
Has my computer been infected, hacked, need help


  • This topic is locked
14 replies to this topic

#1 rogue212 (Members, 31 posts)

Posted 11 March 2010 - 01:56 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/301495/has-my-computer-been-infected-hacked-need-help/ ~ OB

Please note that no antivirus, including AVG, Spybot - Search & Destroy, SUPERAntiSpyware, or my Sygate firewall, was disabled. Folder options (show hidden files and folders, hide extensions, hide protected system files, etc.) were left as they were, as the instructions didn't tell me to change them, and no signs of any infection had yet shown up. Thanks.


The installed Program.exe had these infections:
W32/BackdoorX.DHLT
Win32.Small.guj
Backdoor/Small.gue

The infection is showing from today; GMER and the other scans were run a couple of days ago, Malwarebytes was run today.

GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-09 18:35:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ricky\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA1BAB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBA1BA6F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA1BA470]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA1BAC50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA1BA990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA1BA8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA1BAD60]

Code 88A77BAC ZwRequestPort
Code 88A77C4C ZwRequestWaitReplyPort
Code 88A77B0C ZwTraceEvent
Code 88A77BAB NtRequestPort
Code 88A77C4B NtRequestWaitReplyPort
Code 88A77B0B NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (TrueImage Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (TrueImage Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (TrueImage Backup Archive Explorer/Acronis)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

DDS Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricky at 18:10:25.25 on 09/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.855 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Ricky\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title =
mWindow Title =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ricky\applic~1\mozilla\firefox\profiles\mjd9ed9m.default\
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2010-1-22 40368]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-9 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-3-9 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-3-9 297752]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-3-7 12672]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-8-28 68136]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-3-9 311568]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2009-12-19 122504]
S3 SysProtDrv.sys;SysProtDrv.sys;\??\c:\documents and settings\ricky\desktop\rootkit\sysprot\sysprot\sysprotdrv.sys --> c:\documents and settings\ricky\desktop\rootkit\sysprot\sysprot\SysProtDrv.sys [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-03-09 18:02:41 0 ----a-w- c:\documents and settings\ricky\defogger_reenable
2010-03-09 16:29:57 1355 ----a-w- c:\windows\imsins.BAK
2010-03-09 13:23:02 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-03-09 13:13:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-09 13:13:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-09 13:13:43 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 13:13:38 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-09 13:13:35 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-03-09 13:13:25 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2010-03-09 12:51:46 0 d-----w- c:\docume~1\ricky\applic~1\AVG8
2010-03-07 23:19:29 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-03-07 23:19:28 0 d-----w- c:\program files\CPUID
2010-03-07 21:59:32 0 d-----w- c:\program files\Softwin
2010-03-07 21:01:57 0 d-----w- C:\AUTORUN.INF
2010-03-07 18:07:15 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-07 12:30:29 0 d-----w- c:\program files\CCleaner
2010-03-05 19:22:23 0 d-----w- c:\program files\USB Disk Security
2010-03-05 16:38:07 0 d-sha-r- C:\cmdcons
2010-03-05 13:50:04 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-05 13:46:55 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-05 10:54:15 0 d-----w- c:\docume~1\ricky\applic~1\FRISK Software
2010-03-05 10:28:49 0 d-----w- c:\docume~1\alluse~1\applic~1\FRISK Software
2010-03-04 23:17:53 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-04 23:13:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-03-04 23:13:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-03-04 23:13:09 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-26 00:17:16 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-26 00:17:09 0 d-----w- c:\program files\Novel Games
2010-02-26 00:09:35 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-24 16:04:02 0 d-----w- C:\GrandMasterChess3
2010-02-19 10:53:58 0 d-----r- c:\temp\Ricky
2010-02-17 20:17:01 0 d-----w- c:\docume~1\ricky\applic~1\HTML Executable
2010-02-17 20:17:00 0 d-----w- c:\program files\common files\HTML Executable Viewer
2010-02-17 20:15:41 0 d-----w- c:\program files\YeaChess
2010-02-17 20:02:21 224016 ----a-w- c:\windows\system32\tabctl32.ocx
2010-02-17 20:02:21 152848 ----a-w- c:\windows\system32\comdlg32.ocx
2010-02-17 20:02:21 109248 ----a-w- c:\windows\system32\mswinsck.ocx
2010-02-17 20:02:20 0 d-----w- c:\program files\3DFiBs
2010-02-17 20:00:56 0 d-----w- c:\program files\Pawn 3
2010-02-15 18:17:31 0 d-----w- c:\docume~1\alluse~1\applic~1\CA
2010-02-10 04:40:36 0 d-----w- c:\program files\Panda Security

==================== Find3M ====================

2010-03-09 13:33:11 16608 ----a-w- c:\windows\gdrv.sys
2010-03-09 12:11:11 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-01-29 23:34:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-01-29 23:34:24 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-08-28 15:07:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082820090829\index.dat

============= FINISH: 18:10:49.84 ===============

Edited by rogue212, 11 March 2010 - 07:13 PM.
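Every SSDT hook and device filter in the GMER log above resolves to wpsdrvnt.sys (Sygate's firewall driver), avgtdix.sys (AVG) or the Acronis/Paragon disk filters, which is exactly what a firewall, an antivirus and imaging tools are expected to install. A hook becomes interesting when the module behind it has no recognisable vendor, lives outside the drivers directory, or is a file nobody installed. The script below is an added example, not part of the post and not a GMER feature: it parses those log lines, groups hooks by the module that installed them, and flags hooks from modules that are not on a locally maintained trusted-vendor list. The trusted-vendor set is an assumption for the example, and the last sample line (evil.sys) is invented to exercise the untrusted path; it does not appear in the log.

```python
import re
from collections import defaultdict

# Sample input constructed for this example: the first four entries are copied
# from the GMER log in the post above; the evil.sys line is invented (it does
# not appear on the page) purely to exercise the "untrusted module" path.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA1BAB30]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBA1BA8D0]
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
SSDT \??\C:\WINDOWS\system32\drivers\evil.sys (evil/Unknown Vendor) ZwQueryDirectoryFile [0xBA200000]
"""

# Vendors whose kernel hooks this particular machine is expected to carry
# (the firewall, AV and backup/imaging tools visible in the DDS log).
# An assumption for the example; maintain it per machine.
TRUSTED_VENDORS = {
    "Sygate Technologies, Inc.",
    "AVG Technologies CZ, s.r.o.",
    "Acronis",
    "Paragon Software Group",
}

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)\s+\((?P<desc>[^)]*)\)$"
)


def _split_desc(desc):
    """GMER prints '(<description>/<vendor>)'; return (description, vendor)."""
    description, sep, vendor = desc.rpartition("/")
    if not sep:  # no slash: GMER found no version resource for the module
        return desc.strip(), ""
    return description.strip(), vendor.strip()


def parse_gmer(text):
    """One dict per SSDT / Device / AttachedDevice line in a GMER log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            description, vendor = _split_desc(m.group("desc"))
            entries.append({
                "kind": "SSDT",
                "module": m.group("path").rsplit("\\", 1)[-1],
                "path": m.group("path"),
                "vendor": vendor,
                "description": description,
                "target": m.group("func"),
                "address": int(m.group("addr"), 16),
            })
            continue
        m = DEVICE_RE.match(line)
        if m:
            description, vendor = _split_desc(m.group("desc"))
            entries.append({
                "kind": m.group("kind"),
                "module": m.group("file"),
                "path": m.group("file"),
                "vendor": vendor,
                "description": description,
                "target": m.group("device"),
                "address": None,
            })
    return entries


def hooks_by_module(entries):
    """Map each hooking module to the sorted list of functions/devices it hooks."""
    grouped = defaultdict(set)
    for e in entries:
        grouped[e["module"]].add(e["target"])
    return {module: sorted(targets) for module, targets in grouped.items()}


def flag_untrusted(entries, trusted_vendors=TRUSTED_VENDORS):
    """Entries whose module is not attributed to a trusted vendor, or whose
    SSDT hook comes from a file outside the system drivers directory."""
    flagged = []
    for e in entries:
        untrusted = e["vendor"] not in trusted_vendors
        odd_path = e["kind"] == "SSDT" and "\\system32\\drivers\\" not in e["path"].lower()
        if untrusted or odd_path:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_GMER_LOG)
    for module, targets in sorted(hooks_by_module(found).items()):
        print(f"{module}: {', '.join(targets)}")
    for e in flag_untrusted(found):
        print(f"REVIEW {e['kind']} by {e['module']} ({e['vendor'] or 'no vendor'}): {e['target']}")
```

Run against the real log, the only output is the per-module summary: every hook belongs to a vendor on the list, which matches myrti's later reading that nothing here points at a rootkit. The vendor string is taken from the module's version resource as GMER printed it, so it is evidence of attribution, not of integrity; a module you do not recognise still needs its file checked (hash, signature, install date) before it is trusted.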



#2 myrti (Malware Study Hall Admin, 33,773 posts)

Posted 13 March 2010 - 04:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 rogue212 (Topic Starter)

Posted 14 March 2010 - 11:34 AM

Hi, thank you for replying. Even though I decided to delete all my .exe programs and lots of data that I cannot replace from all of my partitions (three in all), I kept my MP3, video, TXT, PDF, ISO and some related program data files, overwrote my C: partition and restored a disk image of my operating system. Things have now probably gone from a low risk to a very serious situation.

After F-Prot was one of the online scanners on VirusTotal that found the original infection, I decided to try the trial version to scan all my backup drives etc. I found a folder hidden inside a folder inside another folder, etc., on one of my external hard drives containing all my important data. This is what it found. Please could you give me some advice on the possibility of these infections infecting other files on my drive or drives with malicious code, and what to do? It's my fault for sharing my computer. Thank you.

I have never installed these programs.

F-Prot found:
AnyDVD.exe W32/Backdoor2.DAVN (exact)
SetupAnyDVD6184.exe W32/Backdoor2.AXXB (exact)
FLVDownloader_Install.0xe W32/Backdoor2.BBNJ (exact)
CloneDVD1.3.10.1.exe

Sent them to VirusTotal for scanning, alarming!
VirusTotal Found:

File AnyDVD.exe received on 2010.03.14 14:17:24 (UTC)
Current status: finished
Result: 8/42 (19.05%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Riskware.Hacktool.Keygen.anydvd!IK
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.DAVN
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 -
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.irc
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 Win32.TrojanHorse
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.DAVN
F-Secure 9.0.15370.0 2010.03.14 -
Fortinet 4.0.14.0 2010.03.13 -
GData 19 2010.03.14 -
Ikarus T3.1.1.80.0 2010.03.14 not-a-virus.Hacktool.Keygen.anydvd
Jiangmin 13.0.900 2010.03.14 -
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 -
McAfee-GW-Edition 6.8.5 2010.03.13 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 -
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 -
Prevx 3.0 2010.03.14 -
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 -
Sunbelt 5877 2010.03.14 -
Symantec 20091.2.0.41 2010.03.14 -
TheHacker 6.5.2.0.233 2010.03.13 -
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 -
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 Backdoor.BackDoor.B

Additional information
File size: 175616 bytes
MD5 : 45429bc1d6f7a0218fea7827a8fc0685
SHA1 : 0557ee182b3ce28de2e12f07e0a7c0738366d502


File FLVDownloader_Install.0xe received on 2010.03.14 14:29:29 (UTC)
Current status: finished
Result: 19/42 (45.24%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Backdoor.Win32.Sheldor!IK
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.BBNJ
Avast 4.8.1351.0 2010.03.14 Win32:Adware-gen
Avast5 5.0.332.0 2010.03.14 Win32:Adware-gen
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 Adware.Generic.45143
CAT-QuickHeal 10.00 2010.03.13 -
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 Win32.Lmir.ac
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.BBNJ
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.381620
Fortinet 4.0.14.0 2010.03.13 Adware/AdMoke
GData 19 2010.03.14 Adware.Generic.45143
Ikarus T3.1.1.80.0 2010.03.14 Backdoor.Win32.Sheldor
Jiangmin 13.0.900 2010.03.14 -
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 not-a-virus:AdWare.Win32.AdMoke.agg
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 Artemis!DADD6DE8CE40
McAfee-GW-Edition 6.8.5 2010.03.13 -
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 probably a variant of Win32/Adware.Agent
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 Trj/CI.A
PCTools 7.0.3.5 2010.03.14 -
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Sunbelt 5877 2010.03.14 AdWare.Win32.AdMoke.agg
Symantec 20091.2.0.41 2010.03.14 Reser.Reputation.1
TheHacker 6.5.2.0.233 2010.03.13 -
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.AdMoke.agg
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 -

Additional information
File size: 4041112 bytes
MD5 : dadd6de8ce408f9f676ddb20913c19f1
SHA1 : 68376b4cf849bc3da8727b5f2ea26bd4067c97c4


File SetupAnyDVD6184.exe received on 2010.03.14 14:42:06 (UTC)
Current status: finished
Result: 30/42 (71.43%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Downloader.QuickBatch!IK
AhnLab-V3 5.0.0.2 2010.03.14 Win32/Xema.worm.132814
AntiVir 8.2.1.180 2010.03.12 TR/Agent.2877454
Antiy-AVL 2.0.3.7 2010.03.12 AdWare/Win32.Shopper.gen
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.AXXB
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 Trojan.Generic.370028
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.14 Trojan.Agent-21076
Comodo 4254 2010.03.14 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.03.14 Trojan.Iahonor
eSafe 7.0.17.0 2010.03.14 -
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.AXXB
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.370028
Fortinet 4.0.14.0 2010.03.13 PossibleThreat
GData 19 2010.03.14 Trojan.Generic.370028
Ikarus T3.1.1.80.0 2010.03.14 Downloader.QuickBatch
Jiangmin 13.0.900 2010.03.14 TrojanDropper.Agent.ikl
K7AntiVirus 7.10.997 2010.03.13 not-a-virus:AdWare.Win32.Shopper.z
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 Artemis!4E7D8DD949F9
McAfee-GW-Edition 6.8.5 2010.03.13 Trojan.Agent.2877454
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 probably a variant of Win32/Agent
Norman 6.04.08 2010.03.14 W32/Shopper.AI
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 Trojan.Dropper.Hoy
Prevx 3.0 2010.03.14 High Risk Worm
Rising 22.38.04.03 2010.03.12 Dropper.Win32.KillAV.b
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Sunbelt 5877 2010.03.14 -
Symantec 20091.0.41 2010.03.14 Trojan Horse
TheHacker 6.5.2.0.233 2010.03.13 Adware/Shopper.z
TrendMicro 9.120.0.1004 2010.03.14 TROJ_DROPPER.HOY
VBA32 3.12.12.2 2010.03.14 Trojan.Iahonor
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 Backdoor.Agent.GROI

Additional information
File size: 2877454 bytes
MD5 : 4e7d8dd949f9b3e2699c7e2b6b63e588
SHA1 : c61c94dd8bdd8b2c38ce93146cbad9425b6a304a


File CloneDVD1.3.10.1.exe received on 2010.03.14 14:22:30 (UTC)
Current status: finished
Result: 5/41 (12.20%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 -
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 -
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 -
CAT-QuickHeal 10.00 2010.03.13 AdWare.CommonName.al (Not a Virus)
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 -
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 -
Fortinet 4.0.14.0 2010.03.13 -
GData 19 2010.03.14 -
Ikarus T3.1.1.80.0 2010.03.14 -
Jiangmin 13.0.900 2010.03.14 Adware/Agent.bfw
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 -
McAfee-GW-Edition 6.8.5 2010.03.13 -
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 -
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 -
Prevx 3.0 2010.03.14 High Risk Worm
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 -
Sunbelt 5877 2010.03.14 -
Symantec 20091.2.0.41 2010.03.14 -
TheHacker 6.5.2.0.233 2010.03.13 Adware/CommonName.z
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.CommonName.bl
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 -

Additional information
File size: 3940232 bytes
MD5 : 3bef8be4317a0f93cb988daa2e23a9e6
SHA1 : f30e0d60e8fe2fc25f4a364ade969025a0d5a495

Edited by rogue212, 14 March 2010 - 11:36 AM.


#4 myrti (Malware Study Hall Admin, 33,773 posts)

Posted 15 March 2010 - 05:50 PM

Hi,

I'm not sure this means that the files have been infected by some malware; it looks more like whatever is contained in the files is what is being targeted.
For example, AnyDVD is illegal in my country. Two of the detections explicitly detect it as anydvd, one as an anydvd keygen. Keygens are often detected as malicious, and false positives on those files sometimes aren't fixed. The file may or may not be good.

For flvdownloader you can refer here, as to why the file is detected as malicious: http://www.moyea.com/forum/viewtopic.php?p...3eeda6abc1ebfc3
The same basically goes for clonedvd. The tool is often used illegally and for that reason may or may not use techniques that are similar to malware.

Another frequent source for setups to be detected as malicious is that they often come bundled with some kind of shady toolbar, that you do not need to install.

I can't say for sure, but I would think that if you downloaded these files fresh from the original website today they would get at least as many detections as the setups you have there. However, as a general matter:
Usually I advise that when you reformat you back up all your important documents, personal data files and photos to a CD or DVD, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension behind the existing extension of a file, so be sure you look closely at the full file name. After reformatting, scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

regards myrti

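The backup advice above (no executables, screensavers, autorun or script files; no archives with executables inside; look for a real extension hidden behind a harmless one; scan before copying anything back) and the hash checks that OTL's /md5start block and the VirusTotal reports earlier in this thread rely on can be turned into a pre-restore pass over the backup tree. The script below is an added example, not part of the thread and not code from any tool named in it. It builds a small constructed sample tree in a temporary directory, reports the files that match those rules, and computes MD5/SHA1 so each file can be matched against hashes you have already decided to treat as bad. KNOWN_BAD_MD5 holds the four MD5s from the VirusTotal reports above purely as sample lookup entries; whether those particular files are actually malicious is the open question in the thread.

```python
import hashlib
import os
import tempfile
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js"}
SCRIPT_EXTS = {".php", ".asp", ".html", ".htm", ".hta"}
OPAQUE_ARCHIVE_EXTS = {".rar", ".cab", ".7z"}   # not readable with the stdlib; flag by name
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}

# Sample lookup entries only: the four MD5s from the VirusTotal reports above.
KNOWN_BAD_MD5 = {
    "45429bc1d6f7a0218fea7827a8fc0685",  # AnyDVD.exe
    "dadd6de8ce408f9f676ddb20913c19f1",  # FLVDownloader_Install.0xe
    "4e7d8dd949f9b3e2699c7e2b6b63e588",  # SetupAnyDVD6184.exe
    "3bef8be4317a0f93cb988daa2e23a9e6",  # CloneDVD1.3.10.1.exe
}


def classify_name(filename):
    """Reasons the file NAME alone warrants a look, per the advice above."""
    reasons = []
    lower = filename.lower()
    parts = lower.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if lower in AUTORUN_NAMES:
        reasons.append("autorun file")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if ext in SCRIPT_EXTS:
        reasons.append(f"script/web extension {ext}")
    # 'holiday.jpg.exe': with extensions hidden, Explorer shows 'holiday.jpg'
    if len(parts) > 2 and ext in EXECUTABLE_EXTS | SCRIPT_EXTS:
        reasons.append(f"double extension .{parts[-2]}{ext}")
    if ext in OPAQUE_ARCHIVE_EXTS:
        reasons.append(f"archive {ext} (inspect contents before restoring)")
    return reasons


def file_hashes(path):
    """(md5, sha1) hex digests, streamed so a large backup is not read into RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def executables_in_zip(path):
    """Members of a .zip that classify_name would flag (the 'compressed files' case)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist()
                    if not n.endswith("/") and classify_name(os.path.basename(n))]
    except zipfile.BadZipFile:
        return ["<unreadable zip: treat as damaged>"]


def triage_backup(root, known_bad_md5=KNOWN_BAD_MD5):
    """Walk root; return {relative path: [reasons]} for files needing review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_name(name)
            md5, _sha1 = file_hashes(full)
            if md5 in known_bad_md5:
                reasons.append(f"MD5 {md5} is on the known-bad list")
            if name.lower().endswith(".zip"):
                inner = executables_in_zip(full)
                if inner:
                    reasons.append("zip contains: " + ", ".join(inner))
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_backup(root):
    """Constructed sample tree (not real data) covering the cases discussed above."""
    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    write("music/song.mp3", b"ID3" + b"\x00" * 16)
    write("docs/notes.txt", b"just text")
    write("photos/holiday.jpg.exe", b"MZ" + b"\x90" * 32)   # real extension hidden
    write("tools/installer.exe", b"MZ" + b"\x00" * 32)
    write("D/autorun.inf", b"[autorun]\r\nopen=installer.exe\r\n")
    with zipfile.ZipFile(os.path.join(root, "tools", "bundle.zip"), "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("setup.exe", "MZ")
    with zipfile.ZipFile(os.path.join(root, "docs", "papers.zip"), "w") as zf:
        zf.writestr("paper.pdf", "%PDF-1.4")


def run_demo():
    """Build the sample tree in a temp dir and triage it; keys use '/' separators."""
    root = tempfile.mkdtemp(prefix="backup-triage-")
    build_sample_backup(root)
    # Pretend notes.txt's hash had been reported bad, to exercise the hash lookup.
    bad = KNOWN_BAD_MD5 | {file_hashes(os.path.join(root, "docs", "notes.txt"))[0]}
    findings = triage_backup(root, bad)
    return {rel.replace(os.sep, "/"): why for rel, why in findings.items()}


if __name__ == "__main__":
    for rel, why in sorted(run_demo().items()):
        print(f"{rel}: {'; '.join(why)}")
```

Point it at a real backup by calling triage_backup("E:\\backup") instead of run_demo(). A name-based pass like this only decides what not to copy back blindly; it says nothing about whether a flagged file is actually malicious, and it cannot see inside .rar or .cab, which is why those are reported by name only. Hash matches are exact-file matches: a different build or a repacked installer will not match, so an empty hash result is not a clean bill either.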


#5 rogue212 (Topic Starter)

Posted 16 March 2010 - 06:13 PM

Thanks for the reply, it's much appreciated. I had already backed up my data to my external hard drive as advised in your guide "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help":

1 Backup your data!

"We therefore suggest that before we move forward with this cleaning process, you first backup your data to a secure location. That secure location could be a burnable DVD, an external backup drive, or another computer."

I only backed up my MP3, movie, TXT, PDF, ISO and some related program data files, but I may have made a big mistake: the drive I backed up to had been wiped with one pass and then formatted to clean it. I had re-installed Windows from a disk image onto my C: partition, but the data that I backed up was on another partition, D:. I had deleted all dangerous files (exe, zip, etc.) but I'm not sure if autorun was disabled, as I had just re-installed Windows. The drive didn't appear to autorun; this may be due to it being an empty drive, or because the autorun folder on the D: partition still contained a folder named zhengbo, put there by USB Disk Security to stop autorun, but I'm not sure.

I'd like to thank you for your help and advice, just to update you. I've found more files on two of my other external drives, mp3, exe, zip, rar etc, I scanned the drives with F-Prot and it reported lots of my good programs, even Gigabyte display drivers, Zonealarm firewall.exe, are damaged, contain infected objects or are infected. Infections reported include W32/Trojan3.BAT, W32/Backdoor2.DXMC (exact), W32/BackdoorX.BUJG, W32/Backdoor2.DAVN (exact), W32/Backdoor2.BBNJ (exact), W32/Backdoor2.AXXB, W32/Skintrim.1!Generic, but the main one is W32/Backdoor2.DXMC, more false positives?

I know lots of these files were or are clean, if they are now truly infected then something very nasty is or may be on my external drives and could have been infecting my computer for some time. If the mp3 files are illegal then these can contain a worm in the tags that carry the song's data that spreads, it was supposedly introduced by the recording industry to infect P2P networks, 95% are said to be infected.

Most of the reported infections are being confirmed by VirusTotal in a big way, about seven in all, Zonealarm is probably a false positive, some zip files are empty, F-Prot is reporting infected objects contained, many files can't be scanned, said to be damaged, a few files won't upload to VirusTotal for some reason. Infections detected by VirusTotal that F-Prot found include these, please remember that these contain all the different scanners' definitions of seven infected files.

AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
Authentium 5.2.0.5 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware, Heur.Packed.Unknown
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin
Sophos 4.51.0 2010.03.15 MadCodeHook
Norman 6.04.08 2010.03.14 W32/Hupigon.JDZS
TrendMicro 9.120.0.1004 2010.03.15 PAK_Generic.001
VirusBuster 5.0.27.0 2010.03.14 Backdoor.Agent.ISZS
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin

Have I lost all the data on my external drives, is there an infection spreading and infecting more and more of my files, what can I do, please any advice. In all about seven files contained these infections, the others I can't scan due to size or they won't upload, thanks.

Edited by rogue212, 16 March 2010 - 06:18 PM.


#6 myrti, Sillyberry (Malware Study Hall Admin, 33,773 posts)

Posted 17 March 2010 - 06:39 AM

Hi,

if all anti virus detect the file as malicious, it seems unlikely that this is an FP. Which file did you upload?

QUOTE
If the mp3 files are illegal then these can contain a worm in the tags that carry the songs data that spreads, it was supposedly introduced by the recording industry to infect P2P networks, 95% are said to be infected.


This is an urban legend. There are infections that will attack and modify music files to spread themselves, however they don't distinguish between legit and non-legit music. Legit files can get infected just as well as non-legit files can.

Can you do a scan with Eset and post the results here:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti



#7 rogue212 (Topic Starter, Members, 31 posts)

Posted 18 March 2010 - 06:14 PM

Sorry for the delay and my long replies earlier, I'm disabled with head injuries so please excuse my English grammar.

Files found and sent to VirusTotal for scanning:

AnyDVD.exe
tsMuxerGUI.exe (part of a bundle of video tools, the original was clean)
XviD4PSP.exe
SetupAnyDVD6184.exe
RipBot264v1.13.3.7z (not the original Ripbot.exe program, it was clean when I downloaded and sent it for scanning)
Speed-Downloading_setup.exe
FLVDownloader_Install.0xe (does not seem to be the original program)
mpeg2repair.exe (downloaded the original from videohelp, same infections detected)


I did a scan with ESET, only managed to get half way through, will scan again tomorrow, scan log so far, two partitions to go:

I:\Replace\My Documents\New Downloads\unlocker1.8.7.exe a variant of Win32/Adware.ADON application
I:\Replace\My Documents\Video Conversion\mkvtoolnix-unicode-2.4.1-setup.exe probably a variant of Win32/Agent trojan

I've found out through the F-Prot logs it picked up far more than I realised, I have to copy to the clipboard and then to notepad so it may take some time but here's an example:

Event Type: Warning
Event Source: F-PROT Antivirus
Event Category: Scanner
Event ID: 4096
Date: 17/03/2010
Time: 10:50:12
User: NT AUTHORITY\SYSTEM
Computer: HOME
Description:
Found file, C:\WINDOWS\TEMP\FPQA.tmp->(NSIS)->tsMuxerGUI.exe, infected with W32/Backdoor2.DXMC
Found file, C:\WINDOWS\TEMP\FPQ6.tmp->mpeg2repair.exe->(PESpin), infected with W32/Heuristic-210!Eldorado
Found file, C:\WINDOWS\TEMP\FPQ1D.tmp, infected with W32/Skintrim.1!Generic

and one of my favourite programs:
I:\Replace\My Documents\Afterdawn recommended software\FAVC_105.exe->(7Z)->FAVC/HC/misc/adaptive_matrix/matrix4.dll, infected with W32/Heuristic-COC!Eldorado




#8 rogue212 (Topic Starter, Members, 31 posts)

Posted 19 March 2010 - 05:45 AM

ESET infections confirmed by VirusTotal, strange, mkvtoolnix is a well known and widely used program and comes from a reliable source.

File unlocker1.8.7.exe received on 2010.03.19 10:24:40 (UTC)

Microsoft 1.5605 2010.03.19 TrojanClicker:Win32/Yabector.gen
NOD32 4957 2010.03.19 a variant of Win32/Adware.ADON
Norman 6.04.09 2010.03.18 -
nProtect 2009.1.8.0 2010.03.19 -
Panda 10.0.2.2 2010.03.18 Adware/AdOnDemand

File mkvtoolnix-unicode-2.4.1-setup.ex received on 2010.03.19 10:26:56 (UTC)

a-squared 4.5.0.50 2010.03.19 Trojan.Generic.IS!IK
K7AntiVirus 7.10.1001 2010.03.18 Trojan.Win32.Shutdowner.bsl
Kaspersky 7.0.0.125 2010.03.19 -
McAfee 5924 2010.03.18 Generic.dx!to
McAfee+Artemis 5924 2010.03.18 Generic.dx!to
McAfee-GW-Edition 6.8.5 2010.03.19 -
NOD32 4957 2010.03.19 probably a variant of Win32/Agent
Norman 6.04.09 2010.03.18 Suspicious_Gen2.DTJS
PCTools 7.0.3.5 2010.03.19 Trojan.Generic
Sunbelt 5966 2010.03.19 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.19 Trojan Horse
TheHacker 6.5.2.0.238 2010.03.19 Trojan/Shutdowner.bsl
VBA32 3.12.12.2 2010.03.19 Trojan.Win32.Shutdowner.bsl
ViRobot 2010.3.19.2236 2010.03.19 Backdoor.Win32.Small.4093126

Nothing by:

AVG
BitDefender
Comodo
DrWeb
F-Prot
F-Secure
Kaspersky
Panda
Sophos
TrendMicro
VirusBuster


#9 rogue212 (Topic Starter, Members, 31 posts)

Posted 19 March 2010 - 05:12 PM

Here's the full ESET scan, infections detected were on my external drives, the only ones that have been installed in the past were, FreeMp3WmaOggConverter and mkvtoolnix.

J:\D backup\Audio Encoding\FreeMp3WmaOggConverter.exe Win32/Adware.OneStep application
K:\Audio Encoding\FreeMp3WmaOggConverter.exe Win32/Adware.OneStep application
K:\System Tools\New Downloads\unlocker1.8.7.exe a variant of Win32/Adware.ADON application
K:\Video Encoding\FreeMp3WmaOggConverter.exe Win32/Adware.OneStep application (clean when I first downloaded it?)
K:\Video Encoding\mkvtoolnix\mkvtoolnix-unicode-2.4.1-setup.exe probably a variant of Win32/Agent trojan

Strange thing is, I have my favourite programs, when I first downloaded them they were sent to VirusTotal to be scanned, as I always do, and they were all clean. After about six months I accidentally sent the wrong exe file to VirusTotal, one of my favourites was sent, and to my alarm it detected lots of infections. I decided to send all my favourite programs to be scanned again and they were all full of infections. I downloaded them again from the same source, nearly all were still the same version, after being sent again to VirusTotal they were all clean but mine had somehow become infected.

Edited by rogue212, 19 March 2010 - 05:42 PM.


#10 myrti, Sillyberry (Malware Study Hall Admin, 33,773 posts)

Posted 20 March 2010 - 08:45 AM

Hi,

Most of the detections are typical toolbars that are often added to freeware tools to create some kind of revenue. It could be that the programs simply changed the provider of their toolbar and that hence the detection changed or was removed. This goes for Win32/Adware.OneStep and Win32/Adware.ADON.

In any case the detection on those files is not a malware that is capable of infecting or modifying files. The file is the same you downloaded years/months ago, what changed is the detection from the anti virus programs.

What does this tool do:
QUOTE
mkvtoolnix-unicode-2.4.1-setup.exe

The detection suggests that it is capable of shutting down the PC, and that is what it is getting detected for.

QUOTE
I:\Replace\My Documents\Afterdawn recommended software\FAVC_105.exe->(7Z)->FAVC/HC/misc/adaptive_matrix/matrix4.dll, infected with W32/Heuristic-COC!Eldorado

Heuristics are rather known for producing False Positives. For the files detected by F-Secure on your system, you can send them to F-Secure to get them reevaluated and maybe confirmed as False Positives here: link

I would be careful with the files listed as Backdoor, especially the one that gets detected by loads of anti virus programs. This could really be malicious.

regards myrti

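The way myrti reads a VirusTotal listing in #6 and #10 (broad agreement on a named family is a real detection, packer and heuristic hits alone are false-positive candidates, adware/toolbar hits are unwanted software rather than file infectors, and no hits at all means very likely clean), turned into a small triage script. This is an added example, not code from the thread or from VirusTotal: it parses result lines in the "engine version date result" shape pasted above, buckets each result by keyword, and applies those rules. The keyword sets and the three sample reports are my own constructions; the engine names and dates in them imitate the pasted output and are not real scan results.

```python
"""Triage of a VirusTotal-style result list (added example, not the forum's code).

Input lines have the shape pasted in the thread:
    <engine> <engine version> <signature date> <result or '-'>
The keyword sets are my own reading heuristics; the sample reports are constructed."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)

PACKER_TOKENS = {"pespin", "packed", "packer", "pck", "pak", "upx", "themida"}
PUP_TOKENS = {"adware", "pup", "toolbar", "adondemand", "application"}
HEURISTIC_TOKENS = {"heur", "heuristic", "suspicious", "behav", "generic", "gen",
                    "probably", "unclassifiedmalware"}


class Detection(NamedTuple):
    engine: str
    result: Optional[str]   # None when the engine reported '-'
    kind: str               # clean | packer | pup | heuristic | named


def tokens(result: str) -> set:
    """Split a detection name into lower-case alphanumeric tokens."""
    return {t for t in re.split(r"[^a-z0-9]+", result.lower()) if t}


def kind_of(result: str) -> str:
    if result == "-":
        return "clean"
    t = tokens(result)
    if t & PACKER_TOKENS:       # "PCK/PESpin", "Packed/PeSpin": the packer, not a family
        return "packer"
    if t & PUP_TOKENS:          # "Win32/Adware.OneStep application": bundled toolbar
        return "pup"
    if t & HEURISTIC_TOKENS:    # "W32/Heuristic-210!Eldorado", "probably a variant of ..."
        return "heuristic"
    return "named"              # "Trojan.Win32.Shutdowner.bsl", "Backdoor.Rbot"


def parse(report: str) -> List[Detection]:
    dets = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skips headers such as "File x received on ..."
        res = m.group("result")
        dets.append(Detection(m.group("engine"), None if res == "-" else res, kind_of(res)))
    return dets


def tally(dets: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.kind for d in dets))


def verdict(dets: List[Detection]) -> str:
    """clean | fp_candidate | pup | malicious | suspicious, per the rules in the thread."""
    hits = [d for d in dets if d.kind != "clean"]
    if not hits:
        return "clean"
    kinds = {d.kind for d in hits}
    if kinds <= {"packer", "heuristic"}:
        return "fp_candidate"   # worth submitting to the vendor for re-evaluation
    if kinds <= {"packer", "heuristic", "pup"}:
        return "pup"            # unwanted bundleware, not a file infector
    named = [d for d in hits if d.kind == "named"]
    if len(hits) * 2 >= len(dets) and len(named) >= 3:
        return "malicious"      # at least half the engines, several naming a family
    return "suspicious"         # a few engines only: handle with care


# Constructed sample reports (engine versions/dates imitate the pasted format).
REPORT_A = """\
a-squared 4.5.0.50 2010.03.19 Trojan.Generic.IS!IK
AVG 9.0.0.787 2010.03.19 -
K7AntiVirus 7.10.1001 2010.03.18 Trojan.Win32.Shutdowner.bsl
Kaspersky 7.0.0.125 2010.03.19 -
McAfee 5924 2010.03.18 Generic.dx!to
NOD32 4957 2010.03.19 probably a variant of Win32/Agent
Norman 6.04.09 2010.03.18 Suspicious_Gen2.DTJS
Sophos 4.51.0 2010.03.19 -
Symantec 20091.2.0.41 2010.03.19 Trojan Horse
TheHacker 6.5.2.0.238 2010.03.19 Trojan/Shutdowner.bsl
VBA32 3.12.12.2 2010.03.19 Trojan.Win32.Shutdowner.bsl
ViRobot 2010.3.19.2236 2010.03.19 Backdoor.Win32.Small.4093126
"""
REPORT_B = """\
AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
Avast 4.8.1351.0 2010.03.15 -
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado
Kaspersky 7.0.0.125 2010.03.15 -
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin
"""
REPORT_C = """\
Microsoft 1.5605 2010.03.19 TrojanClicker:Win32/Yabector.gen
NOD32 4957 2010.03.19 a variant of Win32/Adware.ADON
Norman 6.04.09 2010.03.18 -
nProtect 2009.1.8.0 2010.03.19 -
Panda 10.0.2.2 2010.03.18 Adware/AdOnDemand
"""

if __name__ == "__main__":
    for label, rep in (("A", REPORT_A), ("B", REPORT_B), ("C", REPORT_C)):
        d = parse(rep)
        print(label, verdict(d), tally(d))
```

The bucketing is deliberately coarse: a result such as "TrojanClicker:Win32/Yabector.gen" lands in the heuristic bucket because of its ".gen" suffix, which errs toward asking for a second opinion rather than toward declaring a file clean. The "named" threshold of three engines is a judgement call to tune against your own experience, not a VirusTotal rule.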


#11 rogue212 (Topic Starter, Members, 31 posts)

Posted 20 March 2010 - 02:23 PM

Hi, mkvtoolnix-unicode-2.4.1-setup.exe is a bundle of tools to change, edit, mkv video files, (All other versions were clean when sent to VirusTotal) My friend used to rip DVDs and put them on his PS3, most of the video tools are for making videos compatible for playback on PS3, Xbox360 and my PDA. I think a lot of the other programs were his that got backed up to my drives.

I've found there are program bundles which contain all the tools you need to do a certain job, it's these bundles that contained some of the viruses detected, if downloaded separately the programs are clean.

My main internal drive is a bit messed up after a dual boot with Linux went wrong, so I've backed up everything from that which I think is safe, txt, iso, mp3, video. If I use killdisk and then reformat that drive and re-install windows could something on my external drives re-infect it, I'm deleting everything I can on them that's not needed. So I should have a clean windows install, just need to be sure my external drives are clean.

So if I had a program exe file on my external drives, which contained a nasty backdoor trojan, that has now been deleted, is it gone for good, if no infections are found on the files I keep are my external drives safe, or can some infections hide on partitions etc.

By the way, this is what BitDefender found when I scanned all my drives.

BitDefender Online Scanner
Scan report generated at: Wed, Mar 17, 2010 - 22:25:14
C:\Documents and Settings\Ricky\My Documents\online scanners.txt Infected with: Generic.Qhost.DE36A241
D:\Text\online scanners 22.txt Infected with: Generic.Qhost.DE36A241
E:\online scanners 22.txt Infected with: Generic.Qhost.DE36A241
F: etc
G: etc

It's a txt file I made with notepad of all the best online scanners that got backed up to all my drives. Sorry to post such a long reply, thanks for all your help.

Edited by rogue212, 20 March 2010 - 02:43 PM.


#12 myrti, Sillyberry (Malware Study Hall Admin, 33,773 posts)

Posted 21 March 2010 - 12:34 PM

Hi,

the detection on the text file is a false positive. The files you mentioned cannot be "disinfected" since the file was not infected in the first place. The files are malicious and if they are detected as malicious they will be quarantined by the anti virus program.

In theory when you back up your data it is advised not to back up any executable files to eliminate the risk of reinfection. Now I understand that this is impossible since you will not be able to recover the programs later. But there is a risk associated with it.

regards myrti



#13 rogue212 (Topic Starter, Members, 31 posts)

Posted 22 March 2010 - 06:51 AM

If I just keep a few exe files that are clean when sent to VirusTotal would they be safe files, thanks for all your help.

#14 myrti, Sillyberry (Malware Study Hall Admin, 33,773 posts)

Posted 22 March 2010 - 04:58 PM

Hi,


Yes, files that are not detected by any of the anti virus programs at virustotal.com are very likely clean.

regards myrti



#15 myrti, Sillyberry (Malware Study Hall Admin, 33,773 posts)

Posted 07 April 2010 - 06:24 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti





