Answer» Scanned again over 2 1/2 hrs, when I went to save it, wouldn't let me name it and froze up then disappeared. STARTED the scan again and the computer restarted itself. Not sure if I should do it again or not, seems to be some sort of glitch happening.

Ok. Let's try another one.
* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have MULTIPLE DRIVES you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/08/15 00:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9FDFE000
Size: 49152
File Visible: No
Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\Fifoed\A0001104.exe
Status: Could not get file information (Error 0xc0000008)

Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP13\A0004451.rbf
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP13\A0004590.rbf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Sherry\Temporary Internet Files\Content.IE5\GE67E3S2\quota_bg-86245791[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeIn Host Software.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeIn Host Software.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeInBootstrapper.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeInBootstrapper.manifest
Status: Locked to the Windows API!
SSDT
-------------------
#: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df52a0
#: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df334e
#: 047 Function Name: NtCreateProcess Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df4fd0
#: 048 Function Name: NtCreateProcessEx Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5140
#: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5e10
#: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df58ae
#: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df67d0
#: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5450
#: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2ea0
#: 116 Function Name: NtOpenFile Status: Hooked by "kl1.sys" at address 0xf70d0030
#: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df4dc0
#: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5c3e
#: 173 Function Name: NtQuerySystemInformation Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6436
#: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3930
#: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6740
#: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6b00
#: 224 Function Name: NtSetInformationFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df70c0
#: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1af0
#: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5a90
#: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df66f0
#: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df31b0
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa0eb0620
#: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5310
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3080
#: 307 Function Name: NtUserAttachThreadInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3a10
#: 378 Function Name: NtUserFindWindowEx Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2b10
#: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a00
#: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a80
#: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a40
#: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2a10
#: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6ea0
#: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2ac0
#: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1f90
#: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6cf0
#: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6ef0
==EOF==

Please download TDSSKiller from here and save it to your Desktop.
- Double-click TDSSKiller.exe to run the tool
- Click the Start Scan button (If prompted with a "hidden service warning" do go ahead and delete it.)
- After the scan has finished, click the Close button
- Click the Report button and copy/paste the contents of it into your next reply
- Note: It will also create a log in the C:\ directory.
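The SSDT and Shadow SSDT sections of the RootRepeal log above record which driver has hooked each kernel service; a quick triage step is to group the hooks by the hooking driver and flag any driver that is not one of the machine's known security products. The script below is an added example, not code from the thread or from RootRepeal; the allowlist (the Kaspersky klif.sys/kl1.sys and SUPERAntiSpyware SASKUTIL.SYS drivers seen in the log) is an assumption, and the "unknown_hook.sys" entry in the sample is constructed so the check has something to flag.

```python
import re
from collections import defaultdict

# One hook entry per line, in the form RootRepeal uses in its report.
HOOK_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s+'
    r'Status:\s*Hooked by\s+"(?P<module>[^"]+)"\s+at address\s+(?P<addr>0x[0-9a-fA-F]+)'
)

def parse_hooks(report):
    """Return one dict per hook: table, index, function, module (file name), path, address."""
    hooks, table = [], None
    for line in report.splitlines():
        line = line.strip()
        if line in ("SSDT", "Shadow SSDT"):   # section headers as RootRepeal writes them
            table = line
            continue
        m = HOOK_RE.search(line)
        if m and table:
            hooks.append({"table": table, "index": int(m["index"]), "function": m["func"],
                          "module": m["module"].rsplit("\\", 1)[-1].lower(),
                          "path": m["module"], "address": m["addr"]})
    return hooks

def hooks_by_module(hooks):
    """Group hooked function names by the driver file that installed the hook."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)

def unexpected_modules(hooks, allowlist):
    """Hooking drivers that are not in the operator-supplied allowlist (review these first)."""
    return sorted({h["module"] for h in hooks} - {m.lower() for m in allowlist})

# Constructed sample: three lines in the format of the log above plus one made-up
# hooking driver ("unknown_hook.sys") so the allowlist check has something to flag.
SAMPLE = r"""SSDT
-------------------
#: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df52a0
#: 116 Function Name: NtOpenFile Status: Hooked by "kl1.sys" at address 0xf70d0030
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa0eb0620
Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\unknown_hook.sys" at address 0xa0de0000
"""
# Assumed allowlist: the Kaspersky (klif.sys, kl1.sys) and SUPERAntiSpyware drivers seen in the thread.
KNOWN_SECURITY_DRIVERS = ["klif.sys", "kl1.sys", "saskutil.sys"]
```

Run `unexpected_modules(parse_hooks(open("rootrepeal.txt").read()), KNOWN_SECURITY_DRIVERS)` against a saved report; an empty result means every hook is accounted for by a known product.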