realsched.exe (virus?) [SOLVED]

When I run aswMBR, realsched.exe is listed as infected. I’m not sure if it’s a virus or not. Help?

Here’s my log.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22

01:08:22.170 OS Version: Windows x64 6.0.6002 Service Pack 2
01:08:22.171 Number of processors: 4 586 0x203
01:08:22.171 ComputerName: LEENA-PC UserName: Leena
01:08:24.532 Initialize success
01:08:24.984 AVAST engine defs: 12033001
01:08:42.485 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005f
01:08:42.490 Disk 0 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 8
01:08:42.586 Disk 0 MBR read successfully
01:08:42.759 Disk 0 MBR scan
01:08:42.763 Disk 0 unknown MBR code
01:08:42.820 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463296 MB offset 63
01:08:42.871 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13641 MB offset 948831030
01:08:43.055 Disk 0 scanning C:\Windows\system32\drivers
01:09:37.244 Service scanning
01:09:58.452 Modules scanning
01:09:58.466 Disk 0 trace - called modules:
01:09:58.502 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
01:09:58.509 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004fb3790]
01:09:58.520 3 CLASSPNP.SYS[fffffa60007bbc33] → nt!IofCallDriver → [0xfffffa8003c58a60]
01:09:58.530 5 acpi.sys[fffffa60008f3fde] → nt!IofCallDriver → \Device\0000005f[0xfffffa8004c109e0]
01:10:00.403 AVAST engine scan C:\Windows
01:13:36.764 AVAST engine scan C:\Windows\system32
01:25:27.046 AVAST engine scan C:\Windows\system32\drivers
01:25:51.818 AVAST engine scan C:\Users\Leena
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
02:20:19.835 AVAST engine scan C:\ProgramData
02:28:01.558 Scan finished successfully
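As an added example (not from the original post and not code from aswMBR's authors), here is a small Python triage helper for logs of the shape above: it walks the timestamped lines, pulls out each `INFECTED` entry with its path and detection name, notes whether the file sits under a Temp directory (typical of installer leftovers such as the `~rnsetup` folder here), records lines worth a second look such as `unknown MBR code`, and extracts the SHA-256 from a VirusTotal report URL like the one posted later in this thread. The sample log is constructed from trimmed lines of the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the aswMBR log above: the INFECTED line and
# a few context lines are taken from the post, the rest of the log is trimmed.
SAMPLE_LOG = """\
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22

01:08:42.763 Disk 0 unknown MBR code
01:25:51.818 AVAST engine scan C:\\Users\\Leena
01:44:11.573 File: C:\\Users\\Leena\\AppData\\Local\\Temp\\~rnsetup\\RNADMIN\\realsched.exe INFECTED Win32:Malware-gen
02:28:01.558 Scan finished successfully
"""

TIMESTAMPED = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
INFECTED = re.compile(r"^File: (.+?) INFECTED (\S+)$")
SHA256_HEX = re.compile(r"\b[0-9a-f]{64}\b")
TEMP_DIRS = {"temp", "tmp"}


@dataclass
class Detection:
    time: str
    path: str
    name: str
    in_temp: bool


@dataclass
class Triage:
    detections: List[Detection] = field(default_factory=list)
    notable: List[Tuple[str, str]] = field(default_factory=list)
    finished: bool = False


def parse_aswmbr_log(text: str) -> Triage:
    """Walk the timestamped lines and collect what a reviewer looks at first."""
    triage = Triage()
    for raw in text.splitlines():
        m = TIMESTAMPED.match(raw.strip())
        if not m:
            continue  # banner, run date, blank lines
        ts, msg = m.groups()
        if msg == "Scan finished successfully":
            triage.finished = True
        # "unknown MBR code" means a non-standard boot sector that deserves a
        # look; it is not by itself a verdict.
        if "unknown MBR code" in msg or " INFECTED " in msg:
            triage.notable.append((ts, msg))
        d = INFECTED.match(msg)
        if d:
            path, name = d.groups()
            parts = {p.lower() for p in path.split("\\")}
            triage.detections.append(Detection(ts, path, name, bool(parts & TEMP_DIRS)))
    return triage


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Pull the 64-hex SHA-256 out of a VirusTotal report URL, if one is present."""
    m = SHA256_HEX.search(url)
    return m.group(0) if m else None


if __name__ == "__main__":
    t = parse_aswmbr_log(SAMPLE_LOG)
    for d in t.detections:
        print(f"{d.time} {d.name} {d.path} (temp dir: {d.in_temp})")
    print("scan finished:", t.finished)
```

Feed it the full log text and compare the SHA-256 of the flagged file (for example with `hashlib.sha256` over the file bytes) against the hash in the VirusTotal URL before relying on that report; a report for a different hash says nothing about the file on disk.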

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Realsched is part of RealPlayer, but I wonder if a malware/virus injected code into it.

Yea. I’m not quite sure since I disabled it on realplayer.

Hmm. Try uninstalling RealPlayer and see if it gets rid of the problem. But first, I’d try scanning the file on www.virustotal.com and see what it says.

please post a link to the scan.

Here you go.

https://www.virustotal.com/file/72bf67597bebf80e62fec0182eb1fc0ed8a920111380e8e98cf35a991ba5b7d6/analysis/1333177650/

And avast detected it. hmm. Ok try uninstalling it and see if it gets rid of the problem

Alright. Should I run aswMBR again after uninstalling it?

Yes. Also try to locate this file below.

[quote author=yatsuri link=topic=96513.msg769550#msg769550]
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
[/quote]

Oops, didn’t see the realsched part. Look for it anyway afterwards, actually. That’s abnormal, as I don’t see it on my computer like that.

I ran aswMBR again. It still says that thing is infected, and I searched for the folder it’s in, and it’s still there.

Did you read: Reply #1…!?? :wink:

Here:

Malwarebytes Anti-Malware
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.30.12

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Leena :: LEENA-PC [administrator]

Protection: Enabled

31/03/2012 12:58:08 PM
mbam-log-2012-03-31 (12-58-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196748
Time elapsed: 11 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22

01:08:22.170 OS Version: Windows x64 6.0.6002 Service Pack 2
01:08:22.171 Number of processors: 4 586 0x203
01:08:22.171 ComputerName: LEENA-PC UserName: Leena
01:08:24.532 Initialize success
01:08:24.984 AVAST engine defs: 12033001
01:08:42.485 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005f
01:08:42.490 Disk 0 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 8
01:08:42.586 Disk 0 MBR read successfully
01:08:42.759 Disk 0 MBR scan
01:08:42.763 Disk 0 unknown MBR code
01:08:42.820 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463296 MB offset 63
01:08:42.871 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13641 MB offset 948831030
01:08:43.055 Disk 0 scanning C:\Windows\system32\drivers
01:09:37.244 Service scanning
01:09:58.452 Modules scanning
01:09:58.466 Disk 0 trace - called modules:
01:09:58.502 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
01:09:58.509 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004fb3790]
01:09:58.520 3 CLASSPNP.SYS[fffffa60007bbc33] → nt!IofCallDriver → [0xfffffa8003c58a60]
01:09:58.530 5 acpi.sys[fffffa60008f3fde] → nt!IofCallDriver → \Device\0000005f[0xfffffa8004c109e0]
01:10:00.403 AVAST engine scan C:\Windows
01:13:36.764 AVAST engine scan C:\Windows\system32
01:25:27.046 AVAST engine scan C:\Windows\system32\drivers
01:25:51.818 AVAST engine scan C:\Users\Leena
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
02:20:19.835 AVAST engine scan C:\ProgramData

OTL and Extras are attached.

I have always considered RealPlayer as malware 'cos you cannot turn off the updater without being really sneaky… Having said that, I do not see RealPlayer on your system.

Have you just cleaned out an infection ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-2007369944-2615274158-1955863640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
[2012/03/30 01:15:41 | 000,000,256 | ---- | M] () -- C:\ProgramData\XcLeoxaOs3iBoW
[2012/03/30 01:12:04 | 000,000,200 | ---- | M] () -- C:\ProgramData\-XcLeoxaOs3iBoWr
[2012/03/30 01:12:04 | 000,000,000 | ---- | M] () -- C:\ProgramData\-XcLeoxaOs3iBoW

:Files
ipconfig /flushdns /c
C:\Users\Leena\AppData\Local\Temp~rnsetup

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
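The first line of that OTL fix removes a `ProxyOverride` value of `*.local;127.0.0.1:9421;` from the user's Internet Settings key. As an added example, not part of the original reply and not code from OTL, here is a Python check that splits such a value into its entries and flags a loopback address with an explicit port, which an ordinary proxy bypass list does not contain; on Windows it can also read the live `ProxyOverride` and `ProxyServer` values through `winreg`. The registry path is the one named in the fix; the `read_live_values` helper and its non-Windows fallback are my own.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Optional

# The ProxyOverride value targeted by the OTL fix above.
POSTED_VALUE = "*.local;127.0.0.1:9421;"

# Per-user Internet Settings key named in the fix (read under HKCU for the live user).
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

ENTRY = re.compile(r"^([^:]+?)(?::(\d{1,5}))?$")


def parse_proxy_override(value: str) -> List[str]:
    """Split the ';'-separated bypass list; a trailing ';' leaves no empty entry."""
    return [e.strip() for e in value.split(";") if e.strip()]


def classify_entry(entry: str) -> str:
    """'normal' for the usual bypass forms, 'review' for ones worth a closer look."""
    if entry == "<local>":          # built-in token: bypass the proxy for local addresses
        return "normal"
    m = ENTRY.match(entry)
    if not m:
        return "review"             # malformed entry
    host, port = m.group(1), m.group(2)
    if host.startswith("*."):       # wildcard domain such as *.local
        return "normal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "normal"             # plain hostname
    if ip.is_loopback and port is not None:
        # A loopback host with a fixed port means something on this machine is
        # listening there; check ProxyServer and which process owns that port.
        return "review"
    return "normal"


def flagged_entries(value: str) -> List[str]:
    """Entries of the bypass list that need a human to look at them."""
    return [e for e in parse_proxy_override(value) if classify_entry(e) == "review"]


def read_live_values() -> Optional[Dict[str, str]]:
    """Read the current user's ProxyOverride/ProxyServer; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in ("ProxyOverride", "ProxyServer"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                out[name] = ""      # value not set
    return out


if __name__ == "__main__":
    live = read_live_values()
    value = live["ProxyOverride"] if live else POSTED_VALUE
    print("entries:", parse_proxy_override(value))
    print("review:", flagged_entries(value))
```

Run it on the affected machine as the affected user (the key is per-user, hence the HKU SID path in the fix); a flagged loopback:port entry is a reason to inspect `ProxyServer` and the process bound to that port before and after the cleanup, not a verdict on its own.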

I just uninstalled realplayer so it’s not on there anymore.
Yup. I had the Alureon-K rootkit before this. I think it successfully got removed? I’m not quite sure.

Hmm some elements do not appear to have wanted to go

Could you run combofix again please, allow it to update and post the resultant log

Here you go.

OK I will now use combofix to target the ones that wanted to stay. Once done can you let me know what problems remain

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\ProgramData\XcLeoxaOs3iBoW
C:\ProgramData\-XcLeoxaOs3iBoWr
C:\ProgramData\-XcLeoxaOs3iBoW
C:\Users\Leena\AppData\Local\Temp\~rnsetup
Save this as [b]CFScript.txt[/b], in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Here~