infected with trojanpatched_c.jed


This topic is locked. 33 replies to this topic.

#1 poppyegan

Posted 03 October 2010 - 02:14 PM

Thank you for any help.

Google was redirecting when I clicked on a search result. AVG Free is now looping a Resident Shield alert. This is what appears in the AVG pop-up:

"c:\WINDOWS\explorer.exe";"Trojan horse Patched_c.JED";"Object is white-listed (critical/system file that should not be removed)"

I read on here to not remove it myself as you might delete the explorer.exe file. I have followed all the prep guidelines. I do not have an installation cd of Windows Xp.

Attached Files

#2 Noviciate

  • Malware Response Team

Posted 03 October 2010 - 02:29 PM

Good evening.

I see from Attach.txt that you have run DDS. I would like you to copy and paste the contents of DDS.txt that should also have been created. If you didn't save a copy, you can always run the tool again.

So long, and thanks for all the fish.

#3 poppyegan

  • Topic Starter

Posted 03 October 2010 - 02:35 PM

Thank you for your quick response.

Here is the file:


DDS (Ver_10-03-17.01) - NTFSx86
Run by alma at 19:48:49.03 on 03/10/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.215 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\APPS\Powercinema\PCMService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\alma\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE
C:\Documents and Settings\alma\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.eircom.net/email/?WT.svl=linke1
uWindow Title = Packard Bell
uSearch Bar = hxxp://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SmpcSys] c:\apps\smp\SmpSys.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ceedo AutoDetect] c:\docume~1\alma\locals~1\temp\AutoDetect.exe /active
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.205.96.237:6500/activex/AMC.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {87D286E9-4DA9-4DE3-BBBF-1B1C7453627B} = 10.3.40.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alma\applic~1\mozilla\firefox\profiles\v2rir8om.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://home.eircom.net/email/?WT.svl=linke1
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\alma\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-29 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-15 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-29 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308136]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-8 1174152]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-3-13 24576]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-27 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-16 430152]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [2007-11-14 17536]

=============== Created Last 30 ================


==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-08-01 12:10:22 3532 ----a-w- C:\drmHeader.bin
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 18:35:16 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2008-11-11 19:49:05 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111120081112\index.dat

============= FINISH: 19:49:47.25 ===============


#4 Noviciate

  • Malware Response Team

Posted 03 October 2010 - 03:47 PM

OK, we'll start by seeing what else there may be lurking on your hard drive before we start deleting stuff.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

#5 poppyegan

  • Topic Starter

Posted 03 October 2010 - 05:27 PM

Sorry, it took ages to scan my computer. Results are as follows:

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
C:\WINDOWS\Temp\hss_update.exe a variant of Win32/HotSpotShield application
Operating memory a variant of Win32/HotSpotShield application


#6 Noviciate

  • Malware Response Team

Posted 04 October 2010 - 02:04 PM

Good evening.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following file and then click on Submit:

C:\Windows\Explorer.exe

When all the scans have been completed, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

Would you then repeat the process for this file: C:\Windows\System32\Winlogon.exe

You may need to set Windows to show All Hidden Files and Folders - instructions can be found here.
* These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done.

#7 poppyegan

  • Topic Starter

Posted 04 October 2010 - 02:15 PM

Hello, I'm not sure if this is correct, but nothing happened when I hit Permalink. This is what's on the page at present. Can you let me know if that's correct and I'll scan the next one.

Filename: explorer.exe
Status:
Scan finished. 11 out of 18 scanners reported malware.
Scan taken on: Mon 4 Oct 2010 21:11:44 (CET) Permalink


File size: 1033728 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: bc3c9cedb8bf64dd415e4a08a7e1fd1d
SHA1: 82bb194527968a5e38c4427b55c0fd8a86b96128


[ArcaVir]
2010-10-04 Found nothing
[F-Secure Anti-Virus]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Avast! antivirus]
2010-10-04 Win32:Bamital-AC
[G DATA]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Grisoft AVG Anti-Virus]
2010-10-04 Patched_c.JED
[Ikarus]
2010-10-04 Virus.Win32.Patched.RP
[Avira AntiVir]
2010-10-04 TR/Spy.1033728.6
[ESET NOD32]
2010-10-04 Win32/Bamital.EC Patched
[Softwin BitDefender]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Panda Antivirus]
2010-10-04 Found nothing
[ClamAV]
2010-10-04 Found nothing
[Quick Heal]
2010-10-04 Found nothing
[CPsecure]
2010-10-04 Found nothing
[Sophos]
2010-10-04 Troj/Patched-O
[Dr.Web]
2010-10-04 Win32.Dat.8
[VirusBlokAda VBA32]
2010-10-04 Found nothing
[Frisk F-Prot Antivirus]
2010-10-04 W32/Bamital.B
[VirusBuster]
2010-10-04 Found nothing

#8 poppyegan

  • Topic Starter

Posted 04 October 2010 - 02:24 PM

Here's the next lot - thanks so much for your help.

Filename: winlogon.exe
Status:
Scan finished. 10 out of 19 scanners reported malware.
Scan taken on: Mon 4 Oct 2010 21:17:22 (CET) Permalink


File size: 507904 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 88642bde0e86380dd8a2cf01ae932867
SHA1: bcf341ead9a5c26ab2baf7a4b12018641d16a218


[ArcaVir]
2010-10-04 Found nothing
[F-Secure Anti-Virus]
2010-10-04 Gen:Trojan.Heur.TP.Fm0@b0StsIj
[Avast! antivirus]
2010-10-04 Win32:Bamital-AC
[G DATA]
2010-10-04 Gen:Trojan.Heur.TP.Fm0@b0StsIj
[Grisoft AVG Anti-Virus]
2010-10-04 Found nothing
[Ikarus]
2010-10-04 Virus.Win32.Bamital
[Avira AntiVir]
2010-10-04 TR/Spy.507904.55
[ESET NOD32]
2010-10-04 Win32/Bamital.EC Patched
[Softwin BitDefender]
2010-10-04 Gen:Trojan.Heur.TP.Fm0@b0StsIj
[Panda Antivirus]
2010-10-04 Found nothing
[ClamAV]
2010-10-04 Found nothing
[Quick Heal]
2010-10-04 Found nothing
[CPsecure]
2010-10-04 Found nothing
[Sophos]
2010-10-04 Troj/Patched-O
[Dr.Web]
2010-10-04 Win32.Dat.8
[VirusBlokAda VBA32]
2010-10-04 Found nothing
[Frisk F-Prot Antivirus]
2010-10-04 W32/Bamital.B
[VirusBuster]
2010-10-04 Found nothing
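
An added example, not from this thread or from any of the tools named in it: it parses a Jotti-style listing like the two posted above into per-engine verdicts, counts how many engines flagged the file and which families (Bamital, Patched) they name, cross-checks that against the "11 out of 18" header, and compares a live system file byte-for-byte with a pristine copy, the same check that lets a patched explorer.exe be told apart from the copy in c:\windows\ServicePackFiles\i386 that ComboFix restores later in the thread. SAMPLE_REPORT is the explorer.exe listing above with only the header lines the parser needs; write_constructed_file is a helper that exists only so the hash check can be exercised on constructed bytes.

```python
import hashlib
import re
import tempfile
from collections import Counter

# Constructed sample: the explorer.exe listing posted above, in the layout Jotti prints.
SAMPLE_REPORT = """Filename: explorer.exe
Scan finished. 11 out of 18 scanners reported malware.
[ArcaVir]
2010-10-04 Found nothing
[F-Secure Anti-Virus]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Avast! antivirus]
2010-10-04 Win32:Bamital-AC
[G DATA]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Grisoft AVG Anti-Virus]
2010-10-04 Patched_c.JED
[Ikarus]
2010-10-04 Virus.Win32.Patched.RP
[Avira AntiVir]
2010-10-04 TR/Spy.1033728.6
[ESET NOD32]
2010-10-04 Win32/Bamital.EC Patched
[Softwin BitDefender]
2010-10-04 Gen:Trojan.Heur.TP.@q0@bmizBzf
[Panda Antivirus]
2010-10-04 Found nothing
[ClamAV]
2010-10-04 Found nothing
[Quick Heal]
2010-10-04 Found nothing
[CPsecure]
2010-10-04 Found nothing
[Sophos]
2010-10-04 Troj/Patched-O
[Dr.Web]
2010-10-04 Win32.Dat.8
[VirusBlokAda VBA32]
2010-10-04 Found nothing
[Frisk F-Prot Antivirus]
2010-10-04 W32/Bamital.B
[VirusBuster]
2010-10-04 Found nothing
"""

ENGINE_RE = re.compile(r"^\[(?P<engine>.+)\]$")                    # "[Engine name]"
VERDICT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<verdict>.+)$")   # "YYYY-MM-DD verdict"


def parse_report(text):
    """Return {'stated': (flagged, engines), 'verdicts': {engine: verdict}}."""
    report = {"stated": None, "verdicts": {}}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.search(r"(\d+) out of (\d+) scanners", line)
        if m:
            report["stated"] = (int(m.group(1)), int(m.group(2)))
        e = ENGINE_RE.match(line)
        if e and i + 1 < len(lines):
            v = VERDICT_RE.match(lines[i + 1])
            if v:
                report["verdicts"][e.group("engine")] = v.group("verdict")
    return report


def summarize(report, families=("Bamital", "Patched")):
    """Count flagging engines, tally the families they name, and cross-check the header."""
    flagged = {e: v for e, v in report["verdicts"].items() if v.lower() != "found nothing"}
    fams = Counter()
    for verdict in flagged.values():
        for fam in families:
            if fam.lower() in verdict.lower():
                fams[fam] += 1
    return {
        "engines": len(report["verdicts"]),
        "flagged": len(flagged),
        "families": dict(fams),
        "consistent": (len(flagged), len(report["verdicts"])) == report["stated"],
    }


def sha1_of(path):
    """Stream a file through SHA-1 so large system binaries are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference(path, reference_path):
    # A patched system file no longer matches its pristine copy; on XP that copy lives in
    # c:\windows\ServicePackFiles\i386, which is where ComboFix restores from later in this thread.
    return sha1_of(path) == sha1_of(reference_path)


def write_constructed_file(data):
    """Write constructed bytes to a temp file so the hash check can run offline."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        return f.name
```

Running summarize(parse_report(SAMPLE_REPORT)) shows that the eleven detections agree on two names for the same file, Bamital and Patched, which is the signal that a whitelisted system binary has been modified rather than a false positive from a single engine.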

#9 Noviciate

  • Malware Response Team

Posted 04 October 2010 - 04:39 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

#10 poppyegan

  • Topic Starter

Posted 04 October 2010 - 04:59 PM

I can't close my AVG so I'm going to go ahead with it running. There's no exit or close button anywhere. Hope that's ok.

Ehh, sorry, found out how to disable it.

Edited by poppyegan, 04 October 2010 - 05:02 PM.


#11 poppyegan

  • Topic Starter

Posted 04 October 2010 - 05:41 PM

Hi, the log is below. So far the Resident Shield pop-up hasn't appeared (touch wood!). I haven't tried Google yet. The computer rebooted twice.

ComboFix 10-10-03.03 - alma 04/10/2010 23:14:54.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.894.438 [GMT 1:00]
Running from: c:\documents and settings\alma\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\alma\Application Data\inst.exe
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))
.

2010-10-04 19:00 . 2010-10-04 19:00 4100960 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-10-04 19:00 . 2010-10-04 19:00 4394336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-10-04 19:00 . 2010-10-04 19:00 2065760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-10-03 20:55 . 2010-10-03 20:55 -------- d-----w- c:\program files\ESET
2010-09-23 21:06 . 2010-09-23 21:06 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 21:06 . 2010-09-23 21:06 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 21:06 . 2010-09-23 21:06 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 21:06 . 2010-09-23 21:06 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 21:06 . 2010-09-23 21:06 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 21:06 . 2010-09-23 21:06 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 21:06 . 2010-09-23 21:06 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 21:05 . 2010-09-23 21:05 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 21:56 . 2009-12-28 17:19 0 ----a-w- c:\documents and settings\alma\Local Settings\Application Data\prvlcl.dat
2010-10-04 19:00 . 2009-12-02 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-26 16:43 . 2008-07-11 20:49 -------- d-----w- c:\documents and settings\alma\Application Data\Canon
2010-09-24 16:12 . 2010-07-11 21:50 -------- d-----w- c:\program files\Google
2010-09-09 21:46 . 2009-12-20 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-09-09 21:46 . 2006-11-08 12:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-30 20:12 . 2009-12-31 01:09 -------- d-----w- c:\documents and settings\alma\Application Data\vlc
2010-08-29 20:45 . 2007-06-17 17:51 -------- d-----w- c:\documents and settings\alma\Application Data\uTorrent
2010-08-17 13:17 . 2004-08-10 16:38 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 18:59 . 2010-08-16 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-08-01 16:17 . 2010-08-01 16:17 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-08-01 16:03 . 2010-08-01 16:03 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-08-01 16:02 . 2010-08-01 16:02 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-08-01 16:02 . 2010-08-01 16:02 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-08-01 16:02 . 2010-08-01 16:02 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-08-01 16:01 . 2010-08-01 16:01 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-08-01 16:00 . 2010-08-01 16:00 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-08-01 16:00 . 2010-08-01 16:00 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-08-01 16:00 . 2010-08-01 16:00 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-08-01 12:12 . 2010-08-01 16:03 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-08-01 12:10 . 2010-08-01 16:03 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-08-01 12:10 . 2010-03-22 22:24 3532 ----a-w- C:\drmHeader.bin
2010-07-22 15:49 . 2004-08-10 16:38 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-16 08:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 18:35 . 2008-05-29 10:01 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:35 . 2010-03-16 23:42 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 18:34 . 2008-05-29 10:01 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-28 766041]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-03-13 2060288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-2-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 18:23 102400 -c----w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 10:08 397312 -c----w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 12:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 11:45 75304 -c--a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 15:09 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-11-08 13:06 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-06-08 14:22 23299112 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 -c--a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 12:16 185896 -c--a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\AOL 9.0\\aol.exe"=
"c:\\Program Files\\NavDiag\\Navini Diagnostics.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3506:TCP"= 3506:TCP:Services
"5512:TCP"= 5512:TCP:Services
"4738:TCP"= 4738:TCP:Services
"3119:TCP"= 3119:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/05/2008 11:01 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [29/05/2008 11:01 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/03/2010 00:41 308136]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [13/03/2008 20:08 24576]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27/08/2010 22:05 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [16/08/2010 19:59 430152]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [14/11/2007 12:40 17536]
.
Contents of the 'Scheduled Tasks' folder

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 21:04]

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 21:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.eircom.net/email/?WT.svl=linke1
TCP: {87D286E9-4DA9-4DE3-BBBF-1B1C7453627B} = 10.3.40.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.205.96.237:6500/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\alma\Application Data\Mozilla\Firefox\Profiles\v2rir8om.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://home.eircom.net/email/?WT.svl=linke1
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\alma\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-Google Update - c:\documents and settings\alma\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{B13A7C41581B411290FBC0395694E2A9} - c:\program files\DivX\DivXConverterUninstall.exe
AddRemove-{D050D7362D214723AD585B541FFB6C11} - c:\program files\DivX\DivXContentUploaderUninstall.exe



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84A4978A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf770cf28
\Driver\ACPI -> ACPI.sys @ 0xf75ffcb8
\Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x84ab0140
PacketIndicateHandler -> NDIS.sys @ 0xf7442a0d
SendHandler -> NDIS.sys @ 0xf7456b40
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\windows\system32\CTsvcCDA.EXE
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\program files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-10-04 23:37:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-04 22:37

Pre-Run: 5,841,371,136 bytes free
Post-Run: 6,271,369,216 bytes free

- - End Of File - - F551F3568B2E10E986BD18C3659081FC


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:45 PM

Posted 05 October 2010 - 01:57 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.

So long, and thanks for all the fish.


#13 poppyegan

poppyegan
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 05 October 2010 - 06:28 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 178):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7B24000 \WINDOWS\system32\KDCOM.DLL
0xF7A34000 \WINDOWS\system32\BOOTVID.dll
0xF75D5000 ACPI.sys
0xF7B26000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF75C4000 pci.sys
0xF7624000 isapnp.sys
0xF7A38000 compbatt.sys
0xF7A3C000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7BEC000 pciide.sys
0xF78A4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B28000 aliide.sys
0xF7B2A000 intelide.sys
0xF7B2C000 toside.sys
0xF7B2E000 viaide.sys
0xF7B30000 cmdide.sys
0xF7634000 MountMgr.sys
0xF75A5000 ftdisk.sys
0xF78AC000 PartMgr.sys
0xF7A40000 ACPIEC.sys
0xF7BED000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7644000 VolSnap.sys
0xF7A44000 cpqarray.sys
0xF758D000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7575000 atapi.sys
0xF7A48000 aha154x.sys
0xF78B4000 sparrow.sys
0xF7A4C000 symc810.sys
0xF7654000 aic78xx.sys
0xF7A50000 dac960nt.sys
0xF7664000 ql10wnt.sys
0xF7A54000 amsint.sys
0xF78BC000 asc.sys
0xF7A58000 asc3550.sys
0xF78C4000 mraid35x.sys
0xF78CC000 i2omp.sys
0xF7A5C000 ini910u.sys
0xF7674000 ql1240.sys
0xF7684000 aic78u2.sys
0xF78D4000 symc8xx.sys
0xF78DC000 sym_hi.sys
0xF78E4000 sym_u3.sys
0xF78EC000 ABP480N5.SYS
0xF78F4000 asc3350p.sys
0xF7B32000 cd20xrnt.sys
0xF7694000 ultra.sys
0xF755C000 adpu160m.sys
0xF78FC000 dpti2o.sys
0xF76A4000 ql1080.sys
0xF76B4000 ql1280.sys
0xF76C4000 ql12160.sys
0xF7904000 perc2.sys
0xF7B34000 perc2hib.sys
0xF790C000 hpn.sys
0xF7A60000 cbidf2k.sys
0xF7530000 dac2w2k.sys
0xF76D4000 disk.sys
0xF76E4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7510000 fltmgr.sys
0xF74FE000 sr.sys
0xF76F4000 PxHelp20.sys
0xF74E7000 KSecDD.sys
0xF74D4000 WudfPf.sys
0xF7447000 Ntfs.sys
0xF741A000 NDIS.sys
0xF7704000 sisagp.sys
0xF7714000 viaagp.sys
0xF7400000 Mup.sys
0xF7914000 BTHidMgr.sys
0xF7724000 alim1541.sys
0xF7734000 amdagp.sys
0xF7744000 agp440.sys
0xF7754000 agpCPQ.sys
0xF77C4000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6B1A000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6B06000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF796C000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6AE2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7974000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF77E4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF77F4000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6ABF000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6A97000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7804000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF797C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6A67000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7B5E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7984000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF6A52000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF69F4000 \SystemRoot\system32\DRIVERS\RT61.sys
0xF7B00000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7814000 \SystemRoot\System32\Drivers\VcommMgr.sys
0xF7B04000 \SystemRoot\system32\DRIVERS\vbtenum.sys
0xF798C000 \SystemRoot\system32\DRIVERS\blueletaudio.sys
0xF69D0000 \SystemRoot\system32\DRIVERS\portcls.sys
0xF7824000 \SystemRoot\system32\DRIVERS\drmk.sys
0xF7994000 \SystemRoot\system32\DRIVERS\BlueletSCOAudio.sys
0xF7D04000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B60000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF799C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7834000 \SystemRoot\system32\DRIVERS\HssDrv.sys
0xF7844000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B08000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF69B9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7854000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7864000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79A4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF69A8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7874000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79AC000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79B4000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF79BC000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF7B1C000 \SystemRoot\system32\DRIVERS\btnetdrv.sys
0xF7884000 \SystemRoot\system32\DRIVERS\tapvpn.sys
0xF79C4000 \SystemRoot\system32\DRIVERS\taphss.sys
0xF7894000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF79CC000 \SystemRoot\system32\DRIVERS\VComm.sys
0xF7B20000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF71D7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B64000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF68FA000 \SystemRoot\system32\DRIVERS\update.sys
0xF73DC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF71C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7197000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xEE453000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF7ADC000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B76000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C02000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B78000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7A0C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7A14000 \SystemRoot\System32\drivers\vga.sys
0xF7B7A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B7C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A1C000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A24000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AE4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEE1D0000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEE177000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEE13D000 \SystemRoot\System32\Drivers\avgtdix.sys
0xEE0EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7157000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEDD49000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDD27000 \SystemRoot\System32\drivers\afd.sys
0xF7147000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEDCFC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEDC8C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6D01000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7A2C000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xEDC58000 \SystemRoot\System32\Drivers\avgldx86.sys
0xEE447000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xF7764000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEDC40000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7BDE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEE115000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79FC000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CEC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF08E000 \SystemRoot\System32\atikvmag.dll
0xBF0C4000 \SystemRoot\System32\ati3duag.dll
0xBF32B000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEB7F1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB594000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7BAC000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xEB287000 \SystemRoot\system32\drivers\wdmaud.sys
0xEB9F1000 \SystemRoot\system32\drivers\sysaudio.sys
0xEB0A2000 \SystemRoot\system32\DRIVERS\srv.sys
0xEDAC4000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xEDA84000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEDE74000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF7106000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA128000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 65):
0 System Idle Process
4 System
1704 C:\WINDOWS\system32\smss.exe
1752 csrss.exe
1788 C:\WINDOWS\system32\winlogon.exe
1832 C:\WINDOWS\system32\services.exe
1844 C:\WINDOWS\system32\lsass.exe
1988 C:\WINDOWS\system32\ati2evxx.exe
2008 C:\WINDOWS\system32\svchost.exe
172 svchost.exe
204 C:\WINDOWS\system32\svchost.exe
236 C:\WINDOWS\system32\svchost.exe
300 C:\Program Files\AVG\AVG9\avgchsvx.exe
308 C:\Program Files\AVG\AVG9\avgrsx.exe
436 C:\Program Files\AVG\AVG9\avgcsrvx.exe
860 svchost.exe
936 svchost.exe
1336 C:\WINDOWS\system32\spoolsv.exe
1424 svchost.exe
1456 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
1468 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
1484 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1552 C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
736 C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
1616 C:\WINDOWS\system32\CTSVCCDA.EXE
1684 C:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
636 C:\Program Files\Hotspot Shield\bin\openvpnas.exe
884 C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
1244 C:\Program Files\Hotspot Shield\bin\hsswd.exe
1268 C:\Program Files\AVG\AVG9\avgnsx.exe
2052 C:\WINDOWS\system32\svchost.exe
2144 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2388 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2464 C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
2612 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
3308 wmiprvse.exe
3588 C:\APPS\Powercinema\Kernel\TV\CLSched.exe
3724 alg.exe
2316 C:\WINDOWS\system32\ati2evxx.exe
2596 C:\WINDOWS\explorer.exe
3892 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3900 C:\WINDOWS\RTHDCPL.exe
3928 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
3968 C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
1880 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
740 C:\APPS\Powercinema\PCMService.exe
768 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
840 C:\PROGRA~1\AVG\AVG9\avgtray.exe
1224 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
2192 C:\APPS\SMP\SMPSYS.EXE
352 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
1884 C:\Program Files\MSN Messenger\msnmsgr.exe
3820 C:\Program Files\Hotspot Shield\bin\openvpntray.exe
2820 C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
2072 C:\Program Files\AVG\AVG9\avgscanx.exe
3456 C:\Program Files\AVG\AVG9\avgcsrvx.exe
6108 C:\Program Files\Mozilla Firefox\firefox.exe
5204 C:\DOCUME~1\alma\LOCALS~1\Temp\jre-6u21-windows-i586-iftw-rv_6f82dccf.exe
2924 C:\WINDOWS\system32\msiexec.exe
5048 C:\WINDOWS\system32\msiexec.exe
4364 C:\WINDOWS\system32\msiexec.exe
4628 C:\Documents and Settings\alma\Desktop\MBRCheck.exe
5392 C:\Program Files\Java\jre6\bin\jqs.exe
620 C:\Program Files\Java\jre6\bin\javaws.exe
4424 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f3947600 (NTFS)

PhysicalDrive0 Model Number: ST980811A, Rev: 3.ALA

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: ED0B19E36914D028E2802BBB4AC96BBF34B6CF5B


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:45 PM

Posted 06 October 2010 - 02:17 PM

Good evening.

Still a little work to do I'm afraid. Can you tell me the make and model of the PC and also work through the following and post accordingly:

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

  • Right click on the zipped folder and from the menu that appears, click on Extract All...
  • In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
  • In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#15 poppyegan

poppyegan
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 06 October 2010 - 05:41 PM


Partition ID: Disk #0, Partition #0
Size: 7.81 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 66.71 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Packard Bell
Name: Phoenix NoteBIOS 4.0 Release 6.1
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


Packard Bell Easy Note Argo C
