RootKit And Lots More Problems Thank You In Advance ! Ahhhhhhhhhhhh :-(

system · October 24, 2011, 8:15am

HI There, (Message Part 1, Sorry Its So Long)

And Thank You In Advance Anyone !

I Have A Box Running Vista H/P 64 Bit Windows i7 CPU Etc…i Can Goive You ALL The Specs If That Would Help …

Running Avast For Home “Program 6.0.1.1289” “Virus Def Ver 111023-2”

I Scanned My Machine Like I Do Every Nite And This Came Up…Never Has Before ??
Sorry To List So Many Files, They Are “samples” Of “each Catagory” Didn’t Want To Put All 1100+ File Here …

"Infected files: 1171
Total files: 1672945
Total folders: 96917
Total size: 3.3 TB "

Scan name: Full system scan

Started on: Sunday, October 23, 2011 3:00:04 AM
VPS: 111022-1, 10/22/2011
*=====================================================
This Was Just The Night Before “Infected files: 0
Total files: 1665645
Total folders: 96872
Total size: 3.3 TB”
Scan stopped: Saturday, October 22, 2011 12:44:18 PM
Run-time was 9 hour(s), 44 minute(s), 14 second(s)
======================================

PID 64128 [L] Rootkit: hidden process (0)
PID 11 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 9 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 11 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 11 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 11 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 9 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 11 [L] Rootkit: hidden process (0)
PID 64128 [L] Rootkit: hidden process (0)
PID 9 [L] Rootkit: hidden pr
C:\EXCEL_FILES~$OPEN_10_21_2011.xlsx [E] The process cannot access the file because it is being used by another process (32)
C:\hiberfil.sys [E] The process cannot access the file because it is being used by another process (32)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
C:\System Volume Information\ISwift3.dat [E] The process cannot access the file because it is being used by another process (32)
C:\System Volume Information{0b06c3e1-f5ef-11e0-b16f-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information{0b06c3f1-f5ef-11e0-b16f-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information{0b06c442-f5ef-11e0-b16f-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information{0b06c451-f5ef-11e0-b16f-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\Users\Wildwizard\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 [E] The process cannot access the file because it is being used by another process (32)
\Local\Google\Chrome\User Data\Default\Cache\data_5 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86380433-FB0D-11E0-A068-0024E8294A9C}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{01F0C3F0-FC89-11E0-A068-0024E8294A9C}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{0EEECE00-FC41-11E0-A068-0024E8294A9C}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{579FBFA0-FD46-11E0-A068-0024E8294A9C}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{6EEC5A10-FC88-11E0-A068-0024E8294A9C}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\AppData\Local\Temp\etilqs_3PBzf7AdZTgIIIG [E] The process cannot access the file because it is being used by another process (32)
because it is being used by another process (32)
C:\Users\Wildwizard\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\Wildwizard\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch.17892.38909332 [E] Access is denied (5)
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch.17892.38909332 [E] Access is denied (5)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
CC:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\components [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Temp_avast_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
D:\System Volume Information{0b06c4ce-f5ef-11e0-b16f-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
D:\System Volume Information{fa34a6a2-fb01-11e0-b3a9-0024e8294a9c}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
O:\ [E] Skipped due to exclusions settings. (42019)
o:\storagewipe\storagewipe.exe [E] Skipped due to exclusions settings. (42019)
Infected files: 1171
Total files: 1672945
Total folders: 96917
Total size: 3.3 TB

Scan stopped: Sunday, October 23, 2011 10:41:53 AM
Run-time was 7 hour(s), 41 minute(s), 49 second(s)

A Total Over OVER 1100+ Files

No String Like C:.….….… For TheRootkit Files ?

I Read About Rootkit’s And Says A Total Security Breach Has Begun On My System
Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh Nooooooooooooooooo

Can I Go Into DOS And Look For/And Delete Them ??

