
Suspected Trojan in MBR reinstalls after using SDFix?


8 replies to this topic

#1 david22

david22

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 17 January 2009 - 08:35 AM

Hello

I'm having trouble removing some sort of Trojan, I think in the MBR.

Trend Micro HouseCall and the ZoneAlarm Security Suite installed on the PC don't detect anything. It may have slipped through when doing some PC maintenance and ZoneAlarm was accidentally left switched off.

Spotted when it brings up a spoof NatWest bank login asking for the full PIN, although the address bar stays green and the URL looks correct with a padlock. My bank said it was a Trojan virus.

SDFix did detect and remove the Trojan the first time and deleted
C:\WINDOWS\system32\FTCUMN47.dll

On reboot, Windows says it is installing update 1 of 1 despite the PC being up to date.

Reruns of SDFix don't detect anything now, but the bank spoof comes up after each reboot. The above DLL file is no longer in the system32 dir.

Cleared the browser cache in case the bank spoof was a cached page.

Any suggestions on how to remove this bug?

Not sure if relevant, but it's a dual-boot iMac desktop (the white flat-panel one). I run Windows XP SP2 on it. Can I use the Mac boot-up to remove the Windows disk partition, and would this remove the MBR, or is this infected on the Mac partition as well? On a normal PC I'd probably buy a new HD and reinstall, but these iMacs I gather are hard to take apart.

Thanks for any insight.

regards
David

Windows XP SP2 up to date with all patches.
iMac running dual boot.
ZoneAlarm uninstalled when using SDFix. Logged on as admin and as user.

Log below.


SDFix: Version 1.240
Run by Administrator on 17/01/2009 at 12:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 12:08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014515867ae]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0014515867ae]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 16 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 12 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 Jun 2000 93,040 A..H. --- "C:\Small HD archive\System Volume Information\_restore{1044BE57-6290-4555-9873-4C67F168D8D2}\RP575\A0159186.com"
Thu 8 Jun 2000 110,080 A..H. --- "C:\Small HD archive\System Volume Information\_restore{1044BE57-6290-4555-9873-4C67F168D8D2}\RP575\A0159188.sys"
Thu 8 Jun 2000 129,078 A.SH. --- "C:\Small HD archive\System Volume Information\_restore{1044BE57-6290-4555-9873-4C67F168D8D2}\RP575\A0159189.SYS"
Fri 1 Sep 2000 1,667 A..H. --- "C:\Small HD archive\System Volume Information\_restore{1044BE57-6290-4555-9873-4C67F168D8D2}\RP575\A0159192.SYS"
Sat 19 Mar 2005 51,200 A.SH. --- "C:\Small HD archive\VaiorootC\Program Files\RegiStax\Setup.exe"
Tue 6 Dec 2005 82 A..H. --- "C:\Documents and Settings\Owner\NikView\EN\Disk1\._Setup.exe"
Tue 6 Dec 2005 82 A..H. --- "C:\Documents and Settings\Owner\NikView\EN\Disk1\.__isres.dll"
Tue 6 Dec 2005 82 A..H. --- "C:\Documents and Settings\Owner\NikView\EN\Utilities\._RegSweeper.exe"
Mon 6 Dec 2004 4,348 A.SH. --- "C:\Small HD archive\VaiorootC\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 6 Dec 2004 4,348 A..H. --- "C:\Small HD archive\VaiorootC\Documents and Settings\Dave\My Documents\My Music\License Backup\drmv1key.bak"
Wed 8 Dec 2004 20 A..H. --- "C:\Small HD archive\VaiorootC\Documents and Settings\Dave\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 17 Nov 2004 312 A.SH. --- "C:\Small HD archive\VaiorootC\Documents and Settings\Dave\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
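The post's title suspects the MBR, and neither SDFix nor catchme looks at sector 0 of the disk. As an added example (Python, not part of this thread and not an SDFix or BleepingComputer tool), here is the check a responder would actually run on a copy of that sector: decode the 512-byte legacy MBR, verify the 0x55AA boot signature, list the four partition entries, sanity-check their status bytes and extents, and compare a SHA-256 of the 440-byte boot-code region against a known-good copy. The partition table is only 64 of the 512 bytes; the boot code is the part an MBR infector replaces, which is why the hash comparison is the check that matters. The sample sector, its "known-good" hash and the `infect_boot_code` patch are all constructed for this example (the table is shaped like a Boot Camp hybrid MBR, with a GPT protective entry, an HFS+ volume and an active NTFS volume, but nothing here was read from the poster's iMac).

```python
# Added example (not from the thread): decode a legacy 512-byte MBR and run the
# checks a responder wants when a boot-sector infection is suspected.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code, the region an MBR infector overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # 0x55 0xAA

PART_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS/exFAT", 0x0C: "FAT32 (LBA)",
              0xAF: "Apple HFS/HFS+", 0xEE: "GPT protective"}


def parse_mbr(mbr: bytes) -> dict:
    """Decode one sector into boot-signature validity, a boot-code hash and partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"valid_signature": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],  # 4 bytes at 440
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def assess(mbr: bytes, known_good_boot_code_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from the known-good copy")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    # Overlap between real partitions; a 0xEE protective entry spans the GPT area and is skipped.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"] if p["type"] not in (0x00, 0xEE))
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"entries {a} and {b} overlap")
    return findings


def build_mbr(boot_code: bytes, entries: list, disk_signature: int = 0) -> bytes:
    """Assemble a sector from boot code and up to four (status, type, lba_start, sectors) tuples."""
    if len(boot_code) != BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code must be 440 bytes and at most four entries are allowed")
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table += b"\x00" * (PART_ENTRY_LEN * (4 - len(entries)))
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed sample: placeholder boot code and a table shaped like a hybrid MBR
# (GPT protective entry, an HFS+ volume, an active NTFS volume, one empty slot).
SAMPLE_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, [
    (0x00, 0xEE, 1, 409_639),                 # GPT protective
    (0x00, 0xAF, 409_640, 200_000_000),       # Mac OS X volume
    (0x80, 0x07, 200_409_640, 100_000_000),   # Windows volume, active
], disk_signature=0x1234ABCD)
# In practice the reference hash comes from a sector read off a known-clean install
# of the same OS; here it is simply the hash of the constructed sample's boot code.
KNOWN_GOOD_BOOT_CODE_SHA256 = hashlib.sha256(SAMPLE_BOOT_CODE).hexdigest()


def infect_boot_code(mbr: bytes) -> bytes:
    """Simulate an infector patching the first bytes of the boot code (constructed, not real malware)."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xEB\x3C\x90"
    return bytes(patched)


if __name__ == "__main__":
    for label, sector in (("clean", SAMPLE_MBR), ("patched", infect_boot_code(SAMPLE_MBR))):
        info = parse_mbr(sector)
        for p in info["partitions"]:
            print(f"{label}: entry {p['index']} {p['type_name']:<16} start={p['lba_start']:>10} "
                  f"sectors={p['sectors']:>10} {'active' if p['bootable'] else ''}")
        print(f"{label}: findings: {assess(sector, KNOWN_GOOD_BOOT_CODE_SHA256) or 'none'}")
```

On a real machine the 512 bytes would come from a raw read of sector 0 (from a boot CD or another OS, not from inside the suspect Windows), and the reference hash from the same read on a clean install of the same Windows version, since the boot code differs between versions.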


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:59 AM

Posted 17 January 2009 - 09:40 AM

Hello, david22

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
  • Post the contents of dds.txt in your next reply, attaching Attach.txt
Note: when you see the black DOS window, the scan is taking place. A log will pop up when complete. It should not take longer than 3 minutes.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 david22

david22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 17 January 2009 - 10:05 AM

Hello Jat

Thanks for your prompt reply and help. I enclose the DDS reports as requested.

with regards
David


DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 14:54:19.17 on 17/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2032.1529 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\AppleCDEject.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Owner\My Documents\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: @497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [EPSON Stylus Photo R800] c:\windows\system32\spool\drivers\w32x86\3\e_fati9ye.exe /fu "c:\windows\temp\E_S149.tmp" /EF "HKCU"
mRun: [AppleCdEject] c:\windows\system32\AppleCDEject.exe
mRun: [Brightness] c:\windows\system32\Brightness.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [AppleTime] c:\windows\system32\AppleTime.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [CallControl 4.7] "c:\program files\faxtalk communicator\FTCtrl32.exe" /autoload
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\documents and settings\owner\my documents\winzip\WZQKPICK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\pc525io2.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2008-8-6 3026]
R3 StartupDiskDriver;StartupDiskDriver;c:\windows\system32\drivers\StartupDiskDriver.sys [2006-3-10 4096]
R3 vidcap;vidcap;c:\windows\system32\drivers\vidcap.sys [2006-12-27 9006]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2008-10-27 759072]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
S3 BLUETOOTH_KICKER;Apple Bluetooth Kicker Driver;c:\windows\system32\drivers\BthKicker.sys [2006-3-15 6016]
S3 DCamUSBET;ET USB 2750 Camera;c:\windows\system32\drivers\etDevice.sys [2007-4-3 106496]
S3 filter;filter;c:\windows\system32\drivers\filter.sys [2006-3-8 5376]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2007-4-3 160128]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-24 33752]
S3 iSightUpdate;iSight Update Driver;c:\windows\system32\drivers\iSightUP.sys [2006-9-5 16384]
S3 OM2800;Motic MC Camera;c:\windows\system32\drivers\ovtcam2.sys [2006-7-20 252551]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [2007-4-3 6016]
S3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S4 318cu;MICROMETRICS 318CU Driver (X18cu.SYS);c:\windows\system32\drivers\X18cu.SYS [2008-10-24 12418]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 EZUSB;Opticstar USB2.0 Camera Driver (DTUSB20.sys);c:\windows\system32\drivers\DTUSB20.sys [2008-8-7 13184]
S4 SnapTHP;SnapTHP;c:\windows\system32\drivers\SnapTHP.sys [1998-2-23 31232]
S4 TBFTPSyncService;TurboFTP Sync Service;c:\program files\turboftp\tftpsvc.exe [2005-11-29 790528]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-01-17 14:52 368,922 a------- C:\dds.com
2009-01-17 14:27 <DIR> --d----- c:\docume~1\owner\applic~1\ABBYY
2009-01-17 14:24 <DIR> --d----- c:\program files\common files\ABBYY
2009-01-17 14:22 <DIR> --d----- c:\program files\ABBYY FineReader 9.0
2009-01-17 14:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ABBYY
2009-01-17 14:19 <DIR> --d----- c:\temp\FR90PE
2009-01-17 14:19 <DIR> --d----- C:\temp
2009-01-17 14:13 257,035,288 a------- C:\FR90PE_ESD.exe
2009-01-15 16:42 805 a------- C:\rollback.ini
2009-01-15 15:53 <DIR> --d----- c:\windows\ERUNT
2009-01-15 15:06 <DIR> --d----- C:\SDFix
2009-01-15 15:05 1,529,241 a------- C:\SDFix.exe
2009-01-15 14:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-15 12:42 30,856 a------- c:\windows\system32\drivers\fsbts.sys
2009-01-04 17:34 <DIR> --d----- c:\program files\iPod
2009-01-04 17:34 <DIR> --d----- c:\program files\iTunes
2009-01-04 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-04 17:33 <DIR> --d----- c:\program files\Bonjour
2009-01-04 14:38 <DIR> --d----- c:\program files\LizardTech
2008-12-28 19:39 100,352 a--sh--- C:\Thumbs.db

==================== Find3M ====================

2009-01-17 11:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-02 14:40 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLeh.DAT
2009-01-02 14:40 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdz.DAT
2009-01-02 14:40 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdy.DAT
2008-12-31 20:28 7,372 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-12 21:06 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLbz.DAT
2008-12-11 11:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-10-23 13:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-09-19 14:23 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2008-09-19 14:03 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2007-06-03 18:28 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLea.DAT
2007-02-09 13:34 0 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-02-09 13:22 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2006-08-22 09:46 6,359 a------- c:\documents and settings\owner\update.exe
2003-09-16 00:19 99,544 a------- c:\windows\inf\virprn.exe
2003-09-16 00:19 18,950 a------- c:\windows\inf\virpntd.dll
2003-09-16 00:19 10,240 a------- c:\windows\inf\virport.dll
2003-09-16 00:19 90,624 a------- c:\windows\inf\prtproc.dll

============= FINISH: 14:55:29.42 ===============
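A DDS report like the one above is read by eye by the helper. As an added example (Python, not part of this thread and not a DDS or BleepingComputer tool), here are three of those reads written as code: Userinit entries beyond the Windows XP default (`C:\WINDOWS\system32\userinit.exe,` is the only program normally listed, and every extra entry runs at each logon), BHO or toolbar registrations whose file is gone ("No File"), and files created under system32 in the "Created Last 30" section. The sample input is a handful of lines copied from the log above; the finding strings are this example's own wording, and each one is a prompt for review, not a verdict about the file named.

```python
# Added example, not part of the thread: triage checks over DDS output of the
# kind posted above. The sample at the bottom is a few lines copied from that log.
import re

SYSTEM32 = r"c:\windows\system32"
# Windows XP default: exactly one program, with the trailing comma.
DEFAULT_USERINIT = {r"c:\windows\system32\userinit.exe"}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
USERINIT_RE = re.compile(r"^[mu]?Winlogon:\s*Userinit=(.*)$", re.I)
NO_FILE_RE = re.compile(r"^(BHO|TB):\s*(.*?)\s*-\s*No File$", re.I)
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")


def userinit_entries(value: str) -> list:
    """Split a Userinit value into normalised program paths (quotes stripped, lower-cased)."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def unexpected_userinit(value: str) -> list:
    """Programs in Userinit beyond the default userinit.exe; each one runs at every logon."""
    return [e for e in userinit_entries(value) if e not in DEFAULT_USERINIT]


def triage_dds(log: str) -> list:
    """Return findings worth a second look; an empty list means none of these checks fired."""
    findings, section = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m and m.group("size") != "<DIR>" and m.group("path").lower().startswith(SYSTEM32):
                findings.append(f"new file under system32 ({m.group('when')}): {m.group('path')}")
            continue
        m = USERINIT_RE.match(line)
        if m:
            for extra in unexpected_userinit(m.group(1)):
                findings.append(f"Userinit launches an extra program at logon: {extra}")
            continue
        m = NO_FILE_RE.match(line)
        if m:
            findings.append(f"{m.group(1).upper()} registered with no backing file: {m.group(2)}")
    return findings


# Lines copied from the DDS log posted above (a subset, in the same layout).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: @497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
mRun: [AppleCdEject] c:\windows\system32\AppleCDEject.exe

=============== Created Last 30 ================

2009-01-17 14:52 368,922 a------- C:\dds.com
2009-01-15 15:06 <DIR> --d----- C:\SDFix
2009-01-15 14:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-15 12:42 30,856 a------- c:\windows\system32\drivers\fsbts.sys

==================== Find3M ====================

2009-01-17 11:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
"""

if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(finding)
```

The Userinit check is the one worth keeping even outside DDS: the value lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, is read by Winlogon at every interactive logon, and a second path appended after userinit.exe is a persistence mechanism that survives a cleaned-up DLL elsewhere on disk.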


#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:59 AM

Posted 18 January 2009 - 02:43 PM

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -


#5 david22

david22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 18 January 2009 - 05:10 PM

Hello Jat

Thanks for the advice. I have moved to a spare PC and renewed passwords on critical aspects. I was given a completely new bank login from my bank as soon as I phoned after spotting the spoof bank page.

The infection is in Windows running under Mac OS Boot Camp on an Intel iMac. Do you know if the Mac OS partition will still be OK? If so, can I delete the Windows drive from within the Mac?

Or should I start from scratch with both Mac and Windows?

Thanks.

regards
David



#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:59 AM

Posted 19 January 2009 - 03:19 AM

Deleting the Windows Partition is the best option here. It's highly unlikely that the trojan would have infected your mac partition.

Let me know if this is what you're going to do.
- Jat90 -


#7 david22

david22
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 20 January 2009 - 10:13 AM

Hello Jat

The Mac OS X Tiger Boot Camp Assistant did allow me to completely remove the Windows partition and repartition the whole drive for the Mac, so hopefully this Trojan is now gone.

Many thanks for your help.

regards
David


Deleting the Windows Partition is the best option here. It's highly unlikely that the trojan would have infected your mac partition.

Let me know if this is what your going to do :thumbup2:



#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:02:59 AM

Posted 20 January 2009 - 10:57 AM

Hi,

Thanks for letting us know.
- Jat90 -


#9 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:59 AM

Posted 20 January 2009 - 11:03 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security



