
recalcitrant issue with malware (H8SRT...)


  • This topic is locked
15 replies to this topic

#1 fermomi

fermomi

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:12:06 AM

Posted 11 December 2009 - 05:16 PM

Good evening

I've been asked to move to this section from :

Here

I used different malware removal tools, but it looks like one is still hidden.

--------------------------------here you have a copy of HJT log--------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:02, on 11/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Fichiers communs\Evidian\WGSS\WGSS.exe
C:\WINDOWS\system32\FQS70SVR.EXE
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Fichiers communs\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Fichiers communs\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\divers\bginfo.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\WINDOWS\system32\FQS70SVR.EXE
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
D:\HJT\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iww.alstom.com/altair
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://iww.alstom.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Alstom
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: SSOWatch Notification Class - {F3DCA10E-35FF-11D4-8744-00105A658389} - C:\Program Files\Evidian\WG SSOWatch\ie_notifier.dll
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [eTMonitor] C:\Program Files\Fichiers communs\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WiSEversionInfoCopy] C:\Program Files\Juniper Networks\copyVersionInfo.vbs
O4 - HKLM\..\Run: [BgIngo] "%windir%\divers\bginfo.exe" "%windir%\web\wallpaper\bginfo.bgi" /Timer:0 /SILENT /TASKBAR
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Juniper Networks\Odyssey Access Client\OdTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SSOWatch] "C:\Program Files\Evidian\WG SSOWatch\ssoengine.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FQS70Mgr] C:\WINDOWS\system32\FQS70SVR.EXE -uimanage
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" -r "D:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O15 - Trusted Zone: http://iww.alstom.com
O15 - Trusted Zone: http://www.alstom.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dom2.ad.sys
O17 - HKLM\Software\..\Telephony: DomainName = dom2.ad.sys
O17 - HKLM\System\CCS\Services\Tcpip\..\{108B37BB-8D87-4E26-9541-376401497A18}: Domain = dom2.ad.sys
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5D89090-665E-4C0C-A4AA-B697E163A8F9}: Domain = dom2.ad.sys
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dom2.ad.sys
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ad.sys,dom2.ad.sys,notes.alstom.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{108B37BB-8D87-4E26-9541-376401497A18}: Domain = dom2.ad.sys
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dom2.ad.sys
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ad.sys,dom2.ad.sys,notes.alstom.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{108B37BB-8D87-4E26-9541-376401497A18}: Domain = dom2.ad.sys
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = dom2.ad.sys
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ad.sys,dom2.ad.sys,notes.alstom.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{108B37BB-8D87-4E26-9541-376401497A18}: Domain = dom2.ad.sys
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ad.sys,dom2.ad.sys,notes.alstom.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Fichiers communs\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Juniper TNC Endpoint Assessment (EacService) - Juniper Networks - C:\Program Files\Fichiers communs\Juniper Networks\TNC Client\jTnccService.exe
O23 - Service: WiseGuard Security Services (EnatelWGSS) - Evidian - C:\Program Files\Fichiers communs\Evidian\WGSS\WGSS.exe
O23 - Service: FUJIFILM FINEPIX QS-70 Status Manager (FQS70Mgr) - FUJIFILM Corporation - C:\WINDOWS\system32\FQS70SVR.EXE
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Juniper Unified Network Service (JuniperAccessService) - Juniper Networks - C:\Program Files\Fichiers communs\Juniper Networks\JUNS\dsAccessService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Ouverture de session unique de Lotus Notes (Lotus Notes Single Logon) - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Juniper OAC Service (odClientService) - Juniper Networks, Inc. - C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - $System Drive$\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12456 bytes
--------------------------------------------------

looks a bit long, hope that helps

rgds

fmm
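As an added example (not from this thread, and not code from HijackThis or its author), here is a small Python parser for the HijackThis log format posted above, with a few defender-side triage rules of the kind a helper applies when reading such a log: O4 startup entries that name a bare filename with no directory (like the PMX Daemon entry), O23 services whose file is missing or whose owner is unknown, and O6 Internet Explorer policy restrictions reported as present. The sample log embedded in the script is constructed to mimic the format (a handful of lines modelled on the post, not the full log), and the rule set is an assumption of this example, not a HijackThis feature.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in HijackThis v2 log format: a few lines modelled on the
# log posted in the thread, not the full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ICO.EXE
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\ACService.exe (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Every coded entry is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 body: <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23 body: Service: <display> (<short>) - <owner> - <path>
O23_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.*)$"
)


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (code, body)


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into its running-process list and coded entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log


def command_image(command: str) -> str:
    """Return the executable part of an O4 command (quoted path, or the whole text)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command


def triage(log: HjtLog) -> List[str]:
    """Apply simple triage rules to the parsed entries and return findings.

    An empty result means nothing tripped these rules, not that the host is clean.
    """
    findings = []
    for code, body in log.entries:
        if code == "O4":
            m = O4_RE.match(body)
            # A bare filename (no directory) is resolved through the search path.
            if m and not ntpath.dirname(command_image(m.group("command"))):
                findings.append(
                    f"O4 [{m.group('name')}] starts '{m.group('command')}' with no "
                    "directory; confirm which file actually runs."
                )
        elif code == "O6" and body.endswith(" present"):
            findings.append(f"O6 {body}: IE policy restrictions are set; check who set them.")
        elif code == "O23":
            if "(file missing)" in body:
                findings.append(f"O23 {body}: service points at a missing file.")
            m = O23_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append(f"O23 ({m.group('short')}) has no publisher; verify the binary.")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(parsed.processes)} processes, {len(parsed.entries)} entries")
    for finding in triage(parsed):
        print("-", finding)
```

Run it against a saved HijackThis log by reading the file into `parse_hjt_log` instead of `SAMPLE_LOG`; the findings are prompts for a closer look, not verdicts, since legitimate software (the PMX Daemon entry here, for instance) also trips them.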


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:06 PM

Posted 12 December 2009 - 10:30 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:12:06 AM

Posted 12 December 2009 - 06:24 PM

Good evening Sam,

My name is Miguel and I thank you for your answer.

This afternoon, I worked with the infected PC and the issue I had yesterday evening didn't come back. I then ran RootRepeal in order to know whether the "virus" was still there ... it was.

I tried to go to the directories given by RR, but even asking for hidden files, I have been unable to see the files (sys, dll, ...) given by RR.

I then connected my computer on internet and ... I am here ....


I don't know what wakes up the "virus", but to start it looks like the internet needs to be active, and when it is running, from time to time it opens an "icon", a flashy green rectangle in the system tray (bottom right of the screen), with a warning: "please close the session and reopen it typing your logon and password" or something similar. If it comes back, I shall take note word-by-word of the exact text of the warning.

--------------

I downloaded ComboFix on the desktop

I stopped the antivirus McAfee

I started ComboFix, but after some seconds I had 2 beeps telling me that the protections were not removed and it was dangerous to continue. I then clicked to close the window and tried to stop ComboFix, but another window appeared telling me that ComboFix was going to continue at my own risk ....

I stopped the process, and I prefer to ask you what I have to do. Do I run ComboFix anyway? I already had a BSOD two days ago. If I run ComboFix, is it going to check my computer and create a report only, or is it going to try to repair now?

Many Thanks for your support

Regards

FMM

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:06 PM

Posted 13 December 2009 - 10:53 AM

I'm not sure if you have the McAfee Security Center or just the antivirus, so here are instructions for disabling both.

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • Right-click it -> choose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.
  • Click Advanced Menu (bottom mid-left).
  • Click Configure (left).
  • Click Computer & Files (top left).
  • VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
  • Do the same via Internet & Network for Firewall Plus

Once you are certain that McAfee is disabled you can proceed with Combofix. Disregard any warnings and let it run.
Combofix will attempt to remove the rootkit infection that shows up in your RootRepeal log as well as any other infections that it's designed to remove.

Edited by Buckeye_Sam, 13 December 2009 - 10:54 AM.


#5 fermomi

fermomi
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:12:06 AM

Posted 14 December 2009 - 04:53 AM

Good Morning Sam,

I had some issues when I tried to send you the CF report. I am now trying again.


--------CF report--------
ComboFix 09-12-11.05 - mfernand 14/12/2009 10:02:31.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.2038.1623 [GMT 1:00]
Lancé depuis: d:\documents and settings\mfernand\Bureau\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Un antivirus résident est actif

.
Les fichiers ci-dessous ont été désactivés pendant l'exécution:
c:\program files\SuperCopier2\SC2Hook.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1220945662-1682526488-725345543-500
c:\windows\system32\clrviddc.dll
c:\windows\system32\drivers\H8SRTyqvpkbabwr.sys
c:\windows\system32\H8SRTqrmpjoyqmq.dll
c:\windows\system32\H8SRTtexrrxewnp.dll
c:\windows\system32\H8SRTunbiuwqjom.dat
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((((((( Fichiers créés du 2009-11-14 au 2009-12-14 ))))))))))))))))))))))))))))))))))))
.

2009-12-14 08:53 . 2009-12-14 08:53 -------- d-----w- d:\documents and settings\NetworkService\Application Data\Juniper Networks
2009-12-12 16:35 . 2009-12-12 16:35 -------- d-----w- c:\program files\Jetico
2009-12-10 08:09 . 2009-12-10 08:09 54016 ----a-w- c:\windows\system32\drivers\ihhwfs.sys
2009-12-09 16:19 . 2009-12-09 16:19 133825 ----a-w- c:\windows\system32\compreg.dat
2009-12-09 16:19 . 2009-12-09 16:19 -------- d-----w- c:\windows\system32\extensions
2009-12-09 16:19 . 2009-12-09 16:19 99284 ----a-w- c:\windows\system32\xpti.dat
2009-12-09 16:19 . 2009-12-09 16:19 -------- d-----w- d:\documents and settings\Default User\Local Settings\Application Data\OpenTrust
2009-12-09 16:18 . 2009-12-09 16:18 -------- d-----w- c:\program files\OpenTrust
2009-12-09 16:17 . 2009-12-09 16:17 -------- d-----w- c:\program files\OpenTrust SCM Installation KIT
2009-12-09 15:39 . 2009-12-09 15:40 -------- d-----w- c:\program files\ALSTOM
2009-12-09 15:30 . 2009-12-09 15:30 -------- d-----w- d:\documents and settings\mfernand\Application Data\Malwarebytes
2009-12-09 15:30 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 15:30 . 2009-12-09 15:30 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 15:30 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 15:30 . 2009-12-09 15:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 11:57 . 2009-12-09 11:57 -------- d-----w- d:\documents and settings\mfernand\Mes documents
2009-12-09 11:57 . 2009-12-09 11:57 -------- d-----w- d:\documents and settings\\mfernand\Mes documents
2009-12-08 08:03 . 2009-12-08 07:50 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-08 07:50 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-08 07:50 . 2009-12-08 07:50 862040 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-08 07:50 . 2009-12-08 07:50 206944 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-08 07:50 . 2009-12-08 07:50 15880 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-08 07:50 . 2009-12-08 07:50 390288 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-08 07:50 . 2009-12-08 07:50 537576 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-08 07:50 . 2009-12-08 07:50 370744 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-08 07:50 . 2009-12-08 07:50 194104 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-08 07:50 . 2009-12-08 07:50 163728 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-08 07:50 . 2009-12-08 07:50 5908024 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-08 07:50 . 2009-12-08 07:50 87496 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-08 07:50 . 2009-12-08 07:50 327000 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-08 07:49 . 2009-12-08 07:49 933120 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-08 07:49 . 2009-12-08 07:49 641632 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-08 07:49 . 2009-12-08 07:49 816272 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-08 07:49 . 2009-12-08 07:49 822904 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-08 07:49 . 2009-12-08 07:49 1638640 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-08 07:49 . 2009-12-08 07:49 788880 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-08 07:49 . 2009-12-08 07:49 1184912 ----a-w- d:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-08 07:47 . 2009-12-08 07:47 -------- dc-h--w- d:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-08 07:47 . 2009-10-03 08:15 2924848 -c--a-w- d:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-08 07:46 . 2009-12-08 07:46 -------- d-----w- c:\program files\Lavasoft
2009-12-07 22:40 . 2009-12-07 22:40 -------- d-----w- d:\documents and settings\LocalService\Bureau
2009-12-07 22:40 . 2009-12-07 22:40 -------- d-----w- d:\documents and settings\\LocalService\Bureau
2009-12-07 22:30 . 2009-12-08 07:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Lavasoft
2009-12-07 07:16 . 2009-12-07 07:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 07:16 . 2009-12-07 07:19 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-06 19:55 . 2009-12-06 19:59 -------- d-----w- C:\disque_1bis_a-graver
2009-11-21 18:48 . 2009-11-21 18:48 -------- d-----w- d:\documents and settings\mfernand\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 08:55 . 2008-07-18 08:03 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2009-12-14 08:52 . 2008-08-12 11:02 -------- d-----w- c:\program files\SuperCopier2
2009-12-12 16:32 . 2009-01-14 19:55 -------- d-----w- d:\documents and settings\mfernand\Application Data\Skype
2009-12-12 16:11 . 2009-01-14 22:17 -------- d-----w- d:\documents and settings\mfernand\Application Data\skypePM
2009-12-09 16:17 . 2008-07-18 09:27 -------- d-----w- d:\documents and settings\LocalService\Application Data\idxscm
2009-12-09 16:17 . 2008-07-18 09:27 -------- d-----w- c:\program files\IDX-SCM
2009-12-08 15:21 . 2009-09-22 20:45 -------- d-----w- c:\program files\Fichiers communs\ArcSoft
2009-12-05 22:33 . 2009-06-09 20:20 -------- d-----w- c:\program files\Tracé de CI
2009-12-05 21:12 . 2009-08-05 20:54 -------- d-----w- d:\documents and settings\mfernand\Application Data\BitTorrent
2009-11-11 20:03 . 2008-07-04 11:10 41 ----a-w- C:\AClient.dat
2009-11-07 11:03 . 2009-11-07 11:03 -------- d-----w- c:\program files\YouTube Downloader
2009-10-25 19:58 . 2008-06-25 16:00 68936 ----a-w- c:\windows\system32\perfc00C.dat
2009-10-25 19:58 . 2008-06-25 16:00 452368 ----a-w- c:\windows\system32\perfh00C.dat
2009-10-24 10:31 . 2008-07-04 11:39 -------- d--h--w- c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2009-12-14 184320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 36975]
"eTMonitor"="c:\program files\Fichiers communs\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe" [2008-08-05 221184]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-03-14 136512]
"WiSEversionInfoCopy"="c:\program files\Juniper Networks\copyVersionInfo.vbs" [2007-05-23 2097]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-10-30 153416]
"OdTray.exe"="c:\program files\Juniper Networks\Odyssey Access Client\OdTray.exe" [2006-12-15 1028160]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"SSOWatch"="c:\program files\Evidian\WG SSOWatch\ssoengine.exe" [2008-01-11 200704]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-03-02 144384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"FQS70Mgr"="c:\windows\system32\FQS70SVR.EXE" [2007-08-07 73728]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]

d:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
Lancement rapide d'Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"= 300 (0x12c)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HomePage"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"RecycleBinSize"= 5 (0x5)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HomePage"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2008-08-12 09:54 122949 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/12/2009 08:50 64288]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [23/01/2006 14:19 254208]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [29/05/2007 17:55 9216]
R2 EnatelWGSS;WiseGuard Security Services;c:\program files\Fichiers communs\Evidian\WGSS\WGSS.exe [11/01/2008 11:59 22016]
R2 FQS70Mgr;FUJIFILM FINEPIX QS-70 Status Manager;c:\windows\system32\FQS70SVR.EXE [08/12/2008 21:27 73728]
R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Fichiers communs\Juniper Networks\JUNS\dsAccessService.exe [11/12/2006 18:12 87664]
R3 eTSCFLT;eToken SmartCard Upper Class Filter Driver;c:\windows\system32\drivers\eTSCFLT.sys [18/07/2008 10:27 12456]
R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [14/11/2006 17:49 398720]
S3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [20/02/2009 23:33 16896]
S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\Fichiers communs\Juniper Networks\TNC Client\jTnccService.exe [15/12/2006 21:42 81992]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 12:17 1184912]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;$System Drive$\oracle\ora81\BIN\ONRSD.EXE --> $System Drive$\oracle\ora81\BIN\ONRSD.EXE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\FRRaccourciNM3]
2008-03-19 09:37 582 ----a-w- c:\program files\NetMeeting\RaccourciNM3.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Lotus Notes Icones FR 32]
2008-02-12 12:14 694 ----a-w- c:\program files\Lotus\Notes\Copicones.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3A22897C-6519-47F7-A7D0-637033DE6053}]
2005-05-04 12:45 78848 ----a-w- c:\windows\system32\msiexec.exe
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://iww.alstom.com/altair
mStart Page = hxxp://iww.alstom.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: alstom.com\iww
Trusted Zone: alstom.com\www
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-BgInfo - (no file)
HKLM-Run-BgIngo - c:\windows\divers\bginfo.exe %windir%\web\wallpaper\bginfo.bgi
ActiveSetup-Winzip - Msiexec
ActiveSetup-{9F38A2EB-A089-48E5-9608-A5AF2E8A8267} - msiexec
ActiveSetup-{AC76BA86-7AD7-1036-7B44-A70900000002} - msiexec
ActiveSetup-{D3973444-9417-46D1-A555-6CF9B8062839} - msiexec



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-14 10:11
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\system32\odyEvent.dll
c:\windows\system32\msi.dll
.
Heure de fin: 2009-12-14 10:12:53
ComboFix-quarantined-files.txt 2009-12-14 09:12

Avant-CF: 3 557 195 776 octets libres
Après-CF: 3 516 735 488 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

- - End Of File - - 9E088A36DC566FBDFCFD98A111CA5055


--------------------

In a few seconds, I will also post what happened during the CF analysis

Best Regards

Miguel

#6 fermomi

Posted 14 December 2009 - 05:04 AM

Good Morning Sam,

I come back again. Message in two parts due to an issue when uploading long info into the forum



When CF started, the following program tried to connect

C:\Program Files\SuperCopier2\SC2Hook.dll


Rootkits detected:

4 files H8SRT ... .sys .dll .dat .dll

the same as the ones detected earlier


Windows restarted but the first time it asked me for my password - the account was blocked by the administrator


The second time with the same pw the machine restarted

CF restarted .....

going through a lot of stages 1, 2 , ....50


files suppressed

directories suppressed


end of work


Here you have the complete story

If you need more, do not hesitate, I wrote down many details taken when CF was working


Best regards

Miguel

#7 Buckeye_Sam

Malware Expert

Posted 14 December 2009 - 08:09 AM

Well done! :(


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 fermomi

Posted 16 December 2009 - 02:35 AM

Good Morning Sam (at least in London)

Sorry for yesterday evening, I didn't have the opportunity to connect my computer to the net ... family reasons.

Yesterday morning, I ran CF. It lasted more than 1h. CF found 4 threats almost equivalent to what the other software found, i.e. H8SRT...

After running CF, I got a first log, .... then it asked for removal ....then a second log ..... then restarted my computer .... looks OK.

If you don't mind I am going to launch MBAM and RootRepeal again, just to see what happens.

To know whether my computer is OK, I need to put it on the net for 1 or 2 hours, because the green icon appearing in the system tray - bottom right of the screen - is a bit long to come and needs some conditions like being connected to the internet .... difficult to say the exact conditions

I await your approval for running MBAM and RR, or even something else, I don't know.


I attach the log I obtained yesterday morning

---------------------------------log after repair---------------------
Malwarebytes' Anti-Malware 1.42
Database version: 3359
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

15/12/2009 09:28:07
mbam-log-2009-12-15 (09-28-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192893
Time elapsed: 1 hour(s), 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTtexrrxewnp.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTyqvpkbabwr.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD6E26CF-F91A-4066-B4F6-C7A42D3C4A92}\RP0\A0000001.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD6E26CF-F91A-4066-B4F6-C7A42D3C4A92}\RP0\A0000002.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
---------------------------------------------------

Thank you

Miguel

#9 Buckeye_Sam

Malware Expert

Posted 16 December 2009 - 10:12 AM

It's looking good to me. Go ahead and put it through some normal routine and let me know how it behaves.

#10 fermomi

Posted 17 December 2009 - 12:54 PM

Good Afternoon Sam,

It looks like it works well. No more pop-ups; the only remaining thing (but perhaps it is normal) is that as soon as I connect to the internet, I have a green rectangle in the system tray (bottom right of the screen) and attached to this new icon there is a warning bubble (like in cartoons) asking me to log off and restart my computer with my login, ...

"Windows needs your present identification information
log off this computer then log in with the last password. Then press CTRL+ALT+SUPR and press ENTER"

Is that a normal process in Windows?

I ran RootRepeal and MBAM with no detection.

----------------RR log-----------------
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/17 09:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: mc2A9.tmp
Image Path: D:\DOCUME~1\mfernand\LOCALS~1\Temp\mc2A9.tmp
Address: 0xBA6D1000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7A33000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba118bfe

==EOF==
----------------MBAM log--------------
Malwarebytes' Anti-Malware 1.42
Database version: 3359
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

17/12/2009 11:11:57
mbam-log-2009-12-17 (11-11-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 193041
Time elapsed: 1 hour(s), 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



----------------------------------------------------

Best Regards
my mail is m DOT fm AT wanadoo dot fr
do you have a postal address

Regards

Miguel

#11 Buckeye_Sam

Malware Expert

Posted 17 December 2009 - 07:43 PM

Hmmm. . . I'm not sure. Can you get a screen shot for me?

#12 fermomi

Posted 19 December 2009 - 12:40 PM

Good Evening Sam

Sorry for the long delay to answer, I've been travelling back home.

I am attaching a doc file with the info. The bmp file is 577k, so too big to be attached.

When I connect my computer through WiFi I don't have the green icon

The green icon only comes when I connect my computer with a cable.

Tomorrow I'll be uploading a new McAfee antivirus.

Best Regards

Miguel

my mail is m DOT fm AT wanadoo DOT fr
do you have a postal address


#13 Buckeye_Sam

Malware Expert

Posted 20 December 2009 - 07:58 AM

It sounds to me like that's network related, but I'm not positive. I haven't seen a message like that before. However, it doesn't appear to be malicious to me. Is your computer behaving properly otherwise?

#14 fermomi

Posted 20 December 2009 - 04:00 PM

Good evening Sam

I only have WiFi at home and the "green icon" doesn't pop up. I shall be able to reconnect my computer to a network after the 11th of Jan.

For the time being, my computer behaves normally.

May I do something for you? My computer is a Dell Latitude D430 running XP Pro. Do you need other info?

Best Regards and thank you very much for your help.

Miguel

#15 Buckeye_Sam

Malware Expert

Posted 21 December 2009 - 07:35 AM

Here are some final steps and recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click Start -> Run
  • Now type Combofix /uninstall in the runbox and click OK

==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable System Restore to make sure there are no infected files left over in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
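As an added example (not code from either poster), here is a small Python triage script for the MBAM log format seen in this thread. It parses the "Files Infected" entries from the log in post #8 and classifies each hit as a ComboFix quarantine copy, a System Restore snapshot, or a file still on the live system, which is the distinction behind the "disable and re-enable System Restore" advice in post #15. The sample log is an excerpt copied from the thread; the location rules and function names are my own assumptions.

```python
import re
from collections import Counter

# Excerpt of the MBAM log posted in this thread (post #8); the detection
# lines are copied from the thread, the header is trimmed, nothing is invented.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.42
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192893
Folders Infected: 0
Files Infected: 4

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTtexrrxewnp.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRTyqvpkbabwr.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD6E26CF-F91A-4066-B4F6-C7A42D3C4A92}\RP0\A0000001.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD6E26CF-F91A-4066-B4F6-C7A42D3C4A92}\RP0\A0000002.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detail entry: <path> (<detection name>) -> <action taken>.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# One summary line: <category> Infected: <count>
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")

def classify_location(path):
    """Where a flagged file lives: ComboFix quarantine, a restore point, or the live system."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"  # .vir copies ComboFix already neutralised
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # why the helper says to flush System Restore
    return "live"

def parse_mbam_log(text):
    """Return (summary counts, detail entries) from an MBAM 1.x text log."""
    counts, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m and section is None:  # summary block precedes the detail blocks
            counts[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):  # start of a detail block
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "path": m["path"], "detection": m["detection"],
                            "action": m["action"], "location": classify_location(m["path"])})
    return counts, entries

def triage(text):
    """Summarise the log; 'consistent' is False if the summary count and the
    parsed entries disagree, which means a truncated or reformatted log."""
    counts, entries = parse_mbam_log(text)
    files = [e for e in entries if e["section"] == "Files Infected"]
    return {
        "consistent": counts.get("Files Infected") == len(files),
        "by_location": dict(Counter(e["location"] for e in files)),
        "by_detection": dict(Counter(e["detection"] for e in files)),
        "live_paths": [e["path"] for e in files if e["location"] == "live"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the thread's post-repair log this reports no live hits: all four detections are ComboFix's own quarantine copies and restore-point snapshots, so clearing System Restore is what removes the last two.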