Avast Recomended A 'Delete" FOr ALL Files, I Tried That And Said FIle Could NOT Be Found…

I Did A Scan Again And Got The Same Results

And Again Avast Said Cound Not Delete File Specified Not Found …Did This Again And Again…

I Rebooted And Scanned And There Were NO Threats Detected …

However The San Usually Starts Out “Enumerating Registery” Etc And Then Scans…
NOW It STARTS @ C:\windows\system32\lsm.exe And Continues From That Point Which I Believe Is Not Where It Usually Starts, I Could Be Wrong …

Also i Have 2 Internal HDA’s ( 1x 1TB, 1X 2TB) External Drives 5X 1TB Passports, And 1X 500GB Passport 7 Logical Drives And 6 Physical Drives ( Recovery Partion On Root Drive C:\ Is D:\

Any Chance They Are Infected ?? And I Just Cannot See It ?? 1 HDA Is For Back-ups Everyday…

Should I Do A Restore From Maybe 5-7 Days Ago

Pleaseeeeeeeeeeeeeeeeeeeeee Helppppppppppppppppp !!
Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

Thank For Your Time And Efforts, I Cannot Tell You How Much i Appreciate It !!
Best Wishes To All For A Great Week Ahead,
Blessings,
Wild Wizard

system · October 24, 2011, 8:23am

http://forum.avast.com/index.php?topic=53253.0

follow the guide and then attach the logs…
if logs are too big upload them to
www.mediafire.com
and then post the download link here…
essexboy notified…

he will take a look at them when he arrives…

system · October 24, 2011, 8:46am

Hi There And TY VERY Much !

Used Malwarebytes’ Anti-Malware And It Said All Was Ok …No Infections Anywhere…
I Am Scanning C:, D:, Z:\ Right Now…( Z:\ = 2TB Internal Drive) 83% Done Will Give You The Log Report When Done If Thats Ok …Thx Again !!!

http://www.mediafire.com/?4bk3t7o1he71ioo That Should Be The Link For The Entire Explanation,

THANK YOU SOOOOOOOOOOOOOOO Much !!
Best Wishes,
Blessings,
~~Wild Wizard~~

system · October 24, 2011, 9:09am

http://www.mediafire.com/?l2d34cu8gav7yrb

Thats Just The Complete Avast Log…

Thank You Very Much !
Blessings,
~~Wild Wizard~~

system · October 24, 2011, 9:13am

please post malwarebytes and OTL logs for essexboy to review…
http://forum.avast.com/index.php?topic=53253.0

essexboy · October 24, 2011, 5:19pm

Hi were you running a custom memory scan at the time ?

Once OTL has run could you attach that log and the aswMBR one please

system · October 25, 2011, 1:12am

HI There And Thank You For Your Help !! Its Greatly Appreciated !

Here Are The Results Of The AVG Scan …I Stopped It A Little Early Still WOuld Have Run For 5-6 Hours So I Took Screenshots And Here They Are

Can You Show Me The Link For Using The OTL Software Again, I Need To Insert Those Parameters And Run The Scan…

http://www.mediafire.com/?lc9crlooor545

Thanks Again ,
Best Wishes,
Blessings,
~~Wild Wizard~~

system · October 25, 2011, 2:00am

Yes I Was Running A Custom Scan Don’t Know If That Means Custom Memory Scan Though ? Was A Through Scan At All The Highest Levels Was With AVG Prog Version 6.0.1289, Virus Def Versions 111024-2

I Couldn’t FInd The Files Anywhere Looked Under Users\wildwizard\documents
And Could Not Find The txt File For Either Of The Files, So I Copied And Pasted Into Notepad…

IDK Maybe I Am Just Too Tired After 28 Hours Of This… ???

Thanks A LOT !
Best Wishes,
Blessings
~~Wild Wizard~~

system · October 25, 2011, 2:05am

Yes I Was Running A Custom Scan Don’t Know If That Means Custom Memory Scan Though ? Was A Through Scan At All The Highest Levels Was With AVG Prog Version 6.0.1289, Virus Def Versions 111024-2

I Couldn’t Find The Files Anywhere Looked Under Users\wildwizard\desktop
And Could Not Find The txt File For Either Of The Files, So I Copied And Pasted Into Notepad…

IDK Maybe I Am Just Too Tired After 28 Hours Of This…

Thanks A LOT !
Best Wishes,
Blessings
~~Wild Wizard~~

Sorry If This Is Being Redundant ahhhhhhhhhhhhhhhhhhhhhhh
Thanks Again For Your Help !

