
Nasty Virus?


9 replies to this topic

#1 Redweller (Members, 11 posts)

Posted 09 August 2010 - 09:58 PM

I believe my computer was recently compromised. HP computer with Windows 7 Home Premium pre-installed. I use Avira antivirus. I have a 64-bit OS with the latest Windows updates, etc.

Recently started receiving prompts/popups from Microsoft stating that Windows may not be genuine. I went to the Windows Validation website, which has confirmed this. Further investigation revealed that the Windows Key was not the same as posted on the sticker. Communication was made with Microsoft, which has corrected the issue (I think). But the Windows Authentication website still says Windows is not genuine. HP was also contacted and it was further determined that the partition may have been corrupted. I haven't tried to verify that yet.

I also believe I have some guests/listener(s) on the computer as well. Whoever they are may have left some nasty Trojans/rootkits/bugs. Avira antivirus has confirmed multiple viruses revealed in Java as "Agent" class variations. Also a "TR/Horse.TLS" class Trojan. I uninstalled Java and they mysteriously disappeared (see second Avira scan). I have another antivirus program which currently detects 2 viruses: "system32\cmdlineext_x64.dll" and "SysWOW64\CmdLineExt_x64.dll", which I believe are related to SecuROM?


1st run with Avira:



Avira AntiVir Personal
Report file date: Monday, August 09, 2010 16:40

Scanning for 2701388 virus strains and unwanted programs.


The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM


Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 20:38:42
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 20:38:44
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 20:38:49
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 20:38:49
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 20:38:49
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 20:38:49
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 20:38:50
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 20:38:50
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 20:38:50
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 20:38:52
VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 20:38:53
VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 20:38:53
VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 20:38:53
VBASE018.VDF : 7.10.10.107 176640 Bytes 8/9/2010 20:38:54
VBASE019.VDF : 7.10.10.108 2048 Bytes 8/9/2010 20:38:54
VBASE020.VDF : 7.10.10.109 2048 Bytes 8/9/2010 20:38:54
VBASE021.VDF : 7.10.10.110 2048 Bytes 8/9/2010 20:38:54
VBASE022.VDF : 7.10.10.111 2048 Bytes 8/9/2010 20:38:54
VBASE023.VDF : 7.10.10.112 2048 Bytes 8/9/2010 20:38:54
VBASE024.VDF : 7.10.10.113 2048 Bytes 8/9/2010 20:38:55
VBASE025.VDF : 7.10.10.114 2048 Bytes 8/9/2010 20:38:55
VBASE026.VDF : 7.10.10.115 2048 Bytes 8/9/2010 20:38:55
VBASE027.VDF : 7.10.10.116 2048 Bytes 8/9/2010 20:38:55
VBASE028.VDF : 7.10.10.117 2048 Bytes 8/9/2010 20:38:55
VBASE029.VDF : 7.10.10.118 2048 Bytes 8/9/2010 20:38:55
VBASE030.VDF : 7.10.10.119 2048 Bytes 8/9/2010 20:38:55
VBASE031.VDF : 7.10.10.126 94720 Bytes 8/9/2010 20:38:56
Engineversion : 8.2.4.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/9/2010 20:39:03
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 8/9/2010 20:39:03
AESCN.DLL : 8.1.6.1 127347 Bytes 8/9/2010 20:39:02
AESBX.DLL : 8.1.3.1 254324 Bytes 8/9/2010 20:39:03
AERDL.DLL : 8.1.8.2 614772 Bytes 8/9/2010 20:39:01
AEPACK.DLL : 8.2.3.5 471412 Bytes 8/9/2010 20:38:59
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/9/2010 20:38:59
AEHEUR.DLL : 8.1.2.11 2834805 Bytes 8/9/2010 20:38:59
AEHELP.DLL : 8.1.13.2 242039 Bytes 8/9/2010 20:38:57
AEGEN.DLL : 8.1.3.19 393587 Bytes 8/9/2010 20:38:57
AEEMU.DLL : 8.1.2.0 393588 Bytes 8/9/2010 20:38:57
AECORE.DLL : 8.1.16.2 192887 Bytes 8/9/2010 20:38:56
AEBB.DLL : 8.1.1.0 53618 Bytes 8/9/2010 20:38:56
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, August 09, 2010 16:40

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\a1841308-3541-4fab-bc81-f71556f20b4a
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'iexplore.exe' - '110' Module(s) have been scanned
Scan process 'iexplore.exe' - '74' Module(s) have been scanned
Scan process 'avscan.exe' - '75' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'avgnt.exe' - '68' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned
Scan process 'avguard.exe' - '66' Module(s) have been scanned
Scan process 'DVDAgent.exe' - '58' Module(s) have been scanned
Scan process 'CLMLSvc.exe' - '60' Module(s) have been scanned
Scan process 'wmplayer.exe' - '97' Module(s) have been scanned
Scan process 'jusched.exe' - '27' Module(s) have been scanned
Scan process 'hpwuschd2.exe' - '20' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '18' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '48' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '27' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '25' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '89' files ).


Starting the file scan:

Begin scan in 'C:\' <HP>
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2f310681-415e4694
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\2d0c428a-7ba6c0a2
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.J Java virus
--> gogol/Familie.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.J Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\134ca791-3f199c86
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> Is.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> MyName.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AN Java virus
--> Phone.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-1cc5ef72
[0] Archive type: ZIP
[DETECTION] Is the TR/Horse.TLS Trojan
--> vmain.class
[DETECTION] Is the TR/Horse.TLS Trojan
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\608553a1-5f88b45f
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.L Java virus
--> Downloader.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.L Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2e1d60a6-13896281
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-27cb8449
[0] Archive type: ZIP
[DETECTION] Is the TR/Horse.TLS Trojan
--> vmain.class
[DETECTION] Is the TR/Horse.TLS Trojan
Begin scan in 'D:\' <FACTORY_IMAGE>

Beginning disinfection:
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-27cb8449
[DETECTION] Is the TR/Horse.TLS Trojan
[NOTE] The file was moved to the quarantine directory under the name '49e3daaf.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2e1d60a6-13896281
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
[NOTE] The file was moved to the quarantine directory under the name '5173f538.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\608553a1-5f88b45f
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.L Java virus
[NOTE] The file was moved to the quarantine directory under the name '0325ac1b.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-1cc5ef72
[DETECTION] Is the TR/Horse.TLS Trojan
[NOTE] The file was moved to the quarantine directory under the name '6548e017.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\134ca791-3f199c86
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
[NOTE] The file was moved to the quarantine directory under the name '209acd1a.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\2d0c428a-7ba6c0a2
[DETECTION] Contains recognition pattern of the JAVA/Agent.J Java virus
[NOTE] The file was moved to the quarantine directory under the name '5f85ff4a.qua'.
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2f310681-415e4694
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
[NOTE] The file was moved to the quarantine directory under the name '133ed306.qua'.


End of the scan: Monday, August 09, 2010 18:14
Used time: 1:29:46 Hour(s)

The scan has been done completely.

36677 Scanned directories
695936 Files were scanned
11 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
7 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
695925 Files not concerned
3577 Archives were scanned
0 Warnings
7 Notes
722111 Objects were scanned with rootkit scan
2 Hidden objects were found


I then uninstalled Java and ran another full Avira scan:




Avira AntiVir Personal
Report file date: Monday, August 09, 2010 21:05

Scanning for 2701388 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM



Start of the scan: Monday, August 09, 2010 21:05

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'iexplore.exe' - '116' Module(s) have been scanned
Scan process 'HijackThis.exe' - '71' Module(s) have been scanned
Scan process 'iexplore.exe' - '92' Module(s) have been scanned
Scan process 'DVDAgent.exe' - '60' Module(s) have been scanned
Scan process 'CLMLSvc.exe' - '60' Module(s) have been scanned
Scan process 'avscan.exe' - '82' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'avcenter.exe' - '95' Module(s) have been scanned
Scan process 'wmplayer.exe' - '97' Module(s) have been scanned
Scan process 'avgnt.exe' - '56' Module(s) have been scanned
Scan process 'hpwuschd2.exe' - '20' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '18' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '48' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '27' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '25' Module(s) have been scanned
Scan process 'avguard.exe' - '69' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '87' files ).


Starting the file scan:

Begin scan in 'C:\' <HP>
Begin scan in 'D:\' <FACTORY_IMAGE>


End of the scan: Monday, August 09, 2010 22:24
Used time: 1:19:16 Hour(s)

The scan has been done completely.

36697 Scanned directories
676507 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
676507 Files not concerned
3508 Archives were scanned
0 Warnings



I haven't reinstalled Java. But the Windows Authentication website still shows Windows as not genuine.
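The two Avira reports above follow a fixed layout (hidden-object search, file scan with `-->` archive members, then a disinfection section). As an added example that is not part of the original post or of Avira's own tooling, the parser below reads that layout and reconciles per-member detections with what was actually quarantined. It runs on a constructed excerpt of the first report, with the disinfection entry for one archive deliberately dropped so the cross-check has something to flag; the section-header strings and the Java deployment-cache path fragment are taken from the log as posted.

```python
"""Parse an Avira AntiVir report in the format of the logs posted above and
cross-check detections against quarantine actions. Added example, not Avira's
code; the sample is a constructed excerpt of the first scan in the post."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first report above, with the
# disinfection entry for the first archive deliberately left out so the
# cross-check below has something to flag.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\a1841308-3541-4fab-bc81-f71556f20b4a
[NOTE] The registry entry is invisible.
Starting the file scan:
Begin scan in 'C:\' <HP>
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\2f310681-415e4694
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/DyesyasZ.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.2 Java virus
--> dev/s/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.M.1 Java virus
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-1cc5ef72
[0] Archive type: ZIP
[DETECTION] Is the TR/Horse.TLS Trojan
--> vmain.class
[DETECTION] Is the TR/Horse.TLS Trojan
Begin scan in 'D:\' <FACTORY_IMAGE>
Beginning disinfection:
C:\Users\SKYNET\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-1cc5ef72
[DETECTION] Is the TR/Horse.TLS Trojan
[NOTE] The file was moved to the quarantine directory under the name '6548e017.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")           # a scanned file path line
SIG_RE = re.compile(r"\b([A-Z]+/[\w.]+)")          # JAVA/Agent.M.2, TR/Horse.TLS, ...
MEMBER_RE = re.compile(r"^--> (.+)$")              # member inside an archive
QUAR_RE = re.compile(r"under the name '([^']+)'")  # quarantine file name
JAVA_CACHE = "\\Sun\\Java\\Deployment\\cache\\"    # Java applet / Web Start cache


def parse_report(text):
    """Single pass over the report, switching on Avira's section headers.
    Returns hidden registry keys, {archive: [(member, signature)]} and
    {archive: quarantine name}."""
    hidden, detections, quarantined = [], defaultdict(list), {}
    section = current = member = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Starting search for hidden objects"):
            section = "hidden"
        elif line.startswith("Starting the file scan"):
            section = "scan"
        elif line.startswith("Beginning disinfection"):
            section = "disinfect"
        elif section == "hidden" and line.startswith("HKEY_"):
            hidden.append(line)
        elif PATH_RE.match(line):
            # New archive; the [DETECTION] that follows directly is the
            # archive-level line, not a member hit, so member stays None.
            current, member = line, None
        elif current is None:
            continue
        elif section == "scan" and (m := MEMBER_RE.match(line)):
            member = m.group(1)  # Avira prints the member, then its own [DETECTION]
        elif section == "scan" and member and line.startswith("[DETECTION]"):
            sig = SIG_RE.search(line)
            detections[current].append((member, sig.group(1) if sig else "?"))
            member = None
        elif section == "disinfect" and (m := QUAR_RE.search(line)):
            quarantined[current] = m.group(1)
    return {"hidden": hidden, "detections": dict(detections), "quarantined": quarantined}


def summarise(report):
    """Reconcile what was found with what was actually quarantined."""
    archives = list(report["detections"])
    hits = [hit for hits in report["detections"].values() for hit in hits]
    return {
        "hidden_registry_keys": len(report["hidden"]),
        "archives_detected": len(archives),
        "member_detections": len(hits),  # what Avira counts as 'Viruses ... found'
        "signatures": sorted({sig for _, sig in hits}),
        # Java deployment-cache entries are downloaded applets/JARs: deleting
        # them (or Java itself) removes the lure, not anything it may have run.
        "all_in_java_cache": all(JAVA_CACHE in p for p in archives),
        "not_quarantined": [p for p in archives if p not in report["quarantined"]],
    }
```

Run against the full first report, the member count comes out at 11 and the archive count at 7, which is why the summary lines read "11 Viruses" but "7 Files were moved to quarantine".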



#2 boopme (To Insanity and Beyond; Global Moderator, 72,740 posts; Location: NJ USA)

Posted 09 August 2010 - 11:27 PM

I believe I see Rootkits in there. The 64 bit limits the tools we can use here in AII and we will need to move you. Are you opposed to reinstalling the system, as Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done we will need you to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Redweller (Topic Starter; Members, 11 posts)

Posted 09 August 2010 - 11:47 PM

Thank you very much for the reply. Very interesting. How would this stuff have been installed on the computer? In your expertise, where do you think this stuff came from / how was it acquired?

#4 boopme (To Insanity and Beyond; Global Moderator, 72,740 posts; Location: NJ USA)

Posted 10 August 2010 - 12:13 AM

OK, this is a CD-ROM copy protection device by Sony. It is incorporated with some game software. That is how it gets installed. It is a Rootkit.
The use of SecuROM has generated controversy due to the fact that it is not uninstalled upon removal of the game. In 2008, a class-action lawsuit was filed against Electronic Arts for its use of SecuROM in the video game Spore. Also found in games BioShock and Mass Effect.

Sorry a bit, as it is not the nastiest of Rootkits. But a rootkit nonetheless that can allow access.

I am surprised it installed through a 64-bit system, and that is what really had me feeling it was one of the worst.
We still cannot remove it here in this forum. We would need to move.
If you want it out, as I cannot say for certain it did not allow the Java exploit.


Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run (it may not on the 64-bit system), skip it and move on.
Let me know if that went well.

Edited by boopme, 10 August 2010 - 12:32 AM.


#5 Redweller (Topic Starter; Members, 11 posts)

Posted 10 August 2010 - 12:51 AM

I have Mass Effect 2 installed. I've beaten the game and haven't played it in a few months. Also, I recently had Spore reinstalled on my computer. I uninstalled it because a friend told me that it has SecuROM. I did start receiving the Windows Validation errors after the uninstall of Spore, as a matter of fact. I'm going to re-contact Microsoft or perhaps EA regarding this. And btw both are great games! Spore kept freezing up on me and it never used to do that. That's another reason why I uninstalled it.

There is a way to remove SecuROM. The process is on their official page. Should I uninstall Mass Effect 2 and SecuROM since the virus may be using its CmdLineExt 64 to attach itself? What really gets me is that whatever the virus is maybe went into my partition.

Ultimately, I want to make sure I'm doing the right thing here. My personal information is OK right now. And I hope that my information doesn't get compromised.


I clicked the link and am reading steps 6-9. For further reference, all my games are legitimate, i.e. I buy them at the store. I appreciate all the help boopme!

Edited by Redweller, 10 August 2010 - 01:02 AM.


#6 boopme (To Insanity and Beyond; Global Moderator, 72,740 posts; Location: NJ USA)

Posted 10 August 2010 - 09:42 AM

I think you should still make the post and let them at least review it. It'll be several days anyway as they are that backlogged.
Do you have any other malware symptoms?? Popups,redirects??

#7 Redweller (Topic Starter; Members, 11 posts)

Posted 10 August 2010 - 04:33 PM

Gmer did not work. No, I do not have any pop-ups or redirects.

Looks like Microsoft has sent out a bunch of Security patches today also. All have installed (including the Malicious Software Removal Tool update, with which I'm running a full scan now). But it seems KB2092914 will not install and it says the file is in use. Hmmmm

I'm proceeding with the further steps.

Edited by Redweller, 10 August 2010 - 05:55 PM.


#8 Orange Blossom (OBleepin Investigator; Moderator, 36,801 posts; Location: Bloomington, IN)

Posted 10 August 2010 - 06:36 PM

Hello Redweller,

I see that you posted a new topic but apparently removed the logs. We cannot analyze your computer nor remove the infection without logs.

If you do not wish to post those logs, then I would suggest a reformat and reinstall to be certain your system is clean.

Given the lack of logs, I have deleted your new topic.

Orange Blossom

#9 Redweller (Topic Starter; Members, 11 posts)

Posted 10 August 2010 - 09:33 PM

Thanks for the reply, Orange. Should I post my TCPView log first? I do think someone or something is listening.

#10 Rossi23 (Members, 1 post)

Posted 13 August 2010 - 04:43 PM

"Recently started receiving prompts/popups from Microsoft stating that Windows may not be genuine."

If this is the one that removes your desktop wallpaper and replaces it with a black screen, and the 'non genuine Windows' box appeared in the bottom right of the screen, this is what I had. I successfully removed it a few months ago, and haven't had it return.

If this is what you have, let me know and I'll tell you how I got rid of it.



