Malware problem in globalroot\systemroot

Due to the slightly different engine, install SUPERAntiSpyware Free, then update the definitions and do a full scan.

It also produces a log.

Then reinstall Norton or whatever.

When SAS comes back clean, I would say you are clean (free).

So, finished.

Oh, this was the kungsf script:

 


Drivers to disable:
kungsfmonowbap
kungsfuupchtiv.sys

Drivers to delete:
kungsfmonowbap
kungsfuupchtiv.sys

Files to delete:
C:\WINDOWS\system32\drivers\kungsfuupchtiv.sys
C:\WINDOWS\system32\kungsfwsp.dll
C:\WINDOWS\system32\kungsfxmxfumhy.dll
C:\WINDOWS\system32\kungsfvtbxwjxr.dat
C:\WINDOWS\system32\kungsfmuvturqj.dll
C:\WINDOWS\system32\kungsfyiqrbqwu.dat

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kungsfmonowbap
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kungsfmonowbap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kungsfmonowbap\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kungsfmonowbap\

Quads

OK, I ran SAS.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2009 at 02:14 AM

Application Version : 4.26.1004

Core Rules Database Version : 3930
Trace Rules Database Version: 1873

Scan type       : Complete Scan
Total Scan Time : 01:12:14

Memory items scanned      : 511
Memory threats detected   : 0
Registry items scanned    : 4869
Registry threats detected : 0
File items scanned        : 16010
File threats detected     : 5

Adware.Tracking Cookie
    C:\Documents and Settings\Bevo\Cookies\bevo@doubleclick[1].txt

Trojan.Unclassified
    C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT

Trace.Known Threat Sources
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4Z678LGH\warning[1].gif
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IVWLSH6D\loads[1].htm
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DIZ0XE3\winlogon[1].htm

Second scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2009 at 06:35 AM

Application Version : 4.26.1004

Core Rules Database Version : 3930
Trace Rules Database Version: 1873

Scan type       : Complete Scan
Total Scan Time : 00:59:34

Memory items scanned      : 452
Memory threats detected   : 0
Registry items scanned    : 4869
Registry threats detected : 0
File items scanned        : 16011
File threats detected     : 1

Adware.Tracking Cookie
    C:\Documents and Settings\Bevo\Cookies\bevo@doubleclick[1].txt

Sage:

Do consider trying our product. I think you will be greatly pleased with it. :smileywink:


gally wrote:

Hi Quads,

I have a similar problem with globalroot/systemroot/system32. Symantec is detecting a UACS**.dll file in this path but could not remove it. It asks for rebooting the system, but if I reboot it, the login screen will not show up.

I have searched the net completely related to this and found your thread useful. I have taken the log using RootRepeal but don't know what to do with it. I have sent the log to you. Can you please help me with this, as I could not log in to my system unless I restart it 10 - 15 times?

Gally

Gally, are you there?

Quads

Message and its replies moved to a new thread for better exposure.

Sorry I have not been on here (work). But I have downloaded Norton 360; it works wonders and cleaned most of my unused/temp files. My system runs much better; I can run games better as well (less lag). By the way, I ran RootRepeal again and it came up with some red files. No clue what this means, but can you take a look at them? Everything else checks out.

Thanks Quads =D

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/10 23:42
Program Version:        Version 1.2.3.0
Windows Version:        Windows XP SP2
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Bevo\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF438E000    Size: 81664    File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF606B000    Size: 98304    File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5E000    Size: 8192    File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF43FD000    Size: 45056    File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBAED4000    Size: 323584    File Visible: No
Status: -

SSDT
-------------------
#: 012    Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8243a530

#: 013    Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x82416398

#: 017    Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x815e7e20

#: 019    Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x824d6050

#: 031    Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x82557710

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf63c9040

#: 043    Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x815e75c0

#: 052    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x815e70a8

#: 053    Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x81612dc0

#: 057    Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8261c368

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf63c92c0

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf63c9820

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x815e7f78

#: 083    Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x815e7c80

#: 089    Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x824ad200

#: 091    Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x82649af8

#: 097    Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x825a8ab8

#: 108    Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x815e7ba0

#: 114    Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x82470e78

#: 122    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x815ea118

#: 123    Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x825ab940

#: 125    Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8258b788

#: 128    Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x815e7008

#: 137    Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x815e7178

#: 206    Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x82506bf8

#: 213    Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x82446260

#: 228    Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x815e7a48

#: 240    Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x82425720

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf63c9a70

#: 253    Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8256e2a8

#: 254    Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8248c7c0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf62efdf0

#: 258    Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x82419a50

#: 267    Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8249c260

#: 277    Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x815e7d50
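
As an added illustration of how to read a report like the one above (this is my own code, not from anyone in this thread and not part of RootRepeal), the Python script below parses RootRepeal's text format, groups the SSDT hooks by the module RootRepeal attributed them to, and flags drivers that deserve a second look. The sample input is a trimmed copy of the log posted above; the two triage rules (a kernel driver loaded from a user Temp directory, and an image path reported without any directory) are my own heuristics for deciding what to check first, not a verdict on any entry. A hook attributed to <unknown> only means the tool could not name the owning module; on a machine running several security products that is often one of them, so it is a prompt to investigate, not proof of infection.

```python
"""Triage a RootRepeal text report: attribute SSDT hooks to the module that
set them and flag kernel drivers worth a second look."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the RootRepeal report posted in the thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:            2009/06/10 23:42
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Bevo\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF438E000    Size: 81664    File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF43FD000    Size: 45056    File Visible: No
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBAED4000    Size: 323584    File Visible: No
Status: -

SSDT
-------------------
#: 012    Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8243a530

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf63c9040

#: 097    Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x825a8ab8

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf62efdf0
"""

HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')


def _sections(text):
    """Yield (name, lines): a section starts at a line followed by a dashed rule."""
    name, body = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---") and line.strip():
            if name is not None:
                yield name, body
            name, body = line.strip(), []
        elif name is not None and not line.startswith("---"):
            body.append(line)
    if name is not None:
        yield name, body


def _records(body):
    """Split on blank lines into dicts; one line may hold several 'Key: Value' fields."""
    records, current = [], {}
    for line in body + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        for field in re.split(r"\s{2,}", line.strip()):
            key, sep, value = field.partition(":")  # split on the first colon only
            if sep:
                current[key.strip()] = value.strip()
    return records


def parse_rootrepeal(text):
    """Return {'drivers': [...], 'ssdt': [...]} from RootRepeal's text output."""
    report = {"drivers": [], "ssdt": []}
    for name, body in _sections(text):
        for rec in _records(body):
            if name == "Drivers":
                report["drivers"].append({
                    "name": rec.get("Name", ""),
                    "path": rec.get("Image Path", ""),
                    "size": int(rec.get("Size", "0")),
                    "visible": rec.get("File Visible", "") == "Yes",
                })
            elif name == "SSDT":
                hook = HOOK_RE.search(rec.get("Status", ""))
                report["ssdt"].append({
                    "index": int(rec.get("#", "0")),
                    "function": rec.get("Function Name", ""),
                    "hooker": hook.group(1) if hook else "not hooked",
                    "address": hook.group(2) if hook else None,
                })
    return report


def hooks_by_module(report):
    """Map each hooking module (or '<unknown>') to the syscalls it hooks."""
    grouped = defaultdict(list)
    for hook in report["ssdt"]:
        grouped[hook["hooker"]].append(hook["function"])
    return dict(grouped)


def triage_drivers(report):
    """Heuristic (my assumption): list drivers to review first, with a reason."""
    flagged = []
    for drv in report["drivers"]:
        path = drv["path"].lower()
        if "\\temp\\" in path:
            flagged.append((drv["name"], "kernel driver loaded from a user Temp directory"))
        elif "\\" not in path:
            flagged.append((drv["name"], "image path has no directory; confirm which product owns it"))
    return flagged


if __name__ == "__main__":
    rep = parse_rootrepeal(SAMPLE_LOG)
    for module, funcs in sorted(hooks_by_module(rep).items()):
        print(f"{module}: {', '.join(funcs)}")
    for drv, why in triage_drivers(rep):
        print(f"review {drv}: {why}")
```

Run it as-is to see the grouping on the sample, or read a saved report with `parse_rootrepeal(open("rootrepeal.txt").read())`. Hooks owned by a named, signed security-product driver (SYMEVENT.SYS, SASKUTIL.sys) are expected on a machine with those products installed; the items to spend time on are the driver loaded from a Temp path and any hook whose owner cannot be established.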

OK.. I have this same issue. I use Zone Alarm and was using Spybot S&D, but I have since uninstalled that. I've tried to get the various programs listed; I got "first" and "third" (that were referred to on the previous thread) but could not get Malwarebytes to install. I did find a program called Spy Hunter 3 from enigmasoftware; it "sees" a lot but of course won't clean anything until it uses the web to authenticate the program, BUT it's blocked.. great, huh?

I saw a post about "Avenger" and DL'd that, but with ZA running, if I start it ZA shuts it down as a "bad program" and won't let it run, and I am a little concerned about adding to my issue. Suggestions? I have been able to find "gxvx*" entries in my registry and I deleted those along with the "block", "My*" and all the other listings that were with that. Figured they all came together, all get deleted together.

In working with Zonelabs, they suggested clearing the Hosts file to leave only "127.0.0.1 localhost" and then the two websites ZA needs to update. ZA now updates, sees the one High virus in memory, reboots.. it's gone, then I guess with me doing something - like opening a browser, it comes back.. I also seem to have that darn "re-direction" thing too.. "overture" or something that sends me to other search engines or undesired webpages..

Suggestions?

Hi,

If you have Zone Alarm IS and it now updates its definitions, that means you don't have Norton, and this forum is for Norton product users.

Avenger can be misused; the scripts for this family of malware have the poster's individual files, as the file names have random characters.

Avenger getting detected: people have used it on this forum with guidance and have had no detections reported yet (except you).

Quads

Message Edited by Quads on 06-13-2009 11:26 PM
Message Edited by Quads on 06-13-2009 11:31 PM

Hi Quads, it's been a while since I was here... I had a question: I was wondering if you could tell me what the stuff is that RootRepeal keeps finding. I posted it here [link removed]

[edit: Link removed. If you wish to attach logs, please post them directly to the thread or use the INSERT CODE button in the editor.]

Message Edited by MikeLee on 07-07-2009 01:00 PM

Hi Sage:

There have been some improvements since you were here last. Please post the log again, but use the attachment link you will find under the post button.