
I keep getting redirected to random pages when I use Google? Virus?


This topic is locked.

#16 xDokii (Member, Topic Starter, 64 posts)
It worked this time. :)

Contents of RootRepeal.txt:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/08/05 23:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFD60000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618eed0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618f700

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618cda0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf619c9c0

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618c8e0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf6189620

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf6189a30

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf6188ef0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618af20

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618bb90

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618c6f0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618e490

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf619d040

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618aa20

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf6189310

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618b420

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618f350

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618ea70

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618f8a0

#: 199 Function Name: NtRequestPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618d9a0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618df90

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf619c550

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618c340

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618d190

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618b970

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618bd30

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618e370

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618c520

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618c130

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618bf40

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xf61f4620

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618b760

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618e780

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf618f520

==EOF==

Edited by xDokii, 05 August 2010 - 05:23 PM.

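
As an added example (not part of this thread, and not RootRepeal's own code), a small Python parser for the SSDT and Hidden/Locked Files sections in the report layout above. It groups hooks by hooking driver, which is the check behind the observation that Online Armor's OADriver.sys accounts for nearly every hook, and lists any hooking driver not on the analyst's list of security products known to be installed. The sample log is a constructed excerpt in the same format, not the poster's full log.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report layout; only a few entries are reproduced.
SAMPLE_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf619c9c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xf61f4620

==EOF==
"""

# One SSDT entry spans two lines: the "#:" line and the "Status:" line below it.
HOOK_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<func>\w+)\s*\n'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.MULTILINE)
LOCKED_RE = re.compile(r'^Path: (?P<path>.+)\nStatus: Locked', re.MULTILINE)

def parse_ssdt_hooks(text):
    """Return (index, function, hooking module path, hook address) per SSDT hook."""
    return [(int(m['index']), m['func'], m['module'], int(m['addr'], 16))
            for m in HOOK_RE.finditer(text)]

def hooks_by_module(hooks):
    """Group hooked syscalls by the hooking driver's file name (lower-cased)."""
    grouped = defaultdict(list)
    for _, func, module, _ in hooks:
        grouped[module.rsplit('\\', 1)[-1].lower()].append(func)
    return dict(grouped)

def unexpected_modules(hooks, known_modules):
    """Hooking drivers not on the analyst's list of installed security products."""
    known = {k.lower() for k in known_modules}
    return sorted(set(hooks_by_module(hooks)) - known)

def locked_files(text):
    """Paths the scanner could not open through the Windows API."""
    return [m['path'].strip() for m in LOCKED_RE.finditer(text)]
```

Any driver returned by unexpected_modules is simply one the analyst has not yet accounted for; it deserves a look, not an automatic verdict.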
#17 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Looking good. :)

I see Online Armor all through there. Maybe that is what was stopping GMER.

Moving on

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#18 xDokii (Member, Topic Starter, 64 posts)
Hello,

I disabled SUPERAntiSpyware and AVG resident shield as you told me. I disabled Online Armor's firewall and Program Guard then ran ComboFix. I went through the processes till ComboFix gave a message saying:

Warning!!!

Combofix has detected the following real time scanner(s) to be active:

antivirus: AVG Anti-Virus Free

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking 'Ok'.


So I went to anti-virus in AVG but I don't know if you can turn it off? Have I disabled all the programs properly?? Do I have to disable Online Armor's Program Guard as well?

Online Armor asked me whether I wanted cmd.cfxxe to open C:\32788R22FWJFW\Nircmd.cfxxe but I blocked it. I haven't allowed cmd.cfxxe on Online Armor but I have allowed cmd.exe. Is it a virus??

Edited by xDokii, 06 August 2010 - 01:20 PM.


#19 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Online Armor asked me whether I wanted cmd.cfxxe to open C:\32788R22FWJFW\Nircmd.cfxxe but I blocked it. I haven't allowed cmd.cfxxe on Online Armor but I have allowed cmd.exe. Is it a virus??


Those are related to ComboFix and should be allowed.

Please disable the anti-malware programs as you did previously and run ComboFix. When it tells you that AVG is still running, just continue. Should run without a problem.

#20 xDokii (Member, Topic Starter, 64 posts)
I have been running ComboFix and it says that it is scanning for viruses and that it'll probably take 10 minutes, or double that if I have bad viruses. After about an hour of scanning, it hasn't had any stages completed. I also updated it when I was asked if I wanted to. It did take over 2 hours to do a full Malwarebytes/SUPERAntiSpyware scan. However, RootRepeal only took less than 20 minutes. I have a lot of files and stuff on my computer so maybe that's why it's taking so long, but I have to turn off the computer soon. So is it possible to close ComboFix and continue doing it tomorrow, or will it cause harm to the computer?

Edited by xDokii, 06 August 2010 - 05:46 PM.


#21 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hi xDokii,

Your computer should not be touched by anything while ComboFix is running. Even clicking your mouse can interrupt the process.

Having said that can you tell me what stage it is at?

ComboFix goes through a number of scanning stages which you can usually see on your computer's screen.

#22 xDokii (Member, Topic Starter, 64 posts)
It hasn't done any stage. However, I must say that when I was setting up ComboFix it had taken a long time for the popups to come up. Not actually sure if it normally comes up that slowly.

Oh, and I am on a different computer, not on the computer currently scanning with ComboFix; I forgot to mention it :)

Edited by xDokii, 06 August 2010 - 06:11 PM.


#23 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Okay, I am wondering if, when you told Online Armor to stop one of those ComboFix files, it is now preventing ComboFix from working.

Let's try this:

For now

Just force your computer to stop and close it down.

When you come back do this:

Please delete your version of ComboFix, including the folders C:\Qoobox and C:\Combofix, and download a new version of Combofix.

Download Combofix from either of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Posted Image

Rename ComboFix to Confuse.exe

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for review.


#24 xDokii (Member, Topic Starter, 64 posts)
Force the computer to stop? How do you do that??

And do I have to uninstall ComboFix? Or just right-click the icon on my desktop and click 'delete', and do I have to search for those files to delete?

#25 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Force the computer to stop? how do you do that??


Oh, just terminology... you may not be able to close your computer normally because ComboFix is still running so you may have to "force" it to close by some method e.g. pulling the plug. :)

If you can close down normally that is better. :)

And do i have to uninstall combofix?


No, just right click and delete your copy.

do i have to search for those files to delete?


Right click Start > Explore and navigate to C:\Qoobox and C:\Combofix and delete.

Tell me if you have trouble. :)

#26 xDokii (Member, Topic Starter, 64 posts)
Okay, so I did as you told me. I deleted ComboFix and downloaded a new one. I extracted it (forgetting I didn't need to) to the desktop, but then I deleted ComboFix in my download file and desktop. I then downloaded a new ComboFix and did as you told me. It was working and had got up to at least stage_32 when I decided to leave the computer and come back after 5 - 10 minutes. When I came back there was a blue screen saying:

A problem has been detected and windows has shut down to prevent damage to your computer.

The problem seems to be caused by the following file: catchme.sys
PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any hardware or software is properly installed. if this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select safe Mode.

Technical information:

*** STOP: 0x00000050(0xFD03A000, 0x00000001, 0xF4D6B08D, 0x00000000)

*** catchme.sys - Address F4D6B08D base at F4D67000, DateStamp 49d3495d

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance


I rebooted my computer and when I logged on to my account it just gave a blank desktop, but I rebooted again and now it's fine :)

Edited by xDokii, 07 August 2010 - 06:57 AM.


#27 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello xDokii,

A problem has been detected and windows has shut down to prevent damage to your computer.


My guess is that Online Armor stopped it.

Let's see if we can find any information:

Right click on Start > Explore and navigate to:

C:\QooBox\LastRun\ <--Data from failed CF runs are stored here.

You should be able to find the data for the failed run there.

If you don't see LastRun try looking in C:\Qoobox\ComboFix.txt. Note: ComboFix.txt are numbered so if there was more than one run for instance you might find C:\Qoobox\ComboFix2.txt. etc.

Copy and paste back here.

#28 xDokii (Member, Topic Starter, 64 posts)
Yeah, I also think OA stopped it. It asks me for permission if I wanted to allow some things during the scan?? After I thought I disabled it. Any ideas how to disable OA properly?? :S

There's a file called Qoobox and in that file there are 5 files.
BackEnv, LastRun, Quarantine, Test, TestC.

There are things in BackEnv file (mostly blue DAT GOM files) and Quarantine (includes 2 files - C and Registry_backups). However there is nothing in the other files including LastRun.

Edited by xDokii, 07 August 2010 - 03:04 PM.


#29 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)

Any ideas how to disable OA properly?? :S


Nowadays anti-malware programs work at such a deep level that often you can't really completely turn them off.

The simplest thing would be just to uninstall Online Armor (re-install it later) and then run ComboFix again. :)

#30 xDokii (Member, Topic Starter, 64 posts)
What should I do next?? Delete ComboFix and rerun it?? If so what files do I delete?