Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

____.exe - Bad Image.


  • This topic is locked This topic is locked
11 replies to this topic

#1 lexing

lexing

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 24 September 2009 - 03:06 AM

Just about anything I do, I get a popup that says 'ProgramHere.extensionhere - Bad Image.' Along with, 'The Application or Dll GlobalRoot\SystemRoot\System32\Gasfkyumhdcmct.dll is not a valid windows image. Please check this against your installation diskette.' This even happens when I open a new tab in google chrome. That is, unless another tab I just opened it opened. But anyways, I attached the two logs. Also, if it helps, I first had this thing called Police Pro or something, it was on my computer when I turned it on and it didn't look right so I looked it up and uninstalled it with MalawareBytes. After that, when I rebooted, this all started.

Attached Files

  • Attached File  DDS.txt   17.21KB   3 downloads
  • Attached File  ark.txt   5KB   8 downloads


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 10 October 2009 - 02:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 lexing

lexing
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 11 October 2009 - 03:37 PM

Attached New DDS log.
Edit: Attached them both this time!

Attached Files


Edited by lexing, 12 October 2009 - 12:57 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 12 October 2009 - 01:58 AM

You attached only the attach.txt. Please post also the normal DDS log (the one that starts with a header and running processes) :(

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 17 October 2009 - 09:49 AM

Hello ,
And :( to the Bleeping Computer Malware Removal Forum
, My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 lexing

lexing
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 17 October 2009 - 01:06 PM

Okay!
Thank you for taking the time. No rush. (:

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 18 October 2009 - 10:50 AM

Hello lexing,

Once again, my apologies for the delay. The forums are really swamped with logs, but it was not my intention to keep you waiting after I asked for new logs.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


I notice the presence of Registry Easy v5.6 Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


COMBOFIX
---------------
Please download ComboFix from one of these locations:Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 lexing

lexing
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 19 October 2009 - 03:52 AM

Note: Bad Image windows have ceased, as you can tell from the deletions.

Attached Files



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 19 October 2009 - 07:48 AM

Hello lexing,

Your system is heavily infected, please keep this computer disconnected from the internet, unless otherwise instructed.
Note, you will need internet connection in order to follow the steps below.

It appears you have a file infector on your system. In order to find out what infection we are facing here, we need to upload a few system files. Please follow the steps below.

SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file. Repeat this for all of the below listed files.

c:\windows\regedit.exe
c:\windows\system32\userinit.exe
c:\windows\explorer.exe

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


In your next reply, please include the following:
  • Scan results of the uploaded file

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 lexing

lexing
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 19 October 2009 - 07:53 PM

Scan for regedit.exe

4.5.0.41 2009.10.19 W32.Kakavex!IK
AhnLab-V3 5.0.0.2 2009.10.19 -
AntiVir 7.9.1.35 2009.10.19 W32/Kakavex.H
Antiy-AVL 2.0.3.7 2009.10.19 -
Authentium 5.1.2.4 2009.10.19 -
Avast 4.8.1351.0 2009.10.19 Win32:Expiro
AVG 8.5.0.420 2009.10.19 Win32/Expiro.Q
BitDefender 7.2 2009.10.20 Win32.Expiro.M
CAT-QuickHeal 10.00 2009.10.18 W32.Expiro.Gen
ClamAV 0.94.1 2009.10.19 -
Comodo 2661 2009.10.20 -
DrWeb 5.0.0.12182 2009.10.20 Win32.Expiro.15
eSafe 7.0.17.0 2009.10.19 -
eTrust-Vet 35.1.7075 2009.10.19 Win32/Xspiro!generic
F-Prot 4.5.1.85 2009.10.19 -
F-Secure 9.0.15300.0 2009.10.20 Win32.Expiro.M
Fortinet 3.120.0.0 2009.10.19 -
GData 19 2009.10.20 Win32.Expiro.M
Ikarus T3.1.1.72.0 2009.10.20 W32.Kakavex
Jiangmin 11.0.800 2009.10.19 -
K7AntiVirus 7.10.874 2009.10.19 -
Kaspersky 7.0.0.125 2009.10.20 Virus.Win32.Expiro.p
McAfee 5776 2009.10.19 W32/Expiro
McAfee+Artemis 5776 2009.10.19 W32/Expiro
McAfee-GW-Edition 6.8.5 2009.10.19 Win32.Kakavex.H
Microsoft 1.5101 2009.10.19 Virus:Win32/Expiro.F
NOD32 4524 2009.10.20 Win32/Expiro.L
Norman 6.03.02 2009.10.19 W32/Expiro.G
nProtect 2009.1.8.0 2009.10.19 -
Panda 10.0.2.2 2009.10.19 W32/Expiro.gen
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.20 -
Rising 21.52.04.00 2009.10.19 -
Sophos 4.46.0 2009.10.20 W32/Expiro-G
Sunbelt 3.2.1858.2 2009.10.20 Win32.Expiro.A (v)
Symantec 1.4.4.12 2009.10.20 W32.Kakavex
TheHacker 6.5.0.2.048 2009.10.20 -
TrendMicro 8.950.0.1094 2009.10.19 PE_EXPIRO.AD
VBA32 3.12.10.11 2009.10.19 -
ViRobot 2009.10.19.1993 2009.10.19 -
VirusBuster 4.6.5.0 2009.10.19 -

