[maezhou]

OK, i got it. But will this scanning really take one day to finish?

[Advertisements]

It should not tak that long - but if you wish you can stop the scan and go for the system analysis, that takes about ten minutes

[Essexboy]

It should not tak that long - but if you wish you can stop the scan and go for the system analysis, that takes about ten minutes

[maezhou]

Stop scan now and do it later?
If I stop scanning and do the sys analysis, will that not affect the system analysis?

OK. I stopped the scanning. It's just 7% completed after more than 2 hours of scanning.
I'm now running the Manual Disinfection > Gathering system information.

I'll post the result.

Edited by maezhou, 23 October 2011 - 02:25 PM.

[Essexboy]

No as the system analysis looks at different elements

[maezhou]

Attached Manual Disinfection report file
 avptool_sysinfo.zip   18.17KB   425 downloads

Edited by maezhou, 23 October 2011 - 02:40 PM.

[Essexboy]

• Re-run AVPTool
• Select the Manual Disinfection tab and press Script execution
  
  
  
• Where it states Insert text script in the following box copy the below script and press Run script
  Copy from Begin until End
  
  
  
  

  begin
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
   DelBHO('{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}');
   DeleteFile('C:\ProgramData\6DSS92c31Apgjk.exe');
   BC_DeleteFile('C:\ProgramData\6DSS92c31Apgjk.exe');
   BC_DeleteFile('C:\Users\Owner\AppData\Local\Temp\_uninst_68522918.bat');
   DeleteFile('C:\Users\Owner\AppData\Local\Temp\_uninst_68522918.bat');
   DeleteFile('res:\C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206');
   BC_DeleteFile('res:\C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206');
   DeleteFile('C:\Windows\system32\Drivers\uti1odu0.sys');
   BC_DeleteFile('C:\Windows\system32\Drivers\uti1odu0.sys');
  BC_ImportDeletedList;
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
  end.
  

  
  
• Your system will reboot on completion, if it does not please do so yourself
• On completion please run another analysis scan and attach the zip file

Now retry combofix please

[maezhou]

Here's the log for second run of analysis.
 avptool_sysinfo.zip   19.57KB   408 downloads

I'll run ComboFix now.

[maezhou]

I run ComboFix. After when I thought that it's done, I checked the C drive, but there's no C:\ComboFix.Txt file. I have a file "32788R22FWJFW" instead, which on mouse-over shows "Shows the disk drives and hardware connected to this computer".

And then this alert came up:

But i've already clicked "Exit" on the Webroot icon (taskbar) before I run ComboFix.
Guess that's not the way to turn off Webroot scanning.

Update: I have successfully turned off all the shields on Webroot Antivirus. And clicked "OK" button on the ComboFix warning window. ComboFix continue to run again, and then asked if I want the latest version. I clicked on OK. Then it downloaded the latest version. I was expecting for it to just continue running after it downloads the latest, but it did not. It just brought me back to the desktop after downloading. I checked the ComboFix.exe file on my desktop and it was not updated. It's still the version that was downloaded yesterday.

I run ComboFix again. When I thought that it's done -- after the scanning/fixing window disapperead, I looked into the C drive. But can't find ComboFix.Txt. I now have a ComboFix file that can't be opened. and can't be attached here. It says "Shows the disk drives and hardware connected to this computer" on mouse-over.

Edited by maezhou, 23 October 2011 - 05:42 PM.

[Essexboy]

Something is not quite right here - have you rebooted ?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[maezhou]

Thanks. I clicked on gmer.exe from desktop. Then an alert came up with this copy:

LoadDrive("C:\Users\Owners\AppData\Local\Tmep\ugtdapod.sys") errir 0xC000010E. An instance of the service is already running.
[OK button]

[Essexboy]

Could you reboot and try again please

[maezhou]

I reboot, tried it again, and still the same alert came up.
I'm not clicking on the [OK] button since it might cause me some issues.

Edited by maezhou, 24 October 2011 - 11:35 AM.

[Essexboy]

Lets try another one

Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)

• Unzip it to your desktop.
• Open the rootkitrevealer folder and double-click rootkitrevealer.exe
• Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
• Click the Scan button (bottom right)
• It may take a while to scan (don't do anything while it's running)
• When it's done, go up to File > Save. Choose to save it to your desktop.
• Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

[maezhou]

OK. So before I try the other solution, I closed the alert window first (clicked on the top right window x) - and gmer run. Didn't have time to see what's on the window (come checkboxes, selections) before it made some sort of scanning. The window with selections and checkboxes just came up for about a sec, then it was replaced by a blank window with a taskbar at the bottom which shows files (being scanned? or something).

But nothing happened after that. The scanning (sort of) happened for just a couple of seconds, 15 seconds max, I guess. And it was done. And it looks like nothing's happening now. It might be running at the back-end?

[Essexboy]

It should take no longer that 10 minutes and a log will be generated