Infected with unruy.d


  • This topic is locked
26 replies to this topic

#1 Animation Director

Animation Director

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 21 July 2010 - 01:08 PM

Microsoft Security Essentials finds Unruy.d and cleans "TrojanDownloader:Win32/Unruy.D" every time I boot up. I click "clean computer" and reboot, and it shows up again. I also have MalwareBytes, but it doesn't find it. Both are updated.
-
Windows XP Professional
Version 2002
Service Pack 3
-
Intel Core 2 CPU
6600 @ 2.40 GHz
2.40GHz, 2 GB RAM
-
ATI Radeon x1950 PRO
-

My computer kept crashing during Gmer's scan, so I ran it in safe mode (with networking). It seemed to see a lot more stuff in regular mode, but I never got a log from that.

_________________________________________________________________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by adam at 11:52:45.65 on Tue 07/20/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.989 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Xobni\XobniService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\program files\steam\steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Google Update] "c:\documents and settings\adam\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Screenshot Captor] "c:\program files\screenshotcaptor\ScreenshotCaptor.exe" /autorun
uRun: [Clipdiary] c:\program files\clipdiary\clipdiary.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [idpcgqoa] c:\windows\system32\config\systemprofile\local settings\application data\djtchjjwy\yobooywtssd.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\adam\startm~1\programs\startup\timeleft.lnk - c:\program files\timeleft3\TimeLeft.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185840304767
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553536000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\xobni\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 mi-raysat_3dsmax2011_32;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 32-bit 32-bit;c:\program files\autodesk\3ds max 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [2010-3-10 86016]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-5-4 151552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-5-7 5010288]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-4-8 45288]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-7-30 35840]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-5-4 19584]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\smartpenbus.sys --> c:\windows\system32\drivers\SmartpenBus.sys [?]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\smartpencom.sys --> c:\windows\system32\drivers\SmartpenCom.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-5-7 16168]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-07-20 18:50:11 0 ----a-w- c:\documents and settings\adam\defogger_reenable
2010-07-09 16:44:46 400 ----a-w- c:\windows\system32\Wacom_Tablet.dat
2010-07-01 00:54:43 1413424 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
2010-07-01 00:54:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-01 00:53:54 4770 ----a-r- c:\windows\system32\Repository.reg
2010-07-01 00:53:54 22334 ----a-r- c:\windows\system32\lvcoinst.ini
2010-07-01 00:53:53 513584 ----a-r- c:\windows\system32\LVUI2RC.dll
2010-07-01 00:53:53 38960 ----a-r- c:\windows\system32\drivers\LVUSBSta.sys
2010-07-01 00:53:53 116272 ----a-r- c:\windows\system32\lvcoinst.dll
2010-07-01 00:53:52 210480 ----a-r- c:\windows\system32\LVUI2.dll
2010-07-01 00:53:51 263728 ----a-r- c:\windows\system32\lvcodec2.dll
2010-07-01 00:53:45 348160 ----a-r- c:\windows\system\msvcr71.dll
2010-07-01 00:53:44 961072 ----a-r- c:\windows\system32\drivers\lvuvc.sys
2010-07-01 00:53:26 55984 ----a-r- c:\windows\system32\drivers\lvselsus.sys
2010-07-01 00:53:26 20272 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2010-07-01 00:42:31 0 d-----w- c:\program files\common files\Logitech
2010-06-29 18:55:33 24576 ----a-w- c:\windows\system32\drivers\KBDCLASS.SYS
2010-06-28 18:18:39 0 d-----w- c:\docume~1\adam\applic~1\Malwarebytes
2010-06-22 23:59:55 819200 ----a-w- c:\windows\system32\xvidcore.dll
2010-06-22 23:59:55 77824 ----a-w- c:\windows\system32\xvid.ax
2010-06-22 23:59:55 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-06-22 23:59:55 0 d-----w- c:\program files\Xvid
2010-06-22 18:41:51 102400 ----a-w- c:\windows\system32\tsccvid.dll

==================== Find3M ====================

2010-06-28 17:15:03 3304 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2008-09-26 18:06:14 39066832 ----a-w- c:\program files\Trillian.zip
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 11:53:27.10 ===============
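Two lines in the DDS log above are what a malware-response helper reads first: the Internet Settings entry `ProxyServer = http=127.0.0.1:5577` (every HTTP request is being routed through a local process) and the `dRun` entry that launches a randomly named executable from the SYSTEM profile directory. The following Python script is an added example, not part of the original post and not code from the DDS tool; it parses lines in the Pseudo HJT Report format shown in the log and flags those two patterns plus orphaned BHO/toolbar registrations. The sample lines are constructed (the proxy and `dRun` lines are copied from the log, the benign entries are added for contrast), and the "random-looking name" thresholds are my own heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format. The proxy lines and
# the dRun line are copied from the posted log; the rest are typical benign
# entries added here for contrast.
SAMPLE_DDS_LINES = [
    "uInternet Settings,ProxyOverride = <local>",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    'uRun: [Steam] "c:\\program files\\steam\\steam.exe" -silent',
    'mRun: [MSSE] "c:\\program files\\microsoft security essentials\\msseces.exe" -hide -runkey',
    "dRun: [idpcgqoa] c:\\windows\\system32\\config\\systemprofile\\local settings\\application data\\djtchjjwy\\yobooywtssd.exe",
    "BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    "TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File",
]

# u = current user hive, m = local machine hive, d = .DEFAULT (SYSTEM) profile
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.*)$")
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$")


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def longest_consonant_run(token: str) -> int:
    """Length of the longest run of consonants (y counted as a consonant)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", token.lower())
    return max((len(r) for r in runs), default=0)


def looks_random(token: str) -> bool:
    # Assumed heuristic: an all-letter token of 8+ characters containing a run
    # of 5+ consonants is unlikely to be a vendor or product name.
    return token.isalpha() and len(token) >= 8 and longest_consonant_run(token) >= 5


def random_tokens(text: str) -> list:
    """All alphabetic tokens in text that look machine-generated."""
    return [t for t in re.findall(r"[A-Za-z]+", text) if looks_random(t)]


def triage(lines) -> list:
    """Return Findings for the DDS Pseudo HJT lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            # A proxy on the loopback address means some local process sits
            # between the browser and the network.
            if re.search(r"\b(127\.0\.0\.1|localhost):\d+", m.group("value")):
                findings.append(Finding("high", "HTTP proxy points at the loopback address", line))
            continue

        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            # Legitimate software does not install itself under the SYSTEM
            # profile's application data directory.
            if "\\config\\systemprofile\\" in cmd:
                findings.append(Finding("high", "autorun target lives under systemprofile", line))
            rnd = random_tokens(m.group("name") + " " + m.group("cmd"))
            if rnd:
                findings.append(Finding("medium", "random-looking names: " + ", ".join(rnd), line))
            continue

        m = ORPHAN_RE.match(line)
        if m:
            # An orphaned registration is harmless by itself but is a common
            # leftover of a removed component; note it for cleanup.
            findings.append(Finding("low", m.group("kind") + " registered but file missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the constructed sample it reports two high findings (the loopback proxy and the systemprofile autorun), one medium finding naming `idpcgqoa`, `djtchjjwy` and `yobooywtssd` as random-looking, and two low findings for the orphaned BHO and toolbar CLSIDs. The consonant-run heuristic is deliberately conservative so that real product names such as MSSE, Steam or Clipdiary are not flagged; it is a triage aid, and every hit still needs a human to confirm it against the rest of the log.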



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 23 July 2010 - 09:48 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


===========================================


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 25 July 2010 - 05:36 PM

Do you still need help?

~Semp



#4 Animation Director

Animation Director
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 25 July 2010 - 10:11 PM

Yes! Definitely. It's my work machine though, so I will go through your steps Monday morning.

Thanks,
animation director

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:10 AM

Posted 26 July 2010 - 07:35 AM

Hi,

Is this an office PC? Have you tried contacting the IT department of the company?

~Semp



#6 Animation Director

Animation Director
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 26 July 2010 - 02:35 PM

It is an office PC. As we are a small company we don't have in-house IT, and the guy we call in to take care of that stuff every once in a while took a look, threw up his hands and told me to reinstall Windows. So I turned to you guys. ; )

Combo fix log:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-07-24.06 - adam 07/26/2010 12:14:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1359 [GMT -7:00]
Running from: c:\documents and settings\adam\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\Microsoft\smss.exe
c:\system volume information\Microsoft\smss.exe095E90E9
c:\system volume information\Microsoft\smss.exeA8EACB88
c:\windows\Temp\tmp3.tmp
c:\system volume information\Microsoft . . . . failed to delete
c:\system volume information\Microsoft\services.exe . . . . failed to delete

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-21 18:32 . 2010-07-21 18:32 -------- d-----w- c:\documents and settings\adam\Application Data\Unity
2010-07-21 18:30 . 2010-07-21 18:30 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Unity
2010-07-21 00:01 . 2010-07-21 00:01 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\PCHealth
2010-07-20 23:35 . 2010-07-20 23:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-20 23:19 . 2010-07-20 23:19 4 ----a-w- c:\program files\1156640.dat
2010-07-12 22:58 . 2010-07-12 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-09 16:44 . 2010-07-09 20:10 400 ----a-w- c:\windows\system32\Wacom_Tablet.dat
2010-07-07 20:25 . 2010-07-07 20:29 -------- d-----w- c:\documents and settings\adam\Application Data\Notepad++
2010-07-07 20:25 . 2010-07-07 20:25 -------- d-----w- c:\program files\Notepad++
2010-07-01 00:54 . 2006-06-22 22:29 1413424 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
2010-07-01 00:53 . 2006-06-22 20:51 4770 ----a-r- c:\windows\system32\Repository.reg
2010-07-01 00:53 . 2006-06-22 22:29 38960 ----a-r- c:\windows\system32\drivers\LVUSBSta.sys
2010-07-01 00:53 . 2006-06-22 22:29 513584 ----a-r- c:\windows\system32\LVUI2RC.dll
2010-07-01 00:53 . 2006-06-22 22:29 210480 ----a-r- c:\windows\system32\LVUI2.dll
2010-07-01 00:53 . 2006-06-22 22:29 263728 ----a-r- c:\windows\system32\lvcodec2.dll
2010-07-01 00:53 . 2003-02-21 12:42 348160 ----a-r- c:\windows\system\msvcr71.dll
2010-07-01 00:53 . 2006-06-22 22:29 961072 ----a-r- c:\windows\system32\drivers\lvuvc.sys
2010-07-01 00:53 . 2006-06-22 22:29 20272 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2010-07-01 00:53 . 2006-06-22 22:29 55984 ----a-r- c:\windows\system32\drivers\lvselsus.sys
2010-07-01 00:48 . 2010-07-26 19:19 304040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-01 00:42 . 2010-07-01 00:43 -------- d-----w- c:\program files\Common Files\Logitech
2010-07-01 00:42 . 2010-07-01 00:42 -------- d-----w- c:\program files\Logitech
2010-07-01 00:42 . 2010-07-01 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-06-29 18:55 . 2010-06-29 18:55 24576 ----a-w- c:\windows\system32\drivers\KBDCLASS.SYS
2010-06-28 18:31 . 2010-06-28 18:31 -------- d-----w- c:\documents and settings\adam\Local Settings\Application Data\Threat Expert
2010-06-28 18:18 . 2010-06-28 18:18 -------- d-----w- c:\documents and settings\adam\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 19:24 . 2009-09-02 18:15 -------- d-----w- c:\program files\Steam
2010-07-26 19:24 . 2010-07-01 00:54 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-26 19:23 . 2010-03-01 22:15 -------- d-----w- c:\documents and settings\adam\Application Data\Clipdiary
2010-07-26 19:23 . 2010-01-22 18:40 -------- d-----w- c:\program files\ScreenshotCaptor
2010-07-26 19:21 . 2010-05-07 18:46 -------- d-----w- c:\documents and settings\adam\Application Data\WTablet
2010-07-26 19:21 . 2010-05-10 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2010-07-20 23:45 . 2007-07-30 21:05 59552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 22:52 . 2010-01-22 01:36 -------- d-----w- c:\program files\ATI Technologies
2010-07-01 17:35 . 2010-03-18 21:08 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-01 00:44 . 2010-07-01 00:44 10134 ----a-r- c:\documents and settings\adam\Application Data\Microsoft\Installer\{BEF726DD-4037-4214-8C6A-E625C02D2870}\ARPPRODUCTICON.exe
2010-07-01 00:44 . 2010-07-01 00:44 10134 ----a-r- c:\documents and settings\adam\Application Data\Microsoft\Installer\{8AC049F7-1383-45C3-9E7D-F93CA667F9E1}\ARPPRODUCTICON.exe
2010-07-01 00:44 . 2010-07-01 00:44 10134 ----a-r- c:\documents and settings\adam\Application Data\Microsoft\Installer\{EA516024-D84D-41F1-814F-83175A6188F2}\ARPPRODUCTICON.exe
2010-06-29 22:52 . 2007-07-31 01:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-28 18:36 . 2009-01-19 19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 17:41 . 2010-06-28 17:41 282368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{230E4DF6-DA2E-E554-2022-2F75BB62BEFC}-yobooywtssd.exe
2010-06-28 17:15 . 2007-11-14 04:10 3304 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 23:59 . 2010-06-22 23:59 -------- d-----w- c:\program files\Xvid
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\14872\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\14872\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\14872\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\8.2\ARM\14872\AcrobatUpdater.exe
2010-06-01 17:37 . 2009-10-16 18:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-29 01:13 . 2007-09-10 18:16 -------- d-----w- c:\program files\Winamp
2010-05-26 17:24 . 2010-05-26 17:24 348160 ----a-w- c:\documents and settings\adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-66e62d82-n\msvcr71.dll
2010-05-26 17:24 . 2010-05-26 17:24 503808 ----a-w- c:\documents and settings\adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-66e62d82-n\msvcp71.dll
2010-05-26 17:24 . 2010-05-26 17:24 499712 ----a-w- c:\documents and settings\adam\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-66e62d82-n\jmc.dll
2010-05-06 21:27 . 2009-09-02 18:03 59552 ----a-w- c:\documents and settings\adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-01-19 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-01-19 19:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-09-26 18:06 . 2008-09-26 18:05 39066832 ----a-w- c:\program files\Trillian.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2010-02-03 18:36 872448 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2010-02-03 18:36 872448 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2010-02-03 18:36 872448 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-02 133104]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Screenshot Captor"="c:\program files\ScreenshotCaptor\ScreenshotCaptor.exe" [2009-12-24 6155264]
"Clipdiary"="c:\program files\Clipdiary\clipdiary.exe" [2010-03-23 3719680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\adam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft.exe [2010-3-19 2000112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4282651219-3403542997-3381365203-1247\Scripts\Logon\0\0]
"Script"=\\hiddenpath.local\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4282651219-3403542997-3381365203-1255\Scripts\Logon\0\0]
"Script"=\\hiddenpath.local\NETLOGON\logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\SN Systems\\PS3\\bin\\ps3tm.exe"=
"c:\\Program Files\\Microsoft XNA\\XNA Game Studio\\v2.0\\Bin\\XnaTrans.exe"=
"c:\\Program Files\\MysticGD\\LicenseAgent\\MGD_LicenseAgent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 6:36 PM 86016]
R2 mi-raysat_3dsmax2011_32;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [3/10/2010 2:10 AM 86016]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [5/4/2009 4:35 PM 151552]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/7/2010 11:45 AM 5010288]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [4/8/2009 12:23 PM 45288]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [7/30/2007 2:48 PM 35840]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 10:31 AM 42000]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [5/4/2009 4:35 PM 19584]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\DRIVERS\SmartpenBus.sys --> c:\windows\system32\DRIVERS\SmartpenBus.sys [?]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\DRIVERS\SmartpenCom.sys --> c:\windows\system32\DRIVERS\SmartpenCom.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/7/2010 11:45 AM 16168]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4282651219-3403542997-3381365203-1255Core.job
- c:\documents and settings\adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-02 18:13]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4282651219-3403542997-3381365203-1255UA.job
- c:\documents and settings\adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-02 18:13]

2010-07-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
.txt=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1220)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(9524)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\program files\Perforce\p4exp.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\system volume information\Microsoft\smss.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\system volume information\Microsoft\services.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\documents and settings\adam\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-07-26 12:31:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-26 19:31
ComboFix2.txt 2010-07-20 23:33

Pre-Run: 203,970,801,664 bytes free
Post-Run: 204,002,742,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 266B3F5F74D11D0C1EF020B9D95CD634


#7 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 26 July 2010 - 05:38 PM

Fair enough, please do the following.


Please download MBRCheck to your desktop.
  1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  2. It will open a black window, please do not fix anything (if it gives you an option).
  3. Exit that window and it will produce a log (MBRCheck_date_time).
  4. Please post that log when you reply.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 Animation Director

  • Topic Starter
  • Members
  • 25 posts

Posted 26 July 2010 - 06:57 PM

Thanks for your help.

Here's the MBRCheck log.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive1
\\.\G: --> \\.\PhysicalDrive4

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
298 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
465 GB \\.\PhysicalDrive4 Error reading raw MBR!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...
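
The "Known-bad MBR code detected" and "Windows XP MBR code detected" verdicts in the log above come from comparing the first 440 bytes of each disk's sector 0 (the boot code) against tables of known boot code, while "Error reading raw MBR!" means the sector could not be read at all. The script below is an added example, not MBRCheck's code and not anything posted in this thread: it parses a 512-byte MBR image into boot code, disk signature and partition table, classifies the boot code by hash, and models the repair that fixmbr (or MBRCheck's option 2, used later in the thread) performs, which rewrites only the boot-code bytes and leaves the partition table intact. All boot-code bytes, hashes, disk signatures and partition sizes are constructed for the example; MBRCheck's real tables are not reproduced here.

```python
"""MBR boot-code triage and repair model (added example, not MBRCheck's code).

Sector 0 of an MBR-partitioned disk is laid out as:
  bytes   0..439  executable boot code          (what a bootkit replaces)
  bytes 440..443  NT disk signature
  bytes 446..509  four 16-byte partition entries
  bytes 510..511  boot signature 0x55 0xAA
A bootkit lives in bytes 0..439, which is why rewriting the boot code
cures it without touching the partition table.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def build_mbr(boot_code: bytes, disk_sig: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte sector image from its parts (used here to construct samples)."""
    if len(boot_code) > BOOT_CODE_LEN or len(disk_sig) != 4 or len(partitions) > 4:
        raise ValueError("bad MBR component sizes")
    img = bytearray(MBR_SIZE)
    img[: len(boot_code)] = boot_code
    img[DISK_SIG_OFF : DISK_SIG_OFF + 4] = disk_sig
    for i, p in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sector_count)
    img[510:512] = BOOT_SIG
    return bytes(img)


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


# CONSTRUCTED stand-ins. MBRCheck ships its own tables of real known-good and
# known-bad boot code; these bytes and hashes are made up so the script runs offline.
GOOD_XP_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * (BOOT_CODE_LEN - 11)
BAD_CODE = bytes.fromhex("eb1e90") + b"\x00" * (BOOT_CODE_LEN - 3)

KNOWN_GOOD = {hashlib.sha256(GOOD_XP_CODE).hexdigest(): "Windows XP MBR code detected (constructed sample)"}
KNOWN_BAD = {hashlib.sha256(BAD_CODE).hexdigest(): "Known-bad MBR code detected (constructed sample)!"}


def classify(mbr: bytes) -> str:
    """Produce an MBRCheck-style verdict for one sector-0 image."""
    if len(mbr) != MBR_SIZE:
        return "Error reading raw MBR!"
    if mbr[510:512] != BOOT_SIG:
        return "Missing 0x55AA boot signature!"
    h = boot_code_hash(mbr)
    if h in KNOWN_BAD:
        return KNOWN_BAD[h]
    if h in KNOWN_GOOD:
        return KNOWN_GOOD[h]
    return "Unknown boot code: non-standard or infected MBR"


def restore_boot_code(mbr: bytes, good_code: bytes) -> bytes:
    """Model of the fixmbr-style repair: rewrite bytes 0..439 only.

    Disk signature, partition table and 0x55AA are carried over unchanged,
    so the repair does not destroy partitions.
    """
    return good_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def boot_code_diff(a: bytes, b: bytes) -> int:
    """Number of differing bytes in the boot-code region of two images."""
    return sum(x != y for x, y in zip(a[:BOOT_CODE_LEN], b[:BOOT_CODE_LEN]))


def triage(drives: dict) -> dict:
    """Verdict per drive, like MBRCheck's 'Size Device Name MBR Status' table."""
    return {name: classify(img) for name, img in drives.items()}


if __name__ == "__main__":
    # Constructed disks: one clean, one carrying the stand-in bad code, one unreadable.
    layout = [Partition(True, 0x07, 63, 625_137_282)]  # ~298 GB NTFS, bootable (constructed)
    sig = b"\x12\x34\x56\x78"  # constructed disk signature
    drives = {
        r"\\.\PhysicalDrive0": build_mbr(GOOD_XP_CODE, sig, layout),
        r"\\.\PhysicalDrive1": build_mbr(BAD_CODE, sig, layout),
        r"\\.\PhysicalDrive4": b"",
    }
    for name, verdict in triage(drives).items():
        print(f"{name} {verdict}")
    fixed = restore_boot_code(drives[r"\\.\PhysicalDrive1"], GOOD_XP_CODE)
    print("after repair:", classify(fixed), "| partitions unchanged:",
          parse_partitions(fixed) == parse_partitions(drives[r"\\.\PhysicalDrive1"]))
```

Hash allow-listing is exactly why a scanner like Microsoft Security Essentials can keep "cleaning" a downloader every boot without ever fixing the cause: the dropper is re-delivered by code in sector 0 that no file scan touches, and only a verdict on the raw boot code, followed by rewriting those 440 bytes, resolves it.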


#9 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 27 July 2010 - 05:04 AM

Hi,

Do you have a dual boot system? If yes, can you please tell me the other OS installed?


=================================


1. Now we need to use the Recovery Console. Please print or make a copy of the next steps so you will not make any mistakes.
  1. Please restart your computer.
  2. During restart, you will see an option on which operating system to use.
  3. Please use the arrow keys to choose Microsoft Windows Recovery Console and hit Enter.
  4. The Recovery Console will start and ask you which Windows installation you would like to log onto.
    Note: If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press Enter. If you have just one Windows installation, type 1 and press Enter.
  5. It will then prompt you for the Administrator's password. If there is no password, simply press Enter.
  6. You will now be presented with a C:\Windows> prompt.
  7. Please type the bolded text below and hit the Enter key:
    fixmbr
  8. Type exit to exit the command prompt and restart your computer normally.



2. After the computer has restarted normally, wait for about five minutes, then delete the old MBRCheck log. Run MBRCheck again the way you ran it before and post the new log for my review. Thanks.

~Semp



#10 Animation Director

  • Topic Starter
  • Members
  • 25 posts

Posted 27 July 2010 - 01:35 PM

As far as I know this is not a dual boot system. I inherited this computer from a coworker that left, but I've never seen the option to boot into another operating system.

Please allow me to interject two questions before continuing.

1: the recovery console threw up a warning about destroying partitions. You didn't mention it in your steps, and I have no idea if the drive is partitioned, so I didn't do it. How do I check?

2: our CEO (remember, small company) wants to take the hard drive out of my machine and put it in his, where he can do a scan. Is that advisable here? Would a virus scan clean out this particular infection from another machine? Thoughts?

Thanks
A

#11 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 27 July 2010 - 09:01 PM

Hi,

You did the right thing and asked a question when in doubt.


====================================


QUOTE
1: the recovery console threw up a warning about destroying partitions. You didn't mention it in your steps, and I have no idea if the drive is partitioned, so I didn't do it. How do I check?

This is a normal warning when fixing the MBR, so please proceed. I want to let you know that the PC has a very nasty infection, which is a Whistler Bootkit; the other partition (D:\ drive) is also infected. Unfortunately, replacing the MBR is the only way to remove this infection, and doing it using the Recovery Console is the safest way possible. We treat every user's computer as our own.


QUOTE
2: our CEO (remember, small company) wants to take the hard drive out of my machine and put it in his, where he can do a scan. Is that advisable here? Would a virus scan clean out this particular infection from another machine? Thoughts?

Actually that's a bad idea because it can spread the infection and his PC can get infected as well... And I already mentioned above that there's only one way to remove this infection.
This is the reason why I don't usually offer help on office/company PCs, because they are under company policies and sometimes changes require approval first. Please let me know what your boss decides.

~Semp



#12 Animation Director

  • Topic Starter
  • Members
  • 25 posts

Posted 28 July 2010 - 04:16 PM

I got the go-ahead to continue.

Here's the new MBRCheck log.

Oops, I just noticed that the external hard drive that was plugged in before wasn't for this scan. Sorry, hope that doesn't mess anything up.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
298 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...


#13 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 28 July 2010 - 09:06 PM

Hi,

Good! Now let's fix the other drive.

Please carefully follow these instructions.
  1. Please run MBRCheck again
  2. If you receive the message "Found non-standard or infected MBR".
  3. Please type Y and hit ENTER key for more options.
  4. When prompted to "Enter your choice:" Type 2 and hit the enter key.
  5. When prompted to "Enter the physical disk number to fix (0-99, -1 to cancel):" Type 1 and hit the enter key.
  6. When prompted to "Please select the MBR code to write to this drive:" Type 1 and hit the enter key.
  7. When you receive the message "Do you want to fix the MBR code?" Type YES and hit ENTER key.
  8. You will see the message "Successfully wrote new MBR code!" if successful.
    • Right click on the screen and choose Select All.
    • Press Control+C (to copy the data).
    • Open a notepad, Click on Edit tab > paste.
    • Save that notepad on your desktop as MBRfix.txt
  9. Press ENTER to exit
  10. Please post the contents of MBRfix.txt when you reply.



Now, please restart your PC, wait for about 5 minutes after the restart and do the following.
  1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  2. It will open a black window, please do not fix anything (if it gives you an option).
  3. Exit that window and it will produce a log (MBRCheck_date_time).
  4. Please post that log when you reply.



Note: If any instruction is unclear, please stop and ask me about the part that you don't understand.

Edited by sempai, 28 July 2010 - 09:22 PM.

~Semp



#14 Animation Director

  • Topic Starter
  • Members
  • 25 posts

Posted 29 July 2010 - 02:57 PM

My only question is, why wait 5 minutes? What does that do? (I did it, I was just curious)


Here's the MBRfix.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
298 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black I
nternet)!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 1
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done! Press ENTER to exit...
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

and here's the MBRcheck(etc).txt

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
298 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Done! Press ENTER to exit...

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


#15 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 29 July 2010 - 09:10 PM

Hi,

Because I want to make sure that Windows is properly loaded before running any tool.


====================================================


1. Please temporarily disable System Restore.
  1. Right click on My Computer > Properties.
  2. Click on the System Restore tab.
  3. Put a check on Turn off System Restore on all drives.
  4. Click Apply > OK.



2. Please delete (do not uninstall) the copy of ComboFix that you have and run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




3. Please run another DDS scan and post the new report for my review. Thanks.

~Semp





