Infected with Win32/Patched.FL and .FL


This topic is locked. 43 replies to this topic.

#1 rmauer (Members, 24 posts)

Posted 26 August 2010 - 11:01 AM

My AVG is going nuts with this thing. I already ran combofix because I read another post that said to run it. It did not fix the problem.

Now I'm following the instructions for a proper post. Below is my dds.txt log and attached is the attach.txt. I could not run gmer because it kept freezing and blue screening before it would complete the task:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Rob at 10:30:43.34 on Thu 08/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1092 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {28CA5513-F61F-4E45-9DB1-9F24715FD6E3}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Soluto\SolutoService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Soluto\soluto.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Documents and Settings\Rob\ScreenSnapr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ScreenSnapr] c:\documents and settings\rob\ScreenSnapr.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://192.168.1.6:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://192.168.1.6:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://192.168.1.6:4343/officescan/console/html/root/AtxEnc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} - hxxps://192.168.1.6:4343/officescan/console/html/root/AtxPie.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://pcln06.corp.priceline.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://pcln06.corp.priceline.com/dana-cached/sc/JuniperSetupClient.cab
TCP: {0B440C20-AFC3-47B5-95B2-3634DBFBA5FC} = 192.168.1.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rob\applic~1\mozilla\firefox\profiles\57g7nibj.default
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\rob\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-16 243024]
R1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\drivers\NEOFLTR_650_15255.SYS [2010-4-16 85360]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2010-6-28 339520]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-11-24 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-9-30 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-9-30 36368]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [2010-6-29 179656]
S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-2-23 652552]

=============== Created Last 30 ================

2010-08-26 14:02:10 0 d-sha-r- C:\cmdcons
2010-08-26 13:58:08 77312 ----a-w- c:\windows\MBR.exe
2010-08-26 13:58:06 256512 ----a-w- c:\windows\PEV.exe
2010-08-26 13:58:05 98816 ----a-w- c:\windows\sed.exe
2010-08-26 13:58:05 161792 ----a-w- c:\windows\SWREG.exe
2010-08-26 13:44:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 21:46:28 0 d-----w- c:\docume~1\rob\applic~1\5C6BB68D79434F6CA33FE72503B8757A
2010-07-28 20:53:17 0 d-----w- c:\program files\common files\Windows Live
2010-07-28 20:35:53 0 d-----w- c:\program files\iPod
2010-07-28 20:35:48 0 d-----w- c:\program files\iTunes
2010-07-27 15:52:22 0 d-----w- C:\S Drive Down

==================== Find3M ====================

2010-08-03 15:00:03 56488 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-15 14:28:38 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 14:28:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 14:28:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:23:55 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 14:05:36 179656 ----a-w- c:\windows\system32\drivers\PCGenFAM.sys
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14:38 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 10:31:36.76 ===============

Attached is the combofix log too. Might be helpful.

Edited by Pandy, 26 August 2010 - 12:15 PM.
Merged posts ~Pandy

#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 28 August 2010 - 03:33 PM

Good evening.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download BootCheck.exe and save it to your Desktop.
  • Double click BootCheck.exe to run the tool.
  • A Command Window will open and close a few seconds later and a Notepad window will then appear, as if by magic, with some text in it
  • Assuming you can contain your excitement, please post the contents in your next reply

So long, and thanks for all the fish.

#3 rmauer (Topic Starter, Members, 24 posts)

Posted 30 August 2010 - 02:19 PM

First off, thank you very much for your help.

Attached are the results from the ESET Scan.

Here are the notes from the Bootcheck:

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Thanks again, Rob.

Attached File: eset.txt (531 bytes)


#4 Noviciate (Malware Response Team, 5,277 posts)

Posted 30 August 2010 - 02:29 PM

Good evening.

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:
  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    explorer.exe
    hlp.dat
    winlogon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.

#5 rmauer (Topic Starter, Members, 24 posts)

Posted 30 August 2010 - 02:33 PM

Thanks for your quick response.

SystemLook log attached.

Rob.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:31 on 30/08/2010 by Rob (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 24656C92C8274EACE64D3D958DE5A23C

Searching for "hlp.dat"
C:\WINDOWS\system32\hlp.dat --a--- 34699 bytes [12:00 14/04/2008] [12:00 14/04/2008] B811EDB8A0D09C850F33EF924F0A3ECB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] C6E25BC6701AD639D1113C394648A15A

-=End Of File=-

Edited by Noviciate, 30 August 2010 - 03:08 PM.

#6 Noviciate (Malware Response Team, 5,277 posts)

Posted 30 August 2010 - 03:14 PM

Your PC has two system files that have been infected and they need to be replaced in order to solve the problem. Unfortunately your system doesn't appear to have copies of either, assuming that the nasty isn't affecting the tool you've just used. I think we'll double check the results first.

Will you run a search for two files using Start > Search > All files and folders. The files are:

explorer.exe
winlogon.exe


Let me know if you get any other results than C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe

So long, and thanks for all the fish.
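Added example, not code from this thread, from SystemLook or from its author: a small Python parser for the SystemLook filefind output requested in post #4, which turns each hit line into a record and then applies the check Noviciate makes in post #6, namely whether any copy of each file exists outside its live location and whether every copy carries the same MD5. The embedded sample log reuses the three hits rmauer posted above; the extra dllcache line for winlogon.exe and its all-zero hash are constructed to show what a backup copy with a differing hash would look like. The backup locations (system32\dllcache, ServicePackFiles, i386) are assumed typical Windows XP ones, and the handling of a "No files found." line is an assumption about SystemLook's output, not something shown in the thread.

```python
"""Parse SystemLook 'filefind' output and report whether a backup copy of each
searched file exists and agrees with the live copy. Added example; not SystemLook code."""
import re

# Assumed typical Windows XP locations for a clean copy of a system file
# (Windows File Protection cache and service-pack source). Used only to classify
# the paths that appear in the log.
BACKUP_DIR_HINTS = ("\\dllcache\\", "\\servicepackfiles\\", "\\i386\\")

# One hit line: <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')

# Constructed sample log: the first three hits are the ones posted in the thread,
# the dllcache line and its 000...0 hash are made up for illustration.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:31 on 30/08/2010 by Rob (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 24656C92C8274EACE64D3D958DE5A23C

Searching for "hlp.dat"
C:\WINDOWS\system32\hlp.dat --a--- 34699 bytes [12:00 14/04/2008] [12:00 14/04/2008] B811EDB8A0D09C850F33EF924F0A3ECB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] C6E25BC6701AD639D1113C394648A15A
C:\WINDOWS\system32\dllcache\winlogon.exe --a--- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] 00000000000000000000000000000000

-=End Of File=-
"""


def parse_filefind(text):
    """Return {searched_name: [hit, ...]}. A name whose search produced no hit
    lines (e.g. followed by 'No files found.', assumed output) maps to []."""
    hits = {}
    current = None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            hits.setdefault(current, [])
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hits[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "modified": m.group("modified"),
                "md5": m.group("md5").upper(),
            })
    return hits


def is_backup_path(path):
    """True if the path sits in one of the assumed backup locations."""
    p = path.lower()
    return any(hint in p for hint in BACKUP_DIR_HINTS)


def assess(hits):
    """For each searched file: how many copies were found, how many of them are
    backup copies, and whether all copies share one MD5."""
    report = {}
    for name, recs in hits.items():
        md5s = {r["md5"] for r in recs}
        backups = [r for r in recs if is_backup_path(r["path"])]
        if not recs:
            verdict = "not found"
        elif not backups:
            verdict = "live copy only, no backup to compare against"
        elif len(md5s) == 1:
            verdict = "backup copy present and identical to live copy"
        else:
            verdict = "backup copy present but MD5 differs from live copy"
        report[name] = {
            "copies": len(recs),
            "backup_copies": len(backups),
            "hashes_agree": len(md5s) <= 1,
            "verdict": verdict,
        }
    return report


def assess_log(text):
    """Convenience wrapper: parse a full SystemLook log and assess it."""
    return assess(parse_filefind(text))


if __name__ == "__main__":
    for name, info in assess_log(SAMPLE_LOG).items():
        print(f"{name}: {info['copies']} copies, {info['backup_copies']} backup -> {info['verdict']}")
```

Run against the thread's real three hits the report says "live copy only" for explorer.exe and hlp.dat, which is exactly why Noviciate asks for clean copies from another machine; the constructed dllcache line shows the other outcome a responder has to handle, a backup that exists but does not match, which is not safe to copy over the live file without further checking.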

#7 rmauer (Topic Starter, Members, 24 posts)

Posted 30 August 2010 - 03:23 PM

Here are the results for both searches:

explorer.exe - C:\WINDOWS - 1,010 KB - Application - 4/14/2008 7:00 AM
EXPLORER.EXE - 082F38A9.pf - C:\WINDOWS\Prefetch - 154 KB - PF File - 8/30/2010 8:26 AM
explorer.exe.vir - C:\Qoobox\Quarantine\C\WINDOWS - 1010 KB - VIR File - 4/14/2008 7:00 AM

winlogon.exe - C:\WINDOWS\system32 - 496 KB - Application - 4/14/2008 7:00 AM



#8 Noviciate (Malware Response Team, 5,277 posts)

Posted 30 August 2010 - 03:34 PM

Not good. Do you know anybody with a PC with the same version of Windows as you that could supply you with a couple of system files?

So long, and thanks for all the fish.

#9 rmauer (Topic Starter, Members, 24 posts)

Posted 30 August 2010 - 03:38 PM

I do share an office with a bunch of people that use the same Windows version as I do.

Are you suggesting I simply swap the files with clean copies? Is that all that's necessary?

#10 Noviciate (Malware Response Team, 5,277 posts)

Posted 30 August 2010 - 05:36 PM

QUOTE
I do share an office with a bunch of people that use the same Windows version as I do.

Is this a business machine that you are having issues with?

Edited by Noviciate, 30 August 2010 - 05:38 PM.

So long, and thanks for all the fish.

#11 rmauer (Topic Starter, Members, 24 posts)

Posted 31 August 2010 - 08:45 AM

No, this is my personal machine.

#12 Noviciate (Malware Response Team, 5,277 posts)

Posted 31 August 2010 - 02:01 PM

Good evening.

I ask because the first thing you need to do is to uninstall one of your anti-virus programs. Two or more running in real time can cause conflicts, and one of those that shows as installed is Trend Micro OfficeScan Antivirus - not top of every home user's list of security programs.

Once you've decided which AV to keep and you've uninstalled the other, the two files you need to get hold of are:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe


Make sure you get the same versions as are on your machine - right click each file and select Properties to find out what that is.

Let me know when you've got the files and also let me have the results of the following:

Please download BootCheck.exe and save it to your Desktop.
  • Double click BootCheck.exe to run the tool.
  • A Command Window will open and close a few seconds later and a Notepad window will then appear, as if by magic, with some text in it
  • Assuming you can contain your excitement, please post the contents in your next reply

So long, and thanks for all the fish.

#13 rmauer (Topic Starter, Members, 24 posts)

Posted 31 August 2010 - 02:28 PM

I installed the Trend Micro from my work on this machine.

QUOTE
Let me know when you've got the the files and also let me have the results of the following:


When you say 'have' do you mean pasted onto my machine, overwriting the infected ones?

If yes, I assume you want me to run the bootcheck afterwards, but if no, do you want me to run the bootcheck before I overwrite the infected files?

Thanks, Rob.

#14 Noviciate (Malware Response Team, 5,277 posts)

Posted 31 August 2010 - 03:50 PM

What you need to do with the clean files is to place them in the root of your hard drive. This will give you the following:

C:\explorer.exe
C:\winlogon.exe


Once you've got them there and let me have the bootcheck log we'll set about replacing the two infected files with the clean copies.

So long, and thanks for all the fish.

#15 rmauer (Topic Starter, Members, 24 posts)

Posted 31 August 2010 - 04:06 PM

Placed them in the root and below is the bootcheck log:


CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Thanks!!!!



