Virus and/or Malware? (SHeur2.BAPH)


11 replies to this topic

#1 Taggart (Members, 6 posts)

Posted 09 September 2009 - 07:08 AM

Okay... I am new to these forums so first off hello & I wish this was on better timing lol.

The other day I was infected with the Windows Police Pro deal but I was able to get rid of that. Now I am having a problem with AVG continuously finding this Trojan SHeur2.BAPH

I have also run other spyware/malware programs trying to get rid of this thing such as your suggested Malwarebytes, Ad-aware, Windows Defender, and a program suggested to me - IOBit (Advanced system care, IOBit Security 360).

Here is a list of things that Malwarebytes has found just this morning (9/9/2009):

Rootkit.TDSS


Now since I have been running AVG & Malwarebytes I haven't had any noticeable problems but seeing as though this Rootkit is still being found by Malwarebytes I figure I need to ask someone what to do. Should I be worried about what AVG is finding or be more concerned about this rootkit?

My system is:

Self Build
Windows XP
Anti-Virus/Anti-Spyware programs installed: Ad-Aware, CCleaner, IOBit Advanced SystemCare, IOBit Security 360, AVG, Malwarebytes, HijackThis

I don't know what else to tell you or if I have multiple unrelated problems that need separate posts.

Thank you for your time in advance.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,726 posts, Virginia, USA)

Posted 09 September 2009 - 11:04 AM

Welcome to our forums.

IMPORTANT NOTE: It appears one or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Taggart (Topic Starter, Members, 6 posts)

Posted 09 September 2009 - 01:10 PM

I would like to try and clean the problem out if at all possible. I have a lot of files that have not been backed up as of yet that I wonder if it is possible to salvage them before a re-format is done (music, documents, photographs, etc.) I do some online payment of bills on this computer and I will be notifying the bank and such asap and will most likely begin using another computer for that kind of work. Again thank you for your time in advance!

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,726 posts, Virginia, USA)

Posted 09 September 2009 - 01:29 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links previously provided. As I already said, in some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

Should you decide to reformat or do a factory restore due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s) so be sure you look closely at the full file name. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you decide to attempt disinfection, then continue as follows:

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run..., then copy and paste this command into the open box: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
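A worked example, added here and not part of quietman7's post or of any Malwarebytes or Sophos tool: a short Python script that applies the backup rule above (skip .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab) to a list of candidate files and also catches the double-extension disguise the post warns about, such as a photo that is really "holiday.jpg.exe". The sample paths are constructed, and the set of "data" extensions used to recognise the disguise is my own assumption.

```python
"""Filter backup candidates against the file types the post says not to copy (added example)."""
from __future__ import annotations
import os
from pathlib import PureWindowsPath

# Extensions the post lists as unsafe to back up from an infected machine.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".ini", ".php", ".asp", ".htm", ".html", ".xml",
    ".zip", ".cab", ".rar",
}

# Assumption: the kinds of data the user actually wants to save. Used only to
# name the disguise ("executable pretending to be a picture").
DATA_EXTENSIONS = {".doc", ".txt", ".pdf", ".mp3", ".wav", ".jpg", ".jpeg", ".png", ".gif"}


def risky_suffixes(name: str) -> list[str]:
    """Every risky extension anywhere in the name, lower-cased, in order.

    Each dotted component is checked, not just the last one, because a file such
    as 'photo.jpg.exe' is shown as 'photo.jpg' when Windows hides known extensions.
    """
    return [s for s in (x.lower() for x in PureWindowsPath(name).suffixes)
            if s in RISKY_EXTENSIONS]


def backup_verdict(path: str) -> tuple[bool, str]:
    """Decide whether one file may go on the backup disc. Returns (allowed, reason)."""
    name = PureWindowsPath(path).name
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    found = risky_suffixes(name)
    if not found:
        return True, "ok"
    # Classic disguise: a data extension immediately followed by an executable one.
    if len(suffixes) >= 2 and suffixes[-1] in RISKY_EXTENSIONS and suffixes[-2] in DATA_EXTENSIONS:
        return False, f"{suffixes[-1]} disguised as {suffixes[-2]}"
    return False, "risky extension " + ", ".join(found)


def partition(paths: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split candidates into (to_copy, to_skip); to_skip maps path -> reason."""
    to_copy, to_skip = [], {}
    for p in paths:
        ok, why = backup_verdict(p)
        if ok:
            to_copy.append(p)
        else:
            to_skip[p] = why
    return to_copy, to_skip


def partition_tree(root: str) -> tuple[list[str], dict[str, str]]:
    """Walk a real folder (e.g. My Documents) and apply the same rule to every file."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return partition(paths)


# Constructed sample, not taken from the thread: ordinary data files mixed with
# the kinds of names the post tells the user to leave out.
SAMPLE_CANDIDATES = [
    r"C:\Documents and Settings\user\My Documents\thesis.doc",
    r"C:\Documents and Settings\user\My Music\track01.mp3",
    r"C:\Documents and Settings\user\My Pictures\holiday.jpg",
    r"C:\Documents and Settings\user\My Pictures\holiday.jpg.exe",
    r"C:\Documents and Settings\user\My Documents\Archive\mbam-setup.exe",
    r"C:\Documents and Settings\user\My Documents\old_site\index.html",
    r"C:\Documents and Settings\user\My Documents\backup2008.zip",
    r"C:\Documents and Settings\user\My Documents\notes.TXT",
]

if __name__ == "__main__":
    keep, skip = partition(SAMPLE_CANDIDATES)
    for p in keep:
        print("COPY", p)
    for p, why in skip.items():
        print("SKIP", p, "->", why)
```

Run it as-is to see the constructed list sorted into COPY and SKIP, or call partition_tree() on the folder you are about to burn to disc. It deliberately keeps the decision per file, so the "skip" list can be reviewed by hand rather than silently dropped.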

#5 Taggart (Topic Starter, Members, 6 posts)

Posted 09 September 2009 - 03:37 PM

Here is the last MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 3

9/9/2009 4:35:14 PM
mbam-log-2009-09-09 (16-35-10).txt

Scan type: Quick Scan
Objects scanned: 88720
Time elapsed: 1 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxewftidwq (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


EDIT

I have scanned about 3 times with Sophos Anti-Rootkit and it has come up with nothing that says it should be removed (cleanup recommended). Just before I did the last scan I ran MBAM again with this as the log:

9/9/2009 7:42:12 PM
mbam-log-2009-09-09 (19-42-12).txt

Scan type: Quick Scan
Objects scanned: 88638
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxewftidwq (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I then ran the Sophos scan again still with nothing that was checked. What should I do from here?

Edited by Taggart, 09 September 2009 - 08:21 PM.
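An added example, not part of the thread and not Malwarebytes code: a Python parser for the MBAM 1.40 log layout shown in the two logs above. It pulls out the header fields, the summary counts and every detected item together with the action MBAM recorded, and then lists items still marked "No action taken" (the state of the rotscxewftidwq service key in the first log, before the second log shows it quarantined). The embedded sample log is constructed in that layout; the entry under Files Infected is a placeholder, not a real detection.

```python
"""Parser for the Malwarebytes' Anti-Malware 1.40 log layout (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One detected item: "<path> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary line: "Registry Keys Infected: 1"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")


@dataclass
class Finding:
    section: str     # e.g. "Registry Keys Infected"
    path: str        # registry key, file or folder
    detection: str   # e.g. "Rootkit.TDSS"
    action: str      # what MBAM did, without the trailing full stop

    @property
    def pending(self) -> bool:
        """True when MBAM found the item but did not remove it."""
        return self.action.startswith("No action taken")


def parse_mbam_log(text: str):
    """Return (header, counts, findings) for one log."""
    header, counts, findings = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                  # summary block
            counts[m["section"]] = int(m["n"])
            continue
        if line.endswith(" Infected:"):        # start of a detail section
            section = line[:-1]
            continue
        if line == "(No malicious items detected)":
            continue
        if section is not None:                # detail line inside a section
            m = ITEM_RE.match(line)
            if m:
                findings.append(Finding(section, m["path"], m["detection"], m["action"]))
            continue
        if ": " in line:                       # "Database version: 2766" and the like
            key, value = line.split(": ", 1)
            header[key] = value
    return header, counts, findings


def pending_items(findings: list[Finding]) -> list[Finding]:
    """Items logged as found but left in place; the reason a helper asks for the log."""
    return [f for f in findings if f.pending]


def count_mismatches(counts: dict, findings: list[Finding]) -> dict:
    """Summary counts that disagree with the number of items actually listed."""
    listed: dict[str, int] = {}
    for f in findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if n != listed.get(s, 0)}


# Constructed sample in the 1.40 layout. The registry key and its detection name
# are the ones posted in this thread; the Files Infected line is a placeholder.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 3

9/9/2009 4:35:14 PM
mbam-log-2009-09-09 (16-35-10).txt

Scan type: Quick Scan
Objects scanned: 88720
Time elapsed: 1 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rotscxewftidwq (Rootkit.TDSS) -> No action taken.

Files Infected:
C:\WINDOWS\system32\CONSTRUCTED-PLACEHOLDER.dll (Constructed.Example) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    header, counts, findings = parse_mbam_log(SAMPLE_LOG)
    print("database", header.get("Database version"), "scan", header.get("Scan type"))
    for f in findings:
        print(f"{f.section}: {f.path} [{f.detection}] -> {f.action}")
    for f in pending_items(findings):
        print("STILL PRESENT:", f.path)
    print("count mismatches:", count_mismatches(counts, findings))
```

The pending list is the part worth automating: a log whose only detection is marked "No action taken" means the item was found but is still on the system, which is exactly the difference between the two logs Taggart posted.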


#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,726 posts, Virginia, USA)

Posted 09 September 2009 - 09:00 PM

As I said, not all hidden components detected by ARKs are malevolent. Thus, it's not unusual to find legitimate files mixed in with malicious ones. Sophos ARK does not recommend removal of those files which the scanner does not recognize. However, that does not mean those files are all good and should be left alone. Further investigation is required after the initial scan to analyze and identify the files which were detected so they can be manually removed during a subsequent scan if found to be malicious. Please post the sarscan.log results for my review.

To retrieve the Sophos rootkit scan log go to Start > Run..., then copy and paste this command into the open box: %temp%\sarscan.log
Press Ok.
This should open the log in notepad so you can copy and paste it into your next reply.
If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
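An added example, not code from Sophos or from anyone in the thread: a Python triage pass over a sarscan.log in the format Taggart posts next, applying the point made in this post and in the earlier note that not every hidden item is malicious. Entries under Windows' own file stores (ServicePackFiles, $NtServicePackUninstall$, System Restore), the IE history index and the browser cache are bucketed as "expected"; a randomly named .tmp in the user's Temp folder is bucketed as "investigate"; any other hidden executable is bucketed as "verify". The location rules are my own heuristics, not Sophos's "Removable" tags, and the sample log is constructed from the page's format with a <username> placeholder.

```python
"""Triage of a Sophos Anti-Rootkit sarscan.log (added example; the buckets are my heuristics)."""
from __future__ import annotations
import re
from collections import Counter

HIDDEN_RE = re.compile(r"^Hidden: (?P<kind>file|registry item) (?P<target>.+)$")
INFO_RE = re.compile(r"^Info: (?P<msg>.+)$")

# Locations where hidden entries are routinely produced by Windows itself or by
# installers. Assumption on my part, not a Sophos classification: a match means
# "record it and move on", not "ignore it for ever".
EXPECTED_LOCATIONS = [
    (r"\\Internet Settings\\5\.0\\Cache\\Extensible Cache\\MSHist01", "IE history index"),
    (r"\\Temporary Internet Files\\", "browser cache"),
    (r"\\WINDOWS\\ServicePackFiles\\", "service pack file store"),
    (r"\\WINDOWS\\\$NtServicePackUninstall\$\\", "service pack uninstall backup"),
    (r"\\System Volume Information\\_restore", "System Restore snapshot"),
    (r"\\InstallShield Installation Information\\", "installer cache"),
]

# Locations where a hidden item deserves a closer look before any cleanup.
SUSPECT_LOCATIONS = [
    (r"\\Local Settings\\Temp\\[^\\]+\.tmp$", "randomly named .tmp in the user's Temp folder"),
]


def classify(kind: str, target: str) -> tuple[str, str]:
    """Return (bucket, note) for one hidden item: expected, investigate or verify."""
    for pattern, label in EXPECTED_LOCATIONS:
        if re.search(pattern, target, re.IGNORECASE):
            return "expected", label
    for pattern, label in SUSPECT_LOCATIONS:
        if re.search(pattern, target, re.IGNORECASE):
            return "investigate", label
    if kind == "file" and target.lower().endswith((".exe", ".dll")):
        return "verify", "executable outside a known Windows store: confirm its origin before acting"
    return "verify", "unclassified hidden item"


def parse_sarscan(text: str):
    """Return (info_messages, entries); each entry is a dict with kind/target/bucket/note."""
    info, entries = [], []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            bucket, note = classify(m["kind"], m["target"])
            entries.append({"kind": m["kind"], "target": m["target"], "bucket": bucket, "note": note})
            continue
        m = INFO_RE.match(line)
        if m:
            info.append(m["msg"])
    return info, entries


def summarize(entries: list[dict]) -> Counter:
    """How many hidden items landed in each bucket."""
    return Counter(e["bucket"] for e in entries)


def needs_attention(entries: list[dict]) -> list[str]:
    """Targets that are not in an expected location, in log order."""
    return [e["target"] for e in entries if e["bucket"] != "expected"]


# Constructed sample in the sarscan.log layout; the registry key and the Temp
# file name follow lines posted in this thread, the username is a placeholder.
SAMPLE_SARSCAN = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 9/9/2009 at 16:41:55 PM
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009030620090307
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\KXMZ8XUZ\2460749&ga_hid=1543278913
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb040d.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\Documents and Settings\<username>\My Documents\Archive\mbam-setup.exe
Hidden: file C:\Program Files\CCleaner\uninst.exe
Hidden: file C:\Documents and Settings\<username>\Local Settings\Temp\c0ab468b-e9fc-407a-9644-e4f94f4279d1.tmp
Info: Starting disk scan of E: (NTFS).
Hidden: file E:\System Volume Information\_restore{08CB9091-93C3-4372-AEEA-93AAD9F23623}\RP373\A0060419.dll
"""

if __name__ == "__main__":
    info, entries = parse_sarscan(SAMPLE_SARSCAN)
    print("scan phases:", len(info), "hidden items:", len(entries), dict(summarize(entries)))
    for e in entries:
        if e["bucket"] != "expected":
            print(f"{e['bucket'].upper():11} {e['target']}  ({e['note']})")
```

The output is a shortlist for the "further investigation" this post asks for, not a removal list: everything in the verify and investigate buckets still has to be identified (vendor copy, hash, a second scanner) before anything is ticked in a subsequent Sophos run.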

#7 Taggart (Topic Starter, Members, 6 posts)

Posted 09 September 2009 - 10:23 PM

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/9/2009 at 16:41:55 PM
User "Greg Pistner" on computer "CORPDESK"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009030620090307
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009030820090309
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Greg Pistner\Local Settings\Temporary Internet Files\Content.IE5\KXMZ8XUZ\2460749&ga_hid=1543278913&ga_fc=0&u_tz=-240&u_his=1&u_java=1&u_h=768&u_w=1360&u_ah=740&u_aw=1360&u_cd=32&u_nplug=0&u_nmime=0&biw=336&bih=280&fu=0&ifi=1&dtd=79
Hidden: file C:\Documents and Settings\Greg Pistner\Local Settings\Temporary Internet Files\Content.IE5\GTYVKHEF\52460749&ga_hid=908916429&ga_fc=0&u_tz=-240&u_his=1&u_java=1&u_h=768&u_w=1360&u_ah=740&u_aw=1360&u_cd=32&u_nplug=0&u_nmime=0&biw=336&bih=280&fu=0&ifi=1&dtd=63
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\bg2-1.2b.exe
Hidden: file C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\is360setup.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{E8AEA11B-E60A-455E-B008-E4E763604612}\ISSetup.dll
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\mbam-setup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\FoF_Client_2.5_Full.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\New Folder\avg_free_stf_en_8_176a1400.exe
Hidden: file C:\Program Files\n52te\flashplayer9.exe
Hidden: file C:\Program Files\AVG\AVG8\AVGToolbarInstall.exe
Hidden: file C:\ACID Pro 5.0\InstMsi-x86a.exe
Hidden: file C:\Games\Steam\steamapps\common\call of duty 4\PB\pbsvc.exe
Hidden: file C:\Games\Steam\steamapps\common\quake 3 arena\Check for Q3A Updates.exe
Hidden: file C:\Games\Steam\steamapps\common\quake 3 arena\Check for Quake III Arena Updates.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\gamebooster.exe
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\spyware-doctor.exe
Hidden: file C:\Program Files\CCleaner\uninst.exe
Hidden: file C:\Program Files\Sony Setup\ACID Pro 5.0\InstMsi-x86a.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\BF2_Patch_1.41.exe
Hidden: file C:\Games\Call of Duty - World at War\pb\pbclold.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{149464D9-B06F-4505-9968-FD1206F67AD3}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{9F01A67B-7D67-482F-9D4F-D5980A440FD4}\ISSetup.dll
Hidden: file C:\Program Files\Realtek\InstallShield\RTHDCPL.exe
Hidden: file C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlredis.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\dpcdll.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb040d.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb0401.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\msncli.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipseldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isendpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb040d.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb0401.dll
Hidden: file C:\WINDOWS\system32\mui\0401\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\mui\040D\xpsp2res.dll
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\My Pictures\Werewolf stuff\Other\Pics\blaaaaa\KAZA Stuff\KazaaUpdate131.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\airmixuk.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\DefragSetup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\DirEttoreFREESetup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\DivX52XP2K.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_anemia.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_ardennes.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_aura.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_belfort_b2.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_breugelb8.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_celes_b2.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_coire.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_cr44_krug.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_crete.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_harbor_rc1.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_rouen_b1.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_salerno.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_santos_b1.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_scary.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_smallhill_snowday.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_strand.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\dod_stug.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\frostwire-4.13.1.7.windows.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\Insurgency_Beta1_Client.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\pbsetup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\RommelsModifiedInsaneHUD.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\RaDoX_BloodBath_2004_theMovie\XviD-1.0.3.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\Acid Pro 5.0 + Keygen\Keygen.exe
Hidden: file C:\Program Files\Logitech\SetPoint\Quicktour\QuickTour2.exe
Hidden: file C:\Documents and Settings\Greg Pistner\Desktop\OpenOffice.org 3.0 (en-US) Installation Files\instmsia.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\FoF_Client_2.5-2.6a_Update.exe
Hidden: file C:\Games\Battlefield 2\BF2.exe
Hidden: file C:\Games\Battlefield 2\pb\pbsetup.exe
Hidden: file C:\Games\Battlefield 2\BFMFC.DLL
Hidden: file C:\Games\Battlefield 2\MFC71.dll
Hidden: file C:\Games\Battlefield 2\DIAG.EXE
Hidden: file C:\Documents and Settings\Greg Pistner\Desktop\pbsetup.exe
Hidden: file C:\Games\Steam\steamapps\common\america's army 3\Binaries\pbsvc.exe
Hidden: file C:\Games\Steam\steamapps\common\america's army 3\Binaries\pbsetup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\ccsetup223.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\Ad-AwareAE.exe
Hidden: file C:\Games\Call of Duty - World at War\CoDWaW.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\AdbeRdr910_en_US.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\ISSetup.dll
Hidden: file C:\Program Files\GOG.com\Rise of The Triad\gogwrap.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\asc-setup.exe
Hidden: file C:\Documents and Settings\Greg Pistner\My Documents\Archive\converter.exe
Info: Starting disk scan of E: (NTFS).
Hidden: file E:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Hidden: file E:\System Volume Information\_restore{08CB9091-93C3-4372-AEEA-93AAD9F23623}\RP373\A0060419.dll
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_santos_b1.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_breugelb8.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_coire.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\DefragSetup.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_knight.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\RaDoX_BloodBath_2004_theMovie\XviD-1.0.3.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\ccsetup210.exe
Hidden: file E:\Program Files\CCleaner\uninst.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_celes_b2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\pbsetup.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_harbor_rc1.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_stug.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_smallhill_snowday.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_strand.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\Eternal_Silence_3_0_client.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\airmixuk.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_aura.exe
Hidden: file E:\Program Files\Logitech\SetPoint\Quicktour\QuickTour2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_salerno.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_anemia.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\FrostWireWin_4.10.9_Beta.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\gaim-2.0.0beta3.1.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\Acid Pro 5.0 + Keygen\Keygen.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\My Pictures\Werewolf stuff\Other\Pics\blaaaaa\KAZA Stuff\KazaaUpdate131.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Acid Stuff\xNew Stuff\pvk_2.31_setup.exe
Hidden: file E:\Program Files\Winamp\UninstWA.exe
Hidden: file E:\Program Files\Gaim\GTK\2.0\uninst.exe
Hidden: file E:\Program Files\Sony Setup\ACID Pro 5.0\InstMsi-x86a.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\Insurgency_Beta1_Client.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_harrington2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\pidgin-2.4.3.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\DirEttoreFREESetup.exe
Hidden: file E:\DirEttoreFREE\DirEttoreFREE.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_crete.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\RommelsModifiedInsaneHUD.exe
Hidden: file E:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Hidden: file E:\Program Files\coolpro2\coolpro2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\pidgin-2.2.2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_rouen_b1.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\.housecall6.6\tsc.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_scary.exe
Hidden: file E:\Games\Command & Conquer The First Decade\Command & Conquer™ Tiberian Sun™\SUN\Game.exe
Hidden: file E:\Games\Command & Conquer The First Decade\Command & Conquer Red Alert™ II\RA2\RA2MD.exe
Hidden: file E:\Games\Command & Conquer The First Decade\Command & Conquer Red Alert™ II\RA2\YURI.exe
Hidden: file E:\Games\Command & Conquer The First Decade\Command & Conquer™ Generals\generals.exe
Hidden: file E:\Games\Command & Conquer The First Decade\Command & Conquer™ Generals Zero Hour\generals.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr710_en_US.exe
Hidden: file E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_belfort_b2.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_ardennes.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\dod_cr44_krug.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\School\icinst.exe
Hidden: file E:\Program Files\Pidgin\pidgin-uninst.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\Local Settings\Temp\c0ab468b-e9fc-407a-9644-e4f94f4279d1.tmp
Hidden: file E:\NVIDIA\WinXP\181.22\English\ISSetup.dll
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-11\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-12\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-13\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-20\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-21\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-22\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-23\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-24\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-25\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-26\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-26a\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-27\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-28\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-29\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-06-30\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-01\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-02\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-03\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-04\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-05\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-12\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-13\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-14\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-15\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-16\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-17\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-18\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-20\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-21\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-22\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-23b\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-07-23\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-08-30\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-09-01\Xpadder.exe
Hidden: file E:\Games\xpadder\xpadder_gamepad_profiler\history\v2and3dailies\2006-09-02\Xpadder.exe
Hidden: file E:\Games\Combat Arms\MFC71.dll
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\Application Data\U3\0001797170C3238C\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
Hidden: file E:\Games\Steam\steamapps\common\call of duty 4\PB\pbsvc.exe
Hidden: file E:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file E:\WINDOWS\$NtServicePackUninstall$\dpcdll.dll
Hidden: file E:\WINDOWS\$NtServicePackUninstall$\sprb040d.dll
Hidden: file E:\WINDOWS\$NtServicePackUninstall$\sprb0401.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\msncli.exe
Hidden: file E:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\kprodpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\ipseldpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\isdpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\knperdpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\knprodpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\isendpc.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\sprb040d.dll
Hidden: file E:\WINDOWS\ServicePackFiles\i386\sprb0401.dll
Hidden: file E:\WINDOWS\system32\mui\0401\xpsp2res.dll
Hidden: file E:\WINDOWS\system32\mui\040D\xpsp2res.dll
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Incomplete\GeForce_185.20_beta_WinXP_32bit\GeForce_185.20_beta_WinXP_32bit\ISSetup.dll
Hidden: file E:\System Volume Information\_restore{08CB9091-93C3-4372-AEEA-93AAD9F23623}\RP371\A0058040.dll
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Incomplete\nvidia_178.42_XP\nvidia_178.42_XP\ISSetup.dll
Hidden: file E:\System Volume Information\_restore{08CB9091-93C3-4372-AEEA-93AAD9F23623}\RP373\A0058327.exe
Hidden: file E:\WINDOWS\system32\pbsvc.exe
Hidden: file E:\Games\Call of Duty - World at War\CoDWaW.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Incomplete\avg_free_stf_en_8_176a1400.exe
Hidden: file E:\Documents and Settings\Cpl. Fly Taggart\My Documents\Archive\asc-setup.exe
Hidden: file E:\System Volume Information\_restore{08CB9091-93C3-4372-AEEA-93AAD9F23623}\RP376\A0062904.exe
Hidden: file E:\NVIDIA\WinXP\182.06\English\ISSetup.dll
Hidden: file E:\Program Files\AVG\AVG8\avgcorex.dll
Stopped logging on 9/9/2009 at 17:55:06 PM

Edited by Taggart, 09 September 2009 - 10:24 PM.


#8 quietman7
Posted 10 September 2009 - 07:31 AM

IMPORTANT NOTE: Your scan log results indicate you are using keygens/crack tools.

C:\Documents and Settings\Greg Pistner\My Documents\Archive\Acid Pro 5.0 + Keygen\Keygen.exe

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but is also a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and are an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, click the "browse" button and locate the following file:
E:\Documents and Settings\Cpl. Fly Taggart\Application Data\U3\0001797170C3238C\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe <- this file
Click "Open", then click the "Submit" button.
-- Post back with the results of the file analysis in your next reply.

-- If you cannot find the folder/file, you may have to Reconfigure Windows to show hidden files and folders.

Prevx reports C:\Windows\system32\pbsvc.exe as being suspicious. I note that many of the files in your log appear to be related to gaming sites. Do you recognize that file as being related to one of them?

A word of caution about gaming.

Gaming sites are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Gaming sites can put you at risk to fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Taggart
Posted 10 September 2009 - 07:58 AM

The file you had me scan was a part of my thumb drive's software package.

Jotti's malware scan
Filename: master.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 10 Sep 2009 14:43:09 (CET) Permalink

Additional info
File size: 983829 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 5f640213d31e2a351e432bba18befa14
SHA1: a28bef3ccfae075572d1d129d0b7564d40777a12
Packer (Drweb): ZLIB


The other file I believe is a part of an anti-cheating program known as Punkbuster that is installed with some games from their CDs.

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.


Filename: pbsvc.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Tue 1 Sep 2009 02:25:52 (CET) Permalink

Additional info
File size: 794408 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 72784e42a8085b36fed865d1bec4538c
SHA1: c97993b9746a5009586ae39464f96661d618afd9
Packer (Avast): UPX
Packer (Drweb): UPX
Packer (Kaspersky): PE_Patch.UPX, UPX


The crack file you mentioned I also scanned just to be sure.

Jotti's malware scan
Filename: Keygen.exe
Status:
Scan finished. 1 out of 21 scanners reported malware.
Scan taken on: Thu 10 Sep 2009 14:52:45 (CET) Permalink

Additional info
File size: 188416 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 9c480918790c367f7c98d60e7a7ca773
SHA1: 1b8a8198e4718f43514a5a43cb1b2d563a9983ce
Packer (Avast): ASPack
Packer (Drweb): ASPACK
Packer (Kaspersky): ASPack

[Sophos]
2009-09-10 Mal/KeyGen-A


Is there anything else I should scan using this tool?

#10 quietman7
Posted 10 September 2009 - 08:23 AM

Anytime you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or a file on which you want a second opinion, submit it to one of those online scanners.

Your log was rather long and a lot of those files appear to be game-related, but you may recognize many of the names since you use them. If your anti-virus and anti-malware tools are not detecting them as malware, then I would not be too concerned. My point was to make you aware of the security risks.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
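As an added example (not from this thread, and not code from Jotti or VirusTotal), here is a small Python script a defender can use to back up the advice above: it confirms that the file on disk is the same file the online scanner reported on (by matching the MD5/SHA-1 the scanner prints against the local file), records a SHA-256 alongside them, and summarises a Jotti-style result block like the ones pasted in the replies above into a detection ratio and per-engine names. The `sample.bin` file, its report text and the `[Sophos]` line in it are constructed for the demo; the report layout it parses is assumed from the results quoted in this thread.

```python
"""Added example: verify a locally stored file against an online scanner's
report and summarise the report.  Not code from the thread or the scanners.

Assumed report layout (taken from the results pasted above, not a documented
API): a "Scan finished. N out of M scanners reported malware." line, "MD5:"
and "SHA1:" lines, and optional "[Engine]" blocks followed by a
"YYYY-MM-DD <detection name>" line.
"""
import hashlib
import re
import tempfile
from pathlib import Path


def file_hashes(path):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest()}


def parse_jotti_report(text):
    """Extract detection ratio, hashes and per-engine detections from a
    Jotti-style result block (layout assumed, see module docstring)."""
    m = re.search(r"Scan finished\.\s*(\d+) out of (\d+) scanners reported malware", text)
    if not m:
        raise ValueError("no 'Scan finished' line found in report")
    flagged, total = int(m.group(1)), int(m.group(2))

    hashes = {}
    for algo in ("MD5", "SHA1"):
        hm = re.search(rf"^{algo}:\s*([0-9a-fA-F]+)\s*$", text, re.MULTILINE)
        if hm:
            hashes[algo.lower()] = hm.group(1).lower()

    detections = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        em = re.fullmatch(r"\[([^\]]+)\]", line.strip())
        if not em:
            continue
        # the first non-empty line after "[Engine]" is "<date> <detection name>"
        for nxt in lines[i + 1:]:
            if nxt.strip():
                parts = nxt.split(None, 1)
                detections[em.group(1)] = parts[1] if len(parts) == 2 else parts[0]
                break
    return {"flagged": flagged, "total": total, "hashes": hashes,
            "detections": detections}


def check_submission(path, report_text):
    """Compare the local file with the report's hashes and return a verdict.

    same_file is False when the scanner's hashes do not match the file on
    disk, i.e. the wrong file was uploaded or the file changed since.
    """
    local = file_hashes(path)
    rep = parse_jotti_report(report_text)
    same_file = bool(rep["hashes"]) and all(
        local[k] == v for k, v in rep["hashes"].items())
    return {"same_file": same_file, "flagged": rep["flagged"],
            "total": rep["total"], "detections": rep["detections"],
            "sha256": local["sha256"]}


# Constructed sample report for a 3-byte file containing b"abc"; the hashes
# are the well-known MD5/SHA-1 of "abc" and the detection line is made up.
SAMPLE_REPORT = """\
Jotti's malware scan
Filename: sample.bin
Status:
Scan finished. 1 out of 21 scanners reported malware.

Additional info
File size: 3 bytes
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d

[Sophos]
2009-09-10 Mal/KeyGen-A
"""


def demo():
    """Write the constructed sample file to a temp dir and check it."""
    sample = Path(tempfile.mkdtemp()) / "sample.bin"
    sample.write_bytes(b"abc")
    return check_submission(sample, SAMPLE_REPORT)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If `same_file` comes back False, the report you are reading is not about the file sitting at that path, which is the first thing to rule out before reasoning about a 0-of-21 result; keeping the SHA-256 alongside the MD5/SHA-1 that older scanners print lets you look the file up again later on services that index by the stronger hash.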

#11 Taggart

Posted 10 September 2009 - 08:16 PM

I have not seen any as of yet as I was away most of the day. I will give it a few hours of use and see how it goes. I am going to go through that log tonight also to check some stuff. Thank you for your time and I will keep this updated.

#12 quietman7
Posted 10 September 2009 - 09:42 PM

Not a problem.