system
March 31, 2012, 6:30am
1
When I run aswMBR, realsched.exe is listed as infected. I’m not sure if it’s a virus or not. Help?
Here’s my log.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22
01:08:22.170 OS Version: Windows x64 6.0.6002 Service Pack 2
01:08:22.171 Number of processors: 4 586 0x203
01:08:22.171 ComputerName: LEENA-PC UserName: Leena
01:08:24.532 Initialize success
01:08:24.984 AVAST engine defs: 12033001
01:08:42.485 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005f
01:08:42.490 Disk 0 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 8
01:08:42.586 Disk 0 MBR read successfully
01:08:42.759 Disk 0 MBR scan
01:08:42.763 Disk 0 unknown MBR code
01:08:42.820 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463296 MB offset 63
01:08:42.871 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13641 MB offset 948831030
01:08:43.055 Disk 0 scanning C:\Windows\system32\drivers
01:09:37.244 Service scanning
01:09:58.452 Modules scanning
01:09:58.466 Disk 0 trace - called modules:
01:09:58.502 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
01:09:58.509 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004fb3790]
01:09:58.520 3 CLASSPNP.SYS[fffffa60007bbc33] → nt!IofCallDriver → [0xfffffa8003c58a60]
01:09:58.530 5 acpi.sys[fffffa60008f3fde] → nt!IofCallDriver → \Device\0000005f[0xfffffa8004c109e0]
01:10:00.403 AVAST engine scan C:\Windows
01:13:36.764 AVAST engine scan C:\Windows\system32
01:25:27.046 AVAST engine scan C:\Windows\system32\drivers
01:25:51.818 AVAST engine scan C:\Users\Leena
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
02:20:19.835 AVAST engine scan C:\ProgramData
02:28:01.558 Scan finished successfully
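Added example (not code from the thread or from AVAST): a small parser for the aswMBR log format shown above, so the three things a helper looks for first (the MBR result, the partition table, and any INFECTED file lines) can be pulled out of a pasted log automatically. The line shapes are inferred from the log in this thread rather than from any published aswMBR specification, and the sample input is a trimmed copy of that log; treat both as assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a trimmed copy of the aswMBR log posted in this thread.
SAMPLE_LOG = """aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22
01:08:22.170 OS Version: Windows x64 6.0.6002 Service Pack 2
01:08:42.586 Disk 0 MBR read successfully
01:08:42.759 Disk 0 MBR scan
01:08:42.763 Disk 0 unknown MBR code
01:08:42.820 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463296 MB offset 63
01:08:42.871 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13641 MB offset 948831030
01:09:58.466 Disk 0 trace - called modules:
01:44:11.573 File: C:\\Users\\Leena\\AppData\\Local\\Temp~rnsetup\\RNADMIN\\realsched.exe INFECTED Win32:Malware-gen
02:28:01.558 Scan finished successfully
"""

# Line shapes are inferred from the log lines in the thread, not from a published
# aswMBR format description (assumption).
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
PART_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(\S+) (\S+) (\d+) MB offset (\d+)$"
)
MBR_RE = re.compile(r"^Disk (\d+) (.*\bMBR\b.*)$")
FILE_RE = re.compile(r"^File: (.+?) INFECTED (\S+)$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp", re.IGNORECASE)


@dataclass
class Partition:
    disk: int
    number: int
    bootable: bool      # boot indicator 0x80 marks the active partition
    type_code: str      # MBR partition type byte, e.g. 07 for NTFS
    fs: str
    size_mb: int
    offset: int         # starting sector


@dataclass
class Detection:
    time: str
    path: str
    verdict: str


@dataclass
class AswMbrReport:
    mbr_messages: List[str] = field(default_factory=list)
    partitions: List[Partition] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    finished: bool = False

    @property
    def mbr_unknown(self) -> bool:
        return any("unknown MBR code" in m for m in self.mbr_messages)


def parse_aswmbr_log(text: str) -> AswMbrReport:
    """Extract MBR status, partition table and file detections from an aswMBR log."""
    report = AswMbrReport()
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # header lines (version, run date) carry no timestamp
        ts, body = m.groups()
        pm = PART_RE.match(body)
        fm = FILE_RE.match(body)
        mm = MBR_RE.match(body)
        if pm:
            disk, num, boot, ptype, fs_long, fs, size, off = pm.groups()
            report.partitions.append(Partition(int(disk), int(num), boot.upper() == "80",
                                               ptype.upper(), fs, int(size), int(off)))
        elif fm:
            report.detections.append(Detection(ts, fm.group(1), fm.group(2)))
        elif mm:
            report.mbr_messages.append(mm.group(2))
        elif body == "Scan finished successfully":
            report.finished = True
    return report


def triage(report: AswMbrReport) -> List[str]:
    """Turn the parsed report into the short list of points worth following up."""
    findings = []
    if report.mbr_unknown:
        findings.append("MBR: aswMBR did not recognise the boot code; compare it "
                        "against a known-good MBR before deciding it is hostile")
    for p in report.partitions:
        if p.bootable:
            findings.append(f"Active partition: disk {p.disk} partition {p.number} "
                            f"({p.fs}, {p.size_mb} MB, offset {p.offset})")
    for d in report.detections:
        findings.append(f"File detection at {d.time}: {d.path} -> {d.verdict}")
        if TEMP_RE.search(d.path):
            findings.append("  located under a user Temp folder; hash the file and "
                            "check it with a second engine before trusting it")
    if not report.finished:
        findings.append("Scan did not report completion; the log may be truncated")
    return findings


if __name__ == "__main__":
    for line in triage(parse_aswmbr_log(SAMPLE_LOG)):
        print(line)
```

Run it on a log pasted into a file and the output is the same three-line summary a helper would write by hand: the unrecognised MBR code, which partition is active, and the single detection sitting in a Temp installer folder.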
Asyn
March 31, 2012, 6:36am
2
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
system
March 31, 2012, 6:55am
3
Realsched is part of RealPlayer, but I wonder if a malware/virus injected code into it.
system
March 31, 2012, 6:59am
4
Yea. I’m not quite sure since I disabled it on realplayer.
system
March 31, 2012, 7:05am
5
Hmm. Try uninstalling RealPlayer and see if it gets rid of the problem. But first, try scanning the file on www.virustotal.com and see what it says.
system
March 31, 2012, 7:05am
6
Please post a link to the scan.
system
March 31, 2012, 7:13am
8
And Avast detected it. Hmm. OK, try uninstalling it and see if it gets rid of the problem.
system
March 31, 2012, 7:17am
9
Alright. Should I run aswMBR again after uninstalling it?
system
March 31, 2012, 7:30am
10
Yes. Also try to locate the file below.
Quote from yatsuri:
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
system
March 31, 2012, 7:33am
11
Oops, didn’t see the realsched part. Look for it anyway, actually. That’s abnormal, as I don’t see it on my computer like that.
system
March 31, 2012, 7:51am
12
I ran aswMBR again. It still says that thing is infected, and I searched for the folder it’s in, and it’s still there.
Asyn
March 31, 2012, 7:54am
13
Did you read: Reply #1 …!??
system
March 31, 2012, 6:05pm
14
Here:
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.30.12
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Leena :: LEENA-PC [administrator]
Protection: Enabled
31/03/2012 12:58:08 PM
mbam-log-2012-03-31 (12-58-08).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196748
Time elapsed: 11 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
aswMBR
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 01:08:22
01:08:22.170 OS Version: Windows x64 6.0.6002 Service Pack 2
01:08:22.171 Number of processors: 4 586 0x203
01:08:22.171 ComputerName: LEENA-PC UserName: Leena
01:08:24.532 Initialize success
01:08:24.984 AVAST engine defs: 12033001
01:08:42.485 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005f
01:08:42.490 Disk 0 Vendor: Hitachi_ GM4O Size: 476940MB BusType: 8
01:08:42.586 Disk 0 MBR read successfully
01:08:42.759 Disk 0 MBR scan
01:08:42.763 Disk 0 unknown MBR code
01:08:42.820 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463296 MB offset 63
01:08:42.871 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13641 MB offset 948831030
01:08:43.055 Disk 0 scanning C:\Windows\system32\drivers
01:09:37.244 Service scanning
01:09:58.452 Modules scanning
01:09:58.466 Disk 0 trace - called modules:
01:09:58.502 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
01:09:58.509 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004fb3790]
01:09:58.520 3 CLASSPNP.SYS[fffffa60007bbc33] → nt!IofCallDriver → [0xfffffa8003c58a60]
01:09:58.530 5 acpi.sys[fffffa60008f3fde] → nt!IofCallDriver → \Device\0000005f[0xfffffa8004c109e0]
01:10:00.403 AVAST engine scan C:\Windows
01:13:36.764 AVAST engine scan C:\Windows\system32
01:25:27.046 AVAST engine scan C:\Windows\system32\drivers
01:25:51.818 AVAST engine scan C:\Users\Leena
01:44:11.573 File: C:\Users\Leena\AppData\Local\Temp~rnsetup\RNADMIN\realsched.exe INFECTED Win32:Malware-gen
02:20:19.835 AVAST engine scan C:\ProgramData
OTL and Extras are attached.
I have always considered RealPlayer as malware 'cos you cannot turn off the updater without being really sneaky… Having said that, I do not see RealPlayer on your system.
Have you just cleaned out an infection?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL:
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKU\S-1-5-21-2007369944-2615274158-1955863640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
[2012/03/30 01:15:41 | 000,000,256 | ---- | M] () -- C:\ProgramData\XcLeoxaOs3iBoW
[2012/03/30 01:12:04 | 000,000,200 | ---- | M] () -- C:\ProgramData\-XcLeoxaOs3iBoWr
[2012/03/30 01:12:04 | 000,000,000 | ---- | M] () -- C:\ProgramData\-XcLeoxaOs3iBoW
:Files
ipconfig /flushdns /c
C:\Users\Leena\AppData\Local\Temp~rnsetup
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
system
March 31, 2012, 8:13pm
16
I just uninstalled realplayer so it’s not on there anymore.
Yup. I had the Alureon-K rootkit before this. I think it successfully got removed? I’m not quite sure.
Hmm, some elements do not appear to have wanted to go.
Could you run combofix again please, allow it to update and post the resultant log
OK I will now use combofix to target the ones that wanted to stay. Once done can you let me know what problems remain
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\ProgramData\XcLeoxaOs3iBoW
C:\ProgramData\-XcLeoxaOs3iBoWr
C:\ProgramData\-XcLeoxaOs3iBoW
C:\Users\Leena\AppData\Local\Temp\~rnsetup
Save this as CFScript.txt, in the same location as ComboFix.exe.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.