Enhanced protection mode problem.

RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Lukas [Admin rights]
Mode: Remove – Date : 08/24/2011 16:28:47

Bad processes: 10
[HJ NAME] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.1\svchost.exe → KILLED [TermProc]
[SUSP PATH] systemup.exe – c:\windows\systemup.exe → KILLED [TermProc]
[SUSP PATH] l1rezerv.exe – c:\windows\l1rezerv.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0-lnk\svchost.exe → KILLED [TermProc]

Registry Entries: 12
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[HJ] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → REPLACED (2)
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

Particular Files / Folders:

HOSTS File:
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

Here is link to mediafire OTS.txt file http://www.mediafire.com/?bm5oqqy13uh33z5
Hope that I've posted and done all you need.

Thanks.

Could you either attach the logs or upload to Megaupload please, as I am experiencing problems with mediafire.

Sure here it is: http://www.megaupload.com/?d=OS5KLHPQ

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> svchostdriver.exe -> C:\Windows\update.7.1\svchostdriver.exe
YY -> ufa.exe -> C:\Windows\ufa\ufa.exe
[Win32 Services - Safe List]
YY -> (ddservice) ddservice [Auto | Running] -> C:\Windows\update.7.1\svchostdriver.exe
[Registry - Safe List]
< HOSTS File > ([2011.08.24 16:17:28 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\Windows\SysNative\Drivers\etc\hosts
YN -> Reset Hosts -> 
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "1061364.exe" -> C:\Users\Lukas\AppData\Local\Temp\1061364.exe ["C:\Users\Lukas\AppData\Local\Temp\1061364.exe"]
YY -> "3573962.exe" -> C:\Windows\Temp\3573962.exe ["C:\Windows\Temp\3573962.exe"]
YY -> "5666469.exe" -> C:\Users\Lukas\AppData\Local\Temp\5666469.exe ["C:\Users\Lukas\AppData\Local\Temp\5666469.exe"]
YY -> "8336656.exe" -> C:\Windows\Temp\8336656.exe ["C:\Windows\Temp\8336656.exe"]
YY -> "8623443.exe" -> C:\Windows\Temp\8623443.exe ["C:\Windows\Temp\8623443.exe"]
YY -> "86495693-loader2.exe" -> C:\Windows\Temp\86495693-loader2.exe ["C:\Windows\Temp\86495693-loader2.exe"]
YY -> "l1rezerv.exe" -> C:\Windows\l1rezerv.exe ["C:\Windows\l1rezerv.exe"]
YY -> "sysdriver32.exe" -> C:\Windows\sysdriver32.exe ["C:\Windows\sysdriver32.exe" rezerv]
YN -> "sysdriver32_.exe" -> ["C:\Windows\sysdriver32_.exe" rezerv]
YY -> "systemup" -> C:\Windows\systemup.exe ["C:\Windows\systemup.exe" stand]
YN -> "tray_ico" -> []
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
YY -> "wxpdrv" -> C:\Windows\services32.exe [C:\Windows\services32.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{8bbddd8f-b630-11e0-8d60-806e6f6e6963}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8bbddd8f-b630-11e0-8d60-806e6f6e6963}\shell\AutoRun\command -> 
YY -> \{8bbddd8f-b630-11e0-8d60-806e6f6e6963}\shell\AutoRun\command\\"" -> D:\run.exe [D:\Run.exe]
[Files/Folders - Created Within 30 Days]
NY ->  av_ico -> C:\Windows\av_ico
NY ->  update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY ->  update.tray-7-0 -> C:\Windows\update.tray-7-0
NY ->  rpcminer -> C:\Windows\rpcminer
NY ->  phoenix -> C:\Windows\phoenix
NY ->  update.7.1 -> C:\Windows\update.7.1
NY ->  update.5.0 -> C:\Windows\update.5.0
NY ->  update.2 -> C:\Windows\update.2
NY ->  THQ -> C:\Users\Lukas\AppData\Local\THQ
NY ->  update.1 -> C:\Windows\update.1
[Files/Folders - Modified Within 30 Days]
NY ->  hîsts -> C:\Windows\SysNative\drivers\etc\hîsts
NY ->  info1 -> C:\Windows\info1
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  phoenix.rar -> C:\Windows\phoenix.rar
NY ->  rpcminer.rar -> C:\Windows\rpcminer.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  ufa.rar -> C:\Windows\ufa.rar
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
[Files - No Company Name]
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  phoenix.rar -> C:\Windows\phoenix.rar
NY ->  rpcminer.rar -> C:\Windows\rpcminer.rar
NY ->  ufa.rar -> C:\Windows\ufa.rar
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  geoiplist -> C:\Windows\geoiplist
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  info1 -> C:\Windows\info1
[Custom Scans]
YY ->  svchost.exe : MD5=5DCDE53F902E7BBBE5171E6A9E6B5B90 -> C:\Windows\update.2\svchost.exe
YY ->  svchost.exe : MD5=6C447372C1C601DCE714F7CDB354DAAD -> C:\Windows\update.5.0\svchost.exe
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\Windows\update.1\svchost.exe
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\Windows\update.tray-7-0\svchost.exe
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I think that I screwed up a little bit because I've set up the Czech language in Malwarebytes, so you won't understand that log. I will update it anyway; one more time, sorry for that.

OTS report: http://www.megaupload.com/?d=MGV2PGSP

and Malwarebytes log is here

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Verze databáze: 7552

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24.8.2011 17:03:01
mbam-log-2011-08-24 (17-03-01).txt

Typ: Úplná kontrola (C:\|)
Kontrolované objekty: 268781
Uplynulý čas: 13 minut, 29 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 5
Infikované hodnoty v registru: 13
Infikované datové položky v registru: 3
Infikované složky: 1
Infikované soubory: 43

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SERVICES32.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.

Infikované hodnoty v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv (Trojan.Dropper) -> Value: wxpdrv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5666469.exe (Trojan.Agent) -> Value: 5666469.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1061364.exe (Trojan.Agent) -> Value: 1061364.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8336656.exe (Trojan.Agent) -> Value: 8336656.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86495693-loader2.exe (Trojan.Agent) -> Value: 86495693-loader2.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8623443.exe (Trojan.Agent) -> Value: 8623443.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe (Trojan.Agent) -> Value: l1rezerv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) -> Value: tray_ico0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent.Gen) -> Value: systemup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3573962.exe (Trojan.Agent) -> Value: 3573962.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Services32.exe\close (Trojan.Agent) -> Value: close -> Quarantined and deleted successfully.

Infikované datové položky v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infikované složky:
c:\Windows\rpcminer (Trojan.BCMiner) -> Quarantined and deleted successfully.

Infikované soubory:
c:\Windows\services32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Lukas\AppData\Local\Temp\5666469.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Lukas\AppData\Local\Temp\1061364.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\8336656.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\86495693-loader2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\8623443.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\l1rezerv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Lukas\Desktop\nová složka\install_flash_player.exe (Rootkit.0Access.XGen) -> Quarantined and deleted successfully.
c:\Users\Lukas\Desktop\rk_quarantine\l1rezerv.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Lukas\Desktop\rk_quarantine\svchost.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Lukas\Desktop\rk_quarantine\sysdriver32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\2921170.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\31105_myunrar2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\36015340.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\425819.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\6273072.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.tray-7-0-lnk\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\systemup.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\2372364.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\3573962.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\5356814.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\7216598.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\8373321.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\179913642.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\curllib.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\libeay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\libsasl.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\openldap.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\ssleay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.

Sorry for that language :frowning:

Language is no problem as the format is universal ;D

Did you run MBAM first before the OTS fix? As OTS reported not finding the files.

What problems are you experiencing now?

Yeah, unfortunately while waiting for a response I watched other topics and did the scan before you told me to. Also, from what I see I can't run Windows Media Player. It's reporting some server failure or something, and I am having some issues with Skype, but that may be that new version bug so… yeah. And my Avast disappeared during the process :smiley: but that is all. Facebook etc… seems to be working.

You will need to run a repair of Avast, as it has taken out the GUI file.

What error does Media Player give exactly?

Also, could you check safe mode, system restore and Windows Updates please?

What should I look for in safe mode?

http://img607.imageshack.us/img607/6021/vstiekp.png

And about repairing Avast: there is nothing to repair, the whole of Avast is gone…

Download a fresh copy of Avast and reinstall.

Basically it is just a check that you can access those areas of the system, as the malware will try to kill them.
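A defender's follow-up check for the specific persistence points this thread's logs show (svchost.exe copies outside System32, UAC switched off, the SafeBoot AlternateShell hijack, suppressed Security Center notifications, hosts-file redirects). This is an added example, not one of the tools used in the thread; it assumes Windows 7 default registry locations and an elevated PowerShell session.

```powershell
# Added example (not from the thread): re-check the persistence points the
# RogueKiller / OTS / MBAM logs above touched. Run from an elevated prompt.
$findings = @()

# 1. A real svchost.exe only runs from System32 or SysWOW64; the infection
#    dropped look-alikes under C:\Windows\update.*\ .
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path   # null for protected processes when not elevated
    if ($p -and $p -notmatch '^[A-Z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
        $findings += "svchost.exe running from unexpected path: $p"
    }
}

# 2. UAC values RogueKiller had to restore (EnableLUA=0 disables UAC entirely,
#    ConsentPromptBehaviorAdmin=0 elevates without prompting).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.EnableLUA -ne 1) { $findings += "EnableLUA is $($pol.EnableLUA), expected 1" }
if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $findings += "ConsentPromptBehaviorAdmin is 0 (no elevation prompt)" }

# 3. Safe Mode shell: the OTS log showed AlternateShell pointing at services32.exe.
$sb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if ($sb.AlternateShell -ne 'cmd.exe') {
    $findings += "SafeBoot AlternateShell is '$($sb.AlternateShell)', expected cmd.exe"
}

# 4. Security Center notifications MBAM flagged (1 = notifications suppressed).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusDisableNotify') {
    $val = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $findings += "$name = 1 (Security Center notification suppressed)" }
}

# 5. hosts file: any real domain pointed at loopback is a leftover hijack.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object {
    $_ -match '^\s*127\.0\.0\.1\s+(\S+)' -and $Matches[1] -notmatch '^localhost(\.localdomain)?$'
} | ForEach-Object { $findings += "hosts redirect: $($_.Trim())" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No leftover indicators found.' }
```

Each warning names the exact key, value or path to correct; absence of warnings is only a check of these known points, not proof that the machine is clean.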

Could you check this page for possible resolution to the media player problem http://answers.microsoft.com/en-us/windows/forum/windows_7-sound/windows-7-media-player-server-execution-failed/ecc08c3b-d445-48c2-b07d-9df48500434f

Ok, I will do that, thanks for the help :slight_smile: If some problem appears I will report it.

If all is ok tomorrow, let me know and I will remove my tools.