Malware / virus found - please help!

Hi,

I have had several warnings from avast advising that suspected malware has been found, and others warning that my memory may have been infected. I re-booted and ran a full scan; all infected files found were put in the chest.
After still having problems with warnings (rootkits found) and infected files, I followed the advice on other posts and installed Malwarebytes’ Anti-Malware, performed a quick scan, and removed all files/folders shown in the results. Restarted and am now posting the log (below).

I’d be grateful if someone could advise on what to do next to clean up my computer. I’m still getting messages that Rootkits have been found as I’m posting this, and don’t know what to do!

Thanks very much

Malwarebytes’ Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/03/2010 20:28:12
mbam-log-2010-03-10 (20-28-12).txt

Scan type: Quick Scan
Objects scanned: 139468
Time elapsed: 30 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 16
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\seekmo.desktopflash (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{bd5258af-20ae-4bd3-b748-b2851aca7335} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID{4a40e8fc-c7e4-4f57-9fa4-85dd77402897} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{995e885e-3ff5-4f66-a107-8bfb3a0f8f12} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{fbb40fdf-b715-4342-ab82-244ecc66e979} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles.1 (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmo (Adware.Seekmo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\IESkins (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0 (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo\static (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo\static\DownLoad (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo\static\1 (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo\static\2 (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\Seekmo\dynamic (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\HostOL (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\HostOL\dynamic (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\HostOI (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\Seekmo\v3.0\HostOI\dynamic (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo (Adware.Seekmo) → Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEULA.mht (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk (Adware.Seekmo) → Quarantined and deleted successfully.
C:\Documents and Settings\mani\Application Data\avdrn.dat (Malware.Trace) → Quarantined and deleted successfully.
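As an added example (not from the original post or from Malwarebytes), a small parser for the log layout above: it checks the summary totals against the items actually listed under each section and pulls out the Disabled.SecurityCenter data items, which record that the Security Center's antivirus and firewall "disabled" notifications had been switched off. The log embedded in it is a constructed excerpt of the one posted above.

```python
import re
# Constructed sample in the layout of the Malwarebytes 1.44 log posted above (a few of its entries, not the full log)
SAMPLE_LOG = r"""Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\mani\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary block totals
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")             # per-section heading
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|\u2192) (?P<rest>.+)$")
ARROW_RE = re.compile(r"->|\u2192")  # MBAM writes '->'; forum pastes often turn it into a Unicode arrow

def parse_mbam_log(text):
    """Return (declared_counts, entries): the summary totals and, per section, the items listed."""
    counts, entries, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
            entries.setdefault(section, [])
        elif section and (m := ENTRY_RE.match(line)):
            # data items carry 'Bad: (x) Good: (y)' before the action, so keep only the last arrow segment
            entries[section].append({"path": m["path"], "family": m["family"],
                                     "action": ARROW_RE.split(m["rest"])[-1].strip()})
    return counts, entries

def count_mismatches(counts, entries):
    """Sections whose declared total differs from the entries actually listed (a sign of a truncated paste)."""
    return {s: (counts.get(s, 0), len(v)) for s, v in entries.items() if counts.get(s, 0) != len(v)}

def security_center_tampering(entries):
    """Paths tagged Disabled.SecurityCenter: the AV/firewall 'disabled' notifications had been switched off."""
    return [e["path"] for sec in entries.values() for e in sec if e["family"] == "Disabled.SecurityCenter"]

if __name__ == "__main__":
    counts, entries = parse_mbam_log(SAMPLE_LOG)
    print("security center tampering:", security_center_tampering(entries))
    print("count mismatches:", count_mismatches(counts, entries))
```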

Welcome sarah456

Looks like you need a bit of help.

Windows XP Service Pack 3 has been available for over a year and a half and provides many Critical Updates and performance improvements.

IE8 is more secure than IE6 and has a lot better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Also you should enable Automatic Updates or at least be notified that Updates are available.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Follow this guide from essexboy and post the OTL log HERE:
http://forum.avast.com/index.php?topic=53253.0

Hi there, thanks for your replies

  • I have installed IE8 and installed all updates I could although windows XP service pack 3 fails
  • Have run the OTL as described and first logs are attached
  • Should I run Secunia now too?

Thanks

Wait for essexboy’s advice

Hi - this tool may not be strong enough to kill it - but let’s see. Due to the amount of temporary files on your system this run may take a little longer than normal.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O4 - HKLM..\Run: [Amifelu] C:\WINDOWS\emiwegumesawe.DLL ()
O4 - HKLM..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.341.0\OEAddOn.exe File not found
O4 - HKLM..\Run: [SeekmoSA] C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoSA.exe File not found
[2010/03/10 21:30:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Jcovuju.dat
[2010/03/10 19:29:40 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Avepi.bin
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[17516 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2010/03/02 22:20:26 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\rbuwzv.dat
[1980/01/01 00:00:00 | 000,165,376 | ---- | C] () -- C:\WINDOWS\emiwegumesawe.dll


:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi essexboy, thanks for your post - attached is the log generated after following your instructions and running quick scan.

Let me know if you also need the log generated straight after running the fix.

OK that killed it ;D

What problems do you have now ?

Brilliant, thank you!

I still got an avast warning that a Rootkit had been found when I restarted
Also was unable to install Windows service pack 3 (I can try and find out why on their help site)
Should I also scan the pen drive that I’ve been using?

And last question - is Avast enough to have as an anti-virus program, should I also have anti-Spyware or anything else running?

Cheers

In that case I will need to look deeper if Avast is still alerting on a rootkit; OTL does not always show them

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi - installed combofix and windows recovery console and ran scan.
Rebooted, and log is attached.
I had switched avast off but after re-boot it was on again - i.e. on during production of the log - hope that’s ok.
Also got another rootkit message whilst log was being produced, also attached.

Changer.sys is part of Windows and is a very old SCSI CD driver

I found one element to remove though

  1. Please open Notepad
     • Click Start, then Run
     • Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Driver::
Reraal

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     • Combofix.txt
     • A new OTListit log.

Hi - followed your instructions and log is attached (logcombo2)

  • restarted and just after combofix log was produced I received an avast warning that a suspected malware had been detected; it recommended I allow the file to be sent to avast and ignore, which I did

  • message then came up advising I re-start and let avast perform a boot-time scan which I did

  • 1 infected file was found and moved to chest:
    C:\windows\system32\drivers\changer.sys, virus Win32:Rootkit-gen.
    This is now in chest with other infected files detected last time I ran full scan

  • I then ran OTL, log is attached (hope that’s what you needed)

Please let me know if you need any more info - and thanks for the time you’re spending helping me.

Just in case it’s useful - screen grab of avast virus chest attached

OK let’s kill that file - it will be in quarantine, so if it does turn out that you need it for your CD we can reinstate it

  1. Please open Notepad
     • Click Start, then Run
     • Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


KillAll::

File::
C:\windows\system32\drivers\changer.sys
C:\windows\system32\drivers\MAILKMD.SYS

Driver::
mailKmd
Registry::


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     • Combofix.txt

Hi - followed instructions and log attached.
When the computer re-booted I got the same avast message warning of a rootkit, same file as before:
C:\windows\system32\drivers\changer.sys

Thanks

OK let’s try the low level kill

  1. Please download The Avenger by Swandog46 to your Desktop.
     • Right click on the Avenger.zip folder and select “Extract All…”
     • Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
changer.sys
changer

Files to delete:
c:\windows\system32\drivers\changer.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
     • Right click on the window under Input script here:, and select Paste.
     • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
     • Click on Execute
     • Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
     • It will Restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
     • On reboot, it will briefly open a black command window on your desktop; this is normal.
     • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
     • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply

Avenger text below:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key “\Registry\Machine\System\CurrentControlSet\Services\changer.sys” not found!
Deletion of driver “changer.sys” failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
→ the object does not exist

Driver “changer” deleted successfully.
File “c:\windows\system32\drivers\changer.sys” deleted successfully.

Completed script processing.


Finished! Terminate.

Are you still getting the alerts ?

No, it’s the first time one hasn’t come up!