • KasReport.txt

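As an added example (not part of the thread), here is a read-only PowerShell listing of the Java entries the Add/Remove Programs step above asks you to remove, taken from the Uninstall registry key, so you can confirm that every old version is gone before installing the new one. It assumes an elevated session; the name pattern is mine and may also match other Java-branded packages, so read the list before acting on it.

```powershell
# Added example for this thread, not Sun's or the forum's own tooling: list the
# installed Java runtimes from the Uninstall registry key. Read-only.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit packages on a 64-bit Windows; the key does not exist on 32-bit XP and is skipped.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            # Pattern is an assumption: JRE/J2SE names seen in Add/Remove Programs.
            if ($p.DisplayName -match '^Java|J2SE|JRE') {
                New-Object PSObject -Property @{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Uninstall = $p.UninstallString   # the command Add/Remove Programs runs
                    Key       = $sub.PSChildName
                }
            }
        }
    }
}

# Run before removal to see what is installed, and again afterwards: the list
# should then be empty until the new jre-6u15 installer has been run.
Get-InstalledJava | Sort-Object Version | Format-Table Name, Version, Uninstall -AutoSize -Wrap
```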

#13
MrParadox (Member, Topic Starter, 16 posts)
Hello. Sorry for taking so long to reply to you. I've done step one and two but I am unable to complete step three. I go to the Kaspersky Online Scanner website and run the scan, but the scan stops and is frozen around the 25% mark. I've tried running the scan several times but each time it freezes/stops. I've turned off my antivirus programs and closed all the programs but still get the same results.

Is there anything I can do to help this?

#14
Onaipian (Notepad warrior, Retired Staff, 2,130 posts)
Hello... Let's try this instead.


Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search and click OK.
Then click OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be Neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#15
MrParadox (Member, Topic Starter, 16 posts)
Hello.

Sorry for taking such a long time to reply once again. I find myself not having much time to get onto the computer lately because of my school and work but I hope we can fix this soon so we can both be done with it.

Before I proceed with the instructions in your last post, I do have a question. Now, I've downloaded the AVP tool and followed your instructions up to the Scan part. When I did hit Scan, I was quite surprised to see that it would take around 8 or 9 hours just to complete the scan. I had to stop because I had to leave and didn't want to leave my computer on at that time. Is this normal though? It seems like a very long time. I'm not sure what exactly is stored in the "My Computer" folder aside from my own stuff, but there seems to be quite a lot.

Regardless, I will do the scan at some point during the weekend to get it all done.

Thanks.