
Win32:Bamital-AC; Avast detects explorer.exe and winlogon.exe infected with Bamital-AC


  • This topic is locked
16 replies to this topic

#1 TheMantighoul

TheMantighoul

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 07 October 2010 - 02:05 AM

Well, I keep getting the same message over and over from Avast.

-------------------------------------------------
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, October 07, 2010 1:33:05 AM
*

10/7/2010 1:33:11 AM C:\WINDOWS\system32\winlogon.exe [L] Win32:Bamital-AC (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
10/7/2010 1:34:29 AM C:\WINDOWS\Explorer.EXE [L] Win32:Bamital-AC (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
---------------------------------------------------
I have never dealt with something that actually affected system files like this. The problems started about a week ago when the other person who uses this computer started getting reroutes while browsing. I eliminated most of the junk with Malwarebytes, Avast, and Spybot. There was also a fake Windows security alert pop-up window; I believe it mentioned some iPod files as a threat, but anyway it was a bogus security alert, which I also eliminated. During that time, I could not access taskmgr.exe, but after a reboot it was back up again. I really have not found information on this Win32:Bamital-AC manifestation, and I could really use some help/advice. I also disabled my System Restore for now, because there were infections in the files (System Volume Information). Will I have to resort to the Windows Recovery Console, or do you think there is something else to fix explorer.exe and winlogon.exe?

Anyway, here is the DDS:


DDS (Ver_10-10-05.01) - NTFSx86
Run by The Mantighoul at 21:03:56.32 on Wed 10/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2372 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\The Mantighoul\My Documents\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\theman~1\applic~1\mozilla\firefox\profiles\b3qrfxus.default\
FF - plugin: c:\documents and settings\the mantighoul\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\the mantighoul\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\the mantighoul\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-2 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-2 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-10-1 68136]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 40384]
S0 dqlfn;dqlfn;c:\windows\system32\drivers\bgyvext.sys --> c:\windows\system32\drivers\bgyvext.sys [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
S4 TomTomHOMEService;TomTomHOMEService;e:\applications\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]

=============== Created Last 30 ================

2010-10-05 08:08:03 -------- d-sha-r- C:\cmdcons
2010-10-05 08:00:01 98816 ----a-w- c:\windows\sed.exe
2010-10-05 08:00:01 77312 ----a-w- c:\windows\MBR.exe
2010-10-05 08:00:01 256512 ----a-w- c:\windows\PEV.exe
2010-10-05 08:00:01 161792 ----a-w- c:\windows\SWREG.exe
2010-10-05 07:59:56 -------- d-----w- C:\ComboFix
2010-10-03 02:51:28 5267 ----a-w- c:\docume~1\theman~1\applic~1\35212.js
2010-10-02 16:44:59 38848 ----a-w- c:\windows\avastSS.scr
2010-10-02 16:44:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-18 21:34:19 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-18 21:34:19 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-18 21:33:55 -------- d-----w- c:\program files\iPod
2010-09-18 21:33:54 -------- d-----w- c:\program files\iTunes
2010-09-18 21:33:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-18 21:33:19 -------- d-----w- c:\docume~1\theman~1\locals~1\applic~1\Apple
2010-09-18 21:33:11 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-18 21:33:11 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-18 21:31:59 -------- d-----w- c:\docume~1\theman~1\locals~1\applic~1\Apple Computer
2010-09-11 01:04:25 -------- d-----w- c:\program files\Fiddler2
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-10-07 00:02:00 16608 ----a-w- c:\windows\gdrv.sys
2010-08-04 18:24:16 1409 ----a-w- c:\windows\QTFont.for
2010-07-27 23:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44:10 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 23:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 21:04:09.12 ===============


here is the GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-07 01:24:32
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\THEMAN~1\LOCALS~1\Temp\pwrciuod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA8597CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xA8597BAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xA8598160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xA859808A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA8597782]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA8597C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA85976C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA8597726]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA8597DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA859822E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xA8597D66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xA8597EE6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA85A4BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xA85A49D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xA85A4B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A85A4B10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3AE 7 Bytes JMP A85A49D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC512 5 Bytes JMP A85A05D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F96 5 Bytes JMP A85A1FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1136 7 Bytes JMP A85A4BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB539C000, 0x1BDE76, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1608] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\Explorer.EXE[1868] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 00B48328

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----



Thanks to anyone who can help me out.



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:29 AM

Posted 07 October 2010 - 04:24 PM

Good evening.

Please re-enable System Restore before you do anything else. This little Windows tool acts as a safety net for your PC and it is better, should something go wrong, to have an infected PC than an expensive paperweight!

Once you've attended to that, work through the following:

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either. the following and post accordingly:


So long, and thanks for all the fish.



#3 TheMantighoul

TheMantighoul
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 07 October 2010 - 07:01 PM

Thanks. I already have Recovery Console installed and re-enabled system restore earlier.

I will be posting the ComboFix log as soon as it is done.

#4 TheMantighoul

TheMantighoul
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 07 October 2010 - 07:13 PM

Combofix log

ComboFix 10-10-07.01 - The Mantighoul 10/07/2010 19:06:52.2.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2728 [GMT -5:00]
Running from: c:\documents and settings\The Mantighoul\My Documents\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-10-05 06:27 . 2010-10-05 06:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-05 06:07 . 2010-10-05 06:07 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-02 16:45 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-02 16:45 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-02 16:45 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-02 16:45 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-02 16:45 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-02 16:45 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-02 16:45 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-02 16:44 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-02 16:44 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-02 16:44 . 2010-10-02 16:44 -------- d-----w- c:\program files\Alwil Software
2010-10-02 16:44 . 2010-10-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-29 23:20 . 2010-09-29 23:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-29 23:20 . 2010-09-29 23:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-09-20 05:27 . 2010-09-20 05:28 -------- d-----w- c:\program files\QuickTime
2010-09-20 05:26 . 2010-09-20 05:26 -------- d-----w- c:\program files\Safari
2010-09-20 05:26 . 2010-09-20 05:26 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-20 02:00 . 2010-09-20 02:00 42020 ---ha-w- c:\windows\system32\mlfcache.dat
2010-09-18 21:49 . 2010-08-21 09:21 225416 ----a-w- c:\documents and settings\The Mantighoul\Application Data\Mozilla\Firefox\Profiles\b3qrfxus.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-09-18 21:34 . 2010-09-20 05:29 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\Apple Computer
2010-09-18 21:34 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-09-18 21:34 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-09-18 21:33 . 2010-09-18 21:33 -------- d-----w- c:\program files\iPod
2010-09-18 21:33 . 2010-09-18 21:34 -------- d-----w- c:\program files\iTunes
2010-09-18 21:33 . 2010-09-18 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-18 21:33 . 2010-09-18 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-09-18 21:33 . 2010-09-18 21:33 -------- d-----w- c:\documents and settings\The Mantighoul\Local Settings\Application Data\Apple
2010-09-18 21:33 . 2010-09-18 21:33 -------- d-----w- c:\program files\Apple Software Update
2010-09-18 21:33 . 2010-04-20 01:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-18 21:33 . 2010-04-20 01:47 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-18 21:32 . 2010-09-18 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-18 21:32 . 2010-09-18 21:33 -------- d-----w- c:\program files\Common Files\Apple
2010-09-18 21:31 . 2010-09-20 05:29 -------- d-----w- c:\documents and settings\The Mantighoul\Local Settings\Application Data\Apple Computer
2010-09-11 01:04 . 2010-10-07 01:41 -------- d-----w- c:\program files\Fiddler2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 23:55 . 2010-03-20 03:22 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\WTablet
2010-10-07 23:54 . 2009-10-01 13:39 16608 ----a-w- c:\windows\gdrv.sys
2010-10-07 06:38 . 2009-12-06 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-07 01:22 . 2009-12-19 15:57 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\Winamp
2010-10-07 01:21 . 2009-11-29 11:22 -------- d-----w- c:\program files\CCleaner
2010-10-07 00:04 . 2009-09-30 23:14 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\uTorrent
2010-10-05 13:47 . 2010-04-21 13:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-10-05 07:56 . 2009-10-01 13:28 49984 ----a-w- c:\documents and settings\The Mantighoul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-10-05 04:17 . 2009-11-22 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 02:19 . 2010-03-09 05:02 712192 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-10-04 02:18 . 2010-08-08 00:26 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\ZoomBrowser EX
2010-09-30 15:58 . 2009-09-30 23:14 -------- d-----w- c:\program files\uTorrent
2010-09-21 20:45 . 2010-02-04 21:12 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\FileZilla
2010-09-21 20:44 . 2010-02-04 21:11 -------- d-----w- c:\program files\FileZilla FTP Client
2010-09-18 21:32 . 2010-01-05 22:42 -------- d-----w- c:\program files\Bonjour
2010-09-18 02:45 . 2009-11-28 20:38 1 ----a-w- c:\documents and settings\The Mantighoul\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-01 14:12 . 2010-09-01 14:12 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-31 05:09 . 2010-08-31 04:46 -------- d-----w- c:\documents and settings\The Mantighoul\Application Data\vlc
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-27 23:44 . 2010-07-27 23:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

------- Sigcheck -------

[-] 2008-04-14 . D4D1B7674758756C1EE210EB985F6048 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . F1F16A6DB4B34FC01C0317926F3AAD90 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-05_08.13.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-07 23:55 . 2010-10-07 23:55 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
+ 2001-08-23 11:00 . 2010-10-07 23:59 67516 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2010-10-05 08:00 67516 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2010-10-07 23:59 432686 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2010-10-05 08:00 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

[HKLM\~\startupfolder\C:^Documents and Settings^The Mantighoul^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\The Mantighoul\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 18:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 10:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-08 22:31 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-11-17 01:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-21 03:16 136176 ----atw- c:\documents and settings\The Mantighoul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 05:13 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 05:13 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 05:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 05:13 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-01-13 06:37 18084864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-30 23:13 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- e:\applications\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-09-30 04:15 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-18 00:30 39424 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)
"Adobe Version Cue CS4"=3 (0x3)
"mi-raysat_3dsmax2010_32"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"NBService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Installer\\{350FB27C-CF62-4EF3-AF9D-70FF313FE221}\\iTunesIco.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server
"27334:TCP"= 27334:TCP:SLSK

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/2/2010 11:45 AM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/2/2010 11:45 AM 17744]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [10/1/2009 8:39 AM 68136]
S0 dqlfn;dqlfn;c:\windows\system32\drivers\bgyvext.sys --> c:\windows\system32\drivers\bgyvext.sys [?]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 6:36 PM 86016]
S4 TomTomHOMEService;TomTomHOMEService;e:\applications\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-706699826-1417001333-1003Core.job
- c:\documents and settings\The Mantighoul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 03:16]

2010-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-706699826-1417001333-1003UA.job
- c:\documents and settings\The Mantighoul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-21 03:16]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\The Mantighoul\Application Data\Mozilla\Firefox\Profiles\b3qrfxus.default\
FF - plugin: c:\documents and settings\The Mantighoul\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\The Mantighoul\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\The Mantighoul\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-10-07 19:10:17
ComboFix-quarantined-files.txt 2010-10-08 00:10
ComboFix2.txt 2010-10-05 08:15

Pre-Run: 46,882,521,088 bytes free
Post-Run: 46,870,323,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C3B411E2ACE05AC458954AA3CEE23468


#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 08 October 2010 - 02:29 PM

Good evening.

QUOTE
Let me know how the PC is behaving.

So long, and thanks for all the fish.


#6 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 08 October 2010 - 06:12 PM

Basically, most of the time I open a program, Avast real-time shield goes "Threat detected" dealing with winlogon.exe, process was stopped. I'll get the exact message for you when it pops up again.

#7 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 09 October 2010 - 01:09 AM

Hmm, I just noticed there is a Windows Internet Explorer icon now on my desktop. No one uses that browser and nothing has been installed today. I also have some reroutes using Google on Firefox. My Firefox is version 3.6.10. My add-on extensions are Adblock Plus 1.2.2, BetterPrivacy 1.48.3, Flagfox 4.0.9, ImTranslator 3.3.5, Java Console 6.0.16, Java Quick Starter 1.0, NoScript 2.0.3.3, Redirect Remover 2.6.4, Screengrab 0.96.3, and WOT 20100908. Do I have to list my plug-ins and version numbers? All seems well there as far as I can tell. I just cleared my history and cache after the redirects. There were no Google redirects last night or this afternoon; now it seems the majority of items selected in Google results are redirected somewhere. I have not encountered any redirects as of yet in Chrome.

My Avast version is 5.0.677. I have not been able to trigger the "Threat detected" dialogue yet, but I have not spent much time at home today. I hope to get that up ASAP.



-------------------------
As of 11 AM: now when I click on Firefox it states it is no longer my default browser. Also I am unable to reboot my machine via Start -> Turn Off Computer. Also I scheduled an Avast boot-time scan and I am unable to restart that way either. I have to manually press the power button on my front case. I have unplugged that machine from the router.

Edited by TheMantighoul, 09 October 2010 - 11:07 AM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 October 2010 - 12:37 PM

Good evening.

The original infection still appears to be present, so we'll have to see if we can manually fix it.

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:
  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:

    CODE
    :filefind
    explorer.*
    sfcfiles.*
    winlogon.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.


#9 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 09 October 2010 - 07:43 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 19:27 on 09/10/2010 by The Mantighoul
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:42 14/04/2008] [12:42 14/04/2008] F1F16A6DB4B34FC01C0317926F3AAD90
C:\WINDOWS\explorer.scf --a---- 80 bytes [11:00 23/08/2001] [11:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392

Searching for "sfcfiles.*"
C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [02:44 12/01/2009] [02:44 12/01/2009] 362BC5AF8EAF712832C58CC13AE05750

Searching for "winlogon.*"
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf --a---- 70186 bytes [00:16 10/10/2010] [00:16 10/10/2010] EA62709E9E88BA6D72C353843FF712C1
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:42 14/04/2008] [12:42 14/04/2008] (Unable to calculate MD5)

-= EOF =-

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 October 2010 - 01:45 PM

Good evening.

Do you have access to another PC with the identical version of Windows on that you could acquire three system files from? Your machine shows no back-ups we could use and you need to swop some infected files for clean ones to deal with this nasty.

So long, and thanks for all the fish.


#11 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 10 October 2010 - 09:55 PM

I have several machines running and a few Windows disks. Would it be better to replace the files from the Windows disk or copy them over from another machine?

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 October 2010 - 02:02 PM

Good evening.

As you really want the same version of the files, I would use the machines rather than the discs as they are more likely to be up-to-date. The three files you want are:

c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\sfcfiles.dll


Right-click each and check out Properties and ensure that you get the same version number of each file.

So long, and thanks for all the fish.


#13 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 13 October 2010 - 01:23 AM

I replaced these files and I am still getting Avast detecting a threat from winlogon.exe and explorer.exe. Also still getting redirects in Google search in Firefox.

I ran ESET and so far it found Bamital.EB trojan

Edited by TheMantighoul, 13 October 2010 - 02:43 AM.


#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 October 2010 - 01:29 PM

Good evening.

You actually got a little ahead of yourself as I didn't intend you to swop the files yet. As the infection is active, any attempt to deal with this nasty isn't going to be as simple as you might have hoped.
What you need to do is to drop copies of all the files to the root of your hard drive. This should give you:

c:\winlogon.exe
c:\explorer.exe
c:\sfcfiles.dll


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Read through the following instructions to be sure that you understand what is required and if you are unclear about anything at all, ask BEFORE you begin:
  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up/down arrow keys to select Microsoft Windows Recovery Console.
  • You need to tell the PC which Windows installation to access (there may be more than one) - select the C:\Windows option and press <ENTER>.
You now need to enter the following two commands, one at a time, pressing <ENTER> after each, ensuring that you do so exactly as shown:
    ren explorer.exe explorer.old
    copy c:\explorer.exe c:\windows\explorer.exe
After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message, enter the copy command again checking that you have done so correctly. If you still do not see the message, you need to enter the following command:
    ren explorer.old explorer.exe
This will restore the infected file so that your system will function correctly on reboot.

* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

If the file isn't successfully copied you should exit the Recovery Console - see bottom of post. If all goes well however, run the following set of three commands:
    cd system32
    ren winlogon.exe winlogon.old
    copy c:\winlogon.exe c:\windows\system32\winlogon.exe
Again you should see the 1 file(s) copied message - if you don't, you should repeat the copy command and if that doesn't work you need to enter the following command:
    ren winlogon.old winlogon.exe
Again, if you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No

If the file isn't successfully copied you should exit the Recovery Console - see bottom of post. If all goes well however, run the following set of two commands:
    ren sfcfiles.dll sfcfiles.old
    copy c:\sfcfiles.dll c:\windows\system32\sfcfiles.dll
After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message, enter the copy command again checking that you have done so correctly. If you still do not see the message, you need to enter the following command:
    ren sfcfiles.old sfcfiles.dll
This will restore the infected file so that your system will function correctly on reboot.

* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

Once you have completed the commands, or if you had any issues, enter the following command to exit the Recovery Console:
    exit - this will reboot your system as normal.

Let me know how you get on.

So long, and thanks for all the fish.
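A pre-flight check for the file swap described in this post, using the same size/MD5 view that the SystemLook log in #9 printed (note its "(Unable to calculate MD5)" line for winlogon.exe). This is an added example, not code from the thread, SystemLook or ComboFix; the verdict names, the donor/target pairing and the sample bytes are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime

def md5_of(path):
    """Upper-case MD5 as SystemLook prints it, or None when the file cannot be
    read (SystemLook shows that as 'Unable to calculate MD5', like winlogon.exe above)."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest().upper()

def filefind_line(path):
    """Render one SystemLook-style 'filefind' result line for a file."""
    st = os.stat(path)
    stamp = datetime.fromtimestamp(st.st_mtime).strftime("%H:%M %d/%m/%Y")
    digest = md5_of(path) or "(Unable to calculate MD5)"
    return f"{path} --a---- {st.st_size} bytes [{stamp}] {digest}"

def check_pair(donor, target):
    """Classify a clean donor copy against the system file it is meant to replace."""
    if not os.path.isfile(donor):
        return "missing-donor"
    if not os.path.isfile(target):
        return "missing-target"
    d, t = md5_of(donor), md5_of(target)
    if d is None:
        return "donor-unreadable"
    if t is None:
        return "target-locked"      # in use or access denied; compare it offline instead
    if d == t:
        return "identical"          # same bytes already in place, nothing to swap
    if os.path.getsize(donor) != os.path.getsize(target):
        return "size-differs"
    return "patched-in-place"       # same size, different content

def demo():
    """Constructed scenario in a temp directory, not the real system files."""
    root = tempfile.mkdtemp()
    donor, same, patched = (os.path.join(root, n) for n in ("donor.exe", "same.exe", "patched.exe"))
    clean = b"MZ" + b"\x90" * 62    # constructed stand-in for a clean PE image
    for p, data in ((donor, clean), (same, clean), (patched, clean[:-1] + b"\xcc")):
        with open(p, "wb") as f:
            f.write(data)
    return {"same": check_pair(donor, same), "patched": check_pair(donor, patched)}
```

Run `check_pair` over the three c:\ donor files and their targets before booting into the Recovery Console; a "target-locked" verdict is the expected result for a file the infection holds open, so the swap has to happen offline as the instructions describe.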


#15 TheMantighoul

TheMantighoul
  • Topic Starter
  • Members
  • 10 posts

Posted 13 October 2010 - 08:08 PM

I ran Recovery Console and at reboot chkdsk ran, and now I am back in XP. Avast automatically updated. I updated Firefox and (for now) I have not noticed any reroutes as of yet, and it is running more smoothly than ever. I did a quick scan on Avast and all seems well. I will post later if I find anything suspicious.

If you have any advice again, I appreciate the help.

Thanks again.