Additional information
File size: 299520 bytes
MD5   : b6a971fa2509783de241f4d060e7cf38
SHA1  : 84170e414a538fecc1fab1a544c73b2eff219cb8
SHA256: 3033bb7407dc0088b4df4f854c6df5c2b9e411320e85fae392abef7da17a8571
PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0x66000<br> timedatestamp.....: 0x48025214 (Sun Apr 13 20:33:56 2008)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 6 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> .text 0x1000 0x17902 0x17A00 6.37 8d566c1e457741cced3b34f6d18c225d<br>.data 0x19000 0x40DA0 0x400 1.20 def7edb164ce2210badeb06959cdaa48<br>.rsrc 0x5A000 0xB8B0 0xBA00 3.68 55c800dc56999ec2683a54271953b1b7<br>.data 0x66000 0x20000 0x14200 6.71 b639abbf2fed8517878c10a0e42deaf0<br>.text 0x86000 0x28208 0xF50C 6.37 d5ca334446f94d9880a5aec34ba85208<br>.data 0xAF000 0x1E00 0x1E00 7.00 fba675cada0ff9e9ec0cc3e0d57eb561<br> <br> ( 14 imports )<br> <br>&gt; aclui.dll: -<br>&gt; advapi32.dll: RegQueryValueExA, RegOpenKeyExA, InitializeSecurityDescriptor, RegDeleteValueW, InitializeAcl, SetSecurityDescriptorDacl, SetSecurityDescriptorSacl, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetInheritanceSourceW, LookupAccountSidW, GetSidSubAuthorityCount, GetSidSubAuthority, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, GetSecurityDescriptorGroup, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, SetSecurityInfo, SetNamedSecurityInfoW, GetNamedSecurityInfoW, MapGenericMask, RegSetValueExA, RegSetValueW, RegFlushKey, RegSaveKeyW, RegRestoreKeyW, RegConnectRegistryW, RegQueryValueExW, RegCloseKey, RegOpenKeyW, RegSetValueExW, RegCreateKeyW, RegEnumValueW, RegEnumKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegUnLoadKeyW, RegLoadKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegDeleteKeyW<br>&gt; authz.dll: AuthzInitializeContextFromSid, AuthzAccessCheck, AuthzFreeContext, AuthzFreeResourceManager, AuthzInitializeResourceManager<br>&gt; clb.dll: ClbAddData, ClbSetColumnWidths<br>&gt; comctl32.dll: -, -, -, -, InitCommonControlsEx, -, -, ImageList_SetBkColor, ImageList_Create, ImageList_Destroy, -, -, ImageList_ReplaceIcon, -, -, -, -, CreateStatusWindowW<br>&gt; comdlg32.dll: GetOpenFileNameW, GetSaveFileNameW, PrintDlgExW<br>&gt; gdi32.dll: GetStockObject, SetAbortProc, StartDocW, StartPage, SetViewportOrgEx, EndPage, EndDoc, AbortDoc, DeleteDC, CreateBitmap, CreatePatternBrush, PatBlt, ExcludeClipRect, SelectClipRgn, DeleteObject, SetBkColor, SetTextColor, ExtTextOutW, GetDeviceCaps, CreateFontIndirectW, SelectObject, GetTextMetricsW<br>&gt; kernel32.dll: ReadFile, DeleteFileW, WriteFile, WideCharToMultiByte, CreateFileW, OutputDebugStringW, GetLastError, SetFilePointer, GetFileSize, SearchPathW, GetTimeFormatW, GetDateFormatW, GetSystemDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, FreeLibrary, LoadLibraryW, MulDiv, lstrcpynW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, MultiByteToWideChar, lstrcmpW, FormatMessageW, GetThreadLocale, GetModuleHandleW, ExitProcess, GetCommandLineW, GetProcessHeap, lstrcatW, LocalAlloc, GetCurrentProcess, CloseHandle, LocalFree, GetComputerNameW, lstrcmpiW, lstrlenW, lstrcpyW, LocalReAlloc, GlobalAlloc, GlobalLock, GlobalUnlock, GetProcAddress, LoadLibraryA<br>&gt; msvcrt.dll: __p__commode, _adjust_fdiv, __p__fmode, _initterm, __getmainargs, _acmdln, __set_app_type, _except_handler3, __setusermatherr, _controlfp, exit, _XcptFilter, _exit, _c_exit, swprintf, iswprint, wcsncpy, wcslen, wcscat, wcscpy, _purecall, iswctype, wcscmp, wcschr, wcsncmp, wcsrchr, _cexit, memmove<br>&gt; ntdll.dll: RtlFreeHeap, RtlAllocateHeap<br>&gt; ole32.dll: CoCreateInstance, CoUninitialize, CoInitializeEx, ReleaseStgMedium<br>&gt; shell32.dll: ShellAboutW, DragQueryFileW, DragFinish<br>&gt; ulib.dll: _Resize@DSTRING@@UAEEK@Z, _Initialize@ARRAY@@QAEEKK@Z, _NewBuf@DSTRING@@UAEEK@Z, __1DSTRING@@UAE@XZ, __1OBJECT@@UAE@XZ, __0OBJECT@@IAE@XZ, _Compare@OBJECT@@UBEJPBV1@@Z, __0DSTRING@@QAE@XZ, _Initialize@WSTRING@@QAEEPBV1@KK@Z, _Strcat@WSTRING@@QAEEPBV1@@Z, __0ARRAY@@QAE@XZ, _Initialize@WSTRING@@QAEEPBGK@Z<br>&gt; user32.dll: SendDlgItemMessageW, SetDlgItemTextW, SetWindowLongW, DefWindowProcW, ReleaseDC, GetDC, SetScrollInfo, wsprintfW, DestroyCaret, ReleaseCapture, KillTimer, SetCaretPos, ScrollWindowEx, ShowCaret, HideCaret, InvalidateRect, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetClipboardData, WinHelpW, EndDialog, GetWindowLongW, EndPaint, BeginPaint, CreateCaret, SetTimer, SetCapture, SetFocus, CharLowerW, GetDlgItem, DestroyMenu, TrackPopupMenuEx, IsClipboardFormatAvailable, EnableMenuItem, GetSubMenu, LoadMenuW, GetKeyState, RegisterClassW, LoadCursorW, RegisterClipboardFormatW, CheckRadioButton, SendMessageW, GetWindowTextW, GetParent, GetDlgItemTextW, IsDlgButtonChecked, GetDlgCtrlID, CallWindowProcW, GetWindowTextLengthW, GetDlgItemInt, PostQuitMessage, GetWindowPlacement, SetWindowTextW, EnableWindow, GetWindowRect, DrawMenuBar, InsertMenuItemW, DeleteMenu, SetMenuItemInfoW, GetMenu, GetMenuItemInfoW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, IsIconic, DestroyIcon, LoadImageW, GetSysColor, SetCursor, ShowCursor, ShowWindow, SetWindowPlacement, CreateWindowExW, GetProcessDefaultLayout, GetMessageW, ScreenToClient, SetCursorPos, DispatchMessageW, ClientToScreen, GetDesktopWindow, LoadIconW, PostMessageW, SetMenuDefaultItem, InsertMenuW, GetMenuItemID, CheckMenuItem, UpdateWindow, RegisterClassExW, CharNextW, GetClientRect, DestroyWindow, CreateDialogParamW, CheckDlgButton, DrawAnimatedRects, IntersectRect, ModifyMenuW, GetMessagePos, TranslateMessage, TranslateAcceleratorW, LoadAcceleratorsW, SetForegroundWindow, GetLastActivePopup, BringWindowToTop, FindWindowW, LoadStringW, GetWindow, IsDialogMessageW, PeekMessageW, MessageBoxW, CharUpperBuffW, CharUpperW, IsCharAlphaNumericW, GetSystemMetrics, MoveWindow, MapWindowPoints, DialogBoxParamW, SetWindowPos, MessageBeep<br> <br> ( 0 exports )<br>
TrID&nbsp;&nbsp;: File type identification<br>Windows Screen Saver (39.4%)<br>Win32 Executable Generic (25.6%)<br>Win32 Dynamic Link Library (generic) (22.8%)<br>Generic Win/DOS Executable (6.0%)<br>DOS Executable Generic (6.0%)
ssdeep: 6144:XtkqxrqLckP+xn0YOBI+AG0TG0zkHrBdfmipP/ynck0HB6FTz:XDrVkP+xnXOBI+AM04LBtpP/YWo3
PEiD&nbsp;&nbsp;: -
RDS&nbsp;&nbsp;&nbsp;: NSRL Reference Data Set<br>-

