BleepingComputer.com: Trend ChipawayVirus Infection


Trend ChipawayVirus Infection Virus shut down Windows + prevented restart. Hard disc affected.

#16 fraser06 (Members)

Posted 23 February 2012 - 05:14 PM

Nasdaq,

Sorry if I sound a bit thick. I'm not sure exactly how to type what you asked me to into the command line.

I have pressed START and RUN and typed cmd and OK. I now have a black dialog box with DOS type in it. The top line displays the Windows version. The bottom line displays:

c:\Documents and Settings\Richard>

Do I type in at the end of the line to produce this:

c:\Documents and Settings\Richard>ipconfig /flushdns and then press Enter, then type to produce this:

c:\Documents and Settings\Richard>ipconfig /renew and then press Enter, or do I type in something like this:

c:\Documents and Settings\Richard>ipconfig /flushdns/ipconfig /renew and then press Enter.

I am confused, because you did not say press Enter after the ipconfig /flushdns command, so I was not sure how to then add the second command.

#17 nasdaq (Malware Response Team)

Posted 24 February 2012 - 08:54 AM

Sorry about this. Both commands must be done separately.

c:\Documents and Settings\Richard>ipconfig /flushdns and then press Enter, then type to produce this:

c:\Documents and Settings\Richard>ipconfig /renew and then press Enter, or do I type in something like this:

When done, type EXIT and press the Enter key.

#18 fraser06 (Members)

Posted 24 February 2012 - 08:50 PM

Nasdaq,

Thanks v much for this. I will work on this during the weekend and get back to you soonest with results.

#19 fraser06 (Members)

Posted 25 February 2012 - 06:09 PM

Nasdaq,

OK, I've followed all your instructions now. I shut down what virus and spyware software I could first: uninstalled Windows Defender, disabled Secunia, I think, uninstalled my out-of-date version of Norton Internet Security 2010, turned off Windows Firewall, and uninstalled Malwarebytes, as I could not find out for sure if it was running in the background.

When I first tried to flush the DNS cache, I got an error message saying "Unable to flush DNS Cache. Your DNS Client is turned off" (or words to that effect). So, in order to flush the DNS, I had to turn my PC's own DNS Client back to Automatic. I had previously turned it to Manual in response to the HostsXpert program instructions. I also reverted my HOSTS file back to my original one from the HostsXpert one, just in case.

When ComboFix did its scan, I was a bit concerned that it was deleting certain files, in particular:

Documents and Settings\Richard\WINDOWS.

Anyway, here is the pasted ComboFix.exe log report:

ComboFix 12-02-24.02 - Richard 25/02/2012 19:18:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.409 [GMT 0:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Alex\Favorites\Thumbs.db
c:\documents and settings\All Users\SPL121.tmp
c:\documents and settings\All Users\SPL258.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
c:\documents and settings\Richard\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-25 to 2012-02-25 )))))))))))))))))))))))))))))))
.
.
2012-02-25 08:53 . 2012-02-25 08:53 -------- d-----w- c:\program files\Common Files\xing shared
2012-02-25 03:13 . 2012-02-25 03:13 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-02-25 02:12 . 2012-02-25 03:37 -------- d-----w- c:\windows\system32\Adobe
2012-02-20 18:04 . 2012-02-23 00:54 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-02-18 14:18 . 2012-01-29 05:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 21:34 . 2012-02-17 21:34 -------- d-----w- c:\program files\Common Files\Java
2012-02-17 21:23 . 2012-02-17 21:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-17 20:21 . 2012-02-17 20:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-02-17 19:18 . 2012-02-17 19:18 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\Secunia PSI
2012-02-17 19:17 . 2012-02-17 19:17 -------- d-----w- c:\program files\Secunia
2012-02-17 02:54 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-17 02:54 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-16 20:17 . 2012-02-16 20:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-02-16 17:01 . 2012-02-16 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-02-14 21:28 . 2012-02-14 21:28 -------- d-----w- C:\spoolerlogs
2012-02-08 20:56 . 2012-02-08 20:56 -------- d-----w- c:\documents and settings\Richard\Application Data\Malwarebytes
2012-02-08 20:55 . 2012-02-08 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-08 19:48 . 2012-02-08 19:48 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-26 20:26 . 2012-01-26 20:26 -------- d-----w- C:\Install
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-25 15:41 . 2011-06-08 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-25 08:51 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-23 10:47 . 2011-05-05 01:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-17 21:22 . 2011-06-13 23:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-12 16:53 . 2001-08-18 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2001-08-18 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2001-08-18 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-09-27 19:01 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLAGENTEXE"="dslagent.exe USB" [X]
"UpdReg"="c:\windows\Updreg.exe" [2000-05-10 90112]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"GSICONEXE"="gsicon.exe" [2003-05-14 90112]
"Gainward"="c:\program files\XpertVision\TBPanel.exe" [2007-04-23 2165520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-01-18 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-01-18 139944]
"Lexmark S300-S400 Series Fax Server"="c:\program files\Lexmark S300-S400 Series\fm3032.exe" [2010-01-18 316072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-02-25 296056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft.exe [2011-4-6 2011944]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Help.lnk - c:\program files\BT Broadband\Help\bin\matcli.exe [2004-9-27 200704]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbChannelScan.exe"=
"c:\\WINDOWS\\system32\\lxeacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
R3 dfg;dfg;c:\windows\system32\DRIVERS\dfg.sys [2008-12-12 23552]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-10-14 994360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 BCSWAP;BCSWAP; [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [2010-01-07 598696]
S2 PCPrintLogger;PaperCut Print Logger;c:\program files\PaperCut Print Logger\pcpl.exe PCPrintLogger [x]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-10-14 399416]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfsxp.sys [2011-10-01 584680]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplayxp.sys [2011-10-01 209512]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirxp.sys [2011-10-01 20584]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvolxp.sys [2011-10-01 18280]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-03-02 128008]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1060284298-1343024091-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-02-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1060284298-1343024091-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-02-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1060284298-1343024091-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-02-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1060284298-1343024091-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-02-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1060284298-1343024091-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-01-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1060284298-1343024091-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 17:45]
.
2012-02-25 c:\windows\Tasks\User_Feed_Synchronization-{25601AB7-B256-4C16-8815-40EDDA4CA64C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-Wdf01000.sys
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 20:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1060284298-1343024091-1004\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014
.
[HKEY_USERS\S-1-5-21-1935655697-1060284298-1343024091-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2012-02-25 20:12:49
ComboFix-quarantined-files.txt 2012-02-25 20:12
.
Pre-Run: 20,163,768,320 bytes free
Post-Run: 28,181,237,760 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 42A761FFBCD118AEEEF00FFFEF2C930F

I have noticed that about.blank is still there whilst flitting between certain web pages. And since reverting to my PC's own HOSTS file, the pop-up and animation ads on web pages have increased. So I am going to activate the HostsXpert HOSTS file once more.
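Reading the "Reg Loading Points" section of a ComboFix log by eye is easy to get wrong, so here is an added example (my own code, not ComboFix's and not from anyone in this thread) that parses that REGEDIT4-style block and flags the values which weaken Windows' own defences: the Security Center overrides, the disabled monitoring entries and the standard-profile firewall being off, all of which appear in the log above (fraser06 says he turned the firewall off himself before the scan). The sample dump, the rule table and the `Finding` type are constructed for the example.

```python
"""Flag security-weakening settings in a ComboFix "Reg Loading Points" dump.

Added example, not part of ComboFix or of the forum thread. The sample below
is constructed to match the shape of the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: same two value syntaxes ComboFix prints in the log above.
SAMPLE_LOG = """\
REGEDIT4
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Matches both forms seen in the log: "Name"=dword:00000001 and "Name"= 0 (0x0)
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+)\s*\(0x[0-9A-Fa-f]+\))'
)


def parse_reg_points(text: str) -> dict[str, dict[str, int]]:
    """Return {key_path (lowercased): {value_name (lowercased): int}} for numeric values.

    String values such as the Run entries are skipped; ComboFix's "." spacer
    lines and the REGEDIT4 header are ignored.
    """
    keys: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line == "REGEDIT4":
            continue
        m = REG_KEY.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            keys[current][m.group("name").lower()] = value
    return keys


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: int
    severity: str
    note: str


# (key-path fragment, value name, value that triggers, severity, what it means).
# Fragment matching is a substring test on the lowercased key path.
RULES = (
    ("security center", "antivirusoverride", 1, "high",
     "Security Center will not warn that antivirus is missing or out of date"),
    ("security center", "firewalloverride", 1, "high",
     "Security Center will not warn that the firewall is off"),
    ("security center\\monitoring", "disablemonitoring", 1, "high",
     "Security Center monitoring switched off for this product"),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0, "high",
     "Windows Firewall disabled for the standard profile"),
    ("standardprofile\\icmpsettings", "allowinboundechorequest", 1, "info",
     "host answers inbound ping; usually harmless on a home LAN"),
)


def audit(text: str) -> list[Finding]:
    """Apply RULES to every key in the dump and return the matching findings."""
    findings: list[Finding] = []
    for key, values in parse_reg_points(text).items():
        for fragment, name, trigger, severity, note in RULES:
            if fragment in key and values.get(name) == trigger:
                findings.append(Finding(key, name, trigger, severity, note))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}={f.value} in [{f.key}]: {f.note}")
```

Feed it the whole log rather than the sample and the Run entries and service lines are simply skipped; only the numeric registry values are examined.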

#20 nasdaq (Malware Response Team)

Posted 26 February 2012 - 08:49 AM

Open notepad and copy/paste the text in the quote box below into it:

ClearJavaCache::


Save this as CFScript on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Make sure your virus protection software is enabled before using the internet.

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.

  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#21 fraser06 (Members)

Posted 02 March 2012 - 07:45 AM

Nasdaq,

Slight problem. I have now received my Norton Internet Security 2012 disc and installed it. Guess what, it has identified Combofix as malware and quarantined it. What would you advise? Is it possible/safe to get Norton to release it from Quarantine, or should I download a fresh copy of Combofix, temporarily disable Norton, then run that Combofix file?

Finally, if I install and run ESET, do I need to temporarily disable Norton to avoid any conflict, or should I just in fact run Norton?

Ta.

#22 nasdaq (Malware Response Team)

Posted 02 March 2012 - 09:07 AM

Quote

Is it possible/safe to get Norton to release it from Quarantine, or should I download a fresh copy of Combofix, temporarily disable Norton, then run that Combofix file?


Norton will remove any other version of ComboFix.

Run your Norton program.

Let me know if the problem persists.

#23 fraser06 (Members)

Posted 05 March 2012 - 04:22 PM

Nasdaq,

I ran 3 initial scans using Norton 2012: 2 Full scans and one Quick scan. This is what its Scan History reported. I'm not sure if it is picking up files from the antimalware as false positives, or perhaps the virus files that the antimalware software has itself quarantined.


Full Path: c:\documents and settings\richard\desktop\combofix.exe
Threat: Trojan.ADH.2
____________________________
____________________________
On computers as of 26/02/2012 at 12:39:28
Last Used 26/02/2012 at 12:41:30
Startup Item No
Launched No
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
Very New
This file was released 10 days ago.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________


Source File:
combofix.exe
____________________________
File Actions
Infected file: c:\documents and settings\richard\desktop\combofix.exe
Removed
____________________________
Registry Actions
Registry change: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe
Removed
____________________________
File Thumbprint - SHA:
a34cd414fd1c85a172fa212afa1e43a455eea69aec6c98759c93970d2fb760ec
____________________________
File Thumbprint - MD5:
0f9990fea0c091c8ee167f662c36de3e
____________________________

Full Path: c:\system volume information\_restore{1d90d9c8-db39-4c85-89a6-7243a33da8ab}\rp4\a0000697.exe
Threat: Trojan.ADH.2
____________________________
____________________________
On computers as of Not Available
Last Used 27/02/2012 at 01:34:23
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

____________________________
File Actions
File: c:\system volume information\_restore{1d90d9c8-db39-4c85-89a6-7243a33da8ab}\rp4\a0000697.exe
Removed
____________________________
File Thumbprint - SHA:
a34cd414fd1c85a172fa212afa1e43a455eea69aec6c98759c93970d2fb760ec
____________________________
File Thumbprint - MD5:
0f9990fea0c091c8ee167f662c36de3e
____________________________

Full Path: c:\tdsskiller_quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0011.dta
Threat: Backdoor.Trojan
____________________________
____________________________
On computers as of 27/02/2012 at 04:06:11
Last Used 27/02/2012 at 04:08:14
Startup Item No
Launched No
____________________________
____________________________
Few Users
Fewer than 50 users in the Norton Community have used this file.
____________________________
Mature
This file was released 4 months ago.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

Source File:
tsk0011.dta
____________________________
File Actions
Infected file: c:\tdsskiller_quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0011.dta
Removed
____________________________
File Thumbprint - SHA:
d812e8db8d1a2da816f7690382346bfb9f8a3bed7671021c99e49c00d38a96af
____________________________
File Thumbprint - MD5:
d3d9020847db2024626897df3c85484f
____________________________


I have run several Quick Norton scans and a Full Norton scan since then, with no viruses or other threats found.

Of course, I may have some of the original threats still on my computer, but quarantined by the earlier antimalware software you advised me to use. Would you recommend my deleting those quarantined files now?

Should I still run ESET, or do you think Norton will have done the same thing?

Other than that, everything else seems to be back and working OK now (though Norton certainly slows my old PC!) except I still have the About.Blank infection, which is frustrating and also seems to slow down my internet page Refresh. Is there anything else I can try, or do I have to live with it now?

#24 nasdaq (Malware Response Team)

Posted 06 March 2012 - 10:16 AM

All false-positive issues.

Execute this and you should be in good health.

Time for some housekeeping
    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bold text into the Run box and click OK:

    ComboFix /Uninstall

===

Delete the other tools we used.

#25 nasdaq (Malware Response Team)

Posted 12 March 2012 - 08:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#26 nasdaq (Malware Response Team)

Posted 30 March 2012 - 08:52 AM

Topic reopened.
