Please advise how to remove this virus/malware. Thanks.
DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by chris dutkowsky at 12:27:02 on 2011-12-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.635 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80105&lng=en
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60516
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60516
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60516
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44D8A7DF-5EB6-46EE-9FB5-A226F56823C0} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris dutkowsky\application data\mozilla\firefox\profiles\418o2001.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-13 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-12 2152152]
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-12 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-12 86224]
S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-12 110032]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-12 74640]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-15 136176]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-11-26 398176]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-18 53248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-15 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-12-13 17:00:33 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-13 16:54:32 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-13 16:54:09 -------- d-----w- c:\program files\Lavasoft
2011-12-12 19:17:43 -------- d-----w- c:\documents and settings\chris dutkowsky\application data\Avira
2011-12-12 19:16:29 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-12 19:16:29 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-12 19:16:28 -------- d-----w- c:\program files\Avira
2011-12-12 19:16:28 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-12-12 19:09:37 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-12 19:09:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-12 19:09:35 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-12 19:09:34 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-12 19:09:34 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-12 19:09:34 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-12 19:09:33 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-12 19:09:33 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 12:27:45.75 ===============
Attach LOG
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/24/2010 7:50:22 AM
System Uptime: 12/13/2011 12:01:46 PM (0 hours ago)
.
Motherboard: LENOVO | | 945795U
Processor: Genuine Intel® CPU T2300 @ 1.66GHz | None | 1662/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 53 GiB total, 23.532 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP186: 7/17/2011 3:56:04 PM - System Checkpoint
RP187: 7/18/2011 4:19:22 PM - System Checkpoint
RP188: 7/19/2011 7:04:54 PM - System Checkpoint
RP189: 7/20/2011 7:48:04 PM - System Checkpoint
RP190: 7/24/2011 3:02:07 PM - System Checkpoint
RP191: 7/30/2011 7:27:48 PM - System Checkpoint
RP192: 7/31/2011 7:35:19 PM - System Checkpoint
RP193: 8/12/2011 4:45:58 PM - Software Distribution Service 3.0
RP194: 8/13/2011 6:05:02 PM - System Checkpoint
RP195: 8/15/2011 4:38:35 PM - System Checkpoint
RP196: 8/17/2011 1:51:35 AM - System Checkpoint
RP197: 8/19/2011 7:08:31 AM - System Checkpoint
RP198: 8/20/2011 7:43:55 AM - System Checkpoint
RP199: 8/24/2011 4:22:12 PM - Software Distribution Service 3.0
RP200: 8/25/2011 7:20:52 PM - System Checkpoint
RP201: 8/28/2011 11:33:33 AM - System Checkpoint
RP202: 9/3/2011 6:46:50 PM - System Checkpoint
RP203: 9/4/2011 9:27:07 PM - System Checkpoint
RP204: 9/7/2011 4:08:50 PM - Software Distribution Service 3.0
RP205: 9/14/2011 3:52:57 PM - Installed PMB
RP206: 9/14/2011 3:58:25 PM - Installed DirectX
RP207: 9/15/2011 9:02:49 PM - Software Distribution Service 3.0
RP208: 9/16/2011 4:49:50 PM - Software Distribution Service 3.0
RP209: 9/24/2011 12:54:02 PM - System Checkpoint
RP210: 9/27/2011 6:46:03 PM - System Checkpoint
RP211: 9/30/2011 6:46:52 AM - Software Distribution Service 3.0
RP212: 10/13/2011 9:53:31 PM - Software Distribution Service 3.0
RP213: 10/13/2011 9:59:55 PM - Software Distribution Service 3.0
RP214: 10/21/2011 9:31:45 PM - System Checkpoint
RP215: 11/3/2011 10:12:37 PM - System Checkpoint
RP216: 11/11/2011 7:48:32 PM - System Checkpoint
RP217: 11/12/2011 12:30:07 PM - Software Distribution Service 3.0
RP218: 12/6/2011 9:18:16 PM - System Checkpoint
RP219: 12/12/2011 5:39:51 PM - System Checkpoint
RP220: 12/13/2011 11:51:53 AM - Installed Ad-Aware
RP221: 12/13/2011 11:54:04 AM - Installed Ad-Aware
.
==== Installed Programs ======================
.
.
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.6
AIM 7
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira Free Antivirus
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
dj_sf_software_req
Download Updater (AOL LLC)
Fax_CDA
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Deskjet Printer Driver Software 9.0
HP Photosmart, Officejet and Deskjet 7.0.A
IBM Lotus Symphony
IBM ThinkPad UltraNav Driver
Image Resizer Powertoy for Windows XP
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Software
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java 6 Update 20
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 8.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
NewCopy_CDA
On Screen Display
ooVoo
PC-Doctor 5 for Windows
PMB
QFolder
QuickTime
Readme
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype Toolbars
Skype™ 5.0
Sonic Express Labeler
Sonic RecordNow!
Sonic Update Manager
SoundMAX
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad Presentation Director
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
ThinkVantage Access Connections
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
12/8/2011 1:46:46 PM, error: Dhcp [1002] - The IP address lease 192.168.1.9 for the Network Card with network address 0018DE8A04ED has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/7/2011 10:47:27 PM, error: Dhcp [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 0018DE8A04ED has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/6/2011 9:04:24 PM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 0018DE8A04ED has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/10/2011 5:54:47 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018DE8A04ED. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
.