scan for userinit.exe

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.19 W32.Kakavex!IK
AhnLab-V3 5.0.0.2 2009.10.19 -
AntiVir 7.9.1.35 2009.10.19 W32/Kakavex.H
Antiy-AVL 2.0.3.7 2009.10.19 -
Authentium 5.1.2.4 2009.10.19 -
Avast 4.8.1351.0 2009.10.19 Win32:Expiro
AVG 8.5.0.420 2009.10.19 Win32/Expiro.Q
BitDefender 7.2 2009.10.20 Win32.Expiro.M
CAT-QuickHeal 10.00 2009.10.18 W32.Expiro.Gen
ClamAV 0.94.1 2009.10.19 -
Comodo 2661 2009.10.20 -
DrWeb 5.0.0.12182 2009.10.20 Win32.Expiro.15
eSafe 7.0.17.0 2009.10.19 -
eTrust-Vet 35.1.7075 2009.10.19 Win32/Xspiro!generic
F-Prot 4.5.1.85 2009.10.19 -
F-Secure 9.0.15300.0 2009.10.20 Win32.Expiro.M
Fortinet 3.120.0.0 2009.10.19 -
GData 19 2009.10.20 Win32.Expiro.M
Ikarus T3.1.1.72.0 2009.10.20 W32.Kakavex
Jiangmin 11.0.800 2009.10.19 -
K7AntiVirus 7.10.874 2009.10.19 -
Kaspersky 7.0.0.125 2009.10.20 Virus.Win32.Expiro.p
McAfee 5776 2009.10.19 W32/Expiro
McAfee+Artemis 5776 2009.10.19 W32/Expiro
McAfee-GW-Edition 6.8.5 2009.10.19 Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft 1.5101 2009.10.19 Virus:Win32/Expiro.F
NOD32 4524 2009.10.20 Win32/Expiro.L
Norman 6.03.02 2009.10.19 W32/Expiro.G
nProtect 2009.1.8.0 2009.10.19 -
Panda 10.0.2.2 2009.10.19 W32/Expiro.gen
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.20 -
Rising 21.52.04.00 2009.10.19 -
Sophos 4.46.0 2009.10.20 W32/Expiro-G
Sunbelt 3.2.1858.2 2009.10.20 Win32.Expiro.A (v)
Symantec 1.4.4.12 2009.10.20 W32.Kakavex
TheHacker 6.5.0.2.048 2009.10.20 -
TrendMicro 8.950.0.1094 2009.10.19 PE_EXPIRO.AD
VBA32 3.12.10.11 2009.10.19 -
ViRobot 2009.10.19.1993 2009.10.19 -
VirusBuster 4.6.5.0 2009.10.19 -

Additional information
File size: 179200 bytes
MD5...: 32fac08618ec670658550c2c28fee60f
SHA1..: e881dd58c9208736caa86637591716cbb7bcf8b9
SHA256: b4872bba0088cb3d503134659bba5e0ac9818f519f72869820efffba6ea19192
ssdeep: 3072:TJbDMOmFCLG9qkIbsGxtStvG/glNISTHU9yfLPWZCmVT1/VHeKBGNVT2oxw<br>tOU64:TJbFmAGn7GSt+/glNPHuVFV+KBGNfxql<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x9000<br>timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 6 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1<br>.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf<br>.rsrc 0x8000 0xb50 0xc00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc<br>.data 0x9000 0x20000 0x14200 6.70 e417a176bd9edab8cef75303f0c39a86<br>.text 0x29000 0x28208 0xf50c 6.33 522802977d551138793b3167a38a99c1<br>.data 0x52000 0x1e00 0x1e00 6.99 f5322a9ef4deaa918bfe1021185cfe13<br><br>( 9 imports ) <br>&gt; USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW<br>&gt; ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA<br>&gt; CRYPT32.dll: CryptProtectData<br>&gt; WINSPOOL.DRV: SpoolerInit<br>&gt; ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken<br>&gt; NETAPI32.dll: DsGetDcNameW, NetApiBufferFree<br>&gt; WLDAP32.dll: -, -, -, -, -, -<br>&gt; msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit<br>&gt; KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: © Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: Userinit Logon Application<br>original name: USERINIT.EXE<br>internal name: userinit<br>file version.: 5.1.2600.5512 (xpsp.080413-2113)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

scan for explorer.exe

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.19 W32.Kakavex!IK
AhnLab-V3 5.0.0.2 2009.10.19 -
AntiVir 7.9.1.35 2009.10.19 W32/Kakavex.H
Antiy-AVL 2.0.3.7 2009.10.19 -
Authentium 5.1.2.4 2009.10.19 -
Avast 4.8.1351.0 2009.10.19 Win32:Expiro
AVG 8.5.0.420 2009.10.19 Win32/Expiro.Q
BitDefender 7.2 2009.10.20 Win32.Expiro.M
CAT-QuickHeal 10.00 2009.10.18 W32.Expiro.Gen
ClamAV 0.94.1 2009.10.19 -
Comodo 2661 2009.10.20 -
DrWeb 5.0.0.12182 2009.10.20 Win32.Expiro.15
eSafe 7.0.17.0 2009.10.19 -
eTrust-Vet 35.1.7075 2009.10.19 Win32/Xspiro!generic
F-Prot 4.5.1.85 2009.10.19 -
F-Secure 9.0.15300.0 2009.10.20 Win32.Expiro.M
Fortinet 3.120.0.0 2009.10.19 -
GData 19 2009.10.20 Win32.Expiro.M
Ikarus T3.1.1.72.0 2009.10.20 W32.Kakavex
Jiangmin 11.0.800 2009.10.19 -
K7AntiVirus 7.10.874 2009.10.19 -
Kaspersky 7.0.0.125 2009.10.20 Virus.Win32.Expiro.p
McAfee 5776 2009.10.19 W32/Expiro
McAfee+Artemis 5776 2009.10.19 W32/Expiro
McAfee-GW-Edition 6.8.5 2009.10.19 Win32.Kakavex.H
Microsoft 1.5101 2009.10.19 Virus:Win32/Expiro.F
NOD32 4524 2009.10.20 Win32/Expiro.L
Norman 6.03.02 2009.10.19 W32/Expiro.G
nProtect 2009.1.8.0 2009.10.19 -
Panda 10.0.2.2 2009.10.19 W32/Expiro.gen
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.20 -
Rising 21.52.04.00 2009.10.19 -
Sophos 4.46.0 2009.10.20 W32/Expiro-G
Sunbelt 3.2.1858.2 2009.10.20 Win32.Expiro.A (v)
Symantec 1.4.4.12 2009.10.20 W32.Kakavex
TheHacker 6.5.0.2.048 2009.10.20 -
TrendMicro 8.950.0.1094 2009.10.19 PE_EXPIRO.AD
VBA32 3.12.10.11 2009.10.19 -
ViRobot 2009.10.19.1993 2009.10.19 -
VirusBuster 4.6.5.0 2009.10.19 -

Additional information
File size: 1186816 bytes
MD5...: e42a50b6cf4fe05e1b153a5918815166
SHA1..: 6439566e3d3a1eb31da517a1c034e7b658a60589
SHA256: 2f960a855cb9a9e7ff7c325a10c759c99f23f07c32637e2cd90fb614c9ecb349
ssdeep: 24576:mmfty/wAvN7lrvbkf8w0VnH1/g/J/koCpHA:mmpcN7Bbkf8THvBq<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0xff000<br>timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 7 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809<br>.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359<br>.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889<br>.reloc 0xfb000 0x374c 0x3800 6.78 ec335057489badbf6d8142b57175fd91<br>.data 0xff000 0x20000 0x14200 6.71 17aad27da3219ab54d989c9791aa3851<br>.text 0x11f000 0x28208 0xf50c 6.37 c10347114d519a0c94990356f282866e<br>.data 0x148000 0x1e00 0x1e00 7.00 52524c078e5e7b8f977a37de413e70e5<br><br>( 13 imports ) <br>&gt; ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW<br>&gt; BROWSEUI.dll: -, -, -, -<br>&gt; GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode<br>&gt; KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject<br>&gt; msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf<br>&gt; ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess<br>&gt; ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop<br>&gt; OLEAUT32.dll: -, -<br>&gt; SHDOCVW.dll: -, -, -<br>&gt; SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -<br>&gt; SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -<br>&gt; USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW<br>&gt; UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: © Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: Windows Explorer<br>original name: EXPLORER.EXE<br>internal name: explorer<br>file version.: 6.00.2900.5512 (xpsp.080413-2105)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 20 October 2009 - 11:13 AM

Hi lexing,

I'm afraid I have very bad news. Your system is infected with a nasty variant of Win32.Sality. Please see Microsoft's Threat Research awareness of Win32.Sality.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach.

Your log shows numerous Windows System Files were infected. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer’s BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:15 PM

Posted 23 October 2009 - 02:18 AM

Due to lack of feedback this topic is now closed.

If you are the original topic starter and you need this topic re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users