Pondus · October 25, 2011, 5:43am

so as i can see from the picures and log, you have posted…you have both AVG and avast installed :

you need to uninstall one…

Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

use a removal tool to clear any leftover after the uninstall

run and reboot - Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/

system · October 25, 2011, 6:15am

Pondus post:10:

so as i can see from the picures and log, you have posted…you have both AVG and avast installed :

you need to uninstall one…

Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

use a removal tool to clear any leftover after the uninstall

run and reboot - Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/

Thank you for looking at my posts I really appreciate it very much! !

When I got the over 1100 errors I did not have both anti virus programs
loaded just the avast 6.1.zzz

I installed and ran AVG as a last resort
And used the OLE software …logs are attached
Running the Microsoft from the cd I made as
Told to do …quick scan was ok …
Now running a regular scan for the last
Few hours …im at 3,220,000 files now …

Was weird that when I started that scan said run scan on vista c:\ or
D:\ ???

Idk but tried to UPGRADE from vista h/p 64 bit to win 7 h/p 64bit
And got bsod twice and failed install …it rolled back to win vista so
No data loss whew!

Didn’t want to do it but I had to let dell
Take over my box and I am wondering. If they put
A back door in the system? ??

Still cannot get over 1100+ errors from 1the day to the next …
I scan the box every nite always (avast 6.1.***)

Im hoping for just was a lot of false positives (crossing fingers)
did u look at the ole reports? ??

Thanks again for everything! I really
Appreciate your help greatly! !!

Best wishes always
Blessings
wild wizard
From my phone DROID X

essexboy · October 25, 2011, 6:58pm

I see that PCTools is installed coudl you run a quick standard scan with Avast and let me know if it still reports

Also lets run aswMBR to see what that reveals

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

system · October 26, 2011, 12:46am

Hi There essexboy And Thanks For Your Help !

I Tried To Run awsMBR Scan And Got The BSOD

The Avast Quick Scan Showed 0 Infected Files

Thanks A Lot For Looking At Everything For Me, I REALLY Appreciate It !

Best Wishes Always,
Blessings,
~~Wild Wizard~~

essexboy · October 26, 2011, 5:46pm

Have the alerts disappeared ?

system · October 26, 2011, 8:09pm

Looks Like It ??? What Caused Them All ??

Thanks For All Your Help !! So Do You Think They Were False Positives Or What ??

I Attached The Log From The Avast Scan From Running All Nite…Stopped It At Z:\ Drive…I Have C:\ = 1 TB WD Internal, D:\ (Recovery) Partion In Drive C:, F:\ = 1 TB Passport Drive, M:\ = 1 TB Passport Drive, O:\ = 1.5 TB Powered WD Drive, Q:\ = 500 GB Passport Drive, Z:\ 2 TB Internal WD Drive

And SHould I Worry ABout Anything In The Attached Log ??

Thanks Again !
Best Wishes,
Blessings,
~~Wild Wizard~~

Maybe If Have The Time Can Answer This ??? …Did A “Fresh” Install Of Win XP Home 32 Bit On Another Machine WITHOUT Formatting It…Not A Repair But Fresh Install, ALL My Pics And File Are There ? Also In The Program Folder Are ALL The Programs, However Since The Install Wiped Out All The Settings And I Would Imagine Registery Etc…Any Way To Get The Programs To Work Again ??

And Was Weird Scanned The Drive And Had 7 Viruses On It ! Right After The “Fresh INstall” ??? Trojan Horse Generic22.CSD …Virus Found Win/32/Cryptor C:\ Documents And Settings\wildwizard\local settings\temp\Pdo.exe …Virus Found Win/32/Cryptor Same But Pd2.exe, Pd3.exe, Pd4.exe, Pd5.exe, Pd6.exe…2X Corrupted Files In …IE5\xxxxxxxxx, And Generic22.CDS System VolumeInformation_restore…A0000871.exe…

How Can That Be ?? The Machine Was Unbootable Till I Booted From The XP Resource CD By F12 Boot Menu…Totally Strange To Me ???

Thanksssssssssss essexboy !

essexboy · October 26, 2011, 8:28pm

When you install windows over the top - unless you tell it to format the drive, then all the documents settings etc will copied to the new system under windows old.

Pdo.exe is an either or programme sometimes it is a virus and sometimes not depending on the location - temp file area is bad but, it is also an unpacking area for installations

The detection in system restore shows that a reformat was not done prior to the install

The alerts were probably malware signatures held in memory by your AV/Am software

system · October 26, 2011, 8:49pm

Thanks For Your QUICK Answer And Reading That Book, I Really Appreciate It VERY Much…
Iam Scannign Again And Looks Like C:\system Volume_restore Is Totally Infected With This Win32/Cryptor…Must Leave Lots Of Foot Prints Or Something Behind…

Looks Like On The XP Machine, No Over The Top, But Full Format ( Not A “Quick” One Either"
And Re-Install …

BUt What ABout This Machine (i7 920 Etc) Do You Think They Were All False Positives ??
Why Over 1100 “Infections” From One Day To The Next …Does Not Seem Like It Was Replicating,
I Could Be Wrong Though…What Happened ??

Thanks Again Soooooooooooo Much For All Your Time And Efforts For Me, Its DEEPLY Appreciated For SURE !!

Ok 1 More If I May ?? I Might Have To Do A Fresh Install Of Vista 64 Bit Home OS On This Machine, Seems Like The OS Id Corrupted In Some Way, Computer Is Way Too Slow For What It Has In It 12 Gigs DDR3 Ram, ( Usless In VISTA Doesn’t Recognize All The RAM ) Etc…

Was Going To Do A REAL Fresh Install With Complete Format, And Reinstall Vista OS…From There I Have An Upgrade Disk From Dell To Allow Me To Go From Vista To Win 7 64 Bit Home…

Sound Plausable ??

Thanks Again Sooooo Much !!
Awesome You Help Out So Many People
Blessings,
~~Wild Wizard~~

essexboy · October 26, 2011, 9:07pm

If you are going from 32 to 64 bit then windows will reformat the drive as a matter of course, 64 bit needs a clean drive

DavidR · October 26, 2011, 9:18pm

If the greatest majority of them were like the PID ones at the start of your listing, then I believe this was an issue with the scanner and not the system (forum search for PID, etc. should show a few topics), which if you tried to take any action the file/s couldn’t be found ?

I believe has now been corrected and why you aren’t getting them now. This appears to have been a problem for a small number people (or we would have seen much more activity in the forums)

system · October 26, 2011, 9:25pm

Didn’t Know That…No It Will Be From Vista Home 64 Bit Premium To Win 7 64 Bit Home Premium…
Thats All Thats Allowed With The Disks Provided …Thats On This Machine, The XP Is The 32 Bit Box…

Thanks For All Your Help And Time !
MUCH Appreciated
Blessings,
~~Wild Wizard~~

RootKit And Lots More Problems Thank You In Advance ! Ahhhhhhhhhhhh :-(

I Scanned My Machine Like I Do Every Nite And This Came Up…Never Has Before ?? Sorry To List So Many Files, They Are “samples” Of “each Catagory” Didn’t Want To Put All 1100+ File Here …

Thank For Your Time And Efforts, I Cannot Tell You How Much i Appreciate It !! Best Wishes To All For A Great Week Ahead, Blessings, Wild Wizard

Announcements

I Scanned My Machine Like I Do Every Nite And This Came Up…Never Has Before ??
Sorry To List So Many Files, They Are “samples” Of “each Catagory” Didn’t Want To Put All 1100+ File Here …

Thank For Your Time And Efforts, I Cannot Tell You How Much i Appreciate It !!
Best Wishes To All For A Great Week Ahead,
Blessings,
Wild Wizard