==== End Of File ===========================
GMER
will attempt to attach in follow-on post
Malwarebytes LOG
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8358
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
12/13/2011 11:24:53 AM
mbam-log-2011-12-13 (11-24-53).txt
Scan type: Full scan (C:\|)
Objects scanned: 222933
Time elapsed: 1 hour(s), 20 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{fa86cd36-6ea6-460c-969f-7168662beb67}\RP218\A0075546.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\system volume information\_restore{fa86cd36-6ea6-460c-969f-7168662beb67}\RP218\A0075547.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
AVIRA LOG
Avira Free Antivirus
Report file date: Tuesday, December 13, 2011 11:39
Scanning for 3560421 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHRISLAPTOP
Version information:
BUILD.DAT : 12.0.0.849 41825 Bytes 9/23/2011 20:19:00
AVSCAN.EXE : 12.1.0.17 490448 Bytes 9/23/2011 23:04:46
AVSCAN.DLL : 12.1.0.17 54224 Bytes 9/23/2011 18:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 9/23/2011 17:55:16
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/12/2011 19:18:27
AVREG.DLL : 12.1.0.27 227536 Bytes 12/12/2011 19:18:27
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 16:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 22:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 17:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 17:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 19:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 14:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 19:18:04
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 19:18:09
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 19:18:09
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 19:18:09
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 19:18:09
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 19:18:10
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 19:18:10
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 19:18:11
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 19:18:12
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 19:18:12
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 19:18:13
VBASE018.VDF : 7.11.19.36 171520 Bytes 12/9/2011 19:18:13
VBASE019.VDF : 7.11.19.37 2048 Bytes 12/9/2011 19:18:13
VBASE020.VDF : 7.11.19.38 2048 Bytes 12/9/2011 19:18:14
VBASE021.VDF : 7.11.19.39 2048 Bytes 12/9/2011 19:18:14
VBASE022.VDF : 7.11.19.40 2048 Bytes 12/9/2011 19:18:14
VBASE023.VDF : 7.11.19.41 2048 Bytes 12/9/2011 19:18:14
VBASE024.VDF : 7.11.19.42 2048 Bytes 12/9/2011 19:18:15
VBASE025.VDF : 7.11.19.43 2048 Bytes 12/9/2011 19:18:15
VBASE026.VDF : 7.11.19.44 2048 Bytes 12/9/2011 19:18:15
VBASE027.VDF : 7.11.19.45 2048 Bytes 12/9/2011 19:18:15
VBASE028.VDF : 7.11.19.46 2048 Bytes 12/9/2011 19:18:16
VBASE029.VDF : 7.11.19.47 2048 Bytes 12/9/2011 19:18:16
VBASE030.VDF : 7.11.19.48 2048 Bytes 12/9/2011 19:18:16
VBASE031.VDF : 7.11.19.72 136192 Bytes 12/12/2011 19:18:17
Engineversion : 8.2.6.134
AEVDF.DLL : 8.1.2.2 106868 Bytes 12/12/2011 19:18:26
AESCRIPT.DLL : 8.1.3.90 491899 Bytes 12/12/2011 19:18:25
AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 04:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 12/12/2011 19:18:26
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 04:16:06
AEPACK.DLL : 8.2.14.5 741751 Bytes 12/12/2011 19:18:25
AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/12/2011 19:18:23
AEHEUR.DLL : 8.1.3.6 3895670 Bytes 12/12/2011 19:18:23
AEHELP.DLL : 8.1.18.0 254327 Bytes 12/12/2011 19:18:19
AEGEN.DLL : 8.1.5.17 405877 Bytes 12/12/2011 19:18:19
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 04:46:01
AECORE.DLL : 8.1.24.0 196983 Bytes 12/12/2011 19:18:18
AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 04:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 9/23/2011 17:13:18
AVPREF.DLL : 12.1.0.17 51920 Bytes 9/23/2011 16:53:57
AVREP.DLL : 12.1.0.17 179408 Bytes 9/23/2011 16:55:01
AVARKT.DLL : 12.1.0.17 223184 Bytes 9/23/2011 16:25:26
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 9/23/2011 16:34:37
SQLITE3.DLL : 3.7.0.0 398288 Bytes 9/16/2011 07:05:58
AVSMTP.DLL : 12.1.0.17 62928 Bytes 9/23/2011 17:03:47
NETNT.DLL : 12.1.0.17 17104 Bytes 9/23/2011 17:58:06
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 9/23/2011 18:37:25
RCTEXT.DLL : 12.1.0.16 96208 Bytes 9/23/2011 18:37:24
Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4ee77efa\guard_slideup.avp
Logging.............................: default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Start of the scan: Tuesday, December 13, 2011 11:39
Starting master boot sector scan:
Start scanning boot sectors:
Master boot sector HD0
[DETECTION] Contains code of the BOO/Whistler boot sector virus
[NOTE] The boot sector has not been repaired!
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'PMBVolumeWatcher.exe' - '1' Module(s) have been scanned
Scan process 'Reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'EzEjMnAp.Exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'TpScrex.exe' - '1' Module(s) have been scanned
Scan process 'TPONSCR.exe' - '1' Module(s) have been scanned
Scan process 'ACWLIcon.exe' - '1' Module(s) have been scanned
Scan process 'ACTray.exe' - '1' Module(s) have been scanned
Scan process 'TPOSDSVC.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'AcSvc.exe' - '1' Module(s) have been scanned
Scan process 'PWMDBSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'PMBDeviceInfoProvider.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
End of the scan: Tuesday, December 13, 2011 11:39
Used time: 00:01 Minute(s)
The scan has been done completely.
0 Scanned directories
57 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
57 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes